
June 14, 2018
Revisions to the FFIEC BSA/AML Manual to Include the New CDD Regulation

On May 11, 2018, the federal bank regulators and the Financial Crimes Enforcement Network (“FinCEN”) published two new chapters of the Federal Financial Institution Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual (“BSA/AML Manual”) to reflect changes made by FinCEN to the CDD regulation.[1] One of the chapters replaces the current chapter “Customer Due Diligence – Overview and Examination Procedures” (“CDD Chapter”), and the other chapter is entirely new and contains an overview of and examination procedures for “Beneficial Ownership for Legal Entity Customers” to reflect the beneficial ownership requirements of the CDD regulation (“Beneficial Ownership Chapter”).[2] The new CDD Chapter builds upon the previous chapter, adds the requirements of the CDD regulation, and otherwise updates the chapter, which had not been revised since 2007. The Beneficial Ownership Chapter largely repeats what is in the CDD Rule. Both new chapters reference the regulatory guidance and clarifications from the Frequently Asked Questions issued by FinCEN on April 3, 2018 (the “FAQs”).[3]

Other Refinements to the CDD Regulation May Impact the BSA/AML Manual

Implementation of the CDD regulation is a dynamic process and may require further refinement of these chapters as FinCEN issues further guidance. For instance, in response to concerns of the banking industry, on May 16, 2018, FinCEN issued an administrative ruling imposing a 90-day moratorium on the requirement to recertify CDD information when certificates of deposit (“CDs”) are rolled over or loans renewed (if the CDs or loans were opened before May 11, 2018). FinCEN will have further discussions with the banking industry and will decide within this 90-day period (before August 9, 2018) whether to make this temporary exception permanent.[4]

In his May 16, 2018, testimony at a House Financial Services Committee hearing on “Implementation of FinCEN’s Customer Due Diligence Rule,” FinCEN Director Kenneth Blanco suggested that FinCEN may be receptive to refinements as compliance experience is gained with the regulation. Director Blanco also indicated that there will be a period of adjustment for compliance with the regulation and that FinCEN and the regulators will not engage in “gotcha” enforcement, but are seeking “good faith compliance.”

Highlights from the New Chapters

Periodic Reviews: The BSA/AML Manual no longer expressly requires periodic CDD reviews, but suggests that regulators may still expect periodic reviews for higher risk customers. The language in the previous CDD Chapter requiring periodic CDD refresh reviews has been eliminated.[5] Consistent with FAQ 14, the new CDD Chapter states that updating CDD information will be event driven and provides a list of possible event triggers, such as red flags identified through suspicious activity monitoring or receipt of a criminal subpoena. Nevertheless, the CDD Chapter does not completely eliminate the expectation of periodic reviews for higher risk clients, stating: “Information provided by higher profile customers and their transactions should be reviewed . . . more frequently throughout the term of the relationship with the bank.”

Although this appears to be a relaxation of the expectation to conduct periodic reviews, we expect many banks will not change their current practices. For a number of years, in addition to event driven reviews, many banks have conducted periodic CDD reviews at risk based intervals because they have understood periodic reviews to be a regulatory expectation.
Lower Beneficial Ownership Thresholds: Somewhat surprisingly, nothing in the new chapters suggests that consideration should be given to obtaining beneficial ownership information at a lower threshold than 25% for certain high risk business lines or customer types. The new Beneficial Ownership Chapter simply repeats the regulatory requirement, stating that: “The beneficial ownership rule requires banks to collect beneficial ownership information at the 25 percent ownership threshold regardless of the customer’s risk profile.” The FAQs (FAQ 6 and 7) refer to the fact that a financial institution may “choose” to apply a lower threshold and that “there may be circumstances where a financial institution may determine a lower threshold may be warranted.” We understand that specifying an expectation that there should be lower beneficial ownership thresholds for certain higher risk customers was an issue that was debated among FinCEN and the bank regulators.

For a number of years, many banks have obtained beneficial ownership information at lower than 25% thresholds for high risk business lines and customers (e.g., private banking for non-resident aliens). Banks that have previously applied a lower threshold, however, should carefully evaluate any decision to raise thresholds to the 25% level in the regulation. If a bank currently applies a lower threshold, raising the threshold may attract regulatory scrutiny about whether the move was justified from a risk standpoint. Moreover, a risk-based program should address not only regulatory risk, but also money laundering risk. Therefore, banks should consider reviewing beneficial ownership at lower thresholds for certain customers and business lines, and whenever a legal entity customer has an unusually complex or opaque ownership structure for its type of customer, regardless of the business line or risk rating of the customer.
New Accounts: The new chapters do not discuss one of the most controversial and challenging requirements of the CDD rule: the requirement to verify CDD information when a customer previously subject to CDD opens a new account, including when CDs are rolled over or loans renewed. This is most likely because application of the requirement to CD rollovers and loan renewals is still under consideration by FinCEN, as discussed above.

Enhanced Due Diligence: The requirement to maintain enhanced due diligence (“EDD”) policies, procedures, and processes for higher risk customers remains, with no new suggested categories of customers that should be subject to EDD.

Risk Rating: The new CDD Chapter seems to articulate an expectation to risk rate customers: “The bank should have an understanding of the money laundering and terrorist financing risk of its customers, referred to in the rule as the customer risk profile. This concept is also commonly referred to as the customer risk rating.” The CDD Chapter, therefore, could be read as expressing for banks an expectation that goes beyond FinCEN’s expectation for all covered financial institutions in FAQ 35, which states that a customer profile “may, but need not, include a system of risk ratings or categories of customers.” It appears that banks that do not currently risk rate customers should consider doing so. Since the CDD section was first drafted in 2006 and amended in 2007, customer risk rating based on an established method with weighted risk factors has become a best and almost universal practice for banks to facilitate the AML risk assessment, CDD/EDD, and the identification of suspicious activity.

Enterprise-Wide CDD: The new CDD Chapter recognizes the CDD approach of many complex organizations that have CDD requirements and functions that cross financial institution legal entities, and the general enterprise-wide approach to BSA/AML long referenced in the BSA/AML Manual. See BSA/AML Manual, BSA/AML Compliance Program Structures Overview, at p. 155. The CDD Chapter states that a bank “may choose to implement CDD policies, procedures and processes on an enterprise-wide basis to the extent permitted by law sharing across business lines, legal entities, and with affiliate support units.”

Conclusion

Despite the CDD regulation, at its core CDD compliance is still risk based, and regulatory risk remains a concern. Every bank must carefully and continually review its CDD program against the regulatory requirements and expectations articulated in the BSA/AML Manual, as well as recent regulatory enforcement actions, the institution’s past examination and independent and compliance testing issues, and best practices of peer institutions. This review will help anticipate whether there are aspects of its CDD/EDD program that could be subject to criticism in the examination process. As the U.S. Court of Appeals for the Ninth Circuit recently recognized, detailed manuals issued by agencies with enforcement authority like the BSA/AML Manual “can put regulated banks on notice of expected conduct.” California Pacific Bank v. Federal Deposit Insurance Corporation, 885 F.3d 560, 572 (9th Cir. 2018). The BSA/AML Manual is an important and welcome roadmap, although not always as up to date, clear or detailed as banks would like it to be.

These were the first revisions to the BSA/AML Manual since 2014. We understand that additional revisions to other chapters are under consideration.

[1] May 11, 2018 also was the compliance date for the CDD regulations. The Notice of Final Rulemaking for the CDD regulation, which was published on May 11, 2016, provided a two-year implementation period. 81 Fed. Reg. 29,398 (May 11, 2016). https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf. For banks, the new regulation is set forth in the BSA regulations at 31 C.F.R. § 1010.230 (beneficial ownership requirements) and 31 C.F.R. § 1020.210(a)(5).
[2] The new chapters can be found at: https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20-%20Overview%20and%20Exam%20Procedures-FINAL.pdfw (CDD Chapter) and https://www.ffiec.gov/press/pdf/Beneficial%20Ownership%20Requirements%20for %20Legal%20Entity%20CustomersOverview-FINAL.pdf (Beneficial Ownership Chapter).

[3] Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2018-G001. https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-regarding-customer-due-0. On April 23, 2018, Gibson Dunn published a client alert on these FAQs: FinCEN Issues FAQs on Customer Due Diligence Regulation, https://www.gibsondunn.com/fincen-issues-faqs-on-customer-due-diligence-regulation/. FinCEN also issued FAQs on the regulation on September 29, 2017. https://www.fincen.gov/sites/default/files/2016-09/FAQs_for_CDD_Final_Rule_%287_15_16%29.pdf.

[4] Beneficial Ownership Requirements for Legal Entity Customers of Certain Financial Products and Services with Automatic Rollovers or Renewals, FIN-2018-R002. https://www.fincen.gov/sites/default/files/2018-05/FinCEN%20Ruling%20CD%20and%20Loan%20Rollover%20Relief_FINAL%20508-revised.pdf

[5] The BSA/AML Manual previously stated at p. 57: “CDD processes should include periodic risk-based monitoring of the customer relationship to determine if there are substantive changes to the original CDD information. . . .”

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions practice group, or the authors:

Stephanie L. Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Linda Noonan – Washington, D.C. (+1 202-887-3595, lnoonan@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

May 9, 2018
The Trump Administration Pulls the Plug on the Iran Nuclear Agreement

On May 8, 2018, President Donald Trump announced his decision to abandon the 2015 Iran nuclear deal—the Joint Comprehensive Plan of Action (the “JCPOA”)—and re-impose U.S. nuclear-related sanctions on the Iranian regime.[1] Though it came as no surprise, the decision went further than many observers had anticipated. Notably, under the terms of the JCPOA, U.S. sanctions were held in abeyance through a series of waivers that were periodically renewed by both the Obama and Trump administrations. Many commentators expected the current administration to discontinue only waivers of sanctions on the Iranian financial sector that were set to expire on May 12, 2018, leaving other sanctions untouched.[2] Instead, the Trump administration re-imposed all nuclear related sanctions on Iran, staggering the implementation over the course of the next six months. As described in an initial volley of frequently asked questions (“FAQs”) set forth by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the re-imposition of nuclear sanctions will be subject to certain 90 and 180 day wind-down periods that expire on August 6, 2018 and November 4, 2018, respectively.[3]

Background

The JCPOA

The JCPOA was a purposefully limited accord focusing only on Iran’s nuclear activities and the international community’s nuclear-related sanctions. Prior to the JCPOA, the international community, including the United Nations, the European Union, and the United States, imposed substantial sanctions on Iran of varying scope and severity. The European Union had implemented an oil embargo, and U.S. nuclear sanctions had included the “blacklisting” of more than 700 individuals and entities on OFAC’s list of Specially Designated Nationals and Blocked Persons (“SDN List”), as well as economic restrictions imposed on entities under U.S. jurisdiction (“Primary Sanctions”) and restrictions on entities outside U.S. jurisdiction (“Secondary Sanctions”). Secondary Sanctions threatened non-U.S. entities with limitations on their access to the U.S. market if they transacted with various Iranian entities. Broadly, Secondary Sanctions forced non-U.S. entities to decide whether they were going to deal with Iran or with the United States. They could not do both.

The JCPOA, signed between Iran and the five permanent members of the United Nations Security Council (the United States, the United Kingdom, France, Russia, and China) and Germany (the “P5+1”) in 2015, committed both sides to certain obligations related to Iran’s nuclear development.[4] Iran committed to various limitations on its nuclear program, and in return the international community (the P5+1 alongside the European Union and the United Nations) committed to relieving substantial portions of the sanctions that had been placed on Iran to address that country’s nuclear activities. This relief included the United States’ commitment to ease certain Secondary Sanctions, thus opening up the Iranian economy to non-U.S. persons without their having to risk access to the U.S. market in order to pursue Iranian deals. This sanctions relief came into effect in January 2016 (on “Implementation Day”) when the IAEA determined that Iran was compliant with the initial nuclear components of the JCPOA.

Criticism of the Deal

Donald Trump made his opposition to the JCPOA a cornerstone of his presidential campaign. On occasions too numerous to count, then candidate and now President Trump criticized the deal and indicated his intent to withdraw from the JCPOA unless it was “fixed” to address his concerns, including the deal’s silence on Iran’s ballistic missile development and the existence of certain “sunset provisions” (after which any remaining sanctions would be permanently lifted).[5]

There were at least two challenges built into the JCPOA that critics—including President Trump—have seized upon.
First, in an effort to reach an agreement to limit Iran’s nuclear capabilities, the Obama administration and other JCPOA parties not only included “sunset” provisions in the accord, after which certain restrictions on Iran would be lifted, but also drew a distinction between Iran’s compliance with the nuclear deal and its conduct in other areas (including its support for groups the United States deems terrorists, its repression of its citizens, its support for Syrian President Bashar al-Assad, and its conventional weapons development programs). Supporters of the deal argued that addressing the immediate nuclear weapons risk was paramount; this necessitated both the sunset provisions and the decision not to address other troubling activities. Critics of the deal, however, including some powerful Congressional leaders and President Trump, derided these compromises and claimed not only that the sunset periods were too brief to be meaningful, but also that by ignoring non-nuclear issues Iran was given both a free pass to continue its bad behavior and indeed the ability to fund that bad behavior out of proceeds received from the nuclear-related sanctions relief.

A second challenge to the deal came from the fact that while the other parties to the JCPOA agreed to remove almost all of their sanctions on Iran, U.S. relief was far more surgical and reversible. This was recognized by all parties to the JCPOA, but so long as President Obama (or a successor with similar political views) was in office, it was thought to be a manageable limitation. One of the key limits to the U.S. relief was that U.S. persons—including financial institutions and companies—have remained broadly prohibited from engaging with Iran even after the JCPOA was implemented in 2016. Instead, the principal relief the U.S. offered was on the sanctions risks posed to non-U.S. parties pursuant to Secondary Sanctions and related measures. As a consequence, it has remained a challenge for non-U.S. persons to fully engage with Iran due to the continued inability to leverage U.S. banks, insurance and other institutions that remain central to the bulk of cross-border finance and trade.

Changes to U.S. Sanctions Regarding Iran

Wind-Down Periods

In conjunction with the May 8, 2018 announcement, the President issued a National Security Presidential Memorandum (“NSPM”) directing the Secretary of State and the Secretary of the Treasury to prepare immediately for the re-imposition of all of the U.S. sanctions lifted or waived in connection with the JCPOA, to be accomplished as expeditiously as possible and in no case later than 180 days from the date of the NSPM.

According to FAQs published by OFAC, the 90-day wind-down period will apply to sanctions on:[6]

The purchase and acquisition of U.S. dollar banknotes by the Government of Iran;
Gold and precious metals;
Graphite, raw or semi-finished metals such as aluminum and steel;
Coal;
Software for integrating industrial processes;
Iranian rials;
Iranian sovereign debt; and
Iran’s automobile sector.

At the end of the 90-day wind-down period, the U.S. government will also revoke authorizations to import into the United States Iranian carpets and foodstuffs and to sell to Iran commercial passenger aircraft and related parts and services.[7]

The longer 180-day wind-down period will apply to sanctions on:[8]

Iranian port operators, shipping and shipbuilding;
Petroleum-related transactions;
Transactions by foreign financial institutions with the Central Bank of Iran and designated Iranian financial institutions;
Provision of specialized financial messaging services to the Central Bank of Iran and certain Iranian financial institutions;
Underwriting services, insurance and reinsurance; and
Iran’s energy sector.

At the end of the 180-day wind-down period, the U.S. government will also revoke General License H, which authorizes foreign entities of U.S. companies to do business with Iran, and the U.S. government will re-impose sanctions against individuals and entities removed from the SDN List on Implementation Day.[9]

The nature and scope of the “wind-down” period resulted in immediate, and significant, concerns from companies seeking to comply with U.S. sanctions. OFAC has clarified that, in the event a non-U.S., non-Iranian person is owed payment after the conclusion of the wind-down period for goods or services that were provided lawfully during it, the U.S. government would allow that person to receive payment according to the terms of the written contract or written agreement.[10] Similarly, if a non-U.S., non-Iranian person is owed repayment after the expiration of the wind-down periods for loans or credits extended to an Iranian counterparty prior to the end of the 90-day or 180-day wind-down period, as applicable, the U.S. government would allow that person to receive repayment of the related debt or obligation according to the terms of the written contract or written agreement, provided that such loans or credits were extended pursuant to a written contract or written agreement entered into prior to May 8, 2018, and such activities were consistent with U.S. sanctions in effect at the time the loans or credits were extended.[11] These allowances are designed to make such parties whole for debts and obligations owed or due to them for goods or services fully provided or delivered, or loans or credit extended, to an Iranian party prior to the end of the wind-down periods. Notably, any payments would need to be consistent with U.S. sanctions, including that payments could not involve U.S. persons or the U.S. financial system, unless the transactions are exempt from regulation or authorized by OFAC.[12]

Changes to the SDN List

In assessing the impact of the “re-designations” under the SDN List, it is useful to note the restrictions that remained in place after the JCPOA was implemented.
For example, although they were not classified as SDNs, the property and interests in property of persons of the Government of Iran and Iranian financial institutions remained blocked if they are in or come within the United States or if they are in or come within the possession or control of a U.S. person, wherever located. As a result, U.S. persons were broadly prohibited from engaging in transactions or dealing with the Government of Iran and Iranian financial institutions, while non-U.S. persons could deal with them in non-dollar currencies.[13] But under the new policy, such persons will be moved to the SDN List, which means that non-U.S. persons who continue to deal with them will be subject to Secondary Sanctions.[14] OFAC indicated that it will not add such persons to the SDN List immediately, so as “to allow for the orderly wind down by non-U.S., non-Iranian persons of activities that had been undertaken” consistent with the prior regulations. This change will happen no later than November 5, 2018.[15]

Diplomatic Next Steps

Yesterday’s announcement followed significant diplomatic efforts to save the deal. Trump’s January 2018 announcement that he would extend existing waivers until May 2018 set off a feverish round of negotiations with European partners, culminating in recent visits by French President Emmanuel Macron and German Chancellor Angela Merkel to try to persuade the Trump administration to remain in the deal. Many expect those negotiations to continue, as the global community is significantly more exposed to the Iranian market than U.S. persons, who continued to be subject to sanctions post-JCPOA. Indeed, since sanctions were suspended in early 2016, Iran’s oil exports have increased dramatically, reaching approximately two million barrels per day in 2017.
European imports from Iran rose by nearly 800 percent between 2015 and 2017 (primarily imports of Iranian oil), while European exports to Iran rose by more than four billion euros ($5 billion) annually over the same period.[16] Major European companies have also resumed investing in Iran—France’s Total has announced plans to invest $1 billion in one of Iran’s largest offshore gas fields.[17] Early press reports following President Trump’s May 2018 announcement, if accurate, suggest that Iran and the other JCPOA parties remain committed to the underlying deal and plan to begin prompt negotiations to salvage the JCPOA.[18]

Because full re-imposition of U.S. sanctions is not scheduled to take effect for another six months, it is entirely possible that the announcement by President Trump will serve as an impetus to negotiations that bring Iran and the rest of the P5+1 to the table. Such an approach could mirror the Trump administration’s recent tactics with respect to steel and aluminum tariffs, where a splashy public announcement is followed by a series of repeated extensions as the administration seeks to extract further concessions. One point of leverage the EU may have in these negotiations is the possibility of extending the existing “Blocking Regulation,”[19] which makes it unlawful for EU persons to comply with a specific list of U.S. sanctions laws against Cuba, Libya and Iran as of 1996. That list could be extended to capture the U.S. sanctions against Iran in respect of which the JCPOA offered relief. This possibility has been mentioned by senior EU officials a number of times since late last year, including by the EU ambassador to the United States in September 2017,[20] and by the head of the Iranian Taskforce in the EU’s External Action Service in February 2018.[21]

For now, the EU remains committed to the deal.
On the same day that President Trump announced the change in Iran sanctions policy, European Union High Representative and Vice-President Federica Mogherini remarked that “[a]s long as Iran continues to implement its nuclear related commitments, as it is doing so far, the European Union will remain committed to the continued full and effective implementation of the nuclear deal. . . . The lifting of nuclear related sanctions is an essential part of the agreement. The European Union has repeatedly stressed that the lifting of nuclear related sanctions has not only a positive impact on trade and economic relations with Iran, but also and mainly crucial benefits for the Iranian people. The European Union is fully committed to ensuring that this continues to be delivered on.”[22]

Notably, the Trump administration may be hard pressed to convince Iran’s most significant trading partners—many of whom are mired in disputes with the United States—to add pressure on Tehran. China and India are Iran’s largest importers, and China appears particularly unlikely to reduce its reliance on Iranian oil given heightened tensions between Beijing and Washington over bilateral trade and investment issues. Furthermore, the Trump administration would need to convince Russia to halt plans to invest potentially tens of billions of dollars in Iran’s oil and gas sector, and the Trump administration’s strained ties with Turkey make it far from clear that Turkey would cooperate with renewed U.S. pressure on Iran.[23] Moreover, the expected rise in oil prices as a result of the withdrawal is seen as a boon to Russia, whose economy is heavily dependent on petroleum and natural gas exports.

By contrast, U.S. allies in the Middle East, led by Israel and Saudi Arabia, support the Trump administration and have argued that Iran threatens their own national security.
Last week Israeli Prime Minister Benjamin Netanyahu unveiled documents regarding Iran’s covert nuclear weapons project from the 1990s as proof that Iran lied about the extent of its program, a move that was widely criticized as an effort to influence U.S. public opinion with information that was already widely known and had provided the impetus for the negotiations in the first place. The U.S. intelligence community had confirmed that the weapons program ended in 2003.

Furthermore, the Trump administration could have a difficult time persuading countries to cut commercial ties with Iran in the absence of any international legal basis for doing so. Although U.S. sanctions on Iran have more force than United Nations sanctions, the latter created an important international framework that the United States and other countries could expand on. Most of these sanctions were repealed with the passage of UN Security Council Resolution 2231 (2015), which endorsed the JCPOA. The “snapback” mechanism in UNSCR 2231 would enable the United States to unilaterally require the restoration of UN sanctions on Iran under international law. But as the UN’s nuclear watchdog has repeatedly confirmed Iran’s compliance with the JCPOA’s nuclear terms, the diplomatic costs of unilaterally requiring UN sanctions’ reactivation would likely outweigh any benefits.[24]

Although the JCPOA contains no provisions for withdrawal, Iran has long threatened to resume its nuclear program if the United States reneges on its obligations by reinstituting sanctions.[25] In the immediate aftermath of the Trump administration’s May 8 announcement, however, Iranian President Hassan Rouhani said that his government remains committed to maintaining the nuclear deal with other world powers. The Iranian leader said he had directed his diplomats to negotiate with the deal’s remaining signatories—including European countries, Russia and China—and that the JCPOA could survive without the United States.
Rouhani, who had made the deal his signature achievement, faces stiff pressure from the hardline elements within Iran who objected to the deal. If Iran resumes uranium enrichment activities, that could move the European parties to walk away from the negotiating table, thereby dooming the JCPOA on which President Rouhani has staked so much political capital and empowering more hardline elements within the Iranian regime.[26]

Conclusion

Although many expect negotiations regarding the fate of the JCPOA to continue over the next six months, the outcome of such deliberations is highly uncertain. Notably, it took the combined efforts of the Bush and Obama administrations to convince foreign governments and companies to join the United States in imposing sanctions on Iran, and such coordinated actions are unlikely to be replicated in the wake of leaving the JCPOA. As the Trump administration negotiates with the rest of the parties to the JCPOA, it is possible that the U.S. administration may exercise discretion and decline to bring enforcement actions against non-U.S. persons that continue to do business with Iran. That would mitigate the immediate impact of re-imposing sanctions.

The precise nature of any EU response remains to be seen. Although potential blocking regulations may serve as leverage in negotiations, the impact would be severe for European companies seeking to comply with both U.S. and European laws. Whether the position of the United Kingdom will remain aligned with its European partners once it has left the EU is another imponderable,[27] although the U.K., French and German governments have projected a united front in re-affirming their commitment to the JCPOA,[28] and the U.K. is a signatory to the JCPOA separate from its status as an EU member state. Further strains to the U.S.–EU relationship are likely if the U.S. were to bring enforcement actions against EU persons for alleged breaches of re-imposed sanctions.
The EU has stated that “it is determined to act in accordance with its security interests and to protect its economic investments.”[29] However, what this might mean in practice remains unclear.

[1] Press Release, White House, Remarks by President Trump on the Joint Comprehensive Plan of Action (May 8, 2018), available at https://www.whitehouse.gov/briefings-statements/remarks-president-trump-joint-comprehensive-plan-action; see also Presidential Memorandum, Ceasing U.S. Participation in the JCPOA and Taking Additional Action to Counter Iran’s Malign Influence and Deny Iran All Paths to a Nuclear Weapon (May 8, 2018), available at https://www.whitehouse.gov/presidential-actions/ceasing-u-s-participation-jcpoa-taking-additional-action-counter-irans-malign-influence-deny-iran-paths-nuclear-weapon.

[2] These sanctions were enacted on the last day of 2011, when President Obama signed into law the National Defense Authorization Act for Fiscal Year 2012 (“NDAA”). Included within the NDAA is a measure that designated the entire Iranian financial sector as a primary money laundering concern, which effectively required the President to freeze the assets of Iranian financial institutions and prohibit all transactions with respect to Iranian financial institutions’ property and interests in property if the property or interest in property comes within the United States’ jurisdiction or the possession and control of a United States person. In addition, the measure broadly authorized the President to impose sanctions on the Central Bank of Iran.

[3] Press Release, U.S. Dep’t of Treasury, Statement by Secretary Steven T. Mnuchin on Iran Decision (May 8, 2018), available at https://home.treasury.gov/news/press-releases/sm0382.

[4] U.S. Dep’t of State, Joint Comprehensive Plan of Action (July 14, 2015), available at https://www.state.gov/documents/organization/245317.pdf.

[5] Press Release, White House, Statement by the President on the Iran Nuclear Deal (Jan. 12, 2018), available at https://www.whitehouse.gov/briefings-statements/statement-president-iran-nuclear-deal.

[6] U.S. Dep’t of Treasury, Frequently Asked Questions Regarding the Re-Imposition of Sanctions Pursuant to the May 8, 2018 National Security Presidential Memorandum Relating to the Joint Comprehensive Plan of Action (JCPOA) (May 8, 2018), available at https://www.treasury.gov/resource-center/sanctions/Programs/Documents/jcpoa_winddown_faqs.pdf, FAQ No. 1.2.

[7] Id.

[8] OFAC FAQ No. 1.3.

[9] Id.

[10] OFAC FAQ No. 2.1.

[11] Id.

[12] Id.

[13] E.O. 13599, 77 Fed. Reg. 6659 (Feb. 5, 2012); U.S. Dep’t of Treasury, Resource Center, OFAC, JCPOA-related Designation Removals, JCPOA Designation Updates, Foreign Sanctions Evaders Removals, NS-ISA List Removals; 13599 List Changes (Jan. 16, 2016), available at https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/updated_names.aspx.

[14] OFAC FAQ No. 3.

[15] Id. (“Beginning on November 5, 2018, activities with most persons moved from the E.O. 13599 List to the SDN List will be subject to secondary sanctions. Such persons will have a notation of ‘Additional Sanctions Information – Subject to Secondary Sanctions’ in their SDN List entry.”)

[16] Peter Harrell, The Challenge of Reinstating Sanctions Against Iran, Foreign Affairs (May 4, 2018), available at https://www.foreignaffairs.com/articles/iran/2018-05-04/challenge-reinstating-sanctions-against-iran?cid=int-fls&pgtype=hpg.

[17] Id.

[18] See, e.g., Erin Cunningham & Bijan Sabbagh, Iran to Negotiate with Europeans, Russia and China about Remaining in Nuclear Deal, Wash. Post (May 8, 2018), available at https://wapo.st/2HWaI9w?tid=ss_tw&utm_term=.ed12421ad6a6; James McAuley, After Trump Says U.S. Will Withdraw from Iran Deal, Allies Say They’ll Try to Save It, Wash. Post (May 8, 2018), available at https://wapo.st/2rokYfI?tid=ss_tw&utm_term=.291cd9490f2e.

[19] Council Regulation (EC) No 2271/96 of 22 November 1996 protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom.

[20] Jessica Schulberg, Europe Considering Blocking Iran Sanctions if U.S. Leaves Nuclear Deal, EU Ambassador Says, Huffington Post (Sept. 26, 2017), available at https://www.huffingtonpost.co.uk/entry/europe-iran-sanctions-nuclear-deal_us_59c9772ce4b0cdc77333e758.

[21] John Irish & Parisa Hafezi, EU could impose blocking regulations if U.S. pulls out of Iran deal, Reuters (Feb. 8, 2018), available at https://uk.reuters.com/article/uk-iran-nuclear-eu/eu-could-impose-blocking-regulations-if-u-s-pulls-out-of-iran-deal-idUKKBN1FS2F0.

[22] Press Release, European Union External Action Service, Remarks by HR/VP Mogherini on the statement by US President Trump regarding the Iran nuclear deal (JCPOA) (May 8, 2018).

[23] Harrell, see supra n. 16.

[24] Id.

[25] The last sentence of the JCPOA expressly provides: “Iran has stated that if sanctions are reinstated in whole or in part, Iran will treat that as grounds to cease performing its commitments under this JCPOA in whole or in part.”

[26] See Erin Cunningham & Bijan Sabbagh, Iran to Negotiate with Europeans, Russia and China about Remaining in Nuclear Deal, Wash. Post (May 8, 2018), available at https://wapo.st/2HWaI9w?tid=ss_tw&utm_term=.ed12421ad6a6; James McAuley, After Trump Says U.S. Will Withdraw from Iran Deal, Allies Say They’ll Try to Save It, Wash. Post (May 8, 2018), available at https://wapo.st/2rokYfI?tid=ss_tw&utm_term=.291cd9490f2e.

[27] While the U.K. is currently in the EU, it will be leaving the EU shortly, at which time it may seek to negotiate trade deals with a variety of governments.
Particularly if negotiations over the U.K.’s exit from the EU were to become fractious, it is possible a post-Brexit U.K. could use its stance on the JCPOA as a bargaining counter in negotiations with the Trump administration over a new U.K.–U.S. trade deal. [28]   Press Release, U.K. Prime Minister’s Office, Joint statement from Prime Minister May, Chancellor Merkel and President Macron following President Trump’s statement on Iran (May 8, 2018), available at https://www.gov.uk/government/news/joint-statement-from-prime-minister-may-chancellor-merkel-and-president-macron-following-president-trumps-statement-on-iran. [29]   Press Release, EU External Action Serv., Remarks by HR/VP Mogherini on the statement by US President Trump regarding the Iran nuclear deal (JCPOA) (May 8, 2018. The following Gibson Dunn lawyers assisted in preparing this client update: Judith Alison Lee, Adam Smith, Patrick Doris, Mark Handley, Stephanie Connor, Richard Roeder, and Scott Toussaint. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments.  Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade Group: United States: Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com) Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com) Jose W. Fernandez – New York (+1 212-351-2376, jfernandez@gibsondunn.com) Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com) Daniel P. Chung – Washington, D.C. (+1 202-887-3729, dchung@gibsondunn.com) Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com) Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com) Stephanie L. Connor – Washington, D.C. 
(+1 202-955-8586, sconnor@gibsondunn.com) Kamola Kobildjanova – Palo Alto (+1 650-849-5291, kkobildjanova@gibsondunn.com) Courtney M. Brown – Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com) Laura R. Cole – Washington, D.C. (+1 202-887-3787, lcole@gibsondunn.com) Scott R. Toussaint – Palo Alto (+1 650-849-5320, stoussaint@gibsondunn.com) Europe: Peter Alexiadis – Brussels (+32 2 554 72 00, palexiadis@gibsondunn.com) Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com) Patrick Doris – London (+44 (0)207 071 4276, pdoris@gibsondunn.com) Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com) Mark Handley – London (+44 (0)207 071 4277, mhandley@gibsondunn.com) Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com) Richard W. Roeder – Munich (+49 89 189 33-160, rroeder@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

May 4, 2018 |
Efforts to Strengthen U.S. Public Capital Markets Continue – New SIFMA Report Provides Recommendations to Help More Companies Go and Stay Public

On April 27, 2018, the Securities Industry and Financial Markets Association (“SIFMA”), the leading industry group representing broker-dealers, banks and asset managers, along with other securities industry related groups, released a report called “Expanding the On-Ramp: Recommendations to Help More Companies Go and Stay Public” (the “Report”).[1] In response to the decline in the number of IPOs and the number of public companies generally in the United States over the last twenty years, the Report provides recommendations aimed at reducing perceived impediments to becoming and remaining a public company.

As the Report notes, the United States is now home to only about half the number of public companies that existed 20 years ago. This decline is believed to have had adverse repercussions for the American economy generally, and the jobs market specifically. For example, the Report cites a 2010 study by IHS Global Insight suggesting that, generally speaking, 92% of a company’s job growth occurs after it completes an IPO.[2] In addition, the growth of private capital markets at the expense of public capital markets has raised concerns that individual investors are being marginalized. More specifically, as many of the most innovative companies in the U.S. stay private longer and raise significant amounts of capital privately, the returns generated by such companies appear to accrue disproportionally to institutional, high net worth and other similar investors. As Securities and Exchange Commission (the “SEC”) Chairman Jay Clayton noted in a July 2017 speech, “the reduction in the number of U.S.-listed public companies is a serious issue for our markets and the country more generally. To the extent companies are eschewing our public markets, the vast majority of main street investors will be unable to participate in their growth. The potential lasting effects of such an outcome to the economy and society are, in two words, not good.”

To remedy this decline, the Report makes recommendations in five areas:

1. enhance several provisions of the Jumpstart Our Business Startups Act (the “JOBS Act”);
2. encourage more research on emerging growth companies (“EGCs”)[3] and other small public companies;
3. improve certain corporate governance, disclosure, and other regulatory requirements;
4. address concerns relating to financial reporting; and
5. tailor the equity market structure for small public companies.

1. Enhancing the JOBS Act

Over the past six years, the JOBS Act has demonstrated that rules and regulations around capital raising can be modernized while maintaining investor protections. Its accommodations have been widely adopted. The Report sets forth four recommendations to further enhance some of the key provisions of the JOBS Act:

Extend Title I “on-ramp provisions.”

The JOBS Act Title I “on-ramp” provisions provide a number of significant benefits to EGCs, including confidential review of registration statements and streamlined financial and executive compensation disclosure requirements, among others. The Report recommends that the benefits available to EGCs be extended from 5 years to 10 years after a company goes public. The “on-ramp” provisions have been widely utilized by EGCs since enactment. By increasing the length of time these benefits are available, the Report argues that even more companies may consider going public.

Expand the “testing the waters” exemption to all issuers.

The Report recommends that Section 5(d) of the Securities Act of 1933 (the “Securities Act”) be modified to permit all issuers, not just EGCs, to engage in “testing the waters” communications with qualified institutional buyers (“QIBs”) or institutional accredited investors to determine interest in a securities offering. Consistent with this, in April 2018, SEC Director of Corporation Finance Bill Hinman reported to a congressional committee that the SEC is planning to expand the “testing the waters” benefit to all companies. This change would allow companies to better understand investor interest prior to undertaking the expense of an IPO.

Increase exemption for reporting on adequacy of internal controls from 5 to 10 years for EGCs.

The JOBS Act gives EGCs a five-year exemption from Section 404(b) of the Sarbanes-Oxley Act, which requires external auditors to attest to the adequacy of the company’s internal control on financial reporting. The Report recommends that this be extended from 5 years to 10 years for EGCs that have less than $50 million in revenue and less than $700 million in public float. This change is designed to ensure that internal control reporting requirements, and associated costs, are appropriately scaled to the size of the company.

Remove “phase out” rules relating to EGC status.

The Report argues that the “phase out” rules related to EGC status should be removed, specifically given the overlap in certain status designations (e.g., companies that qualify as both a large accelerated filer and an EGC face uncertainty as to their status after going public; see Section 4 below). Instead, issuers should be allowed to maintain their EGC status based on the JOBS Act definition. The Report suggests that the SEC could still set a public float or other threshold requirement to limit the size of company that could benefit from the change in phase out triggers.[4]

2. Encourage More Research

Research coverage can increase interest from investors in a company, and a lack of research coverage can adversely impact liquidity for certain companies. However, the Report notes that 61% of all companies listed on a major exchange with less than a $100 million market capitalization have no research coverage. To address this disparity, the Report makes the following three recommendations:

Amend the Securities Act Rule 139 research safe harbor to allow continuing research coverage for all issuers during an offering.

The Report recommends that Rule 139 of the Securities Act be amended to provide that continued research analyst coverage does not constitute an offer or sale of securities, before, during, or after an offering by such issuer, regardless of whether the publishing broker-dealer is also an underwriter in the offering. Currently, only issuers who are eligible to use Form S-3 qualify for the Rule 139 safe harbor. As the Report notes, if an analyst has already been covering an issuer, there is no obvious logic to distinguishing companies that are S-3 eligible for the purposes of research coverage.

Allow investment banking and research analysts to attend “pitch” meetings together.

While the JOBS Act permits investment banks and analysts to jointly attend pitch meetings, given other restrictions on the content of what those discussions may contain, bankers and analysts typically refrain from jointly attending pitch meetings with IPO candidates. The Report proposes that the SEC consider the removal of barriers prohibiting investment banks and analysts from jointly attending these meetings, as long as no direct or indirect promise of favorable research is given. The Report also endorses reviewing the 2003 global research settlement between many large investment banks and the SEC, self-regulatory organizations, such as the Financial Industry Regulatory Authority (“FINRA”), and other regulators regarding research analyst conflicts of interest (the “Global Research Settlement”). The Global Research Settlement precludes settling firms from having research analysts attend EGC IPO pitch meetings, irrespective of the regulatory easing afforded by the JOBS Act.[5]

Investigate why pre-IPO research remains limited.

Despite the liberalization of “gun jumping” rules related to research as part of the JOBS Act, the Report states that very few investment banks have published any pre-IPO research. The Report urges the SEC to investigate why the JOBS Act has not led to an increase in pre-IPO research. This may be due to existing FINRA rules, the Global Research Settlement, and federal and state law liability concerns. The Report advocates for the SEC to examine this issue in an effort to increase pre-IPO research coverage.

3. Improve Certain Corporate Governance, Disclosure and Other Regulatory Requirements

According to the 2011 IPO Task Force, a group convened in response to a capital access roundtable sponsored by the Department of the Treasury, 92% of U.S. public company CEOs have found the “administrative burden of public reporting” to be a significant barrier to completing an IPO. In addition, pressure from activist investors (often supported by proxy advisory firms) can distract management from carrying out their management duties, which in turn costs shareholders. In response to these and other pressures, the Report recommends the following eleven improvements to help deal with some of these issues:

Institute reasonable and effective SEC oversight of proxy advisory firms.

Proxy advisory firms have become so influential over public companies that they have in essence become the standard setters for corporate governance. Two advisory firms effectively control the market: Institutional Shareholder Services (“ISS”) and Glass Lewis. According to the Report, these firms operate with significant conflicts of interest and lack transparency, discouraging small and midsized companies from tapping into the public markets. Legislation introduced in December 2017 would require proxy advisory firms to register with the SEC and to (1) disclose and manage their conflicts of interest, (2) provide issuers with reasonable time to respond to errors or flaws in advisory voting recommendations, and (3) demonstrate that they have the proper expertise to make accurate and objective recommendations. The Report endorses the passage of this or similar legislation, and at a minimum, recommends the SEC’s withdrawal of the Egan-Jones Proxy Services (avail. May 27, 2004) and Institutional Shareholder Services, Inc. (avail. Sept. 15, 2004) no-action letters that minimize scrutiny of proxy advisory firms with respect to conflicts of interest.

Reform shareholder proposal “resubmission thresholds” under Rule 14a-8 of the Securities Exchange Act of 1934 (the “Exchange Act”) to facilitate more meaningful shareholder engagement with management.

Rule 14a-8 allows shareholders who own a relatively small amount of company shares to include qualifying proposals in a company’s proxy materials. Under current law, Rule 14a-8(i)(12) (the “Resubmission Rule”) allows companies to exclude certain shareholder proposals that were voted on in recent years. Specifically, a company may exclude a resubmitted proposal if in the last five years the proposal:

- was voted on once and received less than 3% of votes cast;
- was voted on twice and received less than 6% of votes cast the last time it was voted on; or
- was voted on three or more times and received less than 10% of votes cast the last time it was voted on.

The Report asserts that the proxy process is currently subject to abuse by a “minority of special interests that use it to advance idiosyncratic agendas.” The Report argues that raising these resubmission thresholds, as the SEC proposed in 1997 (6%, 15%, and 30%), is a “good starting point” to modernize the SEC’s shareholder proposal system. The Report also notes that the SEC should withdraw Staff Legal Bulletin 14H (Oct. 22, 2015), which effectively declawed Rule 14a-8(i)(9), which allowed companies to exclude certain shareholder proposals that directly conflict with a management proposal.

Simplify quarterly reporting requirements.

Due to the increased size and complexity of annual (Form 10-K) and quarterly (Form 10-Q) reports, compliance has become increasingly costly and more difficult, especially for smaller companies. The Report recommends granting EGCs the option of issuing a press release that includes quarterly earnings results in lieu of a full Form 10-Q. This approach would simplify the quarterly reporting process for EGCs and reduce the burdens related to financial quarterly reporting, while at the same time still providing investors with necessary material information.

The “materiality” standard for corporate disclosure should be maintained and certain disclosure requirements should be scaled for EGCs.

The Report suggests that the SEC should maintain the longstanding “materiality” standard with respect to corporate disclosures. The Report points to the conflict minerals and pay ratio rules under the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) as examples of disclosure requirements that veer the application of securities laws away from their original mission to provide material information to investors. The Report also recommends that policymakers continue to scale down disclosure requirements for EGCs. For example, the Report proposes exempting EGCs from conflict minerals, mine safety, and resource extraction disclosures implemented under the Dodd-Frank Act.

Allow purchases of EGC shares to be qualifying investments for purposes of Registered Investment Adviser (“RIA”) exemption determinations.

Under the Dodd-Frank Act, venture capital funds were meant to be exempt from certain costs and requirements to become an RIA. However, the definition of “venture capital fund” under the Investment Advisers Act is viewed by the Report as narrow, which limits the ability of these funds to invest in EGCs. The Report argues that shares of EGCs should be considered qualifying investments, which would potentially expand investment in EGCs.

Allow issuers of all sizes to be eligible to use Forms S-3 and F-3 for shelf registration.

Many EGCs and small issuers are precluded from using the simplified registration statement Forms S-3 and F-3, which allow faster and cheaper access to public capital markets. The Report, along with the SEC’s Annual Government-Business Forum on Small Business Capital Formation, recommends that all issuers be allowed to use Forms S-3 and F-3.[6] In addition, the Report suggests eliminating the “baby-shelf” rules applicable to companies with a public float of less than $75 million, which limit the amount of capital a small-market cap company can raise using a shelf registration statement.

Address unlawful activity related to short sales.

There are currently no disclosure requirements applicable to investors who take short positions in publicly registered stock. Although short selling can have positive effects on the overall market, the Report argues that such transactions can also lead to abusive activity that unduly harms investors or the reputation of a company. The Report recommends that the SEC continue to take action against market manipulators who engage in unlawful activity that harms the market and ensure that there is sufficient public information with respect to potential market manipulation.

Allow prospective underwriters to make offers of well-known seasoned issuer securities in advance of filing a registration statement.

Since 2005, “well-known seasoned issuers” (or “WKSIs”) have been permitted to engage in oral or written communications in accordance with Securities Act Rule 163 in advance of filing a registration statement without violating “gun jumping” rules. The SEC proposed an amendment in 2009 that would permit underwriters or dealers to engage in communications “by or on behalf of” WKSIs under similar circumstances, which would allow WKSIs to better gauge investor interest and market conditions prior to an offering. The Report argues that this amendment should be enacted.

Make eXtensible Business Reporting Language (“XBRL”) compliance optional for EGCs, smaller reporting companies (“SRCs”), and non-accelerated filers.

Public companies are required to provide financial statements in XBRL, which imposes significant costs on EGCs and SRCs and, in the view of the Report, provides minimal benefit to investors. Accordingly, the Report recommends exempting EGCs, SRCs, and non-accelerated filers from XBRL reporting requirements.

Increase the diversified funds limit for mutual funds’ position in companies from the current 10% of voting shares to 15%.

Due to the increased size of mutual funds, the diversified fund thresholds have limited mutual funds’ ability to take meaningful positions in small-cap companies. The Report argues that moving the threshold up from 10% to 15% would make investments in EGCs and other small-cap companies more attractive to mutual funds.

Allow disclosure of selling stockholders to be done on a group basis.

The Report recommends that disclosure of selling stockholders in registration statements should be permitted on a group or aggregate basis if each selling stockholder (1) is not a director or named executive officer of the registrant, and (2) holds less than 1% of outstanding shares.

4. Financial Reporting

The SEC should consider aligning the SRC definition with the definition of a non-accelerated filer and institute a revenue-only test for pre- or low-revenue companies that may be highly valued.

In 2016, the SEC proposed increasing the public float cap for SRCs from $75 million to $250 million, but did not do so with respect to non-accelerated filers that are subject to the same limit. In the Report’s view, raising this cap for SRCs would help promote capital formation and reduce compliance costs for small companies, including scaled disclosure obligations under Regulation S-K for SRCs. In addition, consideration should be given to whether the exemption available to non-accelerated filers from the requirement for auditor attestation over internal controls should also be extended to SRCs. In particular, the Report points out that many companies may still choose to comply with auditor attestation requirements, noting that shareholders could also encourage issuers to maintain internal control systems similar to those called for by Sarbanes-Oxley Section 404(b). In addition, the 2016 SRC proposal introduced an alternative “revenue only” test for companies to qualify as an SRC if the company had less than $100 million in revenue, regardless of its public float. The Report proposes that a revenue-only test should be considered as an alternative standard.

Modernize the Public Company Accounting Oversight Board (“PCAOB”) inspection process related to internal control over financial reporting (“ICFR”).

In 2007, the SEC issued Commission Guidance Regarding Management’s Report on Internal Controls over Financial Reporting under Section 13(a) or 15(d) of the Exchange Act (the “2007 Guidance”). The 2007 Guidance was meant to allow companies to prioritize and focus on “what matters most” in assessing ICFR, principally those material issues that pose the greatest risk of material misstatements. However, companies have continued to experience unintended ICFR-related burdens due to audit processes and PCAOB inspections. The 2007 Guidance has not been effective due to changing interpretations of PCAOB standards for attestations during the inspection process. Accordingly, the Report proposes that the 2007 Guidance should be updated to ensure that it is working as originally intended. The Group also suggests that the PCAOB should consider an ICFR task force to address issues companies face as a result of the PCAOB inspection process and its consequences for audit firms and auditors. Pre- and post-implementation reviews by the PCAOB would improve audit standard setting, prevent harmful impacts, and address the unintended consequences that result from implementation of new PCAOB auditing standards.

5. Tailoring Equity Market Structure for Small Public Companies

While the overall U.S. equity markets have become more efficient due to venue competition and increased liquidity, some of these benefits have failed to reach small and mid-size stocks. The Report makes two recommendations to address market structure challenges faced by these issuers:

Examine tick sizes for EGCs and small capitalization stocks.

The Report argues that the SEC should examine the appropriate tick size, which is the minimum price movement of a trading instrument, for EGCs and small capitalization stocks. The Report notes that while stocks trading in penny increments may be an appropriate trading increment for large capitalization stocks, it may not be the best option for EGCs. This is because narrower spreads resulting from penny increments may disincentivize market makers from trading in EGCs and small capitalization stocks. Instead, individual exchanges should have the flexibility to develop tick sizes that are tailored for a limited number of stocks with distressed liquidity.[7]

Allow EGCs or small issuers with distressed liquidity the choice to opt out of unlisted trading privileges.

The Report recommends that a limited number of SRCs with distressed liquidity be able to opt out of unlisted trading privileges. This would allow these less frequently traded stocks to focus their trading on fewer exchanges, thus enabling buyers and sellers to more easily find each other, providing more liquidity in these stocks. This would also enable these companies to reduce fragmentation in trading, and simplify market making for these stocks.

Conclusion

Since at least 2012, the SEC and Congress have proposed various reforms[8] aimed at improving the attractiveness and competitiveness of the U.S. public capital markets. In the last year, consistent with Chairman Clayton’s core principles,[9] the SEC has taken steps to further expand the benefits of the JOBS Act and the FAST Act to a broader range of companies, such as allowing non-EGCs to make confidential submissions of initial registration statements, permitting all companies to confidentially submit registration statements in connection with offerings within one year of an IPO and granting more waivers of financial statement requirements. In addition, there have been a number of legislative proposals intended to further expand the benefits of the JOBS Act and the FAST Act. The Report is consistent with these themes. Congress and the SEC must now consider comprehensive reform in this vein and also consider how a complex system of regulations could be further simplified. Ultimately, a company’s decision whether to go public is driven primarily by business rationales, including valuation, liquidity and investor considerations. However, reducing the burdens of becoming and staying a public company without compromising investor protection will benefit both companies and investors, help ensure that the U.S. public capital markets remain attractive and competitive in the face of global competition, and provide more diverse investment opportunities for all investors.

[1] SIFMA, Expanding the On-Ramp: Recommendations to Help More Companies Go and Stay Public, available at https://www.sifma.org/resources/submissions/expanding-the-on-ramp-recommendations-to-help-more-companies-go-and-stay-public (last visited April 27, 2018). Other organizations joining SIFMA in the Report included, among others, the U.S. Chamber of Commerce, the National Venture Capital Association, Biotechnology Innovation Organization (Bio), Technet and Nasdaq.

[2] Id.

[3] Under the JOBS Act, EGCs are defined as companies with less than $1.07 billion of annual revenue.

[4] For a more complete discussion on the transition from EGC status, see our Alert from March 12, 2014, which is available at the following link: https://www.gibsondunn.com/emerging-from-egc-status-transition-periods-for-former-egc-issuers-to-comply-with-reporting-and-corporate-governance-requirements/

[5] For a more complete discussion of the interaction between the JOBS Act and the Global Research Settlement, see our alert from October 11, 2012, which is available at the following link: https://www.gibsondunn.com/jobs-act-finra-proposes-rule-changes-relating-to-research-analysts-and-underwriters/

[6] See generally SEC Government-Business Forum on Small Capital Business Formation, which is available at the following link: https://www.sec.gov/files/gbfor36.pdf

[7] For additional information, see the SEC’s investor alert titled “Investor Alert: Tick Size Pilot Program – What Investors Need to Know” which is available at the following link: https://www.sec.gov/oiea/investor-alerts-bulletins/ia_ticksize.html

[8] For more information, see our post from October 13, 2017 titled “SEC Proposes Amendments to Securities Regulations to Modernize and Simplify Disclosure,” which is available at the following link: https://www.gibsondunn.com/sec-proposes-amendments-to-securities-regulations-to-modernize-and-simplify-disclosure/

[9] See, e.g., “SEC to Tailor Disclosure Regime Under New Chair Clayton” (July 12, 2017), which is available at the following link: https://www.bna.com/sec-tailor-disclosure-n73014461648/

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work in the firm’s Capital Markets or Securities Regulation and Corporate Governance practice groups, or the authors:

Glenn R. Pollner – New York (+1 212-351-2333, gpollner@gibsondunn.com)
Hillary H. Holmes – Houston (+1 346-718-6602, hholmes@gibsondunn.com)
Jessica Annis – San Francisco (+1 415-393-8234, jannis@gibsondunn.com)
Nicolas H.R. Dumont – New York (+1 212-351-3837, ndumont@gibsondunn.com)
Sean Sullivan – San Francisco (+1 415-393-8275, ssullivan@gibsondunn.com)
Victor Twu – Orange County, CA (+1 949-451-3870, vtwu@gibsondunn.com)

Please also feel free to contact any of the following practice leaders:

Capital Markets Group:
Stewart L. McDowell – San Francisco (+1 415-393-8322, smcdowell@gibsondunn.com)
Peter W. Wardle – Los Angeles (+1 213-229-7242, pwardle@gibsondunn.com)
Andrew L. Fabens – New York (+1 212-351-4034, afabens@gibsondunn.com)
Hillary H. Holmes – Houston (+1 346-718-6602, hholmes@gibsondunn.com)

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

April 23, 2018 |
FinCEN Issues FAQs on Customer Due Diligence Regulation

On April 3, 2018, FinCEN issued its long-awaited Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2018-G001, https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-regarding-customer-due-0.[1] The timing of this guidance is very controversial: it was issued five weeks before the new Customer Due Diligence (“CDD”) regulation goes into effect on May 11, 2018.[2] Most covered financial institutions (banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities) already have drafted policies, procedures, and internal controls and made IT systems changes to comply with the new regulation. Covered financial institutions will need to review these FAQs carefully to ensure that their proposed CDD rule compliance measures are consistent with FinCEN’s guidance.

The guidance is set forth in 37 questions. As discussed below, some of the information is helpful, allaying financial institutions’ most significant concerns. Other FAQs confirm what FinCEN has said in recent months informally to industry groups and at conferences. A few FAQs raise additional questions, and others, particularly the FAQ on rollovers of certificates of deposit and loan renewals, are not responsive to industry concerns and may raise significant compliance burdens for covered financial institutions. The guidance reflects FinCEN’s regulatory interpretations based on discussions within the government and with financial institutions and their trade associations. The need for such extensive guidance on so many issues in the regulation illustrates the complexity of compliance and suggests that FinCEN should consider whether clarifications and technical corrections to the regulation should be made. We provide below discussion of highlights from the FAQs, including areas of continued ambiguity and uncertainty in the regulation and FAQs.
Highlights from the FAQs

FAQs 1 and 2 discuss the threshold for obtaining and verifying beneficial ownership. FinCEN states that financial institutions can “choose” to collect beneficial ownership information at a lower threshold than required under the regulation (25%), but does not acknowledge that financial institution regulators may expect a lower threshold for certain business lines or customer types, or that there may be regulatory concerns if financial institutions adjust thresholds upward to meet the BSA regulatory threshold. A covered financial institution may be in compliance with the regulatory threshold, but fall short of regulatory expectations.

FAQ 7 states that a financial institution need not re-verify the identity of a beneficial owner of a legal entity customer if that beneficial owner is an existing customer of the financial institution on whom CIP has been conducted previously, provided that the existing information is “up-to-date, accurate, and the legal entity’s customer’s representative certifies or confirms (verbally or in writing) the accuracy of the pre-existing CIP information.” The example given suggests that no steps are expected to verify that the information is up-to-date and accurate beyond the representative’s confirmation or certification. The beneficial ownership records must cross reference the individual’s CIP record.

FAQs 9-12 address one of the most controversial aspects of the regulation, about which there has been much confusion: the requirement that, when an existing customer opens a new account, a financial institution must identify and verify beneficial ownership information. FinCEN provides further clarity on what must be updated and how:

Under FAQ 10, if a legal entity customer, for which the required beneficial ownership information has been obtained for an existing account, opens a new account, the financial institution can rely on the information obtained and verified previously “provided the customer certifies or confirms (verbally or in writing) that such information is up-to-date and accurate at the time each subsequent new account is opened,” and the financial institution has no knowledge that would “reasonably call into question” the reliability of the information. The financial institution also would need to maintain a record of the certification or confirmation by the customer. There is no grace period. If an account is opened on Tuesday, and a new account is opened on Thursday, the certification or confirmation is still required. In advance planning for compliance, many financial institutions had included a grace period in their procedures.

FAQ 11 provides that, when the financial institution opens a new account or subaccount for an existing legal entity customer whose beneficial ownership has been verified, for the institution’s own recordkeeping and operational purposes and not at the customer’s request, there is no requirement to update the beneficial ownership information for the new account. This is because the account would be considered opened by the financial institution, and the requirement to update only applies to each new account opened by a customer. This is consistent with what FinCEN representatives have said at recent conferences. The FAQ specifies that this would not apply to (1) accounts or subaccounts set up to accommodate a trading strategy of a different legal entity, e.g., a subsidiary of the customer, or (2) accounts of a customer of the existing legal entity customer, “i.e., accounts (or subaccounts) through which a customer of a financial institution’s existing legal entity carries out trading activity through the financial institution without intermediation from the existing legal entity customer.” We believe the FAQ may fall far short of addressing all the concerns expressed to FinCEN on this issue by the securities industry.

FAQ 12 addresses an issue which has been a major concern to the banking industry: whether beneficial ownership information must be updated when a certificate of deposit (“CD”) is rolled over or a loan is renewed. These actions are generally not considered openings of new accounts by banks. FinCEN continues to maintain that CD rollovers or loan renewals are openings of new accounts for purposes of the CDD regulation. Therefore, the first time a CD or loan renewal for a legal entity customer occurs after May 11, 2018, the effective date of the CDD regulation, beneficial ownership information must be obtained and verified, and at each subsequent rollover or renewal, there must be confirmation that the information is current and accurate (consistent with FAQ 10), as for any other new account for an existing customer. There is an exception or alternative approach authorized in FAQ 12 “because the risk of money laundering is very low”: if, at the time of the rollover or renewal, the customer certifies its beneficial ownership information, and also agrees to notify the financial institution of any change in information in the future, no action will be required at subsequent renewals or rollovers. The response in FAQ 12 is not responsive to the concerns that have been expressed by the banking industry and will be burdensome for banks to administer. Obtaining a certification in time, without disrupting the rollover or renewal, will be challenging, and it appears that if the certification or promise to update is not obtained in time, the account may have to be closed.

FAQs 13 through 17 address another aspect of the regulation that has generated extensive discussion: when (1) beneficial ownership must be obtained for an account opened before the effective date of the regulation, or (2) beneficial ownership information must be updated on existing accounts whose beneficial ownership has been obtained and verified. Following closely what was said in the preamble to the final rule, FAQ 13 states that the obligation is triggered when a financial institution “becomes aware of information about the customer during the course of normal monitoring relevant to assessing or reassessing the risk posed by the customer, and such information indicates a possible change in beneficial ownership.” FAQ 14 clarifies somewhat what is considered normal monitoring, but it is not perfectly clear what triggers obtaining and verifying beneficial ownership. It is clear that there is no obligation to obtain or update beneficial ownership information in routine periodic CDD reviews (CDD refresh reviews) “absent specific risk-based concerns.” We would assume that means, following FAQ 13, concerns about the ownership of the customer. Beyond that, FAQ 14 is less clear. It states that the obligation is triggered “when, in the course of normal monitoring a financial institution becomes aware of information about a customer or an account, including a possible change of beneficial ownership information, relevant to assessing or reassessing the customer’s overall risk profile. Absent such a risk-related trigger or event, collecting or updating of beneficial ownership information is at the discretion of the covered financial institution.” The trigger or event may mean in the course of SAR monitoring or when conducting event-driven CDD reviews, e.g., when a subpoena is received or material negative news is identified – something that may change a risk profile. Does the obligation then arise only if the risk profile change includes a concern about whether the financial institution has accurate ownership information? That may be the intent, but is not clearly stated. If the account is being considered for closure because of the change in risk profile, would the financial institution be released from the obligation to obtain beneficial ownership? That would make sense, but is not stated. This FAQ is in need of clarification, and examples would be helpful. On another note, the language in FAQ 14 also is of interest because it may suggest, in FinCEN’s view, that periodic CDD reviews should be conducted on a risk basis, and CDD refresh reviews may not be expected for lower risk customers, as is the practice for some banks.

FAQ 18 seems to address at least partially a technical issue with the regulation that arises because SEC-registered investment advisers are excluded from the definition of legal entity customer in the regulation, but U.S. pooled investment vehicles advised by them are not excluded.[3] FAQ 18 states that, if the operator or adviser of a pooled investment vehicle is not excluded from the definition of legal entity customer under the regulation (e.g., a foreign bank), no beneficial ownership information is required to be obtained on the pooled investment vehicle under the ownership prong, but there must be compliance with the beneficial ownership control party prong, i.e., verification of the identity of a control party. A control party could be a “portfolio manager” in these situations. FinCEN describes why no ownership information is required as follows: “Because of the way the ownership of a pooled investment vehicle fluctuates, it would be impractical for covered financial institutions to collect and verify ownership identity for this type of entity.” Thus, in the case where the operator or adviser of the pooled investment vehicle is excluded from the definition of legal entity, like an SEC-registered investment adviser, it would seem not to be an expectation to obtain beneficial ownership information under the ownership prong. Nevertheless, the question of whether you need to obtain and verify the identity of a control party for a pooled investment vehicle advised by an SEC-registered investment adviser is not squarely answered in the FAQ. A technical correction to the regulation is still needed, but it is unlikely there would be regulatory or audit criticism for following the FAQ guidance, at least with respect to the ownership prong.

FAQ 19 clarifies that, when a beneficial owner is a trust (where the legal entity customer is owned more than 25% by a trust), the financial institution is only required to verify the identity of one trustee if there are multiple trustees.

FAQ 20 deals with what to do if a trust holds more than a 25% beneficial interest in a legal entity customer and the trustee is not an individual, but a legal entity, like a bank or law firm. Under the regulation, if a trust holds more than 25% beneficial ownership of a legal entity customer, the financial institution must verify the identity of the trustee to satisfy the ownership prong of the beneficial ownership requirement. The ownership prong references identification of “individuals.” Consequently, the language of the regulation does not seem to contemplate the situation where the trustee is a legal entity. FAQ 20 seems to suggest that, despite this issue with the regulation, CIP should be conducted on the legal entity trustee, but apparently on a risk basis, not in every case: “In circumstances where a natural person does not exist for purposes of the ownership/equity prong, a natural person would not be identified. However, a covered financial institution should collect identification information on the legal entity trustee as part of its CIP, consistent with the covered institution’s risk assessment and customer risk profile.” (Emphasis added.) More clarification is needed on this issue, and perhaps an amendment to the regulation to address this specific situation. Pending additional guidance, the safest course appears to be to verify the identity of the legal entity trustee consistent with CIP requirements, which may pose practical difficulties, e.g., will a law firm trustee easily provide its TIN? Presumably, CIP would not be required on any legal entity trustee that is excepted from the definition of legal entity under 31 C.F.R. § 1010.230(e)(2).

FAQ 21 addresses the question of how a financial institution verifies that a legal entity comes within one of the regulatory exceptions to the definition of legal entity customer in 31 C.F.R. § 1010.230(e)(2). The answer is that the financial institution generally can rely on information provided by the customer if it has no knowledge of facts that would reasonably call into question the reliability of the information. Nevertheless, that is not the end of the story. The FAQ provides that the financial institution also must have risk-based policies and procedures that specify the type of information it will obtain and reasonably rely on to determine eligibility for exclusions.

FAQ 24 may resolve another technical issue in the regulation. The exceptions to the definition of legal entity in the regulation refer back to the BSA CIP exemption provisions, which in turn cross reference the Currency Transaction Reporting (CTR) exemption for banks when granting so-called Tier One exemptions. One category for the CTR exemption is “listed” entities, which includes NASDAQ listed entities, but excludes NASDAQ Capital Markets Companies, i.e., this category of NASDAQ listed entity is not subject to CIP or CTR Tier One exemptions. 31 C.F.R. § 1020.315(b)(4). This carve out was not discussed in the preamble to the CDD final regulation or in FAQ 24. The FAQ simply states: “[A]ny company (other than a bank) whose common stock or analogous equity interests are listed on the New York Stock Exchange, the American Stock Exchange (currently known as the NYSE American), or NASDAQ stock exchange” is excepted from the definition of legal entity. In any event, as with the FAQ 18 issue, it would appear that a technical correction is needed on this point, but, given the FAQ, it is unlikely that a financial institution would be criticized if it treated NASDAQ Capital Markets Companies as excepted legal entities.

FAQs 32 and 33 end the speculation that the CDD regulation impacts CTR compliance. Consistent with FinCEN CTR guidance, under FAQ 32 the rule remains that, for purposes of CTR aggregation, the fact that two businesses share a common owner does not mean that a financial institution must aggregate the currency transactions of the two businesses for CTR reporting, except in the narrow situation where there is a reason to believe the businesses are not being operated separately.
Conclusion

Financial institutions and their industry groups will likely continue to seek further guidance on the most problematic issues in the CDD regulation. It is our understanding that FinCEN and the bank regulators also will address compliance with the CDD regulation in the upcoming update to the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.

Covered financial institutions already have spent, and will continue to spend, significant time and resources to meet the complex regulatory requirements and anticipated regulatory expectations. In this flurry of activity to address regulatory risk, it is essential for financial institutions to continue to consider any money laundering risk of legal entity clients and that CDD not become simply mechanical. It is not only a matter of documenting and updating all of the right information about beneficial ownership and control; financial institutions should continue to assess whether the ownership structure makes sense for the business or whether it is overly complex for the business type and purposely opaque. Also, it is important to consider whether it makes sense for a particular legal entity to be seeking a relationship with your financial institution and whether the legal entity is changing financial institutions voluntarily. CDD measures to address regulatory risk and money laundering risk overlap but are not equivalent.

[1] FinCEN also issued FAQs on the regulation on July 19, 2016. https://www.fincen.gov/sites/default/files/2016-09/FAQs_for_CDD_Final_Rule_%287_15_16%29.pdf. FINRA issued guidance on the CDD regulation in FINRA Notice to Members 17-40 (Nov. 21, 2017). http://www.finra.org/sites/default/files/notice_doc_file_ref/Regulatory-Notice-17-40.pdf.
[2] The Notice of Final Rulemaking was published on May 11, 2016 and provided a two-year implementation period. 81 Fed. Reg. 29,398 (May 11, 2016). https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf. FinCEN made some slight amendments to the rule on September 29, 2017. https://www.fincen.gov/sites/default/files/federal_register_notices/2017-09-29/CDD_Technical_Amendement_17-20777.pdf The new regulations are set forth in the BSA regulations at 31 C.F.R. § 1010.230 (beneficial ownership requirements); 31 C.F.R. § 1020.210(a)(5) (banks); 31 C.F.R. § 1023.210(b)(5) (broker-dealers); 31 C.F.R. § 1024.210(b)(4) (mutual funds); and 31 C.F.R. § 1026.210(b)(5) (futures commission merchants and introducing brokers in commodities).
[3] The regulation does not clearly address the beneficial ownership requirements for a U.S. pooled investment vehicle operated or controlled by an SEC-registered investment adviser. Pooled investment vehicles operated or advised by a “financial institution” regulated by a Federal functional regulator are not considered legal entities under the regulation. 31 C.F.R. § 1010.230(e)(2)(xi). An SEC-registered investment adviser, however, is not yet a financial institution under the BSA. Under 31 C.F.R. § 1010.230(e)(3), a pooled investment vehicle that is operated or advised by a “financial institution” not excluded from the definition of legal entity is subject to the beneficial ownership control party prong.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions practice group, or the authors:
Stephanie L. Brooker – Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
Arthur S. Long – New York (+1 212-351-2426, along@gibsondunn.com)
Linda Noonan – Washington, D.C. (+1 202-887-3595, lnoonan@gibsondunn.com)

April 12, 2018 |
Trump Administration Imposes Unprecedented Russia Sanctions

On April 6, 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) significantly enhanced the impact of sanctions against Russia by blacklisting almost 40 Russian oligarchs, officials, and their affiliated companies pursuant to Obama-era sanctions, as modified by the Countering America’s Adversaries Through Sanctions Act (“CAATSA”) of 2017. In announcing the sanctions, Treasury Secretary Steven Mnuchin cited Russia’s involvement in “a range of malign activity around the globe,” including the continued occupation of Crimea, instigation of violence in Ukraine, support of the Bashar al-Assad regime in Syria, attempts to subvert Western democracies, and malicious cyber activities.[1] Russian stocks fell sharply in response to the new measures, and the ruble depreciated almost 5 percent against the dollar.[2]

Although this is not the first time that the Trump administration has imposed sanctions against Russia, it is the most significant action taken to date. In June 2017, OFAC added 38 individuals and entities involved in the Ukraine conflict to OFAC’s list of Specially Designated Nationals (“SDNs”).[3] The April 6 sanctions added seven Russian oligarchs and 12 companies they own or control, 17 senior Russian government officials, and the primary state-owned Russian weapons trading company and its subsidiary, a Russian bank, to the SDN List.[4] These designations include major, publicly-traded companies that have been listed on the London and Hong Kong exchanges and that have thousands of customers and tens of thousands of investors throughout the world. OFAC has never designated similar companies, and the potential challenges for global companies seeking to comply with OFAC measures are substantial.

An SDN designation prohibits U.S. persons—including U.S. companies, U.S. financial institutions, and their foreign branches—from engaging in any transactions with the designees or with entities in which they hold an aggregate ownership of 50 percent or more. The designation of a small company in a regional market can be devastating for the company, but rarely would it impose meaningful collateral consequences on global markets or investors. In this case, sanctions on companies such as EN+ and RUSAL (amongst others) have already impacted a substantial portion of a core global commodity (the aluminum market) while also preventing further trades in their shares, a move that could harm pension funds, mutual funds, and other investors that have long held stakes worth billions of dollars.

To minimize the immediate disruptions, OFAC issued two time-limited general licenses (regulatory exemptions) permitting companies and individuals to undertake certain transactions to “wind down” business dealings related to the designated parties.[5] However, our assessment is that disruptions are inevitable, and the size of the sanctions targets in this case means that the general licenses will have potentially limited effect in reducing dislocations.

Background

OFAC’s April 6 designations mark a clear change in tone from the Trump administration, which had initially resisted imposing the full force of CAATSA’s sanctions. For example, as we wrote in our 2017 Year-End Sanctions Update, CAATSA required the imposition of secondary sanctions on any person the President determined to have been engaging in “a significant transaction with a person that is part, or operates for or on behalf of, the defense or intelligence sectors of the Government Russia.”[6] On the day such sanctions were to be imposed, State Department representatives provided classified briefings to Congressional leaders to explain their decision not to impose any such sanctions under CAATSA, namely because the Trump administration felt that CAATSA was already having a deterrent effect which removed any immediate need to impose sanctions.[7]

Section 241 of CAATSA also required OFAC to publish a report on January 29, 2018 identifying “the most significant senior foreign political figures and oligarchs in the Russian Federation”[8] (the “Section 241 List”). The Treasury Department issued the report shortly before midnight on the due date, publicly naming 114 senior Russian political figures and 96 oligarchs.[9] Although the report did not result in any sanctions or legal repercussions, the public naming of such persons did cause confusion for those who sought to engage with them in compliance with U.S. law.[10] However, most observers were highly critical of the list, claiming that it demonstrated that the Trump administration was failing to adequately address Congressional intent to punish Moscow. Interestingly, almost all of the oligarchs designated on April 6 originally appeared on the Section 241 List.[11]

Designations

Included among the list of sanctioned parties were seven Russian oligarchs designated for being a Russian government official or operating in the energy sector of the Russian Federation economy, and 12 companies they own or control. In its press release, OFAC warned that the 12 companies identified as owned or controlled by the designated Russian oligarchs “should not be viewed as exhaustive, and the regulated community remains responsible for compliance with OFAC’s 50 percent rule.” This rule extends U.S. sanctions prohibitions to entities owned 50 percent or more by blocked persons, even if those companies are not themselves listed by OFAC. The opacity of ownership in the Russian economy makes the 50 percent rule very difficult to operationalize. In addition, OFAC designated 17 senior Russian government officials, a state-owned company and its subsidiary. The sanctioned individuals and entities, as described by OFAC, are listed below (each SDN followed by OFAC’s description).

Designated Russian Oligarchs

1. Vladimir Bogdanov: Bogdanov is the Director General and Vice Chairman of the Board of Directors of Surgutneftegaz, a vertically integrated oil company operating in Russia. OFAC imposed sectoral sanctions on Surgutneftegaz pursuant to Directive 4 issued under E.O. 13662 in September 2014.
2. Oleg Deripaska: Deripaska has said that he does not separate himself from the Russian state. He has also acknowledged possessing a Russian diplomatic passport, and claims to have represented the Russian government in other countries. Deripaska has been investigated for money laundering, and has been accused of threatening the lives of business rivals, illegally wiretapping a government official, and taking part in extortion and racketeering. There are also allegations that Deripaska bribed a government official, ordered the murder of a businessman, and had links to a Russian organized crime group.
3. Suleiman Kerimov: Kerimov is a member of the Russian Federation Council. On November 20, 2017, Kerimov was detained in France and held for two days. He is alleged to have brought hundreds of millions of euros into France – transporting as much as 20 million euros at a time in suitcases, in addition to conducting more conventional funds transfers – without reporting the money to French tax authorities. Kerimov allegedly launders the funds through the purchase of villas. Kerimov was also accused of failing to pay 400 million euros in taxes.
4. Kirill Shamalov: Shamalov married Putin’s daughter Katerina Tikhonova in February 2013 and his fortunes drastically improved following the marriage; within 18 months, he acquired a large portion of shares of Sibur, a Russia-based company involved in oil and gas exploration, production, processing, and refining. A year later, he was able to borrow more than $1 billion through a loan from Gazprombank, a state-owned entity subject to sectoral sanctions pursuant to E.O. 13662. That same year, long-time Putin associate Gennady Timchenko, who is himself designated pursuant to E.O. 13661, sold an additional 17 percent of Sibur’s shares to Shamalov. Shortly thereafter, Kirill Shamalov joined the ranks of the billionaire elite around Putin.
5. Andrei Skoch: Skoch is a deputy of the Russian Federation’s State Duma. Skoch has longstanding ties to Russian organized criminal groups, including time spent leading one such enterprise.
6. Viktor Vekselberg: Vekselberg is the founder and Chairman of the Board of Directors of the Renova Group. The Renova Group is comprised of asset management companies and investment funds that own and manage assets in several sectors of the Russian economy, including energy. In 2016, Russian prosecutors raided Renova’s offices and arrested two associates of Vekselberg, including the company’s chief managing director and another top executive, for bribing officials connected to a power generation project in Russia.

Designated Oligarch-Owned Companies

7. B-Finance Ltd.: British Virgin Islands company owned or controlled by, directly or indirectly, Oleg Deripaska.
8. Basic Element Limited: Basic Element Limited is based in Jersey and is the private investment and management company for Deripaska’s various business interests.
9. EN+ Group: Owned or controlled by, directly or indirectly, Oleg Deripaska, B-Finance Ltd., and Basic Element Limited. EN+ Group is located in Jersey and is a leading international vertically integrated aluminum and power producer. This is a publicly traded company that has been listed, inter alia, on the London Stock Exchange.
10. EuroSibEnergo: Owned or controlled by, directly or indirectly, Oleg Deripaska and EN+ Group. EuroSibEnergo is one of the largest independent power companies in Russia, operating power plants across Russia and producing around nine percent of Russia’s total electricity.
11. United Company RUSAL PLC: Owned or controlled by, directly or indirectly, EN+ Group. United Company RUSAL PLC is based in Jersey and is one of the world’s largest aluminum producers, responsible for seven percent of global aluminum production. This is a publicly traded company that has been listed, inter alia, on the Hong Kong Stock Exchange.
12. Russian Machines: Owned or controlled by, directly or indirectly, Oleg Deripaska and Basic Element Limited. Russian Machines was established to manage the machinery assets of Basic Element Limited.
13. GAZ Group: Owned or controlled by, directly or indirectly, Oleg Deripaska and Russian Machines. GAZ Group is Russia’s leading manufacturer of commercial vehicles.
14. Agroholding Kuban: Owned or controlled by, directly or indirectly, Oleg Deripaska and Basic Element Limited.
15. Gazprom Burenie, OOO: Owned or controlled by Igor Rotenberg. Gazprom Burenie, OOO provides oil and gas exploration services in Russia.
16. NPV Engineering Open Joint Stock Company: Owned or controlled by Igor Rotenberg. NPV Engineering Open Joint Stock Company provides management and consulting services in Russia.
17. Ladoga Menedzhment, OOO: Owned or controlled by Kirill Shamalov. Ladoga Menedzhment, OOO is located in Russia and engaged in deposit banking.
18. Renova Group: Owned or controlled by Viktor Vekselberg. Renova Group, based in Russia, is comprised of investment funds and management companies operating in the energy sector, among others, in Russia’s economy.

Designated Russian State-Owned Firms

19. Rosoboroneksport: State-owned Russian weapons trading company with longstanding and ongoing ties to the Government of Syria, with billions of dollars’ worth of weapons sales over more than a decade. Rosoboroneksport is being designated under E.O. 13582 for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, the Government of Syria.
20. Russian Financial Corporation Bank (RFC Bank): Owned by Rosoboroneksport. RFC Bank is incorporated in Moscow, Russia and its operations include deposit banking activities.

Designated Russian Government Officials

21. Andrey Akimov: Chairman of the Management Board of state-owned Gazprombank.
22. Mikhail Fradkov: President of the Russian Institute for Strategic Studies (RISS), a major research and analytical center established by the President of the Russian Federation, which provides information support to the Presidential Administration, Federation Council, State Duma, and Security Council.
23. Sergey Fursenko: Member of the board of directors of Gazprom Neft, a subsidiary of state-owned Gazprom.
24. Oleg Govorun: Head of the Presidential Directorate for Social and Economic Cooperation with the Commonwealth of Independent States Member Countries. Govorun is being designated pursuant to E.O. 13661 for being an official of the Government of the Russian Federation.
25. Alexey Dyumin: Governor of the Tula region of Russia. He previously headed the Special Operations Forces, which played a key role in Russia’s purported annexation of Crimea.
26. Vladimir Kolokoltsev: Minister of Internal Affairs and General Police of the Russian Federation.
27. Konstantin Kosachev: Chairperson of the Council of the Federation Committee on Foreign Affairs.
28. Andrey Kostin: President, Chairman of the Management Board, and Member of the Supervisory Council of state-owned VTB Bank.
29. Alexey Miller: Chairman of the Management Committee and Deputy Chairman of the Board of Directors of state-owned company Gazprom.
30. Nikolai Patrushev: Secretary of the Russian Federation Security Council.
31. Vladislav Reznik: Member of the Russian State Duma.
32. Evgeniy Shkolov: Aide to the President of the Russian Federation.
33. Alexander Torshin: State Secretary – Deputy Governor of the Central Bank of the Russian Federation.
34. Vladimir Ustinov: Plenipotentiary Envoy to Russia’s Southern Federal District.
35. Timur Valiulin: Head of the General Administration for Combatting Extremism within Russia’s Ministry of Interior.
36. Alexander Zharov: Head of Roskomnadzor (the Federal Service for the Supervision of Communications, Information Technology, and Mass Media).
37. Viktor Zolotov: Director of the Federal Service of National Guard Troops and Commander of the National Guard Troops of the Russian Federation.

All assets subject to U.S. jurisdiction of the designated individuals and entities, and of any other entities blocked by operation of law as a result of their ownership by a sanctioned party, are frozen, and U.S. persons are generally prohibited from dealings with them. OFAC’s Frequently Asked Questions (“FAQs”) make clear that if a blocked person owns less than 50 percent of a U.S. company, the U.S. company will not be blocked. However, the U.S. company (1) must block all property and interests in property in which the blocked person has an interest and (2) cannot make any payments, dividends, or disbursement of profits to the blocked person and must place them in a blocked account at a U.S. financial institution.[12]

Non-U.S. persons could face secondary sanctions for knowingly facilitating significant transactions for or on behalf of the designated individuals or entities. CAATSA strengthened the secondary sanctions measures that could be used to target such persons, although such measures typically carry less risk because, as a matter of implementation, OFAC traditionally warns those who may be transacting with parties that could subject them to secondary sanctions and provides them with an opportunity to cure. While this outreach and deterrence model of imposing secondary sanctions was developed under the Obama administration (and resulted in very few impositions of secondary sanctions), the Trump administration could theoretically change it and impose secondary sanctions without the traditional warning. However, that appears unlikely, and the Trump administration has indicated that it will continue to provide warnings before imposing secondary sanctions.
Two CAATSA provisions bear particular note as they are implicated by Friday’s actions: section 226, which authorizes sanctions on foreign financial institutions for facilitating a transaction on behalf of a Russian person on the SDN List, and section 228, which seeks to impose sanctions on a person who “facilitates a significant transaction…for or on behalf of any person subject to sanctions imposed by the United States with respect to the Russian Federation.”[13] OFAC has clarified that the section 228 provision extends to persons listed on either the SDN or the Sectoral Sanctions Identifications (“SSI”) List, as well as persons they may own or control pursuant to OFAC’s 50 percent rule.[14] As we noted when CAATSA was passed, despite the mandatory nature of these sections, the President appears to retain the discretion to impose restrictions based upon whether he finds certain transactions significant or for other reasons. With the increase in the SDN list to include major players in global commodities such as EN+ or RUSAL, more companies around the world that rely on these companies could find themselves at least theoretically at risk of being sanctioned themselves. Companies should also consider this risk where there is reliance on material produced by any company in the Russian military establishment and sold by the Russian state arms company such as Rosoboronexport, which was also sanctioned.

General Licenses

In an effort to minimize the immediate disruptions to U.S. persons and global markets (especially given the sanctioning of major publicly traded corporations that have thousands of clients and investors throughout the world), OFAC issued General Licenses 12 and 13, permitting companies to undertake certain transactions and activities to “wind down” certain business dealings related to certain, listed designated parties. These General Licenses only cover U.S. persons, which has led some non-U.S. companies to inquire whether their ability to wind down operations with respect to the SDN companies would place them at risk for secondary sanctions (as they would be engaging with sanctioned parties and perhaps trigger the CAATSA provisions above). OFAC has noted in its FAQs that the U.S. Government would not find a transaction “significant” if a U.S. person would not need a specific license to undertake it.[15] That is, it would seem that at least for the duration of the General Licenses a non-U.S. party can engage in similar wind down operations without risking secondary sanctions.

General License 12, which expires June 5, 2018, authorizes U.S. persons to engage in transactions and activities with the 12 oligarch-owned designated entities that are “ordinarily incident and necessary to the maintenance or wind down of operations, contracts, or other agreements” related to these 12 entities (as well as those entities impacted by operation of OFAC’s 50 percent rule). This is a broader wind down provision than OFAC has issued in the past in that it allows not just “wind down” activities but also undefined “maintenance” activities. Despite this breadth, it is already uncertain how this General License will actually work in practice. Permissible transactions and activities include importation from blocked entities and broader dealings with them. However, no payments may be made directly to blocked entities; rather, payments to the blocked entities listed in General License 12 can only be made into blocked, interest-bearing accounts and must be reported to OFAC by June 18, 2018 (10 business days after the expiration of the license).[16] It is not clear why a sanctioned party would wish to deliver goods and services to parties if the sanctioned party cannot be paid. In line with the FAQ noted above, for non-U.S. companies it would seem that in order to avoid secondary sanctions implications the same restrictions would apply–that is, continued transactions are permitted on a wind down basis, but transfer of funds to the SDN companies could be viewed as “significant” or otherwise sanctionable.

Recognizing how broad the sanctions are and how far they may implicate subsidiaries of SDN companies inside the United States, OFAC’s FAQs clarify that General License 12 generally permits the blocked entities listed to pay U.S. persons their salaries, pension payments, or other benefits due during the wind down period. U.S. persons employed by entities that are not explicitly listed in General License 12—principally the designated Russian state-owned entities—do not have the benefit of this wind down period. OFAC FAQs note that such U.S. persons may seek authorization from OFAC to maintain or wind down their relationships with any such blocked entity, but make clear that continued employment or board membership related to these entities is prohibited.[17] The implications of these restrictions are significant where, as is the case with the blocked entities listed in General License 12, U.S. subsidiaries exist and U.S. persons are involved throughout company operations.

General License 13, which expires May 7, 2018, similarly allows transactions and activities otherwise prohibited under the April 6 sanctions. This license allows transactions and activities necessary to “divest or transfer debt, equity, or other holdings” in three designated Russia entities: EN+ Group PLC, GAZ Group, and United Company RUSAL PLC. Permitted transactions include facilitating, clearing, and settling transactions.
General License 13, however, does not permit any divestment or transfer to a blocked person, including the three entities listed in General License 13.[18] As with General License 12, transactions permitted under General License 13 must be reported to OFAC within 10 business days after the expiration of the license. Once again, it is uncertain how the General License will work in practice. Given the designations, which have depressed the share prices of the sanctioned parties, it is unknown who might be willing to purchase the shares even if U.S. holders are permitted to sell them.

Other Ramifications for Investors, Supply Chains, and Customers

The April 6 sanctions raise other significant questions and practical challenges for U.S. and non-U.S. companies, with particular risks for investors as well as the manufacturers, suppliers, and customers of the SDN companies. Investors and fund managers will need to conduct significant diligence into the participants and ownership structures of their funds, including fund limited partners, to determine whether sanctioned persons or entities are involved. Moreover, those who have seen the value of any assets tied to these companies decline significantly are allowed to continue to try to sell their assets to non-U.S. persons. However, given the challenge in finding buyers and evidence that certain financial institutions and brokers are already refusing to engage in any trades (even during the wind down period), the investment community needs to potentially prepare for long-term holding of blocked assets (by setting up sequestered accounts).

For those within the supply chains of sanctioned companies, from suppliers of commodities to finished goods, as well as customers of sanctioned companies, the concern will be to potentially replace key commercial relationships which will become increasingly difficult (if not prohibited) to maintain. Companies that have relied on RUSAL, for example, as a source of aluminum or as a customer for their goods will potentially need to find replacements. While aluminum is not in short supply globally, in certain jurisdictions RUSAL has a commanding position and even a monopoly. It is unclear how companies that seek to be compliant with OFAC regulations will navigate a world in which RUSAL has been a primary or secondary supplier (and there is no clear way to avoid such engagement so long as the company seeks to be active in that jurisdiction and in need of aluminum). Moreover, it is not just U.S. person counterparties that are likely to be affected by prohibitions on dealing with sanctioned parties. In line with the FAQ noted above, if non-U.S. companies were to make payments to the sanctioned companies for deliveries, these could be deemed “significant transactions” and could make the non-U.S. companies, themselves, the target of OFAC designations and/or secondary sanctions. One option—reportedly pursued by one major trading company—is to declare force majeure on contracts with Rusal.

As noted above, relief contemplated by General Licenses 12 and 13 may be operationally difficult to implement. The sanctions apply to companies 50 percent owned or controlled by blocked parties. Companies will need to undertake, under a short time line, significant due diligence to determine whether any such companies are involved in their operations. The wind down process may be further complicated by any Russian response to the U.S. sanctions.

What Happens Next?

The April 6 sanctions are likely not the end of the story. The next steps to watch include:

1.) Potential Russian Retaliation: During an address to the State Duma on April 11, Prime Minister Dmitry Medvedev said, for example, that Russia should consider targeting U.S. goods or goods produced in Russia by U.S. companies when considering a possible response.[19] Any such measures could implicate further U.S. business dealings with Russian entities, including the blocked entities.

2.) Changing Ownership and Structure of Sanctioned Parties: Given that the sanctioned companies were listed due to their ownership/control by sanctioned persons (pursuant to the 50 percent rule), there have already been moves to dilute their ownership and thus potentially have the companies de-listed. While possible, it is important to note that because the companies were explicitly listed by OFAC (and now appear on the SDN list), any reduction in ownership or control will not result in an automatic de-listing. Rather, OFAC will need to process these changes and formally de-list the entities before they can be treated as non-sanctioned. OFAC could opt not to de-list, or could decide to list the companies on other bases. Regardless, the process will undoubtedly take some time. We note that at least one engineering firm whose stock was held by a designated entity has already obtained a license to complete the transfer of these shares; this is helpful precedent for any company impacted but only tangentially related to the designated entities. Sanctioned entities have also changed their board membership in response to the U.S. sanctions. On Monday, April 11, for example, the entire board at Renova Management AG, the Swiss subsidiary of the Renova Group, was dismissed after Renova Group’s designation.[20]

3.) European Follow On Restrictions: The shock of many of Europe’s major powers following the poisoning of Sergei and Yulia Skripal in Salisbury in early March and the resulting mass expulsion of Russian diplomats from European capitals suggests that sanctions may be next. Core European U.S. allies were likely notified in advance of the April 6 measures. In the run up to sanctions in 2014, Washington and Brussels worked very closely to institute parallel measures against Moscow. While that unity has broken down under the Trump administration, especially since CAATSA was passed in August, it would appear as though some European sanctions are likely in the offing.

4.) OFAC FAQs/Licenses and Potentially New Measures: Due to the complexity of the April 6 measures, we expect that OFAC will issue additional FAQs and potentially revisions to General Licenses 12 and 13 (or new General Licenses) in the near term to clear up questions and further calibrate its response. Depending upon next steps from Russia and Europe we may see additional sanctions as well. Secretary of State-designate Mike Pompeo’s statement that the United States’ “soft” policy toward Russia is over suggests as much.[21]

Unfortunately, there is no clear path towards a de-escalation in Washington-Moscow tensions. When the U.S. first issued sanctions against Russia in response to the Crimea incursion in 2014, the sanctions “off-ramp” was very clearly defined: if Russia altered its behavior in Crimea/Ukraine there was a way that sanctions could be removed. Since 2014, as Secretary Mnuchin noted, Russia’s activities have expanded in scope and territory to include support for the Bashar regime in Syria, election meddling, cyber-attacks, and the nerve agent attack in the United Kingdom. The breadth and boldness of this activity makes it even more unlikely that Russia will comply with the West’s wishes and thus even less likely that the sanctions would be removed or even reduced at any point in the near term. For its part, bipartisan Congressional leadership expressed broad support for the Trump administration’s actions—however, Congress will likely demand more from the President in the near term. Perhaps eager to placate Congress and dispel any notion that he is “soft” on Russia, and buffeted by external circumstances ranging from any potential attack in Syria to the investigation by Robert Mueller, the President may impose still harsher measures on Moscow.
[1] Press Release, U.S. Department of the Treasury, Treasury Designates Russian Oligarchs, Officials, and Entities in Response to Worldwide Malign Activity (Apr. 6, 2018), available at https://home.treasury.gov/news/featured-stories/treasury-designates-russian-oligarchs-officials-and-entities-in-response-to.
[2] Natasha Turak, US sanctions are finally proving a ‘major game changer’ for Russia, CNBC (Apr. 10, 2018), available at https://www.cnbc.com/2018/04/10/us-moscow-sanctions-finally-proving-a-major-game-changer-for-russia.html.
[3] Press Release, U.S. Dep’t of the Treasury, Treasury Designates Individuals and Entities Involved in the Ongoing Conflict in Ukraine (June 20, 2017), available at https://www.treasury.gov/press-center/press-releases/Pages/sm0114.aspx. Designated persons and entities included separatists and their supporters; entities operating in and connected to the Russian annexation of Crimea; entities owned or controlled by, or which have provided support to, persons operating in the Russian arms or materiel sector; and Russian government officials.
[4] U.S. Department of the Treasury, supra, n. 1.
[5] Id.
[6] CAATSA, Title II, § 231(a). Specifically, CAATSA Section 231(a) specified that the President shall impose five or more of the secondary sanctions described in Section 235 with respect to a person the President determines knowingly “engages in a significant transaction with a person that is part of, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation, including the Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation or the Federal Security Service of the Russian Federation.” The measures that could be imposed under Section 231 are discretionary in nature. The language of the legislation is somewhat misleading in this regard. Section 231 is written as a mandatory requirement—providing that the President “shall impose” various restrictions. However, the legislation itself—and the October 27, 2017 guidance provided by the State Department—makes clear that secondary sanctions are only imposed after the President makes a determination that a party “knowingly” engaged in “significant” transactions with a listed party. The terms “knowingly” and “significant” have imprecise meanings, even under the State Department guidance. OFAC Ukraine-/Russia-related Sanctions FAQs (“OFAC FAQs”), OFAC FAQ No. 545, available at https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#567.
[7] Press Release, U.S. Dep’t of State, Background Briefing on the Countering America’s Adversaries Through Sanctions Act (CAATSA) Section 231 (Jan. 30, 2018), available at https://www.state.gov/r/pa/prs/ps/2018/01/277775.htm.
[8] CAATSA, Title II, § 241.
[9] See U.S. Dep’t of the Treasury, Report to Congress Pursuant to Section 241 of the Countering America’s Adversaries Through Sanctions Act of 2017 Regarding Senior Foreign Political Figures and Oligarchs in the Russian Federation and Russian Parastatal Entities (Unclassified) (Jan. 29, 2018), available at https://www.scribd.com/document/370313106/2018-01-29-Treasury-Caatsa-241-Final.
[10] See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Releases CAATSA Reports, Including on Senior Foreign Political Figures and Oligarchs in the Russian Federation (Jan. 29, 2018), available at https://home.treasury.gov/news/press-releases/sm0271.
[11] The one exception is Igor Rotenberg. Although Igor Rotenberg did not appear on the Section 241 List, his father and uncle were included. According to the April 6 OFAC announcement, Igor Rotenberg acquired significant assets from his father, Arkady Rotenberg, after OFAC designated the latter in March 2014. Specifically, Arkady Rotenberg sold Igor Rotenberg 79 percent of the Russian oil and gas drilling company Gazprom Burenie. Igor Rotenberg’s uncle, Boris Rotenberg, owns 16 percent of the company. Like his brother Arkady Rotenberg, Boris Rotenberg was designated in March 2014.
[12] OFAC FAQ No. 573.
[13] CAATSA, Title II, § 228.
[14] OFAC FAQ No. 546. In its implementing guidance, OFAC confirmed that Section 228 extends to SDNs and SSI entities but clarified that it would not deem a transaction “significant” if U.S. persons could engage in the transaction without the need for a specific license from OFAC. In other words, only transactions prohibited by OFAC—specifically, transactions with SDNs and/or transactions with SSI entities that are prohibited by the sectoral sanctions—will “count” as significant for purposes of Section 228. OFAC also noted that even a transaction with an SSI that involves prohibited debt or equity would not automatically be deemed “significant”—it would need to also involve “deceptive practices,” and OFAC would assess this criterion on a “totality of the circumstances” basis.
[15] OFAC FAQ No. 574.
[16] General License 12; OFAC FAQ No. 569.
[17] See also OFAC FAQ Nos. 567-568.
[18] See also OFAC FAQ Nos. 570-571.
[19] Russia’s Renova says board at its Swiss subsidiary dismissed due to sanctions, Reuters (Apr. 11, 2018), available at https://uk.reuters.com/article/usa-russia-sanctions-renova/russias-renova-says-board-at-its-swiss-subsidiary-dismissed-due-to-sanctions-idUKR4N1NE02P.
[20] Russia ready to prop up Deripaska’s Rusal as US sanctions bite, Financial Times (Apr. 11, 2018), available at https://www.ft.com/content/4904f6d4-3d97-11e8-b7e0-52972418fec4.
[21] Patricia Zengerle, Lesley Wroughton, As Pompeo signals hard Russia line, lawmakers want him to stand on his own, Reuters (Apr. 12, 2018), available at https://www.reuters.com/article/us-usa-trump-pompeo/as-pompeo-signals-hard-russia-line-lawmakers-want-him-to-stand-on-his-own-idUSKBN1HJ0HO.

The following Gibson Dunn lawyers assisted in preparing this client update: Adam Smith, Judith Alison Lee, Christopher Timura, Stephanie Connor, and Courtney Brown.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade Group:

United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Jose W. Fernandez – New York (+1 212-351-2376, jfernandez@gibsondunn.com)
Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com)
Daniel P. Chung – Washington, D.C. (+1 202-887-3729, dchung@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com)
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, sconnor@gibsondunn.com)
Kamola Kobildjanova – Palo Alto (+1 650-849-5291, kkobildjanova@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com)
Laura R. Cole – Washington, D.C. (+1 202-887-3787, lcole@gibsondunn.com)

Europe:
Peter Alexiadis – Brussels (+32 2 554 72 00, palexiadis@gibsondunn.com)
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Patrick Doris – London (+44 (0)207 071 4276, pdoris@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Mark Handley – London (+44 (0)207 071 4277, mhandley@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Richard Roeder – Munich (+49 89 189 33-160, rroeder@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

April 5, 2018 |
M&A Report – AOL and Aruba Networks Continue Trend of Delaware Courts Deferring to Deal Price in Appraisal Actions

Click for PDF

Two recent decisions confirm that, in the wake of the Delaware Supreme Court’s landmark decisions in Dell and DFC, Delaware courts are taking an increasingly skeptical view of claims in appraisal actions that the “fair value” of a company’s shares exceeds the deal price.[1] However, as demonstrated by each of these recent Delaware Court of Chancery decisions—In re Appraisal of AOL Inc. and Verition Partners Master Fund Limited v. Aruba Networks, Inc.—several key issues are continuing to evolve in the Delaware courts.[2] In particular, Delaware courts are refining the criteria in appraisal actions for determining whether a transaction was “Dell-compliant.” If so, then the court will likely look to market-based indicators of fair value, though which such indicator (unaffected share price or deal price) is the best evidence of fair value remains unresolved. If not, the court will likely conduct a valuation based on discounted cash flow (DCF) analysis or an alternative method to determine fair value. The development of these issues will help determine whether M&A appraisal litigation will continue to decline in frequency and will be critical for deal practitioners.[3]

DFC and “Dell-Compliant” Transactions

In DFC, the Delaware Supreme Court endorsed deal price as the “best evidence of fair value” in an arm’s-length merger resulting from a robust sale process. The Court held that, in determining fair value in such transactions, the lower court must “explain” any departure from deal price based on “economic facts,” and must justify its selection of alternative valuation methodologies and its weighting of those methodologies, setting forth whether such methodologies are grounded in market-based indicators (such as unaffected share price or deal price) or in other forms of analysis (such as DCF, comparable companies analysis or comparable transactions analysis).

In Dell, the Court again focused on the factual contexts in which market-based indicators of fair value should be accorded greater weight. In particular, the Court found that if the target has certain attributes—for example, “many stockholders; no controlling stockholder; highly active trading; and if information is widely available and easily disseminated to the market”—and if the target was sold in an arm’s-length transaction, then the “deal price has heavy, if not overriding, probative value.”

Aruba Networks and AOL: Marking the Boundaries for “Dell-Compliant” Transactions

In Aruba Networks, the Delaware Court of Chancery concluded that an efficient market existed for the target’s stock, in light of the presence of a large number of stockholders, the absence of a controlling stockholder, the deep trading volume for the target’s stock and the broad dissemination of information about the target to the market. In addition, the court found that the target’s sale process had been robust, noting that the transaction was an arm’s-length merger that did not involve a controller squeeze-out or management buyout, the target’s board was disinterested and independent, and the deal protection provisions in the merger agreement were not impermissibly restrictive. On this basis, the Court determined that the transaction was “Dell-compliant” and, as a result, market-based indicators would provide the best evidence of fair value. The Court found that both the deal price and the unaffected stock price provided probative evidence of fair value, but in light of the significant quantum of synergies that the parties expected the transaction to generate, the Court elected to rely upon the unaffected stock price, which reflected “the collective judgment of the many based on all the publicly available information . . . and the value of its shares.” The Court observed that using the deal price and subtracting synergies, which may not be counted towards fair value under the appraisal statute,[4] would necessarily involve judgment and introduce a likelihood of error in the Court’s computation.

By contrast, AOL involved facts much closer to falling under the rubric of a “Dell-compliant” transaction, but the Court nonetheless determined that the transaction was not “Dell-compliant.” At the time of the transaction, the target was well-known to be “likely in play” and had communicated with many potential bidders, no major conflicts of interest were present and the merger agreement did not include a prohibitively large breakup fee. Nonetheless, the Court focused on several facts that pointed to structural defects in the sale process, including that the merger agreement contained a no-shop period with unlimited three-day matching rights for the buyer and that the target failed to conduct a robust auction once the winning bidder emerged. In addition, and importantly, the Court took issue with certain public comments of the target’s chief executive officer indicating a high degree of commitment to the deal after it had been announced, which the Court took to signal “to potential market participants that the deal was done, and that they need not bother making an offer.” On this basis, the Court declined to ascribe any weight to the deal price and instead conducted a DCF analysis, from which it arrived at a fair value below the deal price. It attributed this gap to the inclusion of synergies in the deal price that are properly excluded from fair value. Parenthetically, the Court did take note of the fact that its computation of fair value was close to the deal price, which offered a “check on fair value analysis,” even if it did not factor into the Court’s computation.
Key Takeaways

Aruba Networks and AOL provide useful guidelines to M&A practitioners seeking to manage appraisal risk, while also leaving several open questions with which the Delaware courts will continue to grapple:

Whether market-based indicators of fair value will receive deference from the Delaware courts (and, correspondingly, diminish the incentives for would-be appraisal arbitrageurs) depends upon whether the sale process could be considered “Dell-compliant.” This includes an assessment of both the robustness of the sale process, on which M&A practitioners seeking to manage appraisal risk would be well-advised to focus early, and the efficiency of the trading market for the target’s stock, to which litigators in appraisal actions should pay close attention.

For those transactions found to be “Dell-compliant,” the best evidence of fair value will be a market-based indicator of the target’s stock. Whether such evidence will be the deal price, the unaffected stock price or a different measure remains an open question dependent upon the facts of the particular case. However, for those transactions in which synergies are anticipated by the parties to be a material driver of value, Aruba Networks suggests that the unaffected share price may be viewed as a measure of fair value that is less susceptible to errors or biases in judgment.

For those transactions found not to be “Dell-compliant,” DCF analyses or other similar calculated valuation methodologies are more likely to be employed by courts to determine fair value. As AOL and other recent opinions indicate, however, there is no guarantee for stockholders that the result will yield a fair value in excess of the deal price—particularly given the statutory mandate to exclude expected synergies from the computation.

[1] Dell, Inc. v. Magnetar Global Event Driven Master Fund Ltd., 177 A.3d 1 (Del. 2017); DFC Global Corp. v. Muirfield Value Partners, L.P., 172 A.3d 346 (Del. 2017). See our earlier discussion of Dell and DFC here.
[2] In re Appraisal of AOL Inc., C.A. No. 11204-VCG, 2018 WL 1037450 (Del. Ch. Feb. 23, 2018); Verition Partners Master Fund Ltd. v. Aruba Networks, Inc., C.A. No. 11448-VCL, 2018 WL 922139 (Del. Ch. Feb. 15, 2018).
[3] It is worth noting that, after DFC and Dell, the Delaware Supreme Court summarily affirmed the decision of the Court of Chancery in Merlin Partners, LP v. SWS Grp., Inc., No. 295, 2017, 2018 WL 1037477 (Table) (Del. Feb. 23, 2018), aff’g, In re Appraisal of SWS Grp., Inc., C.A. No. 10554-VCG, 2017 WL 2334852 (Del. Ch. May 30, 2017). The Court of Chancery decided SWS Group prior to the Delaware Supreme Court’s decisions in DFC and Dell. Nonetheless, it is clear that the court would have found the transaction at issue in SWS Group not to be “Dell-compliant,” as the transaction involved the sale of the target to a buyer that was also a lender to the target and so could exercise veto rights over any transaction. Indeed, no party to the SWS Group litigation argued that the deal price provided probative evidence of fair value. See our earlier discussion of the SWS Group decision by the Delaware Court of Chancery here.
[4] See 8 Del. C. § 262(h) (“[T]he Court shall determine the fair value of the shares exclusive of any element of value arising from the accomplishment or expectation of the merger or consolidation . . . .”); see also Global GT LP v. Golden Telecom, Inc., 993 A.2d 497, 507 (Del. Ch.) (“The entity must be valued as a going concern based on its business plan at the time of the merger, and any synergies or other value expected from the merger giving rise to the appraisal proceeding itself must be disregarded.” (internal citations omitted)), aff’d, 11 A.3d 214 (Del. 2010).
The following Gibson Dunn lawyers assisted in preparing this client update: Barbara Becker, Jeffrey Chapman, Stephen Glover, Eduardo Gallardo, Jonathan Layne, Joshua Lipshutz, Brian Lutz, Adam Offenhartz, Aric Wu, Meryl Young, Daniel Alterbaum, Colin Davis, and Mark Mixon.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Mergers and Acquisitions practice group:

Mergers and Acquisitions Group / Corporate Transactions:
Barbara L. Becker – Co-Chair, New York (+1 212-351-4062, bbecker@gibsondunn.com)
Jeffrey A. Chapman – Co-Chair, Dallas (+1 214-698-3120, jchapman@gibsondunn.com)
Stephen I. Glover – Co-Chair, Washington, D.C. (+1 202-955-8593, siglover@gibsondunn.com)
Dennis J. Friedman – New York (+1 212-351-3900, dfriedman@gibsondunn.com)
Jonathan K. Layne – Los Angeles (+1 310-552-8641, jlayne@gibsondunn.com)
Eduardo Gallardo – New York (+1 212-351-3847, egallardo@gibsondunn.com)
Jonathan Corsico – Washington, D.C. (+1 202-887-3652, jcorsico@gibsondunn.com)

Mergers and Acquisitions Group / Litigation:
Meryl L. Young – Orange County (+1 949-451-4229, myoung@gibsondunn.com)
Brian M. Lutz – San Francisco (+1 415-393-8379, blutz@gibsondunn.com)
Aric H. Wu – New York (+1 212-351-3820, awu@gibsondunn.com)
Paul J. Collins – Palo Alto (+1 650-849-5309, pcollins@gibsondunn.com)
Michael M. Farhang – Los Angeles (+1 213-229-7005, mfarhang@gibsondunn.com)
Joshua S. Lipshutz – Washington, D.C. (+1 202-955-8217, jlipshutz@gibsondunn.com)
Adam H. Offenhartz – New York (+1 212-351-3808, aoffenhartz@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 26, 2018 |
D.C. Circuit Holds That Witnesses in PCAOB Investigations Have the Right to a Technical Expert

On March 23, 2018, the U.S. Court of Appeals for the D.C. Circuit issued a unanimous opinion vacating an SEC order upholding sanctions issued by the Public Company Accounting Oversight Board against petitioner Mark E. Laccetti. The court held that petitioner was deprived of his right to counsel because the Board denied his request that a technical expert be present while he gave investigative testimony to the Board. The court therefore vacated the SEC’s order and directed the Commission to vacate the sanctions.[1]

In 2007, the Board required petitioner, a partner with an accounting firm, to give investigative testimony in connection with an investigation into certain audits. Petitioner requested a technical expert to aid counsel on the complex accounting issues that would be the subject of the Board’s questioning. The Board denied that request out of a supposed concern over “internal monitoring,” because the expert petitioner had proposed was associated with the accounting firm under investigation. The Board did so despite using its own technical experts to question petitioner and despite allowing attorneys associated with the accounting firm to attend the testimony.

The Board ultimately instituted disciplinary proceedings against petitioner, and Gibson Dunn was brought in to represent him in his administrative trial before a Board hearing officer. Gibson Dunn secured a favorable disposition of several of the claims against petitioner, which the Board’s Division of Enforcement appealed to the Board itself. The Board ultimately issued sanctions against petitioner, which the SEC upheld on appeal.

In his challenge to the SEC’s order in the D.C. Circuit, petitioner advanced several arguments, including that the Board’s denial of his request for a technical expert violated the right to counsel in Board investigative proceedings secured by Board Rule 5109. The D.C. Circuit agreed for three independent reasons.

First, the court held that the Board’s stated “internal monitoring” rationale made “no sense” because it allowed other individuals from the accounting firm to attend petitioner’s investigative testimony.[2] Second, the court held that the Board’s supposed rationale could not in any event support its refusal to allow petitioner to have any technical expert present.[3] And third, the court held that, under Rule 5109, the Board “may not bar a witness from bringing an accounting expert who could assist the witness’s counsel during an investigative interview.”[4] On this point, the court recognized that the Administrative Procedure Act’s right to counsel (which arguably applied in SEC proceedings, but not Board proceedings) required the assistance of a technical expert.[5] In the court’s view, there was “no meaningful distinction between the right to counsel in the APA and the right to counsel in the Board’s rules.”[6] Finally, the court rejected the Board’s argument that the error was harmless: the agency admitted that its decision to institute proceedings may have been based on the tainted investigative testimony.[7]

The D.C. Circuit’s opinion is significant because it makes clear that, under the Board’s rules, the right to counsel in investigative proceedings includes the assistance of a technical expert. In this regard, the opinion reaffirms that the subjects of Board proceedings enjoy a right essential to procedural fairness and due process, and brings the Board’s procedures in line with those governing similar administrative proceedings under the APA.

[1] Laccetti v. SEC, No. 16-1368, slip op. 9 (D.C. Cir. Mar. 23, 2018).
[2] Id. at 4.
[3] Id. at 5.
[4] Id. at 7.
[5] SEC v. Whitman, 613 F. Supp. 48 (D.D.C. 1985).
[6] Slip op. 7.
[7] Id. at 8.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Michael Scanlon, Douglas Cox, Lawrence Zweifach, Rajiv Mohan and Darcy Harris.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work or any of the following members of the firm’s Securities Enforcement Group:
Douglas R. Cox – Washington, D.C. (+1 202-887-3531, dcox@gibsondunn.com)
Michael J. Scanlon – Washington, D.C. (+1 202-887-3668, mscanlon@gibsondunn.com)
Lawrence J. Zweifach – New York (+1 212-351-2625, lzweifach@gibsondunn.com)

March 20, 2018 |
Supreme Court Holds States May Hear Securities Fraud Class Actions Under The 1933 Act

Cyan, Inc. v. Beaver County Employees Retirement Fund, No. 15-1439
Decided March 20, 2018

Today, the Supreme Court held 9-0 that class actions alleging only federal claims under the Securities Act of 1933 may be heard in state court and, if brought in state court, cannot be removed to federal court.

Background: Federal and state courts have traditionally shared jurisdiction over claims under the Securities Act of 1933. After the Private Securities Litigation Reform Act of 1995 (PSLRA) tightened standards for pleading and proving federal securities fraud class actions, plaintiffs began filing those claims in state court. In response, Congress enacted the Securities Litigation Uniform Standards Act of 1998 (SLUSA), which requires certain “covered class actions” alleging state law securities claims to be heard and dismissed in federal court. 15 U.S.C. § 77p(c). But courts were split over whether covered class actions filed in state court that allege only claims under the 1933 Act also must be heard in federal court. In this case, investors in Cyan, Inc. filed a class action in California state court alleging only claims under the 1933 Act. The California courts refused to dismiss the case for lack of subject-matter jurisdiction.

Issues: (1) Whether state courts lack subject-matter jurisdiction over class actions that allege only Securities Act of 1933 claims, and (2) whether defendants in class actions filed in state court that allege only 1933 Act claims may remove the cases to federal court.

Court’s Holding: SLUSA does not deprive state courts of subject-matter jurisdiction over class actions raising only claims under the 1933 Act and does not authorize defendants to remove such actions to federal court.

“[W]e will not revise [Congress’s] legislative choice, by reading a conforming amendment and a definition in a most improbable way, in an effort to make the world of securities litigation more consistent or pure.”
Justice Kagan, writing for the Court

What It Means: SLUSA has often been the subject of statutory-interpretation disputes. But here, the unanimous Court held that SLUSA’s “clear statutory language” does not preclude state courts from adjudicating class actions involving 1933 Act claims. SLUSA’s class-action bar and federal-court-channeling provision apply only to state law claims. Under SLUSA, covered securities class actions based on the 1934 Act must proceed in federal court. 15 U.S.C. § 78aa. But as a result of the Court’s decision today, covered class actions based only on the 1933 Act may proceed in state court. Either way, the Court emphasized, the substantive protections of the PSLRA (such as the safe harbor for forward-looking statements) apply to all claims under both the 1933 and 1934 Acts.

The United States argued that SLUSA permits defendants in class actions filed in state court that raise 1933 Act claims to remove those actions to federal court. The Court disagreed.

In the wake of this ruling, businesses should expect to see more securities class actions alleging violations of the 1933 Act in state court, because plaintiffs will seek to take advantage of state courts that are perceived to be friendlier to their interests. This significant loophole may prompt Congress to enact new legislation, similar to SLUSA, to ensure that plaintiffs are required to bring securities class actions in federal court.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice
Caitlin J. Halligan +1 212.351.3909 challigan@gibsondunn.com
Mark A. Perry +1 202.887.3667 mperry@gibsondunn.com
Nicole A. Saharsky +1 202.887.3669 nsaharsky@gibsondunn.com

Related Practice: Securities Litigation
Brian M. Lutz +1 415.393.8379 blutz@gibsondunn.com
Robert F. Serio +1 212.351.3917 rserio@gibsondunn.com
Meryl L. Young +1 949.451.4229 myoung@gibsondunn.com

Related Practice: Class Actions
Theodore J. Boutrous, Jr. +1 213.229.7804 tboutrous@gibsondunn.com
Christopher Chorba +1 213.229.7396 cchorba@gibsondunn.com
Theane Evangelis +1 213.229.7726 tevangelis@gibsondunn.com

March 2, 2018 |
ALJs Check Their Own Work, With Unsurprising Results

San Francisco partner Marc Fagel is the author of “ALJs Check Their Own Work, With Unsurprising Results,” [PDF] published by Law360 on March 2, 2018.

March 5, 2018 |
Supreme Court Settles Circuit Split Concerning Bankruptcy Code “Safe Harbor”

On February 27, 2018, the U.S. Supreme Court issued a decision in Merit Management Group, LP v. FTI Consulting, Inc. (No. 16-784), settling a circuit split regarding the “safe harbor” provision in § 546(e) of the Bankruptcy Code. That section bars the avoidance of certain types of securities and commodities transactions that are made by, to or for the benefit of covered entities including financial institutions, stockbrokers and securities clearing agencies. Circuits had split regarding whether the safe harbor protects a transfer that passes through a covered entity, where the entity only acts as a conduit and has no beneficial interest in the property transferred. In Merit Management, the Court held that the safe harbor does not apply when a covered entity only acts as a conduit, and that the safe harbor only applies when the “relevant transfer” (i.e., the “overarching” transfer sought to be avoided) is by, to or for the benefit of a covered entity. As a result, the Court held that the safe harbor did not protect a private securities transaction where neither the buyer nor the seller was a covered entity, even though the funds passed through covered entities.

The Bankruptcy Code “Safe Harbor”

The Bankruptcy Code permits a trustee to bring claims to “avoid” (or undo) for the benefit of the bankruptcy estate certain prepetition transfers or obligations, including claims to avoid a preference (11 U.S.C. § 547) or fraudulent transfer (11 U.S.C. § 548(a)). Section 546(e) limits those avoidance powers by providing that, “[n]otwithstanding” the trustee’s avoidance powers, “the trustee may not avoid a transfer that is” (1) a “margin payment” or “settlement payment” “made by or to (or for the benefit of)” a covered entity, or (2) “a transfer made by or to (or for the benefit of)” a covered entity “in connection with a securities contract . . . or forward contract.” 11 U.S.C. § 546(e). The sole exception to the safe harbor is a claim for “actual fraudulent transfer” under § 548(a)(1)(A). Id.

Background

Merit Management involved the acquisition of a “racino” (a combined horse racing and casino business) by its competitor. To consummate the transaction, the buyer’s bank wired $55 million to another bank that acted as a third-party escrow agent, which disbursed the funds to the seller’s shareholders in exchange for their stock in the seller. The buyer subsequently filed for Chapter 11 bankruptcy protection and a litigation trust was established pursuant to the buyer’s confirmed reorganization plan. The trustee sued one of the selling shareholders that received $16.5 million from the buyer, alleging that the transaction was a constructive fraudulent transfer under § 548(a)(1)(B) because the buyer was insolvent at the time of the purchase and “significantly overpaid” for the stock.

The district court held that the safe harbor barred the fraudulent transfer claim because the transaction was a securities settlement payment involving intermediate transfers “by” and “to” covered entities (the banks). The Seventh Circuit reversed, holding that the safe harbor did not apply because the banks only acted as conduits and neither the buyer nor the shareholder was a covered entity. In so holding, the Seventh Circuit diverged from other circuits that had applied the safe harbor to transactions consummated through a covered entity acting as a conduit.[1] Those circuits interpreted the disjunctive language in the safe harbor that protects transfers “by or to (or for the benefit of)” a covered entity to mean that a transfer “by” or “to” a covered entity is protected even if the transfer is not “for the benefit of” the covered entity. The Supreme Court granted certiorari to settle the circuit split.

The Supreme Court Holds That the Safe Harbor Does Not Protect a Transfer When a Covered Entity Only Acts as a Conduit

The Supreme Court affirmed the Seventh Circuit’s decision, holding that the safe harbor does not protect a transfer when a covered entity only acts as a conduit. The crux of the decision is that a safe harbor analysis must focus on whether the “relevant transfer,” meaning the “overarching” or “end-to-end” transfer that the trustee seeks to avoid, was by, to or for the benefit of a covered entity. Whether an intermediate or “component” transfer was made by or to a covered entity is “simply irrelevant to the analysis under § 546(e).”[2] The Court reasoned that, as an express limitation on the trustee’s avoidance powers, § 546(e) must be applied in relation to the trustee’s exercise of those powers with respect to the transfer that the trustee seeks to avoid, not component transfers that the trustee does not seek to avoid.[3] In the case before it, because the trustee sought to avoid the “end-to-end” transfer from the buyer to the shareholder, and neither was a covered entity, the safe harbor did not apply.

The Court Avoids Adjudicating a Potentially Significant Defense

The shareholder did not argue in the lower courts that the buyer or the shareholder was a covered entity. In its briefing in the Supreme Court, the shareholder argued that the buyer and seller were both covered entities because they were customers of the banks that facilitated the transaction, and the definition of “financial institution” in 11 U.S.C. § 101(22)(A) includes a “customer” of a financial institution when the institution “is acting as agent or custodian for a customer.” During oral argument, Justice Breyer indicated that he might have been receptive to that potentially dispositive argument. However, the decision expressly avoids adjudicating the argument on the basis that the shareholder raised the point “only in footnotes and did not argue that it somehow dictates the outcome in this case.” Id. at n. 2. As a result, the “customer-as-financial-institution defense” will likely be litigated in the lower courts going forward.

Impact of Merit Management

As a result of Merit Management, parties to securities and commodities transactions should expect that, in the event of a bankruptcy filing, the safe harbor will not protect a transaction unless the transferor, transferee or beneficiary of the “overarching” transfer is a covered entity. Routing a transfer through a covered entity will no longer protect the transaction. Given the increased importance placed on whether a party to the overarching transfer is a covered entity, Merit Management may lead to a new wave of litigation regarding the scope of the covered entities, including the circumstances in which the customer of a financial institution constitutes a covered entity, and related planning strategies to fall within such scope.

[1] See, e.g., In re Quebecor World (USA) Inc., 719 F.3d 94, 99 (2d Cir. 2013); In re QSI Holdings, Inc., 571 F.3d 545, 551 (6th Cir. 2009); Contemporary Indus. Corp. v. Frost, 564 F.3d 981, 987 (8th Cir. 2009); In re Resorts Int’l, Inc., 181 F.3d 505, 516 (3d Cir. 1999); In re Kaiser Steel Corp., 952 F.2d 1230, 1240 (10th Cir. 1991).
[2] Decision at p. 14.
[3] See id. at pp. 11-14 (“If a trustee properly identifies an avoidable transfer . . . the court has no reason to examine the relevance of component parts when considering a limit to the avoiding power, where that limit is defined by reference to an otherwise avoidable transfer, as is the case with §546(e). . . .”).

Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Business Restructuring and Reorganization practice group, or the following authors:
Oscar Garza – Orange County, CA (+1 949-451-3849, ogarza@gibsondunn.com)
Michael A. Rosenthal – New York (+1 212-351-3969, mrosenthal@gibsondunn.com)
Douglas G. Levin – Orange County, CA (+1 949-451-4196, dlevin@gibsondunn.com)

Please also feel free to contact the following practice group leaders:

Business Restructuring and Reorganization Group:
Michael A. Rosenthal – New York (+1 212-351-3969, mrosenthal@gibsondunn.com)
David M. Feldman – New York (+1 212-351-2366, dfeldman@gibsondunn.com)
Jeffrey C. Krause – Los Angeles (+1 213-229-7995, jkrause@gibsondunn.com)
Robert A. Klyman – Los Angeles (+1 213-229-7562, rklyman@gibsondunn.com)

February 28, 2018 |
Webcast: Shareholder Engagement & Activism – Preparing for the 2018 Proxy Season

The subject of shareholder engagement and activism rightfully continues to be the focus of discussion in boardrooms and in-house legal departments across the country. With no public company “too big” to be the subject of an activist intervention, it is imperative for corporations to proactively manage the risk of a disruptive activist campaign. Our team of experienced corporate, governance and litigation attorneys will be joined by proxy solicitation and public relations experts from Innisfree and Joele Frank to discuss the steps that corporations should be taking to prepare for the 2018 proxy season.

View Slides [PDF]

PANELISTS:

Eduardo Gallardo is a partner in Gibson Dunn’s New York office. His practice focuses on mergers and acquisitions and corporate governance matters. Mr. Gallardo has extensive experience representing public and private acquirers and targets in connection with mergers, acquisitions and takeovers, both negotiated and contested. He has also represented public and private companies in connection with proxy contests, leveraged buyouts, spinoffs, divestitures, restructurings, recapitalizations, joint ventures and other complex corporate transactions. Mr. Gallardo also advises corporations, their boards of directors and special board committees in connection with corporate governance and compliance matters, shareholder activism, takeover preparedness and other corporate matters.

Brian Lutz is a partner in Gibson Dunn’s San Francisco and New York offices where he is Co-Chair of the Firm’s National Securities Litigation Practice Group. Mr. Lutz has experience in a wide range of complex commercial litigation, with an emphasis on corporate control contests, securities litigation, and shareholder actions alleging breaches of fiduciary duties. He represents public companies, private equity firms, investment banks and clients across a variety of industries, including bio-pharma, tech, finance, retail, health care, energy, accounting and insurance. Mr. Lutz has twice been named a Rising Star by Law360 in the Securities category, a distinction awarded annually to five attorneys nationwide under the age of 40. He also has been named a Leading Lawyer in M&A Defense by Legal 500. Mr. Lutz was named “Litigator of the Week” by AmLaw Litigation Daily (an American Lawyer publication) for his work in securing a rare preliminary injunction that prevented a hostile takeover attempt of the pharmaceutical company Depomed, Inc.

Lori Zyskowski is a partner in Gibson Dunn’s New York office where she is a member of the Firm’s Securities Regulation and Corporate Governance Practice Group. Ms. Zyskowski advises public companies and their boards of directors on a wide range of corporate law matters, including corporate governance, compliance with U.S. federal securities laws and the requirements of the major U.S. stock exchanges, and shareholder engagement and activism matters. She formerly served as Executive Counsel, Corporate, Securities & Finance at the General Electric Company, where she advised GE’s board of directors and senior management on corporate governance and securities law issues.

Matthew Sherman is President, a Partner and a founding member of JOELE FRANK, a leading strategic financial communications and investor relations firm. Mr. Sherman has more than 22 years of experience providing strategic corporate, financial and crisis communications counsel to Boards of Directors and executive leadership of public corporations and private equity firms involved in M&A, hostile takeovers, proxy contests, shareholder activism defense, spin-offs, reorganizations, financial restructurings, management changes, litigation, regulatory actions and a wide range of corporate crises.

Scott Winter is a Managing Director of Innisfree M&A Incorporated. Mr. Winter advises companies and investors on all aspects of shareholder engagement focusing on hostile and friendly acquisitions, shareholder activism, contested shareholder meetings, corporate governance, and other proxy solicitation matters. Mr. Winter has been involved in most of the significant U.S. hostile takeovers in the past decade as well as activism situations involving, among others, Barington, Corvex, Elliott Management, Engaged Capital, Icahn Associates, Land & Buildings, Lone Star Value, JANA Partners, Marcato, Pershing Square, SachemHead, Sandell, Starboard Value, Third Point, Trian, and ValueAct.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.00 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact Jeanine McKeown (National Training Administrator), at 213-229-7140 or jmckeown@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour. California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

February 21, 2018 |
Court Reevaluates Stockholder Ratification of Director Compensation for First Time in Decades

New York associates Jefferson Bell and David Coon are the authors of “Court Reevaluates Stockholder Ratification of Director Compensation for First Time in Decades,” [PDF] published by Delaware Business Court Insider on February 21, 2018.

February 21, 2018 |
Supreme Court Says Whistleblowers Must Report to the SEC Before Suing for Retaliation Under Dodd-Frank

Digital Realty Trust, Inc. v. Somers, No. 16-1276
Decided February 21, 2018

Today, the Supreme Court held 9-0 that whistleblowers must report alleged misconduct to the SEC before they can sue under the Dodd-Frank Act’s anti-retaliation provision.

Background: The Dodd-Frank Act prohibits retaliating against a “whistleblower” because that person reported misconduct to the SEC; initiated, testified in, or assisted with an SEC proceeding; or made certain required or protected disclosures. 15 U.S.C. § 78u-6(h)(1)(A). The Act defines a “whistleblower” as a person who reports misconduct to the SEC. 15 U.S.C. § 78u-6(a)(6). Paul Somers reported suspected misconduct to his employer but not to the SEC. After he was fired, he sued his former employer for retaliation under the Dodd-Frank Act.

Issue: Whether the Dodd-Frank Act’s anti-retaliation provision extends to individuals who have not reported alleged misconduct to the SEC.

Court’s Holding: Whistleblowers must report suspected misconduct to the SEC to be able to sue for retaliation under the Dodd-Frank Act.

“Courts are not at liberty to dispense with the condition—tell the SEC—Congress imposed.”
Justice Ginsburg, writing for the Court

What It Means: The Court premised its decision on the statute’s text. Even though purpose-based arguments were made for extending the anti-retaliation provision to individuals who do not report to the SEC, the Court declined to take that step because the statute clearly defines a “whistleblower” as a person who reported alleged misconduct to the SEC. The Court rejected the SEC’s contrary interpretation of the statute, which was contained in a regulation.

The Court also dismissed concerns that the ruling would undermine protection for “auditors, attorneys, and other employees subject to internal-reporting requirements,” explaining that they already had protection under Sarbanes-Oxley and would also be protected under Dodd-Frank once they provided the relevant information to the SEC.

Recall that the Court addressed a similar issue in Lawson v. FMR LLC, 134 S. Ct. 1158 (2014). In that case, the Court held for the whistleblower, ruling that contractors and subcontractors of a public company may sue for retaliation under the Sarbanes-Oxley Act. It is important to note that the Sarbanes-Oxley Act does not include a requirement that a whistleblower report to the SEC.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice
Caitlin J. Halligan +1 212.351.3909 challigan@gibsondunn.com
Mark A. Perry +1 202.887.3667 mperry@gibsondunn.com
Nicole A. Saharsky +1 202.887.3669 nsaharsky@gibsondunn.com

Related Practices: Labor and Employment
Catherine A. Conway +1 213-229-7822 cconway@gibsondunn.com
Eugene Scalia +1 202-955-8206 escalia@gibsondunn.com
Jason C. Schwartz +1 202-955-8242 jschwartz@gibsondunn.com

February 14, 2018 |
Webcast: IPO and Public Company Readiness: Oil and Gas Industry Issues

Oil and gas prices are recovering and there is a friendlier regulatory climate in Washington for capital raising. Times may never be better for considering an initial public offering for your company. There are many advantages and challenges to becoming a public company. This panel identifies the issues and opportunities for companies in the oil and gas sector to consider in deciding whether to become a public company.

View Slides [PDF]

PANELISTS:

Hillary Holmes focuses on securities offerings and SEC and governance counseling for master limited partnerships (MLPs) and corporations in all sectors of the oil & gas energy industry. She represents public companies, private companies, MLPs and investment banks in all forms of capital raising transactions, including IPOs, registered offerings of debt and equity securities, private placements of debt and equity securities, and spin-offs. She also advises boards of directors, conflicts committees, and financial advisors of energy companies in complex transactions.

Gerry Spedale focuses on capital markets, mergers and acquisitions, joint ventures and corporate governance matters for companies in the energy industry, including MLPs. He has extensive experience representing issuers and investment banks in both public and private debt and equity offerings, including initial public offerings, convertible note offerings and offerings of preferred securities. He also has substantial experience in public and private company acquisitions and dispositions and board committee representations.

James Chenoweth counsels clients regarding tax-efficient structuring of energy transactions, including MLPs, IPOs and follow-on offerings, as well as acquisitions and dispositions, taxable sales and the formation of joint ventures, particularly in the oil and gas upstream and midstream sectors. James represents clients regarding the funding, formation, transfer and acquisition of upstream drilling joint ventures in cash and carry transactions and similar arrangements forming tax partnerships in various shale plays, including the Eagle Ford, Utica, Three Forks, Marcellus and Niobrara.

Brian Lane counsels companies on the most sophisticated corporate governance and regulatory issues under the federal securities laws. He is nationally recognized in his field as an author, media commentator, and conference speaker. Brian ended a 16-year career with the Securities and Exchange Commission as the Director of the Division of Corporation Finance, where he supervised over 300 attorneys and accountants in all matters related to disclosure and accounting by public companies (e.g., M&A, capital raising, disclosure in periodic reports and proxy statements). In his practice, Brian has advised on dozens of IPOs.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.00 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact Jeanine McKeown (National Training Administrator), at 213-229-7140 or jmckeown@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour. California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

February 8, 2018 |
Law360 Names Gibson Dunn Among its Securities 2017 Practice Groups of the Year

Law360 named Gibson Dunn one of its seven Securities Practice Groups of the Year for 2017. The firm’s profile was published on February 8, 2018.

February 6, 2018 |
Webcast: Shareholder Litigation Developments and Trends

Shareholder lawsuits are not only complicated to litigate, but due to the high financial stakes, these actions can be among the most threatening to a company and its directors and officers. It has been over twenty years since Congress enacted the Private Securities Litigation Reform Act of 1995, and since that time, private actions under the federal securities laws have continued to be filed at a steady pace. In addition, shareholders have aggressively pursued state-law claims to contest mergers or to assert claims purportedly on behalf of companies. Over the last decade, the U.S. Supreme Court and the Delaware Supreme Court have issued multiple decisions impacting the way shareholder actions are litigated and decided. This One-Hour Briefing will highlight recent developments and trends in this constantly evolving and complex area of the law.

Expert faculty discuss:

Shareholder action filing and settlement trends.
Developments in appraisal litigation, in which shareholders whose shares will be cashed out in a merger or consolidation seek judicial appraisal of the value of their shares.
Developments concerning loss causation in Section 10(b) cases precipitated by short sellers.

PANELISTS:

Jennifer L. Conn is a partner in the New York office of Gibson, Dunn & Crutcher. She is co-editor of PLI’s Securities Litigation: A Practitioner’s Guide, Second Edition. Ms. Conn has extensive experience in a wide range of complex commercial litigation matters, including those involving securities, accounting malpractice, antitrust, contracts, insurance and information technology. She is also a member of Gibson Dunn’s General Commercial Litigation, Securities Litigation, Appellate, and Privacy, Cybersecurity and Consumer Protection Practice Groups.

Gabrielle Levin is a partner in the New York office of Gibson, Dunn & Crutcher. She is co-author of PLI’s Securities Litigation: A Practitioner’s Guide, Second Edition. Her practice focuses on representing corporate clients in securities, employment, and general litigation matters. She has extensive experience in securities class actions, shareholder derivative litigation, SOX and Dodd-Frank whistleblower litigation, and employment litigation. Ms. Levin is a member of Gibson Dunn’s Securities Litigation Practice, Labor and Employment Practice, and Media, Entertainment and Technology Practice Group, as well as the Firm’s Diversity Committee.

Alexander K. Mircheff is a partner in the Los Angeles office of Gibson, Dunn & Crutcher. He is co-author of PLI’s Securities Litigation: A Practitioner’s Guide, Second Edition. His practice emphasizes securities and appellate litigation, and he has substantial experience representing issuers, officers, directors, and underwriters in class action and shareholder derivative matters.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.00 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact Jeanine McKeown (National Training Administrator), at 213-229-7140 or jmckeown@gibsondunn.com to request the MCLE form. Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour. California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

February 5, 2018 |
2017 Year-End Sanctions Update

A year ago this week, we assessed that the newly-minted Trump administration could follow through on the President’s campaign promises and alter several sanctions programs administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”). The U.S. Congress, we surmised, could respond by codifying and expanding existing regulations. After a year of historic growth in the use of sanctions—and one in which sanctions played a greater role in both foreign and domestic policy in the United States—we stand by that assessment.

The Trump administration continued a nearly two-decade bipartisan trend of increasing reliance on sanctions. Across the full range of sanctions programs, nearly 1,000 entities and individuals were added to the Specially Designated Nationals and Blocked Persons (the “SDN” or “black”) list (see the graph below). This represented a nearly 30 percent increase over the number added during President Obama’s last year in office, and a nearly three-fold increase over the number added during President Obama’s first year in office.

[Graph: SDN List additions by year. Source: compiled from OFAC data.]

The Trump administration’s Secretary of the Treasury, Steven Mnuchin, has had an unprecedented level of involvement in OFAC’s recent actions. In prior administrations, the Treasury Secretary’s involvement in sanctions policy was intermittent and rare, leaving the day-to-day work and announcements of new sanctions to the director of OFAC or the Under Secretary for Terrorism and Financial Intelligence.
To the best of our knowledge, there has never been a Treasury Secretary so clearly enamored with the sanctions tool—an assessment supported by Mnuchin’s own September 2017 claim that he spends half of his time on national security and sanctions issues.[1]

While the increasing use of sanctions is noteworthy and brings to mind concerns raised by observers about an “overuse” of sanctions, neither the administration nor Congress appears likely to cease their reliance on the tool as a “go-to” instrument of coercion. The past year saw increased sanctions pressure on Iran, Syria, Russia, and North Korea as well as a rollback of the Cuban sanctions relief provided under President Obama. Congress responded, codifying and strengthening existing sanctions measures against Russia, Iran and North Korea by passing the unprecedented “Countering America’s Adversaries through Sanctions Act” (“CAATSA”).[2] New sanctions on Venezuela were imposed and old sanctions on Sudan were removed.

Even as the Trump administration sought to separate itself from the Obama team, many of the new sanctions imposed—such as those against Venezuela—appear to borrow explicitly from the Obama administration’s playbook. Moreover, several core features of Obama’s sanctions policy remain broadly untouched—at least for now. Key among them is the Joint Comprehensive Plan of Action (“JCPOA”), which President Trump described during the presidential campaign as “the worst deal ever negotiated.”[3] Despite uncertainty over its future, the JCPOA remains intact.[4]

There were also some surprises.
On December 20, 2017, President Trump issued an unusually broad executive order to implement the Global Magnitsky Human Rights Accountability Act, a 2016 law that authorized sanctions for those responsible for human rights abuses and significant government corruption.[5] The order was celebrated by the human rights and anti-corruption non-governmental communities,[6] and added more than four dozen individuals and entities from various countries—including Burma, China, the Democratic Republic of the Congo, the Gambia, Guatemala, Russia, and South Sudan, and even from core U.S. allies like Israel—to OFAC’s SDN List.[7]

We would be remiss to omit reference to the pivotal role that sanctions played in the deteriorating diplomatic relationship between the United States and Russia, as well as many of the political controversies that dominated the headlines in 2017. In 2012, the United States Congress passed an aggressive law intended to punish Russian officials responsible for the death of Sergei Magnitsky, a Russian accountant who was imprisoned after exposing a tax fraud scheme allegedly involving Russian government officials and who died under suspicious circumstances while in custody.[8] Specifically, the Sergei Magnitsky Rule of Law Accountability Act (“2012 Magnitsky Act”)—passed unanimously by the U.S. Congress in December 2012—sought to block certain Russian government officials and businessmen from entering the United States, froze their assets held by U.S. banks, and banned future use of the U.S. banking system.[9] Subsequent efforts to remove the 2012 Magnitsky Act sanctions serve as critical background for many of the allegations surrounding Russia’s purported efforts to interfere in the 2016 U.S. election.[10] There are presently 49 individuals sanctioned under authority granted by the 2012 Magnitsky Act.[11]

While events of the past year will give historians much fodder to assess the long-term geopolitical and even domestic political impact of economic sanctions, our purpose here is more limited: a recap of the continuing evolution of sanctions in 2017.

I. Major U.S. Program Developments

A. Russia

Title II of CAATSA, the “Countering Russian Influence in Europe and Eurasia Act of 2017” (“CRIEEA”), strengthened OFAC’s sectoral and secondary sanctions targeting the Russian Federation in several significant and unprecedented ways. CAATSA codified and amended the Russia sectoral sanctions that had been implemented during the Obama administration.[12] By adopting the Obama-era executive orders as statutory law, Congress sought to ensure that only congressional action can weaken or eliminate these sanctions.[13] CAATSA also authorized or mandated secondary sanctions with respect to certain activities, such as conducting malicious cyber-attacks or providing support to Russian energy export projects. Moreover, the statute, for the first time in any sanctions law, explicitly limited the President’s ability to license (exempt) transactions from sanctions prohibitions if the licensing “significantly alters United States’ foreign policy with regard to the Russian Federation.”[14]

In brief, CAATSA expanded the Obama administration’s sanctions targeting certain sectors of the Russian economy by reducing the maximum maturity period for new debt that U.S. persons can provide to designated Russian financial institutions from 30 to 14 days, and to designated Russian energy companies from 90 to 60 days.[15] CAATSA also expanded the Obama administration’s prohibition on the provision of goods, support, or technology to designated Russian entities relating to the exploration or production for deepwater, Arctic offshore, or shale projects that have the potential to produce oil in the Russian Federation.[16] CAATSA removed the limitation that such projects be located in Russia, instead targeting “new” oil projects worldwide in which a designated Russian person has a “controlling interest or a substantial non-controlling” ownership interest.[17]

OFAC’s Russia Sanctions 101

Whenever there is a change or expansion of U.S. sanctions policy, we find it useful to revisit some of the basic tenets of U.S. sanctions. As a matter of first principles, U.S. sanctions have two principal means of targeting an activity: (1) sanctioning persons for engaging in those activities; and/or (2) designating the activity as per se sanctionable.

Primary vs. Secondary Sanctions: When OFAC sanctions certain activities, it does so through primary or secondary sanctions. Under “primary” sanctions, U.S. persons who engage in prohibited activities (including dealing with an SDN or a sanctioned country) could face civil and criminal penalties, as could any person (U.S. or non-U.S.) who causes a violation to occur in U.S. territory, such as by causing a U.S. financial institution to process a prohibited transaction. Whereas U.S. persons often face civil and criminal penalties for engaging in prohibited transactions, secondary sanctions subject non-U.S. persons to indirect sanctions with different kinds of limitations that can vary from the relatively innocuous (e.g., blocking use of the U.S.’s export-import bank), to the severe (e.g., blocking use of the U.S. financial system or blocking all property interests).

SDN vs. SSI Designations: There are several types of ‘designations’ for purposes of OFAC’s Russia sanctions: most importantly, SDNs and Sectoral Sanctions Identifications (“SSIs”). U.S. persons are generally prohibited from dealing with any person or entity on the “SDN List” and all assets under U.S. jurisdiction that are owned or controlled by an SDN are frozen. Under the SSI or sectoral designations, U.S. persons are prohibited from engaging in certain types of activities with SSI entities. A sectoral designation does not result in a complete prohibition on all interactions as with SDNs, and SSI assets are not frozen. The precise restrictions on SSI entities are set forth in a series of “directives.”

CAATSA also sought to strengthen secondary sanctions targeting those non-U.S. persons who engage in activities ranging from undermining cybersecurity,[18] to investing in Russian crude oil projects,[19] evading sanctions and abusing human rights.[20] In expanding these measures, Congress dramatically increased OFAC’s workload for the final quarter of 2017, as CAATSA created numerous interpretative issues, reporting and designation requirements that consumed the remainder of the year. We analyze these measures in greater detail, as well as OFAC’s guidance and implementing regulations, in Trump Administration Implements Congressionally Mandated Russia Sanctions – Significant Presidential Discretion Remains (November 21, 2017).

Most recently, CAATSA required the imposition of secondary sanctions on any person the President determines to be engaging in “a significant transaction with a person that is part, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation.”[21] Those sanctions were due to be imposed within 180 days of the passage of CAATSA—by January 29, 2018.
On January 29, State Department representatives provided classified briefings to Congressional leaders to explain their decision not to impose any such sanctions under CAATSA.[22] Though the briefings were classified, the State Department revealed that the Trump administration felt that CAATSA was already having a deterrent effect which removed any immediate need to impose sanctions.[23] Some members of Congress expressed disapproval of the administration’s lack of action and accused the White House of failing to implement the law.[24] But the statutory language is nuanced, and the administration’s FAQs released in October 2017 indicated that—in line with similar language passed in 2010 with respect to sanctions on Iran—it would be taking a flexible approach to assessing violations under this provision.[25] While it is unknown what was said in the classified briefings, we are aware of numerous outreach missions that administration representatives have undertaken in order to deter foreign governments and corporations from engaging in such transactions. The publicized plans of certain governments to purchase substantial Russian munitions in 2018—such as Turkey’s proposal to procure S-400 surface-to-air missiles from Russia[26]—will test both the power of the law’s deterrence and potentially Congress’s patience.

CAATSA also required the Treasury Department to publish—also by January 29—a report identifying “the most significant senior foreign political figures and oligarchs in the Russian Federation.”[27] Just before midnight on January 29, the Treasury Department issued its report, publicly naming 114 senior Russian political figures and 96 oligarchs.[28] The inter-agency team charged with drafting the report used objective standards in drafting these lists—senior political figures included members of the Russian Presidential administration, members of the Russian Cabinet and senior executives at Russian state-owned enterprises.
For the oligarch list, OFAC included Russians with a net worth of U.S. $1 billion or more. All of these classifications appear to be based on information that is generally available in the public sphere. Although the report apparently includes a lengthy classified annex, it was not immediately clear what kind of information was included in that material.

Notably, there is no legal impact of appearing in this report. The Treasury Department noted in numerous places that this report “is not a sanctions list,” and “the inclusion of individuals or entities in any portion of the report does not impose sanctions on those individuals or entities.”[29] That there are no sanctions implications to such a listing was also a unique CAATSA innovation—never before has OFAC been charged with compiling and publishing a “name and shame” list with no concomitant sanctions. As a consequence, many financial institutions and private corporations on the outside of government have been uncertain how to handle transactions with counterparties who now appear on this list. To date, it appears that the breadth and objective nature of the list has substantially dulled the impact—a fact that many critics of the administration have noted. Even in Russia the impact has been surprisingly muted. It is noteworthy that even as President Putin’s senior representatives claimed that the list was the United States’ attempt to influence Russia’s upcoming presidential contest, Putin quickly announced that he would not be authorizing any retaliatory measures.
Aside from the considerable efforts required to implement CAATSA, OFAC added 38 more individuals and entities involved in the Ukraine conflict to the SDN List in June 2017.[30] The sanctioned parties included Ukrainian separatists and their supporters; entities operating in and connected to the Russian annexation of Crimea; entities owned or controlled by, or which have provided support to, persons operating in the Russian arms or materiel sector; and Russian Government officials.[31]

B. Iran

As expected, the Trump administration has taken a harsh posture toward Iran, using existing sanctions programs to designate numerous individuals and entities—including the head of Iran’s judiciary[32]—and threatening to abandon the JCPOA. Though specific licensing requests are confidential, our experience and understanding is that OFAC licensing of Iran-related transactions—even those in line with the JCPOA—has slowed considerably.

On October 13, 2017, President Trump refused to certify, under the authority granted to him by the Iran Nuclear Agreement Review Act (“INARA”) of 2015, that the sanctions relief under the JCPOA is “appropriate and proportionate” to the measures taken by Iran with respect to its nuclear program.[33] As we wrote this past October, President Trump’s refusal to make the certification kicked off a sixty-day period during which Congress could have enacted Iran-related sanctions legislation on an expedited basis. Congress allowed the sixty days to pass without taking action.

But Congress was not inactive on the Iran sanctions front. Although CAATSA’s Russia-related portions captured most of the headlines, Title I of CAATSA, the “Countering Iran’s Destabilizing Activities Act of 2017” (“CIDA”), imposed significant sanctions against Iran. CIDA targeted Iran’s ballistic missile program, the Iranian Revolutionary Guard Corps (“IRGC”), Iranian human rights abuses, and weapons transfers benefitting Iran.
CAATSA also codified the designations of persons pursuant to two executive orders and purports to limit the President’s ability to remove those persons from the SDN list.[34] We described the measures targeting Iran at length in our alerts, Congress Seeks to Force (and Tie) President’s Hand on Sanctions Through Passage of Significant New Law Codifying and Expanding U.S. Sanctions on Russia, North Korea, and Iran (July 28, 2017), and A Blockbuster Week in U.S. Sanctions (June 19, 2017).

On January 12, 2018, President Trump announced that he was giving the deal another 120 days to be “fixed.” Although the administration has not made clear the full nature of its concerns with the JCPOA, it has noted that the deal’s silence on Iran’s ballistic missile development and the existence of certain “sunset provisions” (after which any remaining sanctions would be permanently lifted) are high on the list of shortcomings. The announcement of this deadline (which expires in May 2018) set off a feverish set of negotiations with core European partners (the UK, Germany and France) and with Congress to develop new measures that will satisfy the President. As we have noted, the JCPOA is not a Senate-ratified treaty but rather an Executive Agreement. As such, the President has significant flexibility to remain in or to exit the Agreement. Given the President’s apparent willingness to unilaterally remove the United States from agreements that the Obama team negotiated (such as the Paris Climate Accord), we assess that even though it remains unclear how the situation will evolve, the President’s threat is unlikely to be perceived as a mere negotiating strategy.

C. North Korea

The relationship between the United States and the Democratic People’s Republic of Korea (“DPRK” or “North Korea”) deteriorated rapidly in 2017, resulting in new sanctions that target non-U.S. persons and foreign financial institutions for doing business with the Pyongyang regime.
Unlike many other aspects of the Trump administration’s foreign policy, the DPRK efforts have been decidedly multilateral—several United Nations Security Council resolutions against DPRK have been passed since Trump took office. These resolutions are described in greater detail in the European Union section of this Update.

Although successive U.S. administrations had tightened sanctions on North Korea—declaring a “national emergency” under the IEEPA in 2008, blocking hundreds of North Korean individuals and entities, banning imports in 2011 and exports in 2016[35]—the perception of the threat and the potential for a U.S. military response escalated rapidly under the Trump administration. In the early days of 2018, tensions between the United States and Pyongyang seem to have reached a fever pitch—with leaders on both sides claiming to have their finger on the nuclear launch button.[36]

North Korea’s characteristic bellicosity was apparent in its efforts to ramp up its domestic missile program in 2017. The DPRK fired more than 20 missiles from at least 16 different tests between February and December.[37] In July 2017—as the U.S. Congress was drafting expansive legislation to impose sanctions on Iran and Russia—North Korea tested two intercontinental ballistic missiles, claiming they could reach “anywhere in the world.”[38] In response, Congress added a new section targeting North Korea to the draft CAATSA, titled “Korean Interdiction and Modernization of Sanctions Act” (“KIMSA”).[39] CAATSA expanded sanctions that had previously been set forth by Congress in the North Korea Sanctions and Policy Enhancement Act of 2016, enabling the President to impose sanctions on foreign individuals and entities that historically provided an economic lifeline to the Pyongyang regime.
CAATSA strengthened sanctions aimed at North Korean economic activities and required the Secretary of State to submit a determination as to whether North Korea meets the criteria for designation as a state sponsor of terrorism. The Trump administration ultimately added North Korea to the state sponsors of terrorism list on November 20, 2017.[40]

On September 20, 2017, the Trump administration issued Executive Order 13810, imposing additional sanctions on North Korea.[41] This order borrowed from the Obama administration’s sanctions playbook by imposing sanctions on specific sectors and threatening to cut off access to the U.S. banking system for non-U.S. persons involved in North Korean trade. In the words of Treasury Secretary Steven Mnuchin, the order effectively put foreign banks “on notice that, going forward, they can choose to do business with the United States, or with North Korea, but not both.”[42]

This was not the first attempt to restrict North Korea’s access to the global banking community. In 2016, OFAC’s ban on the export of goods, technology, and services to North Korea included a prohibition on financial services.[43] Also in 2016, the Treasury Department classified North Korea as a “jurisdiction of primary money laundering concern” under Section 311 of the USA PATRIOT Act, 31 U.S.C. § 5318A, effectively prohibiting the use of correspondent accounts on behalf of North Korean financial institutions and requiring that U.S. financial institutions implement additional due diligence with regard to entities linked to North Korea.[44] However, the threat of the potential application of correspondent and payable-through banking restrictions on non-North Korean financial institutions in Executive Order 13810 was expected to have a more significant impact on North Korea than these other measures.
Executive Order 13810 also laid the groundwork for the imposition of sectoral sanctions by granting OFAC the authority to designate those involved in a long list of North Korean economic sectors: construction, energy, financial services, fishing, information technology, manufacturing, medical, mining, textiles, or transportation industries, as well as those who own, control, or operate any port in North Korea, and North Korean persons, including those engaged in commercial activity that generates revenue for the Government of North Korea or the Workers’ Party of Korea. Unlike with the Russian sectoral sanctions, however, a designation under Executive Order 13810 results in the blocking of all property and interests in property. Executive Order 13810 is described at length in our alert, In Latest Salvo, the Trump Administration Pressures Non-U.S. Companies and Persons to Cut Financial and Business Ties with North Korea.

Given that several members of the Trump administration have noted that the North Korea threat—and the effort to denuclearize the Korean peninsula—is the President’s “number one” foreign policy priority, we assess that more sanctions are likely in the near term. The Department of Justice (“DOJ”) has also been active in this arena—launching investigations, issuing grand jury subpoenas and acting against assets believed to be linked to North Korea. In August 2017, the DOJ resolved an $11 million money laundering and asset forfeiture matter for actions allegedly associated with North Korean financial facilitators.[45]

Notably, in the last few weeks we have seen a warming relationship between North and South Korea. Whether this signifies a permanent improvement in diplomatic relations on the Korean peninsula, or a brief respite ahead of the Winter Olympics, remains to be seen. Either way, multinational corporations would be wise to observe any daylight that develops between Seoul and Washington sanctions policies with respect to North Korea.
A divergence in the approach to North Korean sanctions between these major players could lead to significant challenges.

D. Cuba

As we noted last year, the final year of the Obama administration brought about a series of important changes to the Cuba sanctions regime. This summer, President Trump announced that he was “canceling” President Obama’s “one-sided deal”[46] with Havana.

In November, the Departments of the Treasury, Commerce, and State began to implement significant changes to the United States’ Cuba sanctions regime. Though the previous administration’s actions were not entirely removed—and have not been as of this writing—the Trump administration did roll back several of the Obama administration’s changes to United States sanctions policy with respect to Cuba.

As noted, on June 16, 2017, President Trump announced that his administration would reimpose some of the sanctions on Cuba that were relaxed under President Obama. According to a fact sheet that the White House issued at the time, the new Cuba policy aims to keep the Grupo de Administración Empresarial (“GAESA”), a conglomerate run by the Cuban military, from benefiting from the opening in U.S.-Cuba relations.[47] The fact sheet further elaborated that the new policy purports to enhance existing travel restrictions to “better enforce the statutory ban” on U.S. tourism to Cuba, including limiting travel for non-academic educational purposes to group travel and prohibiting individual travel permitted by the Obama administration.[48] At the time, President Trump directed the Departments of the Treasury and Commerce to begin the process of issuing new regulations within 30 days of the announcement.[49] We described the policy change in our alert, A Blockbuster Week in U.S. Sanctions (June 19, 2017).
On November 8, 2017, OFAC, the Commerce Department’s Bureau of Industry and Security (“BIS”), and the State Department released amendments to the Cuban Assets Control Regulations (“CACR”) and Export Administration Regulations (“EAR”), implementing the changes.[50] Additionally, while certain transactions with Cuban parties by U.S. persons remain permitted, the CACR now prohibit transacting with entities listed on the State Department’s new “Cuba Restricted List” (or the “List”), which was released simultaneously and consists of Cuban entities that the administration considers to be “under the control of, or act for or on behalf of, the Cuban military, intelligence, or security services personnel.”[51] Notably, these provisions, when viewed together with the increased restrictions, muddy the already difficult-to-navigate regulatory waters.

The new OFAC and BIS amendments cover three main areas:

1. The OFAC amendments now prohibit U.S. persons and entities from engaging in direct financial transactions with entities listed on the Cuba Restricted List, while the BIS amendments state that BIS will generally deny license applications for the export of items for use by entities on the list.[52] The List includes over 175 entities and sub-entities that operate in a variety of economic sectors, notably, over 80 of which are hotels.[53] The focus on hotels directly impacts the Obama-era sanctions relief that had led to an increase in U.S. visits to the island, as even permitted visitors will now have a difficult time finding appropriate accommodation. These changes have already led to a retrenchment and reduction in U.S. visitors.

2. The OFAC amendments restrict people-to-people travel that had previously been authorized, requiring, among other things, that nonacademic educational travel be conducted under “the auspices of an organization that is a person subject to U.S. jurisdiction and that sponsors such exchanges to promote people-to-people contact” and that such travelers are accompanied by a representative of that organization and participate in a full-time schedule of activities.[54]

3. BIS has simplified the Support for the Cuban People License Exception to the Cuba Embargo, now allowing for the export of all EAR99 items (and those controlled only for anti-terrorism reasons on the Commerce Control List) to Cuba, provided the intended end user is in the Cuban private sector.[55]

Three months after the issuance of these amendments, it is still unclear whether a complete pivot with respect to U.S. policy towards Cuba is in the making. Undoubtedly, there are signals that a full reversal is possible: in addition to President Trump’s rhetoric and the recent amendments, 2017 witnessed stories concerning attacks on U.S. (and other) diplomats in Havana and the expulsion of various Cuban diplomats from the United States. At the very least, the Trump administration’s policy has served to chill the considerable interest that had developed in investments in Cuba.

E. Venezuela

Throughout 2017, Venezuela’s President Nicolás Maduro and his supporters moved to consolidate their power. In March 2017, Venezuela’s Tribunal Supremo de Justicia ruled that it was taking over all powers of the Asamblea Nacional.[56] Although the court later revised its ruling, months of protests ensued, and Maduro supporters elected a purported replacement legislature, the Asamblea Constituyente, in an election that was widely boycotted by Maduro’s opposition.[57] Amidst this political upheaval, Venezuela’s economy—which is largely dependent on the state-owned oil company, Petróleos de Venezuela, S.A. (“PdVSA”)—has been in sharp decline.
In response to the Maduro government’s efforts to undermine its political opposition, the United States slowly increased and expanded its economic sanctions against Venezuela, focusing on blocking the property and interests of key figures in the Maduro government and on financial sanctions that make it more difficult for the Maduro government and PdVSA to raise new money.

OFAC’s first steps against individual persons associated with the Maduro government took the form of blocking designations in March 2015, and OFAC followed these with additional designations in May and November 2017.  OFAC’s initial March 2015 designations were made pursuant to EO 13692[58] and targeted a short list of seven officials in response to their roles in the erosion of human rights guarantees, persecution of political opponents, curtailment of press freedoms, use of violence and human rights violations and abuses in response to antigovernment protests, arbitrary arrest and detention of antigovernment protestors, and significant public corruption.  These officials occupied positions in Venezuela’s intelligence, security, prosecutorial, and defense services.

The May and November 2017 designations targeted both former and current officials.  They included President Maduro (for engineering the election of the Asamblea Constituyente), eight members of the Tribunal Supremo de Justicia (for efforts to obstruct the Asamblea Nacional)[59] and members of the Consejo Nacional Electoral who interfered in regional elections in October 2015.  Others designated include the second Vice President of the Asamblea Constituyente, its former second Vice President and now Ambassador to Italy, the current Cultural Minister, and the Minister of Urban Agriculture.[60]  Two government officials were also designated under the authority of the Foreign Narcotics Kingpin Designation Act (the “Kingpin Act”) for playing significant roles in narcotics trafficking.
On August 24, 2017, President Trump issued an executive order imposing sanctions targeting transactions involving debt and equity of the Venezuelan government, including PdVSA.  These restrictions borrowed from the Russian sanctions of 2014 and were based on a similar set of policy constraints—namely, even though it might be possible for U.S. sanctions to inflict devastating harm on economic targets in Venezuela, the collateral consequences of doing so (to the United States and its allies) would potentially be too serious.  Consequently, a lesser set of sanctions—a “grey list”—was required.

As such, the following activities are now prohibited without OFAC authorization.  As under other sanctions programs, the prohibitions apply not only to the entities specifically targeted in the executive order (i.e., the Government of Venezuela and PdVSA), but also to any entity that is at least 50% owned or controlled by the targeted entities (for example, subsidiaries of PdVSA or entities owned or controlled by the Government of Venezuela).[61]

In brief, the executive order prohibits U.S. persons from transactions involving new debt of PdVSA with a maturity of greater than 90 days, or new debt of the Government of Venezuela (other than PdVSA) with a maturity of greater than 30 days.  U.S. persons are also prohibited from transacting in new equity of the Government of Venezuela, including PdVSA.  The term “equity,” as described in OFAC’s FAQs, “includes stocks, share issuances, depositary receipts, or any other evidence of title or ownership.”  This prohibition covers only equity “directly or indirectly” issued by the Government of Venezuela—including PdVSA—after the effective date of the sanctions, but, as described below, transactions involving equity issued by third parties may also be prohibited if the Government of Venezuela is the seller.  This limitation on purely secondary market sales of debt is new and was not implemented in the Russia program.
The executive order also prohibits U.S. persons from engaging in any transactions relating to Venezuelan government (or PdVSA) bonds, even if issued prior to the effective date of the sanctions, with the exception of those covered by the general license described below.  OFAC explains this provision (and others in the executive order) as an effort to “prevent U.S. persons from contributing to the Government of Venezuela’s corrupt and shortsighted financing schemes,” including the sale of bonds and other securities “for much less than they are worth at the expense of the Venezuelan people and using proceeds from these sales to enrich supporters of the regime.”

The executive order also prohibits the involvement of U.S. persons in transactions relating to dividend payments to the Government of Venezuela from entities owned or controlled by the Government of Venezuela.  This provision restricts the flow of dividends from subsidiaries—including CITGO—up to PdVSA and the Venezuelan government.  This has proven a challenge for many companies active in Venezuela: the nationalization efforts under the prior Chávez regime converted the operations of many foreign firms into joint ventures majority-held by PdVSA or the Government of Venezuela (the “empresas mixtas”).

Finally, U.S. persons are prohibited from purchasing any securities, including those issued by non-sanctioned third parties, directly or indirectly from the Government of Venezuela, except for new debt with maturities of less than 90 days (for PdVSA) or 30 days (for all other portions of the Venezuelan government).

In connection with its financial sanctions, OFAC has issued four general licenses.
General License 1 provided for a wind-down period of 30 days—until September 24, 2017—to carry out transactions that are “ordinarily incident and necessary to wind down contracts or other agreements that were in effect prior to August 25, 2017.”  The wind-down period did not apply to the prohibitions relating to dividends and distributions of profits, and persons engaging in such wind-down transactions were required to file a detailed report with OFAC.

General License 2 authorizes transactions involving new debt or new equity issued by, or securities sold by, CITGO Holding, Inc. or its subsidiaries, provided that no other Government of Venezuela entity is involved in the transaction.  This very significant general license effectively carves CITGO out of the new sanctions, provided that U.S. persons are careful not to permit any other involvement by PdVSA or the Government of Venezuela in the transaction.

General License 3 exempts certain bonds, listed in an annex, from the prohibition on transactions involving Venezuelan bonds.  Several bonds issued by PdVSA are listed in the annex.  General License 3 also exempts bonds issued by U.S. persons (e.g., CITGO) prior to the issuance of the executive order.

General License 4 authorizes certain transactions relating to new debt involving agricultural commodities (including food), medicine, or medical devices.

In late 2017, Venezuelan bonds fell into technical default as some payments were delayed.  Though the Government has appeared to continue juggling accounts to remain out of a more formalized default situation—which could have serious consequences, as bonds could become due automatically and immediately—the sanctions have made traditional renegotiation of the debt challenging.
Maduro has appointed two individuals, Vice President Tareck El Aissami and Economy Minister Simon Zerpa, to lead his government’s efforts in any renegotiation; both men are on the SDN List, making it uncomfortable for any financial institution to enter into negotiations with them.[62]

An additional complexity in the Venezuelan situation came about with Maduro’s announcement that his government was issuing a new “cyber currency” to thwart any impact of the restrictions on the U.S. dollar that came about due to sanctions.  In response, OFAC issued its first FAQ discussing cyber currencies.  Though perhaps not broadly applicable to the world’s more mainstream cyber currencies, it is noteworthy that OFAC held that its jurisdiction explicitly extended to the use of any new Venezuelan cyber currency and that U.S. persons could face sanctions consequences if they undertook dealings in the new currency.[63]

F.     Sudan

In January 2017, the Obama administration revoked most of the Sudanese Sanctions Regulations (“SSR”) by general license, subject to a six-month review period.[64]  After a brief extension of the review period, the Trump administration finalized the revocation of the SSR effective October 12, 2017.  Historically, the SSR had included a trade embargo, a prohibition on the export or re-export of U.S. goods, technology and services, a prohibition on transactions relating to Sudan’s petroleum or petrochemical industries, and a freeze on the assets of the Sudanese government.  Under the separate Darfur Sanctions Regulations (“DSR”), the United States blocked property belonging to those connected to the conflict in Darfur.  The DSR remain in place, as do the designations of numerous Sudanese persons.

II.    U.S. Enforcement

A.     Selected OFAC Enforcement Actions

2017 was a busy year for OFAC enforcement actions.
OFAC assessed over $119 million in collective civil penalties in 16 enforcement actions; however, four cases represent roughly 96% of the penalties issued.  Notably, one enforcement action against a Chinese entity, Zhongxing Telecommunications Equipment Corporation, which resulted in the highest penalty of the year and OFAC’s largest penalty ever imposed on a non-financial institution (over $100 million), may have foreshadowed a growing enforcement trend for 2018—cracking down on Chinese companies working with jurisdictions under comprehensive U.S. sanctions (such as Iran, North Korea, Cuba, Syria and the Crimea Region of Ukraine).

Zhongxing Telecommunications Equipment Corporation[65]

On March 7, 2017, Zhongxing Telecommunications Equipment Corporation and its subsidiaries and affiliates (collectively, “ZTE”) agreed to settle their potential civil liability for 251 apparent violations of the Iranian Transactions and Sanctions Regulations (“ITSR”) for $100,871,266.  ZTE is a telecommunications corporation established in the People’s Republic of China.

According to the settlement documents, from January 2010 to March 2016, ZTE developed and implemented a company-wide plan that used third-party companies to conceal ZTE’s illegal business activities with Iran.  ZTE’s highest-level management had specific knowledge of the legal risks of engaging in such activities prior to signing contracts with Iranian customers and supplying U.S.-origin goods to Iran.  Under these contracts, ZTE committed to the procurement and delivery of U.S.-origin goods to Iran.  Some of the delivered goods were controlled for anti-terrorism, national security, regional stability, and encryption item reasons.  ZTE was also contractually obligated to, and did in fact, enhance the law enforcement surveillance capabilities and features of Iran’s telecommunications facilities and infrastructure.

OFAC determined that ZTE willfully and recklessly demonstrated a disregard for U.S.
sanctions requirements and that the 251 apparent violations constituted an egregious case.  In making its determination, OFAC considered the following facts and circumstances: (1) various executives and senior executives knew or had reason to know of the conduct that led to the apparent violations and engaged in a long-term pattern of conduct designed to hide and purposefully obfuscate that conduct; (2) the conduct was undertaken pursuant to directives and business processes that were illegitimate in nature and specifically designed and implemented to facilitate the violative behavior; (3) ZTE caused significant harm to the integrity of the ITSR and its associated policy objectives; and (4) ZTE is a sophisticated and experienced telecommunications company that has global operations and routinely deals in goods, services, and technology subject to U.S. laws.

ExxonMobil Corp.[66]

On July 20, 2017, ExxonMobil Corp. and its U.S. subsidiaries (collectively, “ExxonMobil”) were penalized in the amount of $2,000,000 for violating the Ukraine-Related Sanctions Regulations by engaging in business with Igor Sechin, the President of Rosneft OAO, who has been identified on the SDN List.  ExxonMobil and Mr. Sechin signed legal documents related to oil and gas projects in Russia approximately one month after OFAC had designated Mr. Sechin as an SDN.  ExxonMobil explained that it interpreted the related White House press statements as establishing a distinction between Mr. Sechin’s “professional” and “personal” capacities, citing a news article that quoted a Treasury Department representative as saying that a U.S. person would not be prohibited from participating in a meeting of Rosneft’s board of directors.  OFAC considered ExxonMobil’s arguments and determined that the penalty accurately reflects OFAC’s consideration of the underlying facts and circumstances.  Specifically, OFAC considered the following: (1) ExxonMobil failed to consider warning signs associated with Mr. Sechin; (2) ExxonMobil’s senior executives knew of Mr. Sechin’s status as an SDN; and (3) ExxonMobil is a sophisticated and experienced oil and gas company that routinely deals in business activities subject to U.S. economic sanctions.

This penalty—and in particular the seeming removal of any distinction between personal and professional capacities—was met with surprise and concern in the OFAC bar.  ExxonMobil is currently challenging OFAC’s decision in federal court.

CSE Global Limited and CSE TransTel Pte. Ltd.[67]

On July 27, 2017, CSE TransTel Pte. Ltd. (“TransTel”), a wholly owned subsidiary of CSE Global Limited (“CSE Global”), agreed to pay $12,027,066 to settle its potential civil liability for 104 apparent violations of the International Emergency Economic Powers Act (“IEEPA”) and the ITSR.  Both TransTel and CSE Global are located in Singapore and offer telecommunications and technological services around the world.  The CSE Global case appeared to expand OFAC jurisdiction—at least explicitly—to cases in which non-U.S. parties “cause” U.S. entities to violate their sanctions obligations.

From August 25, 2010 through November 5, 2011, TransTel entered into contracts with multiple Iranian companies to deliver and install telecommunications equipment for several energy projects in Iran or its territorial waters.  To fulfill its contracts, TransTel hired and engaged a number of third-party vendors, including several Iranian companies, to provide goods and services on its behalf.  In April 2012, the Singaporean bank that maintains TransTel’s and CSE Global’s accounts sent them a letter containing sanctions warnings, to which TransTel and CSE Global responded that they would not route any transactions related to Iran through the bank.  From June 2012 to March 2013, TransTel nonetheless used the bank’s services for its Iranian business activities by initiating wire transfers destined for multiple third-party vendors that supplied goods and services for its energy projects in Iran.
OFAC determined these apparent violations to be an egregious case, and considered the following facts and circumstances in its decision: (1) TransTel willfully and recklessly caused apparent violations of U.S. economic sanctions by engaging in, and systematically obfuscating, conduct it knew to be prohibited; (2) TransTel’s senior management played an active role in the wrongful conduct; (3) TransTel’s actions conveyed significant economic benefit to Iran and persons on OFAC’s SDN List by processing dozens of transactions through the U.S. financial system that totaled $11,111,812 and benefited Iran’s oil, gas, and power industries; and (4) TransTel is a commercially sophisticated company that engages in business in multiple countries.  OFAC considered the following to be mitigating factors: (1) TransTel had not received a penalty notice or cautionary letter from OFAC in the five years preceding the violations; (2) TransTel and CSE Global have undertaken remedial steps to ensure compliance with U.S. sanctions programs; and (3) TransTel and CSE Global provided substantial cooperation during the course of OFAC’s investigation.

DENTSPLY SIRONA Inc.[68]

On December 6, 2017, DENTSPLY SIRONA Inc. (“DSI”), a Delaware corporation, agreed to pay $1,220,400 to settle its potential civil liability for 37 apparent violations of the ITSR.  Specifically, two of DSI’s subsidiaries exported 37 shipments of dental equipment and supplies from the United States to distributors in third countries, with actual or constructive knowledge that the goods were destined for Iran.
OFAC determined that the apparent violations constituted a non-egregious case and considered the following facts and circumstances: (1) DSI’s two subsidiaries acted willfully by exporting U.S.-origin dental products to third-country distributors with knowledge or reason to know that the exports were ultimately destined for Iran; (2) personnel from these subsidiaries concealed the fact that the goods were destined for Iran, and in multiple cases continued to conduct business with these distributors after receiving confirmation that the distributors had re-exported DSI products to Iran; (3) several supervisory personnel had actual knowledge of the conduct and appear to have deliberately concealed their awareness from DSI; (4) DSI had not received a penalty notice in the five years preceding the violations; (5) the harm to ITSR objectives was limited because the exports were likely eligible for a specific license; and (6) DSI took remedial steps, including a voluntary expansion of the review to include a company-wide inquiry.

Habib Bank Limited[69]

In 2017, the New York Department of Financial Services (“DFS”) continued its pursuit of sanctions compliance enforcement against major banks.  In furtherance of this goal, DFS’s new regulation, Part 504, which sets forth the requirements for all DFS-licensed institutions and their use of sanctions screening programs, took effect on January 1, 2017.  On September 7, 2017, DFS issued a consent order against Habib Bank Limited (“Habib”) and its New York branch, imposing a $225 million penalty for persistent BSA/AML and sanctions compliance failures.  Habib is currently Pakistan’s largest bank.  Pursuant to the order, Habib agreed that it failed to maintain an effective AML and OFAC compliance program; failed to maintain true and accurate books and records; operated in an unsafe and unsound manner; and violated provisions of a prior written agreement and consent order.
Prior to issuing the consent order, DFS had issued a “Notice of Hearing and Statement of Charges,” seeking to impose a nearly $630 million civil penalty against the Pakistani bank.  Habib will surrender its license to operate its New York branch until it fulfills the conditions outlined in DFS’s separate Surrender Order.  As part of the conditions it must fulfill, Habib must complete an expanded transactional “lookback” to be conducted by an independent consultant.  As of this writing, Habib has decided to cease operations in New York.

III.     European Union

In 2017, the European Union (the “EU”) stayed the course from 2016.  The key sanctions programs on Russia/Ukraine/Crimea and Iran were prolonged while further sanctions regulations were adopted, namely with respect to Mali and Venezuela.  Additional actions were also seen in the fast-moving DPRK sanctions and, in a noticeable development, in an enhancement of sanctions enforcement actions across Europe.

A.     Legislative developments

Mali

On September 28, 2017, European Union Council Decision (CFSP) 2017/1775 implemented UN Resolution 2374 (2017), which imposes travel bans and asset freezes on persons who are engaged in activities that threaten Mali’s peace, security or stability.  Interestingly, the imposition of this regime was requested by the Malian Government, due to repeated ceasefire violations by militias in the north of the country.  Affected persons will be determined by a new Security Council committee, which has been set up to implement and monitor the operation of this new regime and will be assisted by a panel of five experts appointed for an initial 13-month period.  As yet, no one has been designated under the Mali sanctions.

Venezuela

Finally following the U.S. lead on Venezuela sanctions, on November 13, 2017 the EU Council decided to impose an arms embargo on Venezuela and to introduce a legal framework for travel bans and asset freezes against those involved in human rights violations and non-respect for democracy or the rule of law.[70]  Subsequently, on January 22, 2018, an initial list of seven individuals subject to these sanctions was published.  Though these measures are not yet as severe as U.S. measures on Venezuela—and the Council stated that the sanctions can be reversed if Venezuela makes progress on these issues—the Council was also explicit in its warning that the sanctions may be expanded if the situation deteriorates.[71]

North Korea

As noted above with respect to U.S. measures, the events on the Korean Peninsula in 2017 also gave rise to significant new EU measures against the DPRK.  The UN has been very active on DPRK issues, and the EU has both been supporting such measures and expending significant efforts to implement them across the bloc’s 28 members.  On June 2, the UN Security Council designated a further four entities and 14 officials as subject to travel bans and asset freezes, including Cho Il U, believed to be the Director of North Korea’s overseas espionage operations and foreign intelligence collection.

In early August, the UN Security Council unanimously passed Resolution 2371 (2017), which introduced fresh sanctions against North Korea, including: (i) a full ban on coal, iron and iron ore (which, at $1 billion, is estimated to represent about a third of North Korea’s export economy); (ii) the addition of lead and lead ore to the banned commodities subject to sectoral sanctions; (iii) a ban on seafood exports from North Korea; and (iv) the expansion of financial sanctions by prohibiting new or expanded joint ventures and cooperative commercial entities with the DPRK.
Demonstrating the significant developments in North Korean sanctions in 2017, in August the EU consolidated its existing North Korea sanctions into Council Regulation 2017/1509, a move deemed necessary in view of the numerous amendments that had been made to the previous Council Regulation 329/2007.  It also issued an updated decision, Council Decision (CFSP) 2017/1512, amending Council Decision (CFSP) 2016/849, to reflect these changes.

The UN Security Council duly adopted Resolution 2375 (2017) on September 11, 2017, which includes: (i) a ban on textile exports (North Korea’s second-biggest export at over $700m per year); (ii) limits on imports of crude oil and oil products to the amount imported by the exporting country in the preceding year; (iii) a prohibition against all joint ventures or cooperative entities or the expansion of existing joint ventures with North Korean entities or individuals; and (iv) a ban on new visas for North Korean overseas workers.  These measures were watered down from the original restrictions called for by the United States, so as to ensure that Russia and China would not veto the proposals.  The United States had initially sought a total prohibition on exports of oil into North Korea, stricter restrictions on North Koreans working in foreign countries, enforced inspections of ships suspected of carrying UN-sanctioned cargo, and a complete asset freeze against Kim Jong-Un.

In November, the EU imposed further restrictions via Council Regulation (EU) 2017/2062, which: (i) broadened the ban on investment of EU funds in or with North Korea to all economic sectors; (ii) reduced the permissible amount of personal remittances to North Korea from €15,000 to €5,000; and (iii) at the Council’s invitation to review the existing list of luxury goods subject to import/export bans, published a new list, which covers everything from caviar, cigars and horses to artwork, musical instruments and vehicles.
Finally, rounding off the year, the UN adopted Resolution 2397 (2017) on December 22, which inter alia: (i) strengthens the measures regarding the supply, sale or transfer to North Korea of all refined petroleum products, including diesel and kerosene, and reduces to 500 million barrels per 12-month period the permitted maximum aggregate of refined petroleum product exports to North Korea; (ii) limits the supply, sale or transfer of crude oil by Member States to the DPRK to 4 million barrels or 525,000 tons per 12-month period; (iii) expands sectoral sanctions by introducing a ban on North Korean exports of food and agricultural products, machinery, electrical equipment, earth and stone, wood and vessels, as well as a prohibition against the sale of North Korean fishing rights; (iv) introduces a ban on the supply, sale or transfer to North Korea of all industrial machinery, transportation vehicles, iron, steel and other metals; (v) strengthens the ban on providing work authorizations for North Korean nationals by requiring Member States to repatriate all income-earning North Koreans and all North Korean government safety oversight attachés monitoring North Korean workers abroad by December 22, 2019; and (vi) strengthens maritime measures by requiring Member States to seize, inspect and freeze any vessel in their ports and territorial waters for involvement in banned activities.

As North Korea’s missile and nuclear programs show no signs of being halted, we expect that the international community will continue to expand the restrictive measures imposed against North Korea in the coming year.  Indeed, already in 2018, the EU has designated a further 17 North Korean individuals through Regulation 2018/87.  Though it is unlikely that the EU will get ahead of the U.S. or the UN, the bloc has been cohesive among the 28 on the necessity of applying pressure on the Pyongyang regime.
Russian Federation

On December 21, 2017, the EU once again extended the economic sanctions adopted in 2014 in response to Moscow’s annexation of Crimea and Sevastopol and the continued and deliberate destabilization of Ukraine.  The economic sanctions are currently extended until July 31, 2018.  Also, the listing of numerous Russian entities and individuals as targets of financial sanctions, including measures such as asset freezes and the prohibition on providing funds or economic resources, remained in place and was further extended.

These measures also continue to include a number of trade restrictions and limitations on access to the EU capital markets for major Russian majority state-owned financial institutions and major Russian energy companies.  In particular, in accord with U.S. measures, the EU sanctions regulations prohibit the sale, supply, transfer or export of products to any person in Russia for oil and natural gas exploration and production in waters deeper than 150 meters, in the offshore area north of the Arctic Circle, and for projects that have the potential to produce oil from resources located in shale formations by way of hydraulic fracturing.  The provision of associated services (such as drilling or well testing) is also prohibited, whilst authorization must be sought for the provision of technical assistance, brokering services and financing relating to the above.

The trade of dual-use goods and technology is also restricted: it is prohibited to sell dual-use goods and technology to Russian military users, and prior authorization must be sought for the sale of such goods and technology to all non-military users in Russia.  The provision of goods and technology listed in the Common Military List is prohibited, while the supply of certain fuels used for rockets and space technology is subject to prior authorization.
Note that there are exceptions for certain contracts concluded before 2014, for ancillary contracts necessary for the execution of contracts concluded before 2014, and when the provision of services is necessary to prevent an event likely to significantly impact human health.  In addition, the assets of certain natural and legal persons have been frozen, and member states may only authorize the release of certain frozen funds or economic resources to satisfy the basic needs of those persons and their dependents, for payment of reasonable professional fees, for payment under contracts concluded before the sanctions, and for claims secured by an arbitral decision rendered prior to the sanctions.

Statements made by the EU and the responsible German authority clearly indicated the importance of EU sanctions and their implementation.  Unlike with the DPRK sanctions, the continuation of the Russia sanctions continues to provoke dissent among some of the EU’s members.  Time will tell whether this dissenting bloc will eventually coalesce around a shared position and formally prevent the EU from continuing any measures against Moscow.

Crimea and Sevastopol

As the EU still does not recognize the annexation of Crimea and Sevastopol by Russia, it imposes sanctions against these territories as Ukrainian territory.[72]  The measures, which include an import ban on goods from Crimea and Sevastopol, restrictions on trade and investment relating to a wide variety of economic sectors and infrastructure projects, as well as an export ban for certain goods and technologies relating to the transport, telecommunication, energy and mineral resources sectors, have been extended until June 23, 2018.[73]  These restrictions are nearly identical to those in place in the United States.

Iran

Divergence between U.S. and EU Sanctions:  A Hypothetical

Any divergence between U.S. and EU sanctions has the potential to cause significant compliance hurdles for multinational companies.
To take a hypothetical example: a German company is selling a product to Iran, and the product and the Iranian counterparty are not subject to any EU sanctions, yet they are subject to U.S. sanctions.  The contract is signed, the product is ready for shipping and the Iranian counterparty has set aside the necessary funds.  To now conclude the transaction, the German company cannot rely on a U.S. dollar transaction, as the U.S. clearing bank is likely to reject the transaction or freeze the funds.  The U.S. dollar transaction or any other U.S.-related business dealings could create a U.S. nexus, leaving the transaction and eventually the German company in breach of U.S. sanctions.  Even if the German company had decided to finance the transaction in euros, business practice since Implementation Day has shown that (because most banks rely on access to the U.S. financial system) only a very limited number of international banks are willing to take the risk of accommodating such a transaction, fearing retaliation from U.S. regulators.

As set out in our 2016 Year-End Sanctions Update, the European Council lifted all nuclear-related economic and financial EU sanctions against Iran on January 16, 2016 pursuant to Iran’s compliance with the JCPOA.  Nonetheless, some restrictions remain in force.  The remaining measures in force include those related to violations of human rights adopted in 2011, and comprise an asset freeze and visa bans for individuals and entities responsible for grave human rights violations and a ban on exports to Iran of equipment which might be used for internal repression and of equipment for monitoring telecommunications, as well as nuclear and ballistic missile technology.  These measures were recently extended until April 13, 2018.

EU Rosneft Judgement

One European judicial outcome in 2017 is especially noteworthy.
In March 2017, the Court of Justice of the EU (CJEU) established its jurisdiction to rule on matters of the EU’s common foreign and security policy, which is an area of fierce contention between Brussels and national governments seeking to maintain sovereignty.[74]  The case, which was referred by the UK High Court, concerned Russian oil company Rosneft’s challenge to the validity of EU sanctions against Russia regarding restricted access to the EU’s capital markets and the provision of financial assistance related to the supply of key equipment for the Russian oil sector.  While the CJEU in a first step confirmed the validity of the EU Russia sanctions, it also addressed important questions regarding the scope of the imposed sanctions.[75]

In interpreting “financial assistance” under Article 4(3)(b) of EU Regulation 833/2014, which requires prior authorization if related to the sale, supply, transfer or export of specified equipment for the Russian oil sector, the UK government and the European Commission both interpreted the term broadly to include payment services.[76]  However, the CJEU rejected this view and stated that financial assistance in this case “does not include the processing of a payment, as such, by a bank or other financial institution.”[77]  This was in line with arguments made by Rosneft and the intervening German government that the mere processing of a third-party payment is different from providing active and substantive support, which must be comparable to loans, credits or export credit insurance.[78]

This interpretation threatens to further distance U.S. and EU sanctions.  This more limited approach is in opposition to U.S. views, in which prohibitions on dealings with certain actors almost always include the use of financial institutions under U.S. jurisdiction to provide services to sanctioned parties.  It remains to be seen how European banks—eager to engage in legal business but also to remain compliant with U.S. regulations so as to maintain their own U.S. correspondent banks—will adjust to this more flexible approach.

IV.     United Kingdom

Legislative developments

Policing and Crime Act 2017 and accompanying guidance

Part 8 of the Policing and Crime Act 2017, which came into force on April 1, 2017, strengthened the UK’s sanctions enforcement by increasing the maximum custodial sentence for violating sanctions rules from two to seven years.  Additionally, it expanded the list of offences amenable to a deferred prosecution agreement (“DPA”), giving the National Crime Agency and the Office of Financial Sanctions Implementation (“OFSI”) more scope to offer DPAs—which can still only be entered into by the Serious Fraud Office and the Crown Prosecution Service—and to impose Serious Organized Crime Prevention Orders.

Importantly, it also gives OFSI new powers—this still-new agency is slowly building up its authorities and has established a strong track record in its brief existence.  The Policing and Crime Act gives the agency the power to impose, as an alternative to criminal prosecution and by reference to the civil standard of proof, monetary penalties for infringements of EU/UK sanctions.  OFSI can impose penalties of either £1 million or 50% of the value of the breach, whichever is greater.  The lower evidential burden to impose the new civil penalties means that OFSI need only be satisfied on the balance of probabilities that a person (legal or natural) acted in breach of sanctions and knew or had reasonable cause to suspect that they were in breach.

The Act also addresses the delay between the United Nations Security Council adopting a financial sanctions resolution and the EU adopting an implementing regulation, which can take over a month.  OFSI can adopt temporary regulations to give immediate effect to the UN’s resolutions, as if the designated person were included in the EU’s consolidated list.
OFSI put this power into practice in June of this year by adding a militia leader, Hissene Abdoulaye, to its consolidated list of Central African Republic sanctions targets before the EU had done so. Businesses relying on a version of the EU’s consolidated list prepared by the European Union, or by a member state other than the United Kingdom, may miss fast-track listings made by the UK in this manner. The UK has also enacted the Policing and Crime Act (Financial Sanctions) (Overseas Territories) Order 2017 to extend these short-term fast-track listings to its offshore financial centers of the Cayman Islands, the British Virgin Islands and the Turks and Caicos Islands.

In a number of interviews this year, OFSI head Rena Lalgie has given further indications of how the body will enforce sanctions compliance. According to Ms. Lalgie, “voluntary disclosure will be an important part of determining the level of any penalties that might be imposed.” OFSI has already said in its Guidance that companies that voluntarily come forward will see reductions in fines of up to 50% in “serious” cases and 30% in the “most serious” cases. This is a very similar process to the mitigation provided by OFAC to entities engaging in voluntary disclosure. Ms. Lalgie also made the following noteworthy comment: “preventing and stopping non-compliance and ensuring compliance improves in the future.” The agency has used its information powers numerous times to “require companies which haven’t complied to tell [OFSI] how they intend to improve their systems and controls in future.” Any continuing sanctions non-compliance could lead to criminal prosecution, with fines “fill[ing] the gap between prevention and criminal prosecution”. The most important actions a company can take to avoid violating sanctions rules are to “know [its] customers and promote active awareness among relevant staff of high-risk areas”. Ms. Lalgie believes that a company also ought to know what sanctions are in place in the countries in which it does business and have appropriate, up-to-date procedures that are regularly monitored and understood by staff.

In April 2017, and after a public consultation, OFSI published its final Guidance on the new financial sanctions framework, providing detailed guidelines relating to the imposition of the new civil monetary penalties. For further information about the consultation, please see our 2016 Year-End United Kingdom White Collar Crime Alert. The final OFSI Guidance on monetary penalties was also published in April 2017. It provides a detailed overview of OFSI’s approach to investigating potential breaches, as well as the penalty process and procedures for review and appeal. Of note are the following key points from the guidance:
Penalties can be imposed on natural or legal persons, meaning that separate penalties could be imposed on a legal entity and the officers who run it, if the officer consented to or connived in the breach, or the breach was attributable to the officer’s negligence;
OFSI will regularly publish details of all monetary penalties imposed, including the name of the person or company in breach and a summary of the case; and
Under sections 147(3)-(6) of the Policing and Crime Act 2017, decisions to impose a penalty can be reviewed by a government minister and then by appeal to the Upper Tribunal.

In OFSI’s “penalty matrix,” factors which may escalate the level of penalty imposed include the direct provision of funds or resources to a designated person, the circumvention of sanctions, and the actual or expected knowledge of sanctions and compliance systems of the person or business in breach. Voluntary and materially complete disclosure to OFSI is a mitigating factor that may reduce the level of penalty imposed by up to 50%.
The European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017

On August 8, 2017, the European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017 (the “IPR 2017”) came into force. Before the IPR 2017, financial services firms had a positive reporting obligation to notify HM Treasury of any known or suspected breach of financial sanctions, and to notify any known assets of those subject to financial sanctions. Failure to notify constituted a criminal offence. The IPR 2017 extends this reporting regime to: auditors; casinos; dealers in precious metals or stones; estate agents; external accountants; independent legal professionals; tax advisers; and trust or company service providers. OFSI has claimed in its Guidance (at 5.1.1) that all companies and individuals have a positive reporting obligation, but this is based on wording in the relevant EU regulations that has not been implemented into English law. As such, the IPR 2017 represents a significant expansion of the scope of the financial sanctions reporting obligations in the UK. Moreover, this extension of the reporting obligation regime is specific to the UK—there is no EU equivalent. It should be noted that trade sanctions are on the whole excluded from this reporting regime, which focuses mostly on those included in the Consolidated List or the separate Ukraine List. As set out in the Explanatory Memorandum to the Regulations, this development occurred without a public consultation, impact assessment, or parliamentary scrutiny. The failings of the system as currently enacted are best seen by way of a comparison with the money laundering reporting obligations.
In the field of AML:
the maker of a bona fide suspicious activity report (“SAR”) is protected by statute from liability for any loss or damage flowing from the SAR;
there is a defense to any breach if the party has followed its regulator’s guidance;
there is a defense of “reasonable excuse” for failing to make a SAR;
there is an architecture for reporting, first within an organization and then by an MLRO who has personal criminal liability if they fail to report; and
there is an exception to the obligation to make a SAR for lawyers and accountants, auditors or tax advisers, if the information came from the client—the so-called “privileged circumstances” exception.

None of the certainty that comes with a clear reporting hierarchy is found in the IPR 2017, and none of these protections are present either. Most notably, this may have an unintended chilling effect on companies seeking legal assistance in the conduct of an internal investigation. As they stand, the IPR 2017 would require a company’s lawyers to report to OFSI any suspected breach of sanctions, thus robbing the client of the possibility of gaining any credit by self-reporting. Given that OFSI’s own guidance stresses the benefits of self-reporting, the IPR 2017 only serve to undermine this policy objective. It remains to be seen whether the government will revise the IPR 2017 to take account of these failings.

Sanctions and Anti-Money Laundering Bill 2017

On October 18, 2017, a new Sanctions and Anti-Money Laundering Bill was introduced in the House of Lords, which aims to provide a legislative framework for the imposition and enforcement of sanctions after Brexit. Currently, much of the UK Government’s authority to impose and enforce sanctions flows from the European Communities Act 1972.
The proposed bill would give the Government authority to impose and implement sanctions by way of secondary legislation to comply with its obligations under the United Nations Charter and to support its foreign policy and national security goals. The European Union (Withdrawal) Bill 2017-19, which will give effect to Brexit, will freeze the current sanctions regimes and underlying designations on the date of the UK’s exit from the EU. The sanctions regime in place would quickly become out of date, and absent new legislation the UK would be unable to amend or lift the existing sanctions. The Sanctions and Anti-Money Laundering Bill (the “Bill”) seeks to provide the mechanism to resolve this issue. The proposed legislation has been through two readings before the House of Lords and is currently at the Committee Stage, with the Report Stage scheduled for 15 and 17 January.

Part I of the Bill as originally introduced provided the power to impose sanctions, giving an appropriate Minister, defined as the Secretary of State or the Treasury, the power to make “sanctions regulations” for a variety of purposes, including:
compliance with a UN obligation;
compliance with another international obligation;
to further the prevention of terrorism in the UK or elsewhere;
in the interests of national security;
in the interests of international peace and security; or
to further a foreign policy objective of the UK government.

In the process of going through the House of Lords, further bases for imposing sanctions have been added to the current draft of the Bill. These are:
to promote the resolution of armed conflicts or the protection of civilians in conflict zones;
to promote compliance with international humanitarian and human rights law;
to contribute to multilateral efforts to prevent the spread and use of weapons and materials of mass destruction; and
to promote respect for human rights, democracy, the rule of law and good governance.
The absence of “misappropriation” as a basis for sanctions is notable, given that it is the basis for the current EU sanctions against Egypt and Tunisia and some of those against Ukraine. Another absence is an express reference to cyber-related sanctions. As discussed in our 2017 Mid-Year United Kingdom White Collar Crime Update, earlier in 2017 the EU proposed sanctions as one of a panoply of responses to organized cyber-attacks. In the case of human trafficking, as mentioned further below, there have been a number of recent proposals to impose such sanctions. It is possible that some of the broad rubrics, such as “protection of civilians in conflict zones,” “human rights law” or “international peace and security,” will be extended to cover such sanctions.

“Sanctions regulations” are defined as regulations which impose financial, immigration, trade, aircraft, or shipping sanctions, and are expanded upon in clauses 2 to 6 of the Bill. In its comments on the Bill, the House of Lords’ Constitution Committee has raised concerns in relation to the breadth of powers afforded to Ministers under the sanctions provisions, including in particular the power to create new forms of sanctions. The Bill is currently the subject of significant debate and it is not yet clear what final form it will take.

The sanctions authorized by the Bill take a variety of forms. Financial sanctions can be imposed by way of asset freezes, and by the placement of restrictions on the provision of financial services, funds, or economic resources in relation to designated persons, persons connected with a prescribed country, or persons meeting a particular description. A person who is the subject of a travel ban may be refused leave to enter or to remain in the UK. Trade sanctions can prevent activities relating to target countries or target specific sectors within those countries.
Aircraft and shipping sanctions can have a variety of impacts, including preventing particular craft from entering the UK’s airspace or waters. Designated persons can include individuals, corporations, and organizations and can be identified by name or by description. The Bill enables Ministers to set out in regulations how designation powers are to be exercised. The Bill also includes provision for Ministers to create exceptions to any prohibition or requirement imposed by the regulations, or to issue licenses under which prohibitions imposed by the regulations do not apply. Clause 16 is worthy of mention because, as explained in the accompanying Explanatory Notes, it provides a mechanism for a yet further expansion of the obligatory reporting regime to all individuals and companies. Whether this provision survives parliamentary scrutiny, and the requirement to protect the right to a fair trial, remains to be seen.

Chapter 2 sets out the Bill’s provisions on revocation, variation and review of designations of persons under the Bill. The Bill provides that a designation may be varied or revoked by the Minister who made it at any time, and that at any time a designated person may request that the Minister vary or revoke the designation. However, after such a request, no further request may be made unless it relies on new grounds or raises a significant matter which has not previously been considered by the Minister. The Bill also requires periodic review of designations by the appropriate Minister every three years. Where a designated person has been identified by a UN Security Council Resolution, they may ask the Secretary of State to use his or her best endeavors to have their name removed from the UN list. These provisions have attracted criticism, as they would appear to detract from the existing procedural safeguards available in relation to EU sanctions, which include an entitlement to challenge designations before the Courts.
Similarly, the existing EU regime allows for review of designations every six to twelve months. Although the Bill adopts certain definitions from EU sanctions measures, it also provides that new sanctions regulations may make provision as to the meaning of other concepts. This may give rise to a divergence in the interpretation of sanctions legislation between the UK and the EU, which could increase uncertainty and the burden on those charged with compliance with multiple sanctions regimes.

Criminal Finances Act 2017—“Magnitsky Sanctions”

The Criminal Finances Act 2017 (“CFA”) amended the Proceeds of Crime Act 2002 (“POCA”) to include a “Magnitsky amendment.” This expands the definition of “unlawful conduct” for the purposes of civil recovery orders under Part 5 of POCA to include human rights abuses, and applies to those who profited from or materially assisted in the abuses. The amendment is modelled on the U.S. Magnitsky Act. By regulations made on January 20, 2018, this portion of the CFA will come into force on January 31, 2018.

V.     United Kingdom and European Union Enforcement

The year 2017 was a remarkable one for sanctions enforcement across the EU. Whether the level of enforcement seen in 2017 will become the new normal, or will soon be revealed as an aberration, remains to be seen. What we know is that it would be difficult to point to any other year in recent history that had as many enforcement actions from as wide a diversity of countries as we saw in 2017. Last year saw successful enforcement in at least nine different member states, including Denmark, France, Belgium, Germany, the Netherlands and Latvia. Both companies and individuals faced censure and even penalties. Moreover, there was significant diversity in the sanctions regimes enforced: enforcement actions were taken in light of violations of the Russia, Crimea, Syria, Iran, Ukraine, DPRK, Al Qaida and anti-terrorism sanctions.
The enforcement theories were also varied and included cases in which broad systems and controls failings were noted, and others in which the focus was on more limited trade sanctions and export controls violations.

France

In France, the highest-profile enforcement action has been that against LafargeHolcim in relation to alleged breaches of Syrian sanctions. The allegation is that LafargeHolcim paid some $5.6 million between 2012 and 2014 to designated persons in order to secure protection for its factories in Syria. A formal judicial inquiry was commenced on June 13, 2017.[79] The French authorities conducted raids at LafargeHolcim sites during November 2017 and interviewed a number of employees. On December 8, 2017, the former CEO Eric Olsen was formally charged in relation to the payments.[80]

Belgium

The Belgian authorities have also been investigating LafargeHolcim in relation to alleged breaches of Syrian sanctions, and in November 2017 the Belgian authorities raided the premises of a LafargeHolcim subsidiary in Belgium.[81]

Netherlands

The Dutch authorities have been particularly active during 2017, with a significant number of enforcement actions. Although the largest of the fines runs to €500,000, the Dutch have fined five different companies, obtained a number of custodial sentences, and commenced a number of new investigations.
On February 17, 2017, the Dutch Central Bank obtained an administrative sanction against an unnamed Dutch trust office for failings in its transaction monitoring and client due diligence in breach of the Dutch Sanctiewet 1977 (“Sanctions Law 1977”).[82]

On March 10, 2017, a man was sentenced to 3 years’ jail for breaches of the EU’s Al Qaida and Terrorism sanctions under the Sanctions Law 1977.[83]

On April 21, 2017, a sentence of 19 years’ jail was upheld by the Court of Appeal for the supply of arms and munitions to the sanctioned government of Charles Taylor in Liberia.[84]

On April 24, 2017, a fine of €50,000 was handed down to another Dutch logistics provider for the unlicensed shipping of unmanned aircraft on the EU Common Military List from the United States to Saudi Arabia. The goods were valued at $14 million.[85] On the same day, an unnamed Dutch airline was fined €40,000 (half suspended for two years) relating to the shipment of goods on the EU Common Military List from South Africa to Ecuador.[86]

In May 2017, it was reported that the Dutch authorities were investigating trust companies within the BK Group for possible breaches of the Ukraine misappropriation sanctions.[87]

On August 3, 2017, the Dutch Central Bank obtained a fine of €100,000 against an unnamed payment services provider. The fine was reduced from €125,000 on appeal.[88] The fine relates to the failure to conduct any sanctions or PEP screening on a sample of files reviewed by the Bank.
On September 4, 2017, a fine of €500,000 and a custodial sentence of 1 year and 8 months were obtained in relation to a prosecution for trade with an entity designated under the EU’s anti-nuclear sanctions against Iran.[89]

On September 4, 2017, the Dutch International Development Ministry commenced an inquiry into the activities of the companies Dematec Equipment and Biljard Hydrauliek in providing equipment for the building of the Kerch Strait Bridge, designed to join Russia and Crimea.[90]

On November 9, 2017, the Dutch Public Prosecution Service obtained a criminal fine of €50,000 against an unnamed Dutch freight solutions company.[91] The Dutch authorities also sought a two-month suspended sentence for the company’s managing director.[92] The company had sought to ship radar equipment for Sukhoi jet fighters from Malaysia to Russia, but the consignment was intercepted at Schiphol Airport. The sale was in breach both of European export controls, as the products were military equipment listed in the Dutch Besluit Strategische Goederen (“Dutch Strategic Goods Order”), and of the Russia sanctions, which would have prohibited the granting of an export licence even if one had been applied for.

Lithuania

On August 18, 2017, the Lithuanian Prosecutor General’s Office announced that the Lithuanian Financial Crime Investigation Service had opened an investigation into alleged breaches of the EU’s Crimea sanctions by three different enterprises: Pluosto Linija LLC, BT Invest, and Hanner Group OÜ.[93] Based on press reports, the allegations are of investments and business dealings by Lithuanian nationals in Crimean companies and property developments.[94]

Latvia

On June 27, 2017, the Latvian Financial and Capital Market Commission entered into administrative agreements with three different Latvian banks for failings related to breaches of North Korea sanctions.
Each of the banks cooperated with the investigation and admitted the identified failings.[95] The press release highlights cooperation with both the FBI and FinCEN, and notes that related investigations are ongoing. JSC Baltikums Bank and JSC PrivatBank were each fined €35,575 for “weaknesses in customer due diligence and transaction monitoring that led to the situation that bank had been used to circumvent international sanctions requirements imposed against North Korea”. Each of those banks also had imposed upon it an obligation to draw up an action plan “to enable the bank to further identify transactions that are aimed at circumventing or breaching of the international sanctions”. JSC Reģionālā investiciju Banka, by contrast, was fined €570,364 for the same failings, but also for “failure to ensure effective functioning of internal control system.” To remedy this, the bank undertook to invest €2.8 million on “the improvement of its internal control system in 2017/2018”. In addition, official warnings were issued to those at the bank responsible for anti-money laundering and counter-terrorist financing controls. The bank also undertook to “assess its AML/CTF internal control system and take the necessary measures to improve its functioning and effectiveness in line with the action plan, to perform external testing on the categorization of customer base and IT solutions, as well as assess the risks associated with cross-border enforcement of sanctions.”

Germany

As reported in our 2014 Year-End Sanctions Update, the German authorities arrested three individuals in 2014 for the alleged shipment of valves and other equipment for use in Iran’s nuclear program. It has now been reported that the trial in Berlin was stopped after 15 days when the Berlin Criminal Court ruled that the penalties sought against the indicted individuals were unconstitutional.
The case has now been referred to the Federal Court, which is expected to rule during the course of 2018.[96]

Denmark

The Danish Public Prosecutor for Serious Economic and International Crime has commenced an investigation into Nordea Bank and Danske Bank, and has conducted raids on both companies. The allegations relate to failings in AML systems and controls and a lack of sanctions screening.[97]

Italy

The only known enforcement in Italy during 2017 relates to the seizure in Italy of goods of Crimean origin that had been shipped to Italy in breach of Crimea sanctions.[98]

United Kingdom

As noted in our 2017 Mid-Year United Kingdom White Collar Crime Alert, the one publicly known instance of a company which had self-reported to the UK’s OFSI is Computer Sciences Corporation (“CSC”). According to an SEC filing in February 2017, CSC submitted an initial notification of voluntary disclosure to OFAC and OFSI.[99] The disclosure concerned possible breaches of sanctions law relating to insurance premiums and claims data by Xchanging, a company that CSC had recently acquired. There continues to be little information in the public domain regarding enforcement activity by OFSI, although in responding to a Freedom of Information request, OFSI has confirmed that it has opened 125 investigations since it commenced operations in early 2016, and that 60 of these involved financial services firms regulated by the Financial Conduct Authority or the Prudential Regulation Authority.[100] This should not be mistaken for a sign of a likely torrent of upcoming enforcement actions. At a recent event hosted by the English Law Society, a representative from OFSI confirmed that the vast majority of the breaches OFSI was investigating were very minor, and that 97% of the known breaches would not be pursued through any sort of enforcement action. Such statistics are in line with those reported by OFAC, where well over 90% of opened matters do not result in any formal enforcement action.
It may, therefore, be some time before we are able to report on significant enforcement activity by OFSI.

VI.     Conclusion

From our vantage point at the beginning of the new year, all signs suggest that there will be an increasing reliance on sanctions globally in 2018. In the first month of 2018, the United States sanctioned 120 individuals and entities; at this pace the Trump administration is on track to beat its record year last year and potentially add more than 1400 entities to the sanctions list. Notably, the expansive grounds for sanctions provided in legislation such as CAATSA and the 2016 Global Magnitsky Act translate into a dramatic expansion of OFAC’s traditional authority, which will test the resources of the Treasury Department.[101] OFAC has limited means to meet the broad authorities it has been given under the Act, and many commentators have suggested—with no small degree of concern—that it will have to rely on the efforts of lobbyists and non-government organizations to assist in developing potential new targets.[102]

The increased use of sanctions could also magnify differences between the United States and its allies. EU leaders, accustomed to a more collaborative approach to sanctions policymaking during the Obama administration, are increasingly concerned that new measures imposed by the Trump White House will harm European companies. Over the past few months, EU officials and European national leaders have openly stated their frustration regarding U.S. recalcitrance on the JCPOA, the substance of the new U.S. sanctions on Russia and the perceived lack of consultation during the process by which they were imposed. As noted above, if the U.S. withdraws from the JCPOA and/or reimposes nuclear sanctions against Iran, the EU could “block” such measures.[103] Such a blocking could be imposed using the expansion of a little-used EU power dating from the mid-1990s to prohibit compliance with certain U.S. sanctions then in force against Cuba, Libya and Iran.[104] Expanding the application of this so-called “blocking statute” to include any renewed secondary sanctions against Iran has the potential to cause significant difficulties for many multinational companies.

Other states and jurisdictions have also continued to expand the use of sanctions. For example, actions taken by Saudi Arabia and the United Arab Emirates against the State of Qatar appear to borrow directly from the strategies employed by U.S. sanctions; Russian retaliatory measures against Western sanctions continue apace; the African Union continues to seek capacity assistance so that it can better leverage sanctions on its own; and the United Nations Security Council continues to resort to such measures when faced with threats to international peace and security. The result is an increasingly flexible use of sanctions by a growing diversity of actors, which makes understanding the rules of the road, let alone complying with them, a constant and increasing challenge for the world’s companies.

[1]      Secretary Steven Mnuchin, POLITICO Pro Policy Summit (Sept. 14, 2017).

[2]      Pub. L. No. 115-44 (2017), H.R. 3364. Though President Trump noted that he saw the bill as “seriously flawed,” he signed it into law on August 2, 2017. See Statement by President Donald J. Trump on Signing the “Countering America’s Adversaries Through Sanctions Act” (Aug. 2, 2017), available at https://www.whitehouse.gov/the-press-office/2017/08/02/statement-president-donald-j-trump-signing-countering-americas.

[3]      “Trump election puts Iran nuclear deal on shaky ground,” Reuters (Nov. 9, 2016), available at https://www.reuters.com/article/us-usa-election-trump-iran/trump-election-puts-iran-nuclear-deal-on-shaky-ground-idUSKBN13427E.

[4]      The JCPOA was described in detail in our 2016 Year-End Sanctions Update.

[5]      P.L. 114-328, Subtitle F.
The 2016 Global Magnitsky Human Rights Accountability Act—co-authored by Senators John McCain (R-AZ) and Ben Cardin (D-MD)—passed with bipartisan support and was signed into law by President Obama on December 23, 2016.

[6]      The Trump White House has more power to constrain bad guys, The Economist (Feb. 1, 2018).

[7]      U.S. Dep’t of Treasury, Issuance of Global Magnitsky Executive Order; Global Magnitsky Designations (Dec. 21, 2017), available at https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20171221.aspx. Also on December 20, 2017, Treasury issued the Magnitsky Act Sanctions Regulations (31 C.F.R. pt. 584). U.S. Dep’t of Treasury, Publication of Magnitsky Act Sanctions Regulations; Magnitsky-Act Related Designations (Dec. 20, 2017), available at https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20171220_33.aspx. Designations included Gulnara Karimova, the daughter of the former Uzbekistan president, who has been accused by U.S. and Dutch authorities of taking bribes from telecoms companies; Israeli businessman Dan Gertler; and Ángel Rondón Rijo, a businessman in the Dominican Republic who has been tied to a corruption scheme involving the Brazilian company Odebrecht.

[8]      Russia and Moldova Jackson-Vanik Repeal and Sergei Magnitsky Rule of Law Accountability Act of 2012, Pub. L. 112-208, 126 Stat. 1496 (2012).

[9]      Id.; see also Alex Horton, The Magnitsky Act, explained, The Washington Post (July 14, 2017), available at https://www.washingtonpost.com/news/the-fix/wp/2017/07/14/the-magnitsky-act-explained/?utm_term=.eba181a5e6a0.

[10]     Natalia Veselnitskaya, the Russian lawyer who met with officials from President Trump’s campaign in June 2016, had been working to overturn the Magnitsky Act. See Horton, The Magnitsky Act, explained, supra n.9.

[11]     OFAC, SDN List, available at https://sanctionssearch.ofac.treas.gov/ (last visited Feb. 5, 2018).

[12]     The six executive orders modified by CAATSA include E.O. No. 13660 (79 Fed. Reg. 13493), Blocking Property of Certain Persons Contributing to the Situation in Ukraine (Mar. 10, 2014); E.O. No. 13661 (79 Fed. Reg. 15535), Blocking Property of Additional Persons Contributing to the Situation in Ukraine (Mar. 19, 2014); E.O. No. 13662 (79 Fed. Reg. 16169), Blocking Property of Additional Persons Contributing to the Situation in Ukraine (Mar. 24, 2014); E.O. No. 13685 (79 Fed. Reg. 77357), Blocking Property of Certain Persons and Prohibiting Certain Transactions With Respect to the Crimea Region of Ukraine (Dec. 19, 2014); E.O. No. 13694 (80 Fed. Reg. 18077), Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (Apr. 1, 2015); and E.O. No. 13757 (82 Fed. Reg. 1), Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities (Dec. 28, 2016).

[13]     Detailed analyses of the CAATSA sanctions—as well as OFAC’s implementing regulations and guidance—are provided in our alerts, Trump Administration Implements Congressionally Mandated Russia Sanctions – Significant Presidential Discretion Remains (Nov. 21, 2017), Congress Seeks to Force (and Tie) President’s Hand on Sanctions Through Passage of Significant New Law Codifying and Expanding U.S. Sanctions on Russia, North Korea, and Iran (July 28, 2017), and A Blockbuster Week in U.S. Sanctions (June 19, 2017).

[14]     See CAATSA Title II, § 216(a)(2)(A)(iii).

[15]     CAATSA Title II, Section 223(b) and (c); OFAC, Directive 1 (as amended on Sept. 29, 2017) under Executive Order 13662, https://www.treasury.gov/resource-center/sanctions/Programs/Documents/eo13662_directive1_20170929.pdf; OFAC, Directive 2 (as amended on Sept. 29, 2017) under Executive Order 13662, https://www.treasury.gov/resource-center/sanctions/Programs/Documents/eo13662_directive2_20170929.pdf.
OFAC maintains an updated list of the entities designated pursuant to each Directive in PDF, text, or a searchable list format at https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/ssi_list.aspx. [16]     OFAC, Directive 4 (as issued on Sept. 12, 2014) under Executive Order 13662, available at https://www.treasury.gov/resource-center/sanctions/Programs/Documents/eo13662_directive4.pdf. [17]     CAATSA, Title II, § 223(d) (defined as not less than a 33 percent interest).  The requirement that targeted projects be new ensures that the sanctions will not require U.S. energy businesses already engaged in projects that could be covered under the expanded sanctions to divest from such projects. [18]     CAATSA, Title II, § 224 directs the President to freeze the assets and block entry to the United States for persons he deems to have “knowingly engage[d] in significant activities undermining cybersecurity [defined in Section 224(d)] against any person, including a democratic institution, or government” on behalf of the Russian government; or “is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly” such a person.  See also E.O. No. 13757 (82 Fed. Reg. 1), Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities (Dec. 28, 2016).  Notably, on February 2, 2017, OFAC issued a general license to allow U.S. companies to enter into limited transactions with the FSB, fixing a technical—and unintended—issue with the prior sanctions.  Because the FSB acts as a licensing agency for encryption technology, which includes most electronic devices, the general license was required to remove obstacles for U.S. companies selling devices like cellphones and tablets to Russia. 
[19]     CAATSA directed that the President “shall impose” sanctions on foreign persons that knowingly make a “significant investment” in a “special Russian crude oil project,” and on FFIs for certain specified activities.  Specifically, CAATSA Section 225’s primary change to the UFSA was to strike “may impose” and replace it with “shall impose, unless the President determines that it is not in the national interest of the United States to do so.”  See 22 U.S.C. §§ 8921 (9), 8924 (a).  President Obama had declined to implement the sanctions set forth in UFSA. [20]     CAATSA, Title II, § 228 (a). [21]     CAATSA, Title II, § 231 (a). Specifically, CAATSA Section 231(a) specified that the President shall impose five or more of the secondary sanctions described in Section 235 with respect to a person the President determines knowingly “engages in a significant transaction with a person that is part of, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation, including the Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation or the Federal Security Service of the Russian Federation.”  The measures that could be imposed under Section 231 are discretionary in nature.  The language of the legislation is somewhat misleading in this regard.  Section 231 is written as a mandatory requirement—providing that the President “shall impose” various restrictions.  However, the legislation itself—and the October 27, 2017 guidance provided by the State Department—makes clear that secondary sanctions are only imposed after the President makes a determination that a party “knowingly” engaged in “significant” transactions with a listed party.  The terms “knowingly” and “significant” have imprecise meanings, even under the State Department guidance.  OFAC FAQ, No. 545, https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#ukraine (last updated Oct. 31, 2017). 
[22]     Press Release, U.S. Dep’t of State, Background Briefing on the Countering America’s Adversaries Through Sanctions Act (CAATSA) Section 231 (Jan. 30, 2018), available at https://www.state.gov/r/pa/prs/ps/2018/01/277775.htm. [23]     Id. [24]     Representative Maxine Waters called it “preposterous that it is the State Department’s position that the legislation has served as such a deterrent that not one person or entity is engaged in a significant transaction with the Russian defense or intelligence sectors”  Josh Delk, Maxine Waters Demands Answers from Mnuchin, Tillerson for Inactivity on Russia Sanctions, The Hill (Feb. 3, 2018 4:58 PM), available at http://thehill.com/homenews/house/372178-maxine-waters-demands-answers-from-mnuchin-tillerson-for-inactivity-on-russia.  Representative Eliot Engel accused the Trump administration of failing to “follow the law” and “cho[osing] instead to let Russia off the hook yet again.”  Press Release, Congressman Eliot L. Engel, Engel Statement on Trump Administration’s Failure To Impose New Sanctions On Russia (Jan. 29, 2018) available at https://engel.house.gov/latest-news1/engel-statement-on-trump-administrationss-failure-to-impose-new-sanctions-on-russia/. [25]     For instance, the FAQs defined “significant” very broadly and noted that truly civilian-related transactions with these counterparties would be unlikely to be found significant.  See Public Guidance on Sanctions with Respect to Russia’s Defense and Intelligence Sectors Under Section 231 of the Countering America’s Adversaries Through Sanctions Act of 2017, available at https://www.state.gov/t/isn/caatsa/275118.htm. [26]     Tuvan Gumrukcu, Ece Toksabay, Turkey, Russia sign deal on supply of S-400 missiles (Dec. 29, 2017), Reuters, available at https://www.reuters.com/article/us-russia-turkey-missiles/turkey-russia-sign-deal-on-supply-of-s-400-missiles-idUSKBN1EN0T5. [27]     CAATSA, Title II, Section 241. [28]     See U.S. 
Dep’t of the Treasury, Report to Congress Pursuant to Section 241 of the Countering America’s Adversaries Through Sanctions Act of 2017 Regarding Senior Foreign Political Figures and Oligarchs in the Russian Federation and Russian Parastatal Entities (Unclassified) (Jan. 29, 2018), available at https://www.scribd.com/document/370313106/2018-01-29-Treasury-Caatsa-241-Final. [29]     See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Releases CAATSA Reports, Including on Senior Foreign Political Figures and Oligarchs in the Russian Federation (Jan. 29, 2018), available at https://home.treasury.gov/news/press-releases/sm0271. [30]     Press Release, U.S. Dep’t of the Treasury, Treasury Designates Individuals and Entities Involved in the Ongoing Conflict in Ukraine (June 20, 2017), available at https://www.treasury.gov/press-center/press-releases/Pages/sm0114.aspx. [31]     Id. [32]     Press Release, U.S. Dep’t of the Treasury, Treasury Sanctions Individuals and Entities for Human Rights Abuses and Censorship in Iran, and Support to Sanctioned Weapons Proliferators (Jan. 12, 2018), available at https://home.treasury.gov/news/press-releases/sm0250. [33]     INARA § 2(d)(6); Press Release, White House, Remarks by President Trump on Iran Strategy (Oct. 13, 2017), available at https://www.whitehouse.gov/briefings-statements/remarks-president-trump-iran-strategy/. [34]     CAATSA §§ 104-107. [35]     Exec. Order 13466, 73 Fed. Reg. 36787 (2008) (declaring state of emergency); Exec. Order No. 13570, 76 Fed. Reg. 22291 (2011) (banning imports); Exec. Order No. 13687, 80 Fed. Reg. 819 (2015) (designating DPRK officials); Exec. Order No. 13722, 81 Fed. Reg. 14,943 (2016) (banning exports). [36]     Stephen Collinson, The nuclear war tweet heard ’round the world,’ (January 3, 2018), CNN, available at http://www.cnn.com/2018/01/03/politics/donald-trump-nuclear-button-north-korea/index.html. 
[37]     Joshua Berlinger, North Korea’s missile tests:  What you need to know (Dec. 3, 2017), CNN, available at http://www.cnn.com/2017/05/29/asia/north-korea-missile-tests/index.html. [38]     Id.; Exec. Order No. 13810, 82 Fed. Reg. 44705 (September 20, 2017) (citing July 3 and July 28, 2017 intercontinental ballistic missile launches). [39]     Pub. L. No. 115-44 (2017), H.R. 3364, Title III. [40]     State Sponsors of Terrorism, U.S. Dep’t of State, available at https://www.state.gov/j/ct/list/c14151.htm (last visited January 5, 2018).  We wrote at length about the CAATSA North Korea sanctions in our alert, Congress Seeks to Force (and Tie) President’s Hand on Sanctions Through Passage of Significant New Law Codifying and Expanding U.S. Sanctions on Russia, North Korea, and Iran (July 28, 2017). [41]     Exec. Order No. 13810, 82 Fed. Reg. 44705 (Sept. 20, 2017). [42]     Banks won’t be allowed to do business with both U.S. and North Korea: Mnuchin, Reuters (Sept. 21, 2017), available at https://www.reuters.com/article/us-northkorea-missiles-usa-mnuchin/banks-wont-be-allowed-to-do-business-with-both-u-s-and-north-korea-mnuchin-idUSKCN1BW2RT?il=0. [43]     Exec. Order No. 13722, 81 Fed. Reg. 14,943 (2016). [44]     Press Release, U.S. Dep’t of the Treasury, “Treasury Takes Actions To Further Restrict North Korea’s Access to The U.S. Financial System” (June 1, 2016) available at https://www.treasury.gov/press-center/press-releases/Pages/jl0471.aspx; Imposition of Special Measure Against North Korea as a Jurisdiction of Primary Money Laundering Concern, 81 Fed. Reg. 78715 (Nov. 9, 2016) available at https://www.federalregister.gov/documents/2016/11/09/2016-27049/imposition-of-special-measure-against-north-korea-as-a-jurisdiction-of-primary-money-laundering. [45]     Press Release, U.S. 
Department of Justice, United States Files Complaints to Forfeit More Than $11 Million From Companies That Allegedly Laundered Funds To Benefit Sanctioned North Korean Entities(Aug. 22, 2017), available at https://www.justice.gov/usao-dc/pr/united-states-files-complaints-forfeit-more-11-million-companies-allegedly-laundered. [46]     Dan Merica, Trump Unveils New Restrictions on Travel, Business with Cuba, CNN (June 17, 2017), available at http://www.cnn.com/2017/06/16/politics/trump-cuba-policy/index.html. [47]     On June 16, 2017, President Trump issued a National Security Presidential Memorandum (NSPM) on Strengthening the Policy of the United States Toward Cuba.  See Fact Sheet on Cuba Policy, Whitehouse.gov (June 16, 2017), available at https://www.whitehouse.gov/blog/2017/06/16/fact-sheet-cuba-policy. [48]     Id. [49]     See id. [50]     See U.S. Dep’t of the Treasury, Fact Sheet, Treasury, Commerce, and State Department Implement Changes to the Cuba Sanctions Rules (Nov. 8, 2017), available at https://www.treasury.gov/resource-center/sanctions/Programs/Documents/cuba_fact_sheet_11082017.pdf. [51]     See id. [52]     See id. [53]     See 82 Fed. Reg. 52089 (Nov. 9, 2017), https://s3.amazonaws.com/public-inspection.federalregister.gov/2017-24449.pdf. [54]     31 C.F.R. § 515.565(b), https://s3.amazonaws.com/public-inspection.federalregister.gov/2017-24447.pdf?utm_campaign=pi%20subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email. [55]     15 C.F.R. § 740.21, https://s3.amazonaws.com/public-inspection.federalregister.gov/2017-24448.pdf. [56]     Rafael Romo, Venezuela’s High Court Dissolved National Assembly, CNN (Mar. 30, 2017) available at http://www.cnn.com/2017/03/30/americas/venezuela-dissolves-national-assembly/index.html. [57]     Jennifer L. McCoy, Venezuela’s Controversial New Constituent Assembly Explained, Wash. Post (Aug. 
1, 2017) available at https://www.washingtonpost.com/news/monkey-cage/wp/2017/08/01/venezuelas-dubious-new-constituent-assembly-explained/?utm_term=.27786fbb07fd. [58]     Executive Order 13692, 80 Fed. Reg. 12747, Blocking Property and Suspending Entry of Certain Persons Contributing to the Situation in Venezuela, (Mar. 8, 2015) available at https://www.treasury.gov/resource-center/sanctions/Programs/Documents/13692.pdf. [59]     Nicholas Casey, U.S. Blacklists Maduro Loyalists on Venezuela Supreme Court, (May 18, 2017) NY Times, available at https://www.nytimes.com/2017/05/18/world/americas/venezuela-sanctions-supreme-court-president-nicolas-maduro.html?action=click&contentCollection=Americas&module=RelatedCoverage&region=EndOfArticle&pgtype=article. [60]     Press Release, U.S. Dep’t of the Treasury, Treasury Sanctions Ten Venezuela Government Officials, (Nov. 9, 2017) available at https://www.treasury.gov/press-center/press-releases/Pages/sm0214.aspxAnd; Kirk Semple, U.S. Imposes Sanctions on 10 More Venezuelan Government Officials, NY Times (Nov. 9, 2017) available at https://www.nytimes.com/2017/11/09/world/americas/venezuela-maduro-us-sanctions.html. [61]     For more information regarding these measures, please see our September 1, 2017 alert, President Trump Issues New Sanctions Targeting Certain Activities of PdVSA and the Government of Venezuela. [62]     Voice of America, Flirting With Default, Venezuela Vows Debt Payment (Nov. 14, 2017) available at https://www.voanews.com/a/flirting-with-default-venezuela-vows-debt-payment/4115621.html (last visited Feb. 4, 2018). [63]     See OFAC, FAQ No. 552, available at https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#551. [64]     OFAC, Sudan and Darfur Sanctions, available at https://www.treasury.gov/resource-center/sanctions/Programs/pages/sudan.aspx (last visited Jan. 29, 2018). [65]     OFAC, Enforcement Information for March 7, 2017 (Mar. 
7, 2017), available at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20170307_zte.pdf. [66]     OFAC, Enforcement Information for July 20, 2017 (Jul. 20, 2017), available at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20170720_exxonmobil.pdf. [67]     OFAC, Enforcement Information for July 27, 2017 (Jul. 27, 2017), available at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20170727_transtel.pdf. [68]     OFAC, Enforcement Information for December 6, 2017 (Dec. 6, 2017), available at https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20171206_Dentsply.pdf. [69]     DFS Enforcement Information (Aug. 24, 2017; Sept. 7, 2017), available at http://www.dfs.ny.gov/about/ea/ea170824a.pdf and http://www.dfs.ny.gov/about/ea/ea170824c.pdf. [70]     COUNCIL DECISION (CFSP) 2017/2074, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1516281850151&uri=CELEX:32017D2074. [71]    https://europeansanctions.com/category/venezuela/. [72]     Council Decision 2014/386/CFSP (OJ L 183/70, 24.6.2014). [73]     Council Decision (CFSP) 2017/1087, http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1516281366876&uri=CELEX:32017D1087. [74]     http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d5788798fc77f149978503 f32526311ee6.e34KaxiLc3qMb40Rch0SaxyLaxb0?text=&docid=189262&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=274812; https://uk.reuters.com/article/uk-eu-russia-rosneft-court/eu-top-court-upholds-sanctions-against-russias-rosneft-idUKKBN16Z0RD. [75]     http://verfassungsblog.de/judicial-review-of-the-eus-common-foreign-and-security-policy-lessons-from-the-rosneft-case/. [76]     https://europeansanctions.com/2017/03/28/ecj-upholds-and-clarifies-eus-russia-sanctions-in-rosneft-judgment/. [77]     https://curia.europa.eu/jcms/upload/docs/application/pdf/2017-03/cp170034en.pdf. 
[78]     https://curia.europa.eu/jcms/upload/docs/application/pdf/2017-03/cp170034en.pdf. [79]     See https://uk.reuters.com/article/uk-lafargeholcim-syria/france-starts-inquiry-into-lafargeholcims-syria-activities-source-idUKKBN1940Q5. [80]     See http://www.france24.com/en/20171208-former-lafarge-ceo-charged-terror-financing-allegations. [81]     See http://www.france24.com/en/20171114-investigators-search-france-lafarge-offices-paris-alleged-links-syrian-jihadists. [82]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBROT:2017:1219. [83]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:GHDHA:2017:642. [84]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:GHSHE:2017:1760. [85]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBNHO:2017:3298. [86]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBNHO:2017:3300. [87]     See https://fd.nl/ondernemen/1201271/om-onderzoekt-verdachte-transacties-bij-trustkantoor-bk-group. [88]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBROT:2017:7264. [89]     See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBOBR:2017:4666. [90]     See http://www.dutchnews.nl/news/archives/2017/09/dutch-companies-investigated-for-supplying-equipment-for-crimean-bridge/. [91]     See https://fullcirclecompliance.eu/dutch-freight-forwarder-fined-80000-euros/, with http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2017:8591, which gives the figure as €50,000. [92]     He may have been acquitted, as it was reported on November 23, 2017 that a director of a transport company was acquitted of charges of shipping military goods to Russia.  See http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2017:8592. [93]     See http://www.baltic-course.com/eng/legislation/?doc=132389. [94]     See http://munscanner.com/2017/07/lithuanians-criemea/. 
[95]     See http://www.fktk.lv/en/media-room/press-releases/6429-fcmc-in-collaboration-with-u-s-law-enforcement-authorities-identifies-weaknesses-and-imposes-monetary-fines-on-three-banks.html. [96] See http://www.businessinsider.com/iranian-nuclear-smuggling-ring-nuclear-weapons-deal-north-korea-2017-9?IR=T. [97]     See http://www.bankingtech.com/2017/08/nordea-and-danske-bank-being-investigated-for-money-laundering/. [98]     See http://www.telegraph.co.uk/news/2017/04/13/crimean-wine-confiscated-italian-drinks-fair-violates-sanctions/. [99]     See https://www.sec.gov/Archives/edgar/data/23082/000002308217000058/cscfy1710-k.htm. [100]   See https://www.law360.com/articles/974613/uk-financial-sanctions-enforcer-probing-60-cases. [101]   See Adam Dobrik, Broad sanctions programme for corrupt officials vulnerable to external influence (January 10, 2018), Global Investigations Review. [102]   Id. [103]   As stated by the EU ambassador to the United States, available at https://www.huffingtonpost.com/entry/europe-iran-sanctions-nuclear-deal_us_59c9772ce4b0cdc77333e758 [104]   See EU Council Regulations 2271/1996, as discussed in our alert Clash of the Sanctions. The following Gibson Dunn lawyers assisted in preparing this client update: Adam Smith, Judith Alison Lee, Benno Schwarz, Stephanie Connor, Attila Borsos, Laura Cole, Helen Galloway, Mark Handley, Yannick Hefti-Rossier, Meghan Higgins, Jesse Melman, Henry Phillips, Nathan Powell, Richard Roeder and Christopher Timura. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments.  Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade Group: United States: Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. 
(+1 202-887-3591, jalee@gibsondunn.com) Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com) Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com) Jose W. Fernandez – New York (+1 212-351-2376, jfernandez@gibsondunn.com) Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com) Daniel P. Chung – Washington, D.C. (+1 202-887-3729, dchung@gibsondunn.com) Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com) Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com) Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, sconnor@gibsondunn.com) Kamola Kobildjanova – Palo Alto (+1 650-849-5291, kkobildjanova@gibsondunn.com) Laura R. Cole – Washington, D.C. (+1 202-887-3787, lcole@gibsondunn.com) Europe: Peter Alexiadis – Brussels (+32 2 554 72 00, palexiadis@gibsondunn.com) Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com) Patrick Doris – London (+44 (0)207 071 4276, pdoris@gibsondunn.com) Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com) Mark Handley – London (+44 (0)207 071 4277, mhandley@gibsondunn.com) Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com) Richard Roeder – Munich (+49 89 189 33-160, rroeder@gibsondunn.com)     © 2018 Gibson, Dunn & Crutcher LLP, 333 South Grand Avenue, Los Angeles, CA 90071 Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

February 1, 2018 |
2017 Year-End Securities Litigation Update

2017 brought a furious and nearly unprecedented rate of new filings, as well as several important developments in securities law. This year-end update highlights what you most need to know in securities litigation developments and trends for the latter half of 2017:

The Supreme Court heard oral argument in Cyan, which should resolve whether state courts have subject matter jurisdiction over class actions brought under the Securities Act of 1933. Although there is evidence that the pace of filings of state securities lawsuits has slowed somewhat, defendants in pending state court cases have generally been unsuccessful in using Cyan to procure a stay or remove such cases to federal court.

The Supreme Court also granted certiorari in China Agritech to address whether the filing of a class action tolls the statute of limitations for absent class members who bring subsequent class actions.

A settlement by the parties in Leidos means the Supreme Court will not yet resolve the split between the Second and Ninth Circuits over whether omission of a disclosure required by Item 303 of the SEC’s Regulation S-K is actionable under Section 10(b) and Rule 10b–5 of the federal securities laws, leaving uncertainty as to the scope of companies’ disclosure obligations under Item 303.

We explain important developments in Delaware courts, including the Court of Chancery’s application of Corwin, as well as the Delaware Supreme Court’s treatment of (1) deal price in appraisal litigation, (2) Caremark claims, (3) shareholder ratification of director self-compensation decisions, and (4) collateral estoppel in the context of prior determinations of demand futility.

Finally, we highlight significant cases interpreting and applying the Supreme Court’s decisions in Omnicare and Halliburton II.

I.     Filing and Settlement Trends

The number of new securities class actions filed in federal court in 2017 significantly exceeded filings in previous years.
According to a newly released NERA Economic Consulting study (“NERA”), 432 cases were filed in 2017, compared to 300 in 2016 and an average of 235 cases filed annually over the last five years. The only year in the past two decades that remotely compares is 2001, but that year included a significant number of so-called “IPO laddering” cases. Although there is not a similar singular explanation for the marked increase in filings in 2017, so-called “merger objection” cases appear to be one driving force. According to NERA, nearly 200 merger objection cases were filed in federal court in 2017, more than double the number filed in 2016 (90), and quadruple the number filed in 2015 (46).

The other big takeaway from the data may be more welcome news: while the number of filings is up, both average and median settlement amounts were down in 2017. More than 60% of settlements in 2017 were under $10 million, while only 8% were more than $100 million and none exceeded $500 million. Most significantly, median settlement amounts as a percentage of investor losses continue to reflect a pattern that has persisted for decades. In the last fifteen years, median settlement amounts have never exceeded 3% of total alleged investor losses. In 2017, that percentage was 2.6%.

The industry sectors most frequently sued in 2017 continue to be healthcare (26% of all cases filed), tech (14%), and finance (14%). 2017 also continued the upward trend in the percentage of cases filed against consumer products companies, which accounted for 10% of cases in 2017.

A.     Filing Trends

Figure 1 below reflects filing rates for 2017 (all charts courtesy of NERA). Four hundred and thirty-two cases were filed this year. This figure does not include the many class suits filed in state courts or the increasing number of state court derivative suits, including many such suits filed in the Delaware Court of Chancery.
Those state court cases represent a “force multiplier” of sorts in the dynamics of securities litigation today.

Figure 1:

B.     Mix of Cases Filed in 2017

1.     Filings By Industry Sector

Following a significant bump in the percentage of cases filed against healthcare companies last year, new 2017 filings show a relative decline in this sector. Health technology and services still accounts for more than 1 out of every 4 cases, however. The percentage of new cases involving consumer products continues a three-year trend upward, now comprising 10% of all filings in 2017. The proportion of cases in the electronics, finance, and energy sectors remained roughly consistent as compared to 2016. See Figure 2 below.

Figure 2:

2.     Merger Cases

As shown in Figure 3 below, almost 200 “merger objection” cases were filed in 2017. This is more than double the number of such cases filed in 2016, and more than quadruple the number filed in 2014 and 2015. Note that this statistic only tracks cases filed in federal courts. Most M&A litigation occurs in state court, particularly the Delaware Court of Chancery. But as we have discussed in our prior updates, the Delaware Court of Chancery announced in early 2016 in In re Trulia Inc. Stockholder Litigation, 29 A.3d 884 (Del. Ch. 2016), that the much-abused practice of filing an M&A case followed shortly by an agreement on a “disclosure only” settlement is just about at an end. This is likely driving an increasing number of cases to federal court.

Figure 3:

C.     Settlement Trends

As Figure 4 shows, median settlements were $6 million in 2017, lower than the median amounts in any of the last dozen years.
In any given year, of course, the statistics can mask a number of important factors that contribute to any particular settlement value, such as (i) the amount of D&O insurance; (ii) the presence of parallel proceedings, including government investigations and enforcement actions; (iii) the nature of the events that triggered the suit, such as the announcement of a major restatement; (iv) the range of provable damages in the case; and (v) whether the suit is brought under Section 10(b) of the Exchange Act or Section 11 of the Securities Act. Median settlement statistics also can be influenced by the timing of large settlements, any one of which can skew the numbers, but those big settlements were markedly absent this year.

In 2017, the percentage of settlements above $100 million decreased sharply from 15% to 8% of all settlements, and there were no settlements over $500 million for the first time in the last decade. At the same time, the percentage of settlements below $10 million increased from 51% to 61%.

Figure 4:

D.     Emerging Areas: Data Breaches and Cryptocurrencies

One much-publicized source of securities litigation in 2017 was corporate data breaches. Although previous breach-related derivative suits have been largely unsuccessful, many believe that a significant increase in the number of securities fraud cases targeting companies’ disclosures related to major data breaches is likely. In the second half of 2017, shareholders launched class actions against, among others, Equifax and PayPal that are currently pending. The results of these cases could affect the number and scope of similar securities cases we see in 2018 and beyond.

Another area to watch closely in the coming year is cryptocurrencies. The dramatic rise in the value of Bitcoin and the series of initial coin offerings in 2017 have been met with increased attention not only from the media but also from the SEC and securities litigation plaintiffs’ attorneys.
Indeed, the end of 2017 saw securities class actions filed against multiple cryptocurrency-related entities, including Tezos, Centra Tech, Monkey Capital, ATBCOIN, and The Crypto Company. We will monitor these and other similar cases in 2018.

II.     What to Watch for in the Supreme Court

A.     Leidos Removed from Oral Argument Calendar after Parties Reach Settlement

In our 2017 Mid-Year Securities Litigation Update, we highlighted Leidos v. Indiana Public Retirement System, No. 16-581, in which the Supreme Court was scheduled to hear oral argument on November 6, 2017. As readers will recall, Leidos concerned a circuit split on whether a private class action under Section 10(b) and Rule 10b-5 could be premised on alleged omissions from disclosures required by Item 303 of the SEC’s Regulation S-K, 17 C.F.R. § 229.303. However, the Court has removed the case from its oral argument calendar after the parties informed the Court that they had agreed to settle the litigation. The case is now being held in abeyance pending the district court’s approval of the parties’ settlement agreement. See Stipulation of Settlement (Dkt. 179), In re SAIC, Inc. Secs. Litig., No. 1:12-cv-01353-DAB (S.D.N.Y. Dec. 13, 2017). We analyze the implications of the Leidos settlement, including the continuing unresolved split between, on one hand, the Second Circuit and, on the other hand, the Third and Ninth Circuits, in Section V below. Gibson Dunn represents petitioner in this case.

B.     Making Sense of “Gibberish” – Cyan and the Securities Litigation Uniform Standards Act

As readers will recall, the Supreme Court granted the petition for a writ of certiorari in Cyan v. Beaver County Employees Retirement Fund, No. 15-1439, on June 27, 2017. The fundamental issue in Cyan is whether Congress intended to preclude state-court jurisdiction over “covered class actions” under the Securities Act of 1933 when it enacted the Securities Litigation Uniform Standards Act (“SLUSA”) in 1998.
As amended by SLUSA, the Securities Act provides for concurrent jurisdiction “except as provided in section 77p of this title with respect to covered class actions.” 15 U.S.C. § 77v(a).

Federal courts have been sharply divided over this issue in recent years. Of note, courts in the Second Circuit have favored exclusive federal jurisdiction while courts in the Ninth Circuit have permitted state courts to exercise concurrent jurisdiction. This divergence is significant because the Second and Ninth Circuits handle more federal securities litigation than the other circuits combined. California state courts have been particularly active in this area since 2011, when the California Court of Appeal held that states have concurrent jurisdiction. See Luther v. Countrywide Fin. Corp., 195 Cal. App. 4th 789 (2011). Indeed, Cyan originated in California state court, where the lower court denied the petitioners’ motion for a judgment on the pleadings for lack of subject matter jurisdiction.

In their merits brief, petitioners (defendants below) argue that while state courts generally have concurrent jurisdiction to decide claims under the Securities Act, SLUSA constricted state courts’ jurisdiction to cases “except as provided in section 16 with respect to covered class actions [i.e., those involving fifty or more people].” Brief for Petitioners at 10 (quoting 15 U.S.C. § 77v(a)). In other words, petitioners contend that by referencing covered class actions within an “except” clause, Congress intended to define the “covered” Securities Act claims that could no longer be adjudicated by state courts.

In their responsive brief on the merits, respondents (plaintiffs below) argue that Congress did not intend to alter the longstanding concurrent jurisdiction of state courts to hear claims under the Securities Act when it enacted SLUSA. Brief for Respondents at 6.
Rather, respondents maintain that SLUSA only stripped state courts of jurisdiction to hear so-called “mixed claims,” or those covered class actions raising both state-law and federal Securities Act claims.  Id. at 13–14. The United States, appearing as amicus curiae, argues that SLUSA does not preclude state-court jurisdiction over Securities Act claims, but that it did permit removal of Securities Act suits “like this one”:  “class actions that assert claims only under the [Securities] Act.”  Brief for the United States as Amicus Curiae at 7. On November 28, 2017, the Supreme Court heard oral argument.  Several Justices, seemingly frustrated by the statute’s confusing language, characterized SLUSA’s jurisdictional limitation as “obtuse” at best and “gibberish” at worst.  See Transcript of Oral Argument at 11, 47.  Justice Alito in particular found the statute so poorly drafted that he asked the government’s lawyer whether there is “a certain point at which we say this means nothing, we can’t figure out what it means, and, therefore, it has no effect, it means nothing?”  Id. at 41.  On the other hand, Justice Gorsuch noted that it was the Supreme Court’s “job to try and give effect whenever possible to Congress’s language.”  Id. at 47. We expect a decision in Cyan by the end of the 2017 Supreme Court Term in June 2018.  We will continue to monitor developments in this area and report on any updates in our 2018 Mid-Year Securities Litigation Update. C.     China Agritech and the Limits of American Pipe Tolling On December 8, 2017, the Supreme Court granted certiorari in China Agritech, Inc. v. Resh, No. 17-432, to consider whether a statute of limitations is tolled for absent class members who bring subsequent class actions outside the applicable limitations period.  While China Agritech does not directly affect substantive securities laws, the holding will likely be of great significance to securities litigators who routinely encounter class actions. 
China Agritech is set to address the familiar class action tolling rules announced by the Supreme Court in American Pipe and Construction Co. v. Utah, 414 U.S. 538 (1974), and Crown, Cork & Seal Co. v. Parker, 462 U.S. 345 (1983).  In American Pipe, the Supreme Court held that “the commencement of the original class suit tolls the running of the statute for all purported members of the class who make timely motions to intervene after the court has found the suit inappropriate for class action status.”  414 U.S. at 553.  In Crown, the Supreme Court extended the American Pipe rule to “class members . . . choos[ing] to file their own suits.”  462 U.S. at 354.  Accordingly, “[o]nce the statute of limitations has been tolled, it remains tolled for all members of the putative class until class certification is denied.”  Id. at 354.  If class certification is denied, the Court explained that “class members may [then] choose to file their own suits or to intervene as plaintiffs in the pending action.”  Id. The procedural history of China Agritech highlights the need for further development of American Pipe and Crown.  On June 30, 2014, Michael Resh, an individual stockholder, filed a putative class action against China Agritech and several individual defendants, alleging that they violated federal securities laws by making material misstatements in the company’s SEC filings in 2008 and 2009.  The complaint was based on the same facts and circumstances, and on behalf of the same would-be class, as two previously filed class actions that had been dismissed several months before.  Of note, Resh filed the suit seventeen months after the relevant two-year statute of limitations would have expired absent tolling.  The district court granted the defendants’ motion to dismiss on December 1, 2014, concluding that the rules in American Pipe and Crown would only toll the statute of limitations for Resh’s individual claims, and not for a subsequent class action.  Resh v. 
China Agritech, 2014 WL 12599849, at *5 (C.D. Cal. Dec. 1, 2014).  To hold otherwise, the district court opined, “would allow tolling to extend indefinitely as class action plaintiffs repeatedly attempt to demonstrate suitability for class certification on the basis of different expert testimony and/or other evidence.”  Id. On May 24, 2017, the Ninth Circuit reversed.  Resh v. China Agritech, Inc., 857 F.3d 994 (9th Cir. 2017).  The court held that American Pipe tolls the limitations period for otherwise untimely class actions and that a plaintiff who seeks to bring a new class action raising the same issues is barred only by “the criteria of Rule 23” and “comity [and] preclusion principles.”  Resh, 857 F.3d at 1005. China Agritech filed a petition for a writ of certiorari to the Supreme Court on September 21, 2017.  It contended that the Ninth Circuit’s holding “cannot be reconciled with the principles animating American Pipe tolling and would lead to significant adverse policy consequences,” primarily that “the tolling period ends only when previously absent plaintiffs stop trying to certify new class actions.”  Petition for Writ of Certiorari at 22.  Such a rule, petitioner argued, would make it difficult to settle disputes in a timely manner, among other practical problems.  See id. at 26.  Petitioner also identified a three-way circuit split on the issue.  It posited that the First, Second, Fifth, and Eleventh Circuits reject American Pipe tolling for subsequent class actions, while the Sixth, Seventh, and Ninth Circuits take the opposite position and extend American Pipe tolling to the limitations period for otherwise untimely class actions.  Petitioner further noted that the Third and Eighth Circuits split the difference by allowing tolling for successive class actions in some circumstances but not when class certification was previously considered and denied.  See id. at 11–18.  
The Resh plaintiffs filed their opposition brief on October 23, 2017, disputing the existence of a circuit split regarding American Pipe‘s application to subsequent class actions as well as petitioners’ contention that the Ninth Circuit’s opinion permits endless re-litigation of class certification determinations.  See id. at 15–21. As noted above, the Supreme Court granted certiorari in December 2017.  We expect that the parties will submit their briefing to the Supreme Court in the Spring of 2018, with oral argument to follow in the coming months.  We will continue to monitor this appeal and provide an update in our 2018 Mid-Year Securities Litigation Update. Gibson Dunn represents the Chamber of Commerce and Retail Litigation Center as amici curiae supporting petitioner in this case. D.     Recent Developments in SEC Enforcement Litigation – Lucia and Digital Realty The Supreme Court has also been active in cases relevant to both SEC enforcement and civil securities litigation. On July 21, 2017, Raymond Lucia and Raymond Lucia Companies, Inc., filed a petition for a writ of certiorari to review the D.C. Circuit’s opinion that SEC administrative law judges (“ALJs”) are not officers of the United States within the meaning of the Appointments Clause and, therefore, do not need to be nominated by the President and confirmed by the Senate.  Lucia v. SEC, No. 17-130.  Notably, the Tenth Circuit recently held the contrary in Bandimere v. SEC, 844 F.3d 1168 (10th Cir. 2016), which called into question the validity of many ALJs’ prior rulings.  Moreover, while the SEC took the position in the courts of appeals that its ALJs were mere “employees,” the Solicitor General now takes the position in the Supreme Court that ALJs are “Officers.”  The Supreme Court granted review on January 12, 2018, and will hear oral arguments in April.  Gibson Dunn represents petitioners in this case. 
Separately, on November 28, 2017, the Supreme Court heard oral argument in Digital Realty Trust, Inc. v. Somers, No. 16-1276.  Digital Realty concerns whether the anti-retaliation provision for “whistle-blowers” in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 extends to individuals who have not reported a violation of the securities laws to the SEC and thus fall outside the Act’s literal definition of a “whistle-blower.”  We expect a decision by June 2018. For further analysis of Lucia and Digital Realty, please see our 2017 Year-End Securities Enforcement Update. III.     Delaware Developments A.     Corwin Doctrine In Corwin v. KKR Financial Holdings LLC, the Delaware Supreme Court held that the business judgment standard of review should be applied to transactions approved (and thereby ratified or “cleansed”) by a non-coerced, fully informed stockholder vote in the absence of a controlling stockholder.  125 A.3d 304 (Del. 2015).  As discussed in our 2017 Mid-Year Update, the Court of Chancery declined to extend the Corwin doctrine under the circumstances in In re Massey Energy Co. Derivative & Class Action Litigation, where plaintiffs filed Caremark claims to hold defendant directors personally liable for their roles in deliberately flouting mining safety laws and permitting a massive explosion that claimed the lives of twenty-nine miners.  160 A.3d 484, 507 (Del. Ch. 2017) (reasoning that Corwin was not meant to “exonerate[e] corporate fiduciaries for any and all of their actions or inactions preceding their decision to undertake a transaction for which stockholder approval is obtained”).  In the second half of 2017, the Court of Chancery continued to apply the Corwin doctrine where, but only where, fully informed, uncoerced stockholders approved an underlying transaction.  See, e.g., van der Fluit v. Yates, 2017 WL 5953514, at *7–8 (Del. Ch. Nov. 
30, 2017) (finding stockholders were not fully informed, and thus Corwin was not satisfied, where the company failed to disclose which of its representatives were involved at key stages of negotiations); Morrison v. Berry, 2017 WL 4317252, at *1 (Del. Ch. Sept. 28, 2017) (applying Corwin in “an exemplary case of the utility of the ratification doctrine”). In one exceptional case, however, the Court of Chancery declined to extend the Corwin doctrine to books-and-records requests under Section 220 of the Delaware General Corporation Law.  Lavin v. West Corp., 2017 WL 6728702 (Del. Ch. Dec. 29, 2017).  There, the plaintiff’s stated purpose for inspecting the company’s books and records was to “determine whether wrongdoing and mismanagement had taken place” in connection with the underlying merger, and “to investigate the independence and disinterestedness” of the selling company’s board.  Id. at *1.  The defendant company moved to dismiss the plaintiff’s complaint, arguing that the plaintiff failed to state a credible basis of wrongdoing against the company’s board because the company’s disinterested stockholders’ voluntary, fully informed vote “cleansed” any purported breaches of fiduciary duty by satisfying the Corwin doctrine.  Id.  But the Court of Chancery rejected this argument.  Instead, the court held that “Corwin does not fit within the limited scope and purpose of a books and records action in this court,” and explained that “Delaware courts generally do not evaluate the viability of the demand based on the likelihood that the stockholder will succeed in a plenary action.”  Id. at *9. B.     The Delaware Supreme Court Reaffirmed The Role Of Deal Price In Appraisal Litigation—But Stopped Short Of Establishing A Bright-Line Presumption In our 2017 Mid-Year Update, we reported on a clear trend in Delaware appraisal litigation in which courts increasingly defer to deal prices following a robust sale process.  
Recently, the Delaware Supreme Court affirmed this trend in Dell, Inc. v. Magnetar Global Event Driven Master Fund Ltd., 2017 WL 6375829, at *1–2 (Del. Dec. 14, 2017).  There, the Supreme Court reversed the Court of Chancery’s decision to accord the negotiated deal price no weight, concluding that, “[t]aken as a whole, the market-based indicators of value—both Dell’s stock price and deal price—have substantial probative value.”  Id. at *25.  In particular, the Supreme Court noted, “when the evidence of market efficiency, fair play, low barriers to entry, outreach to all logical buyers, and the chance for any topping bidder to have the support of [management’s] own votes is so compelling, then failure to give the resulting price heavy weight because the trial judge believes there was mispricing missed by all the [company] stockholders, analysts, and potential buyers abuses even the wide discretion afforded the Court of Chancery in these difficult cases.”  Id. at *26. Nonetheless, the Supreme Court also declined to adopt “a presumption that the deal price reflects fair value if certain preconditions are met, such as when the merger is the product of arm’s-length negotiation and a robust, non-conflicted market check, and where bidders had full information and few, if any, barriers to bid for the deal,” because the appraisal statute “require[s] that the Court of Chancery consider ‘all relevant factors'” in its analysis.  Id. at *14 (quoting 8 Del. C. § 262(h)). 1.     The Court of Chancery accorded deal price no weight The Court of Chancery relied on three central premises in concluding deal price was “not the best evidence of [Dell’s] fair value” and assigning it no weight.  Id. at *10.  First, the court hypothesized that the bidding over Dell was anchored at an artificially low price due to a “valuation gap” between the company’s stock price and its intrinsic value resulting from “investor myopia” and fatigue from a recent company transformation.  Id. at *16.  
Second, the court suggested that the deal price was below fair value because of the absence of pre-signing competition from a strategic buyer in the sale process.  Id. at *16; see also In re Appraisal of Dell Inc., 2016 WL 3186538, at *28, *36 (Del. Ch. May 31, 2016).  In particular, the court found that “[t]he factual record in this case demonstrates that the price negotiations during the pre-signing phase were driven by the financial sponsors’ willingness to pay based on their LBO pricing models, rather than the fair value of [Dell].”  Id. at *30.  Third, the court concluded that factors endemic to MBOs further eroded the deal price’s credibility.  Dell, 2017 WL 6375829, at *16.  In particular, the Court of Chancery identified structural issues that the Court found inhibited the effectiveness of the go-shop, including the size and complexity of Dell and that bidders considering a proposed MBO “rarely submit topping bids because they have no realistic pathway to success.”  Id. at *23. 2.     The Delaware Supreme Court held that deal price deserved heavy weight under the circumstances On appeal, the Delaware Supreme Court held that “[t]here is no requirement that a company prove that the sale process is the most reliable evidence of its going concern value in order for the resulting deal price to be granted any weight,” id. at *25, and reversed the Court of Chancery “because the reasoning behind the trial court’s decision to give no weight to any market-based measure of fair value runs counter to its own factual findings.”  Id. at *12. In particular, the Supreme Court found that “[t]he three central premises that the Court of Chancery relied upon to assign no weight to the deal price were flawed.”  Id. at *16.  First, the Supreme Court found that the record “provides no rational, factual basis for … a ‘valuation gap.'”  Id. at *17.  
According to the Supreme Court, “the record shows that Dell had a deep public float, was covered by over thirty equity analysts in 2012, boasted 145 market makers, was actively traded with over 5% of shares changing hands each week, and lacked a controlling stockholder.”  Id. at *17 (internal citations omitted). Second, the Supreme Court reaffirmed its prior holding that a buyer’s status as a financial sponsor is not rationally related to whether the deal price is fair (a “private equity carve out”) and rejected the lack of strategic bidders as a credible basis for disregarding deal price.  Id. at *20.  “Here,” the Supreme Court explained, “it is clear that Dell’s sale process bore many of the same objective indicia of reliability that we [previously] found persuasive enough to diminish the resonance of any private equity carve out or similar such theory….”  Id. (citing DFC Global Corp. v. Muirfield Value Partners, 172 A.3d 346, —, 2017 WL 3261190, at *22–23 (Del. Aug. 1, 2017)).  Other facts contradicting the trial court’s conclusion include that an independent committee armed with the power to say “no” persuaded the buyer to raise its bid six times, investment bankers canvassed 67 potential buyers—20 of which were strategic acquirers, and that “the go-shop’s overall design rais[ed] fewer structural barriers than the norm.”  Id. at *20–21. Third, the Supreme Court found that the case presented none of the three features “endemic to MBOs” that theoretically could have undermined the reliability of the deal price.  Id. at *22.  For example, the Supreme Court found that the structure of the go-shop provided rival financial bidders “a realistic pathway to succeeding if they desired,” and even the petitioner’s expert characterized the go-shop as “rais[ing] fewer structural barriers than the norm.”  Id. at *23.  
As for the potential for a “winner’s curse,” competing bidders were permitted “to undertake extensive due diligence, diminishing the information asymmetry that might otherwise facilitate a winner’s curse,” and “[t]he trial court even concluded that the [c]ommittee appears to have addressed the problem of information asymmetry and the risk of the winner’s curse as best they could.”  Id. C.     Caremark Claims Generally, a Caremark claim seeks to hold directors personally accountable for damages to the company arising from a failure to properly monitor or oversee employee misconduct or violations of law.  The Delaware Supreme Court recently affirmed dismissal of a complaint for failure to adequately plead a Caremark claim in City of Birmingham Retirement & Relief System v. Good, 2017 WL 6397490 (Del. Dec. 15, 2017) (“Duke Energy“). The Duke Energy plaintiffs asserted that they were not required to make a demand on Duke Energy’s board prior to instituting litigation because the board’s management of the company’s environmental policies amounted to a Caremark violation when a ruptured storm pipe caused twenty-seven million gallons of coal ash slurry and wastewater to spill into the Dan River—ultimately leading the company to plead guilty to nine misdemeanor violations of the Federal Clean Water Act and pay a $102 million fine.  The Court of Chancery, however, dismissed the plaintiffs’ derivative complaint, holding that “to hold directors personally liable for a Caremark violation, the plaintiffs must allege that the directors intentionally disregarded their oversight responsibilities such that their dereliction of fiduciary duty rose to the level of bad faith,” and “reports from management relied on by the board to address coal ash storage problems negated any reasonable pleading-stage inference of bad faith conduct by the board.”  Id. at *1. 
The Delaware Supreme Court agreed, emphasizing that “plaintiff[s] must allege with particularity that the directors acted with scienter, meaning ‘they had actual or constructive knowledge that their conduct was legally improper,'” and that “[i]nferences that are not objectively reasonable cannot be drawn in the plaintiff[s’] favor.”  Id. at *5 (internal citations and quotations omitted).  The Court rejected plaintiffs’ description of the information presented to the Board as unfair, concluding that a fair characterization of management’s board presentations “do[es] not lead to the inference that the board consciously disregarded its oversight responsibility by ignoring environmental concerns.” Id. at *8.  The Court also rejected as inadequate plaintiffs’ allegations that Duke Energy illegally colluded with a corrupt regulator, noting that “general allegations regarding a regulator’s business-friendly policies are insufficient to lead to an inference that the board knew Duke Energy was colluding with a corrupt regulator.”  Id. at *11. D.     Ratification Defense Limited In Executive Compensation Context Considering stockholder ratification of director self-compensation decisions for the first time in more than fifty years, in In re Investors Bancorp, Inc. Stockholder Litigation, the Delaware Supreme Court limited the ratification defense when directors make equity awards to themselves under the general parameters of an equity incentive plan.  2017 WL 6374741, at *1 (Del. Dec. 13, 2017).  Absent stockholder approval, directors must prove that, when challenged by stockholders, equity incentive awards they grant to themselves are entirely fair to the company.  Similar to the Corwin doctrine, when a majority of fully informed, uncoerced, and disinterested stockholders approve a challenged equity incentive award that directors granted to themselves, the ordinary entire fairness standard of review shifts to business judgment review.  
Before Investors Bancorp, this was generally true with respect to equity incentive plans with both fixed terms and discretionary terms, like those at issue in Investors Bancorp, id. at *11, so long as the discretionary terms placed “meaningful limits” on the awards directors could make to themselves. In Investors Bancorp, however, the Supreme Court extended Sample v. Morgan, 914 A.2d 647 (Del. Ch. 2007), which “underline[d] the need for continued equitable review of self-interested discretionary director self-compensation decisions,” Investors Bancorp, 2017 WL 6374741, at *11.  In this case, the plaintiffs alleged that stockholders were initially told the plan would reward future performance, but that the board instead granted itself awards to reward past efforts.  Id. at *12.  Additionally, the awards were allegedly far higher than those granted at peer companies.  Id.  The Supreme Court found that “[t]he plaintiffs have alleged facts leading to a pleading stage reasonable inference that the directors breached their fiduciary duties,” and “[b]ecause the stockholders did not ratify the specific awards the directors made under the [plan], the directors [were required to] demonstrate the fairness of the awards to the [c]ompany.”  Id. at *13. E.     Delaware Supreme Court Rules On The Application Of Collateral Estoppel To Prior Judgments Of Demand Futility On January 25, 2018, the Delaware Supreme Court in California State Teachers Retirement System v. Alvarez unanimously affirmed a previous Court of Chancery decision by Chancellor Andre Bouchard holding that stockholders who were pursuing derivative claims were collaterally estopped from continuing because, in a parallel case, a federal court in Arkansas had held that demand was not futile.  As discussed in our 2016 Year-End Securities Litigation Update, the Delaware Court of Chancery had then recently been exploring the contours of the application of collateral estoppel to prior judgments of demand futility.  
Among these was Chancellor Bouchard’s decision granting the defendants’ motion to dismiss in this case, which applied the Delaware Supreme Court’s decision in Pyott v. Lampers, 74 A.3d 612, 618 (Del. 2013), to hold that a federal stockholder derivative plaintiff’s election not to use books and records procedures under Section 220 of Delaware’s General Corporation Law did not bar the application of preclusion doctrines in subsequent stockholder derivative suits. After initial briefing and a hearing on appeal, the Delaware Supreme Court remanded to the Court of Chancery for the limited purpose of further discussing potential Due Process issues raised by the dismissal on the grounds of collateral estoppel.  Reconsidering his prior ruling, Chancellor Bouchard’s supplemental opinion recommended that the Delaware Supreme Court adopt a rule proposed, in dictum, in In re EZCORP, Inc. Consulting Agreement Derivative Litigation, 130 A.3d 934, 948 (Del. Ch. 2016).  Under the EZCORP rule, a judgment could not bind “the corporation or other stockholders in a derivative action until the action has survived a Rule 23.1 motion to dismiss, or the board of directors has given the plaintiff authority to proceed by declining to oppose the suit.”  Id. On return from remand, the Delaware Supreme Court declined to adopt the EZCORP rule, aligning instead with federal courts that “each arrived at the same conclusion: the Due Process rights of subsequent derivative plaintiffs are protected, and dismissal based on issue preclusion is appropriate, when their interests were aligned with and were adequately represented by the prior plaintiffs.”  California State Teachers Retirement System v. Alvarez, No. 295, 2016, 2018 WL 547768, at *11 (Del. Jan. 25, 2018).  
Further, “the ‘dual’ nature of a derivative action does not transform a stockholder’s standing to sue on behalf of the corporation into an individual claim belonging to the stockholder,” because “[t]he named plaintiff, at this stage, only has standing to seek to bring an action by and in the right of the corporation and never has an individual cause of action.”  Id. at *16.  This “highlights a fundamental distinction from class actions, where the named plaintiff initially asserts an individual claim and only acts in a representative capacity after the court certifies that the requirements for class certification are met.”  Id. The Delaware Supreme Court also found—applying Arkansas law and noting that federal decisions on privity in derivative actions come to the same conclusion—that privity applies between different groups of stockholder derivative plaintiffs.  Id. at *15-18.  Thus “the evaluation of the adequacy of the prior representation becomes the primary protection for the Due Process rights of subsequent derivative plaintiffs.”  Id. at *19. The court went on to find that the Arkansas Plaintiffs’ representation was adequate because (1) the interests of the plaintiffs were aligned, (2) both groups of plaintiffs recognized that a judgment in their case could impact the other stockholders and thus the derivative plaintiffs understood they were acting in a representative capacity, and (3) it was undisputed that Delaware Plaintiffs had notice of the Arkansas action (although the court noted it did not need to resolve whether such notice was required).  Id. at *19-20.  The court also reasoned that representation was adequate under the framework of the Restatement, because the Arkansas Plaintiffs were not grossly deficient in their representation and their economic interests were not antagonistic to other stockholders.  Id. at *20-21.  
The Delaware Supreme Court agreed with the previous decision of the Court of Chancery that the Arkansas Plaintiffs’ failure to seek books and records did not make them grossly deficient.  Id. at *21. The court emphasized that “our state’s interest in governing the internal affairs of Delaware corporations must yield to the ‘stronger national interests that all state and federal courts have in respecting each other’s judgments'”—and concluded that adopting the EZCORP rule would impair this “delicate balance.”  Id. at *23. IV.     State Securities Suits and the PSLRA – Status of State Securities Act Class Action Filings in Light of Cyan As reported above, the United States Supreme Court’s decision in Cyan may have a transformational impact on Securities Act class actions filed in state courts.  Unsurprisingly, this pending sea change has brought uncertainty to the bar and courts.  But anecdotal evidence suggests that the status quo has remained in place pending the Court’s decision.  Plaintiffs have continued to file securities class actions in state courts that are historically hospitable to such suits—though there is evidence the pace has slowed.  Defendants, in light of Cyan, seem more eager to try their luck at removal, even when such efforts have been historically unsuccessful.  And, consistent with prior rulings on this jurisdictional issue, federal courts—especially those in California—have generally found in favor of state court jurisdiction and refused to stay cases pending the decision in Cyan. Though full-year 2017 data has not yet been compiled, it appears that, at least in California, the pace of Securities Act class actions filed in state court has slowed somewhat.  As we reported in the Mid-Year Update, since 2011, Securities Act Section 11 filings skyrocketed in California after a California Court of Appeal held that states have concurrent jurisdiction over Securities Act class actions.  See Luther v. Countrywide Fin. 
Corp., 195 Cal.App.4th 789 (2011).  As the Cyan petitioners noted, between 1998 and 2011, only six class actions alleging violations of Section 11 were filed in California state court.  See Petitioners’ Br. at 8 n. 6.  By contrast, 14 were filed in 2015 alone.  Id.  And in 2016, 18 were filed.  However, “[i]n the first half of 2017, there were four [such] cases brought in California state courts, distinctly fewer than observed in either the first or second halves of 2016.”  See Cornerstone Research, Securities Class Actions Filings – 2017 Midyear Assessment at 4 (2017).  The Cyan respondents argue that this is a return to the norm after the 2016 aberration.  See Resp. Supp. Br. at 1. Defendants in these suits in California have attempted to use the pending Cyan decision as an opportunity to again try their luck at removal—without much success.  In multiple California cases, defendants sought to remove state-filed securities class actions to federal court, where they then sought an order of a stay pending the Cyan decision.  See, e.g., Guo v. ZTO Express (Cayman) Inc., Case No. 17-cv-05357-JST, Dkt. No. 41 (N.D. Cal. Dec. 22, 2017); Seafarers Officers & Empls. Pension Plan v. Apigee Corp., Case No. 17-cv-04106-JD, Dkt. No. 16 (N.D. Cal. Sep. 1, 2017); Bucks Cty. Empls. Ret. Fund v. NantHealth, Inc., No. 2:17-cv-03964-SVW-SS, 2017 WL 3579889, at *2 (C.D. Cal. Aug. 18, 2017); Olberding v. Avinger, Inc., No. 17-CV-03398-CW, 2017 WL 3141889, at *3 (N.D. Cal. July 21, 2017); Book v. ProNAi Therapeutics, Inc., No. 5:16-CV-07408-EJD, 2017 WL 2533664, at *1 (N.D. Cal. June 12, 2017).  In each case, the district court denied defendants’ request.  These courts cited the unanimity in the Ninth Circuit that such cases should be remanded and found that there was no basis for a stay pending the decision in Cyan.  See, e.g., Seafarers Officers, Case No. 17-cv-04106-JD, Dkt. No. 16. 
Though California has dominated the scene when it comes to these filings, federal courts in other states confronting this issue in 2017 have generally come to the same conclusion.  See, e.g., Christians v. KemPharm, Inc., 265 F. Supp. 3d 971, 984 (S.D. Iowa 2017).  However, one court did break from the majority and granted a stay pending the outcome in Cyan.  See City of Birmingham Ret. & Relief Sys. v. ZTO Express (Cayman), Inc., No. 2:17-CV-1091-RDP, 2017 WL 3750660 (N.D. Ala. Aug. 29, 2017).  Though that court acknowledged that “most of the district courts in the First, Seventh, Ninth, and Eleventh circuits have remanded [similar] cases back to state court,” it nonetheless denied the motion to remand without prejudice and granted a stay.  Id. at *1.  Notably, the City of Birmingham court did not expound on its reasoning, other than to say that “it is prudent to await the Supreme Court’s guidance” in Cyan. A decision in Cyan is expected in June 2018.  We will report back on the impact of this decision in our 2018 Mid-Year or Year-End Securities Litigation Update. V.     Leidos – Scope of Item 303 Liability Remains Uncertain After Settlement Forestalls Supreme Court’s Consideration of Issue As noted in Section II(A) above, in light of a settlement reached between the parties in the closely watched Leidos case, the Supreme Court announced in October that it would not address an important question of federal securities law:  whether omitting information required to be disclosed under Item 303 of SEC Regulation S-K, which governs the contents of the Management’s Discussion & Analysis section of a company’s quarterly and annual reports, gives rise to a private claim for securities fraud under Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5. The Supreme Court’s anticipated consideration of this question was significant, as it would have resolved a circuit split over the extent of a company’s Section 10(b) liability premised on violations of Item 303.  
The Supreme Court has long held that “[s]ilence, absent a duty to disclose, is not misleading under Rule 10b–5.”  Basic, Inc. v. Levinson, 485 U.S. 224, 239 n.17 (1988) (internal quotation marks omitted).  Indeed, the Supreme Court has held that a duty to disclose under Section 10(b) and Rule 10b–5 arises only when an omission would render an affirmative statement misleading or would violate a special duty founded in a relationship of trust and confidence; thus, companies can “control what they have to disclose . . . by controlling what they say to the market.”

Against this backdrop, the Second Circuit nevertheless held in Indiana Public Retirement System v. SAIC, Inc. (“SAIC”) that an omission under Item 303 can give rise to Section 10(b) and Rule 10b–5 liability.  818 F.3d 85, 94–95 (2d Cir. 2016).  The plaintiffs in SAIC had brought claims in the Southern District of New York under various securities laws, including Section 10(b), alleging that Leidos’s predecessor, SAIC, Inc., made material omissions by failing to disclose federal and state investigations into the company’s unlawful overbilling practices in connection with a government contract with the City of New York.  Id. at 88.  Plaintiffs charged that SAIC should have disclosed this allegedly known and potentially significant exposure in its March 2011 Form 10-K because Item 303 requires that such disclosures “[d]escribe any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations,” 17 C.F.R. § 229.303(a)(3)(ii).  Id.

The district court dismissed this claim for failure to plead facts establishing that “management (1) had knowledge that the company could be implicated in the . . . fraud or (2) could have predicted a material impact on the company.”  In re SAIC, Inc. Securities Litigation, 2014 WL 407050, at *4 (S.D.N.Y. Jan. 30, 2014).  
Thus, while not disagreeing with the proposition that an Item 303 omission could be actionable under Section 10(b) and Rule 10b–5, the district court found insufficient allegations that SAIC had a disclosure obligation under Item 303 with the facts as pled. On appeal, the Second Circuit vacated the portion of the district court’s ruling related to Item 303 and remanded it for further proceedings.  SAIC, 818 F.3d at 88.  The Second Circuit agreed that Item 303 requires the registrant to disclose only those trends, events, or uncertainties that it “actually knows of”—as opposed to those that it “should have known”—when it files with the SEC, but it concluded that SAIC was allegedly “aware of the fraud” at the time of the report.  Id. at 94. The Second Circuit’s decision in SAIC on the Item 303 issue placed it in conflict with earlier-issued decisions by the Ninth and Third Circuits, which held that violations of Item 303 are not actionable under Section 10(b) and Rule 10b–5.  In 2014, the Ninth Circuit in In re NVIDIA Corp. Sec. Litig. held that “Item 303 does not create a duty to disclose for purposes of Section 10(b) and Rule 10b–5.”  768 F.3d 1056 (9th Cir. 2014).  In so holding, the Ninth Circuit relied on a Third Circuit decision authored in 2000 by then-Circuit Judge Samuel Alito, Oran v. Stafford, where the Third Circuit declared that “a violation of the disclosure requirements of Item 303 does not lead inevitably to the conclusion that such disclosure would be required under Rule 10b–5,” and, accordingly, “that a violation of SK-303’s reporting requirements does not automatically give rise to a material omission under Rule 10b-5.”  226 F.3d 275, 287–88 (3d Cir. 2000). This circuit split between the Second Circuit on the one hand, and the Ninth and Third Circuits on the other, teed up the issue for resolution by the Supreme Court, which granted certiorari in Leidos on March 27, 2017, and had set oral argument for November 6, 2017.  
But exactly one month prior to the scheduled arguments, on October 6, 2017, the parties filed a joint motion advising the Court that they had “reached an agreement in principle to settle” the dispute.  On October 17, 2017, the Supreme Court granted the parties’ motion, and ordered that same day that the case be removed from the November 6, 2017 argument calendar.

With Leidos no longer before the Supreme Court, the split between the Second Circuit on the one hand and the Ninth and Third Circuits on the other over the scope of Item 303 liability remains.  As things currently stand, the Second Circuit’s decision in SAIC (the decision that was under review in Leidos) continues to control in the Second Circuit, while In re NVIDIA Corp. Sec. Litig. still controls in the Ninth Circuit.  This lingering divide, according to some legal commentary, will have important implications for litigants, for the courts themselves, and for companies seeking to avoid Item 303 liability going forward.

For one, in light of the Second Circuit’s decision in SAIC, which effectively endorsed a private right of action under Section 10(b) for violations of Item 303, plaintiffs will likely continue to flock to the Second Circuit to litigate securities fraud claims premised on Item 303 deficiencies.  Conversely, the Ninth Circuit, which has shown itself to be far less amenable to such claims, will likely see far fewer shareholders bring their claims there.

Furthermore, because the Second and Ninth Circuits together handle more federal securities cases than the rest of the circuits combined, the existing split may well create a deepening fissure between those two circuits.  And other courts that have yet to take up the issue will likely follow either the Second or the Ninth Circuit’s approach, leading to further divergent development of the caselaw.  In addition to looking to Second and Ninth Circuit authority, these as-yet-undecided courts may also take note of the amicus brief filed by the SEC in Leidos, which was consistent with the Second Circuit’s holding in SAIC.  
Specifically, the Commission asserted in its brief, “[a] reasonable investor, reading an MD&A in the applicable legal context, understands it to contain all the information required by Item 303.  An MD&A that discloses only some of the information Item 303 requires therefore is misleading.”

The Leidos settlement, and the circuit split that remains in its wake, may also have important implications for companies trying to ascertain the scope of their disclosure obligations under Item 303.  Until the Supreme Court weighs in on this issue, uncertainty is likely to abound for companies over what, exactly, are considered to be “known trends and uncertainties,” among other relevant issues.  Accordingly, in an effort to stave off legal challenges further down the road, companies subject to suit in the Second Circuit may choose to over-disclose.

Despite the present uncertainty, the Supreme Court is likely to be petitioned again upon the next circuit court decision on the matter.  (Indeed, regardless of whether the next decision is plaintiff- or defendant-friendly, the issue will be ripe for Supreme Court review given the existing circuit split.)  One candidate to reignite a Supreme Court resolution is Plumbers and Steamfitters Local 137 Pension Fund v. Am. Express Co., 2017 WL 4403314 (S.D.N.Y. Sept. 30, 2017).  In Plumbers, a group of purchasers of American Express’s common stock brought a putative class action against American Express, asserting claims under Section 10(b) and Rule 10b-5 in connection with American Express’s non-renewal of its co-brand agreement with Costco (an agreement under which the two companies had partnered to offer co-branded cards for consumers and small businesses).  Plaintiffs alleged, in relevant part, that American Express violated its duty to quantify and disclose “the expected impact of known trends and uncertainties in Amex’s business,” in violation of Item 303.  Plumbers, 2017 WL 4403314, at *17.  
Specifically, plaintiffs argued that American Express failed to disclose 1) the expected impact that increased competition with respect to obtaining co-branded agreements would have on American Express’s business, and 2) its uncertainty regarding renewal of its agreement with Costco, as well as the impact of nonrenewal of the agreement—omissions that, plaintiffs asserted, gave rise to Section 10(b) liability.  Id.  The district court disagreed.  In dismissing plaintiffs’ complaint, it noted that American Express had complied with Item 303 by sufficiently disclosing the trend at issue (“[w]e also face substantial and increasingly intense competition for partner relationships”), and how that negative trend could affect its business (“we could lose partner relationships”).  Id. at *19.  Accordingly, the court concluded, American Express had met its disclosure obligations and did not omit required quantitative information under Item 303, thus precluding Section 10(b) liability on that basis.  Id.  Plaintiffs subsequently appealed the decision to the Second Circuit.

If the Second Circuit reverses the district court’s finding that American Express met its Item 303 disclosure obligations, the matter could again be teed up for resolution by the Supreme Court.  Gibson Dunn will continue to monitor for developments in connection with this topic.

VI.     Falsity of Opinions – Omnicare Update

Federal courts continue to put flesh on the bones of the Supreme Court’s 2015 decision in Omnicare, Inc. v. Laborers Dist. Council Constr. Indus. Pension Fund, 135 S. Ct. 1318 (2015).  That decision addressed the scope of liability for false opinion statements under Section 11 of the Securities Act.  The Court held that “a sincere statement of pure opinion is not an ‘untrue statement of material fact,’ regardless of whether an investor can ultimately prove the belief wrong.”  135 S. Ct. at 1327.  
An opinion statement can give rise to liability only when the speaker does not “actually hold[] the stated belief,” or when the opinion statement contains “embedded statements of fact” that are untrue.  Id. at 1326–27.  In addition, the Court held that an omission gives rise to liability when the omitted facts “conflict with what a reasonable investor would take from the statement itself.”  Id. at 1329.  Put differently, an opinion statement becomes misleading “if the real facts are otherwise, but not provided.”  Id. at 1328. In the second half of 2017, two courts issued notable opinions regarding the threshold question of what constitutes a statement of opinion under Omnicare.  First, the Ninth Circuit held that the statement “FDA clearance risk has been achieved” – made on behalf of drug company Atossa Genetics regarding certain drug tests – is a statement of opinion.  See In re Atossa Genetics Inc. Sec. Litig., 868 F.3d 784, 801 (9th Cir. 2017).  The court reasoned that whether FDA clearance risk has been “achieved” is not definite enough to be a statement of fact, as this could mean that FDA clearance risk is completely eliminated or just that an acceptable level of risk has been eliminated; “[i]ndeed, it is the speaker’s personal definition of ‘achieved’ that here produces the opinion.”  See id. In what is sure to be a controversial decision, the court in Bielousov v. GoPro Inc., No. 16-cv-06654-CW, 2017 WL 3168522, at *4–5 (N.D. Cal. July 26, 2017), decided that a statement that seemingly met the requirements of the PSLRA’s safe harbor for forward-looking statements was nonetheless an actionable statement of opinion.  One of the statements challenged by plaintiff was the CFO’s statement that “we believe” that GoPro was “on track” to meet its previously-issued revenue guidance.  See id. at *4.  
Although defendants argued this was a forward-looking statement protected by the safe harbor, the court held that by including the phrase “we believe” the CFO “was representing his and GoPro’s existing state of mind” which is “a statement of present opinion . . . not covered by the PSLRA safe harbor provision.”  See id. at *5.  Taken to its logical conclusion, the GoPro court’s reasoning would turn most statements previously considered forward-looking in nature into actionable statements of opinion.  While this appears to be an outlier opinion, we will monitor further developments in this area of securities law. Numerous recent opinions showcase the difficulty of pleading the falsity of opinion statements after Omnicare.  In Markette v. XOMA Corp., No. 15-CV-03425-HSG, 2017 WL 4310759, at *5 (N.D. Cal. Sept. 28, 2017), the court held that conclusory allegations that defendants did not believe in their opinion statements are insufficient to plead falsity.  While the court did not analyze this issue in depth, the court implicitly reasoned that a plaintiff must allege specific facts showing that a defendant did not believe in his stated opinion in order for plaintiff’s claim to survive a motion to dismiss.  In Wilbush v. Ambac Fin. Grp., Inc., the court reaffirmed the principle that plaintiffs cannot state a claim by pleading “fraud by hindsight” – that is, a plaintiff cannot show that an opinion was false when made solely by pointing to subsequent developments that are inconsistent with that opinion.  See No. 16 Civ. 5076-RMB, 2017 WL 4125364, at *10 (S.D.N.Y. Sept. 5, 2017) (opinion about adequacy of loss reserves for investments not false solely because company ultimately suffered losses on investments).  Finally, the court in Jaroslawicz v. M&T Bank Corp., No. 15-897-RGA, 2017 WL 4856864 (D. Del. Oct. 
27, 2017), highlighted what plaintiffs need to allege to plead an actionable omission of “material facts about the issuer’s inquiry into or knowledge concerning a statement of opinion.”  See Omnicare, 135 S. Ct. at 1329.  In this Section 14(a) case, the court rejected as insufficient “hypotheticals” about what defendants could have done to make an inquiry before rendering an opinion about the company’s compliance with banking laws, holding that plaintiffs needed to instead plead “particular facts about what Defendants did or did not do in forming the compliance opinion” at issue.  See 2017 WL 4856864 at *6 (dismissing allegations that opinion about legal compliance would have been shown to be false if defendants performed “adequate due diligence” or hired a “trained, independent consultant”). Of course, if plaintiffs can plead specific facts as to the falsity of an opinion statement, courts are willing to allow plaintiffs’ cases to proceed.  In the Atossa Genetics case, for example, the Ninth Circuit held that plaintiffs sufficiently pleaded the opinion that “FDA clearance risk has been achieved” was misleading by omission because they alleged (i) only part of the multi-part drug test at issue had been approved by the FDA, and (ii) the FDA had expressed concerns to Atossa about this lack of complete clearance.  See 868 F.3d at 802.  These facts, the court held, “relate directly to the basis for” the opinion statement, and “conflict with what a reasonable investor would take away from the statement.”  Id.  And in Perez v. Higher One Holdings, Inc., No. 3:14-cv-755-AWT, 2017 WL 4246775, at *6 (D. Conn. Sept. 25, 2017), the court – after dismissing plaintiffs’ previous complaint with leave to amend – denied a motion to dismiss the amended complaint as to an opinion that Higher One Holdings does “not expect any further losses as a result of” an FDIC investigation that led to a consent order in 2012.  
Because the amended complaint alleged specific facts showing that defendants were violating the 2012 consent order and were specifically warned “about their ongoing violative conduct,” the court held that plaintiffs sufficiently pleaded falsity because “defendants could not have reasonably believed their own statements of corporate optimism.”  See id.

As reported in previous updates, we continue to see courts applying Omnicare outside of the Section 11 context.  Most of the foregoing decisions arose out of complaints alleging violations of Section 10(b) of the Exchange Act, which continues a trend we highlighted in previous updates.  Additionally, courts are applying Omnicare in actions asserting claims under a variety of other securities laws.  See Jaroslawicz v. M&T Bank Corp., 2017 WL 4856864 (Section 14(a) of the Exchange Act); Knurr v. Orbital ATK, Inc., No. 1:16-cv-1031, 2017 WL 4286273 (E.D. Va. Sept. 26, 2017) (Section 14(a) of the Exchange Act); Fed. Hous. Fin. Agency v. Nomura Holding Am., Inc., 873 F.3d 85 (2d Cir. 2017) (Section 12(a) of the Securities Act).  And, in a natural extension of Omnicare, given its roots in disclosure-based law, the court in Hutton v. McDaniel, 264 F. Supp. 3d 996, 1021 (D. Ariz. 2017), applied Omnicare to a state law breach of fiduciary duty claim arising out of directors’ alleged failure to disclose information to shareholders.

VII.     Halliburton II Market Efficiency and Price Impact Cases

As discussed in our 2017 Mid-Year Update, courts across the country continue to grapple with implementing the Supreme Court’s landmark ruling in Halliburton Co. v. Erica P. John Fund, Inc., 134 S. Ct. 2398 (2014) (Halliburton II), and several recent decisions are beginning to shape the post-Halliburton II landscape.  
In Halliburton II, the Supreme Court preserved the “fraud-on-the-market” presumption—a presumption enabling plaintiffs to maintain the common proof of reliance that is essential to class certification in a Rule 10b-5 case—but made room for defendants to rebut that presumption at the class certification stage with evidence that the alleged misrepresentation had no impact on the price of the issuer’s stock.  Two key questions continue to recur:  first, how should courts reconcile the Supreme Court’s explicit ruling in Halliburton II that direct and indirect evidence of price impact must be considered at the class certification stage, Halliburton II, 134 S. Ct. at 2417, with its previous decisions holding that plaintiffs need not prove loss causation or materiality until the merits stage, see Erica P. John Fund, Inc. v. Halliburton Co., 563 U.S. 804 (2011) (“Halliburton I”); Amgen Inc. v. Conn. Ret. Plans & Trust Funds, 133 S. Ct. 1184 (2013)?  And second, what standard of proof must defendants meet to rebut the Basic presumption with evidence of no price impact?

As discussed in our January 18, 2018 Client Alert, the Second Circuit recently addressed both of these issues in two substantive opinions: Waggoner v. Barclays, 875 F.3d 79 (2d Cir. 2017) and Ark. Teachers Ret. Sys. v. Goldman Sachs, — F.3d –, Case No. 16-250, 2018 WL 385215 (2d Cir. Jan. 12, 2018).  In so doing, the Second Circuit joined the Eighth Circuit as the only federal circuit courts of appeals to interpret Halliburton II since it was issued.  In Goldman Sachs, the Second Circuit directed that price impact evidence must be analyzed prior to certifying a class, even though “price impact touches on materiality,” which is to be reserved for trial.  Goldman Sachs, 2018 WL 385215, at *7-8.  However, the Barclays and Goldman Sachs decisions leave the Second Circuit at odds with the Eighth Circuit’s 2016 decision in IBEW Local 98 Pension Fund v. Best Buy Co., 818 F.3d 775 (8th Cir. 2016), on the standard of proof defendants must meet to rebut the Basic presumption.

A.     Evidence Properly Considered at the Class Certification Stage

In Goldman Sachs the Second Circuit vacated the district court’s order certifying a class, and remanded for further proceedings to determine whether the defendants had presented sufficient evidence to demonstrate that the alleged misstatements did not impact Goldman Sachs’ stock price.  The Second Circuit encouraged the district court to hold any evidentiary hearing or oral argument it finds appropriate to address the issue on remand.

In the district court, defendants attempted to rebut the presumption of reliance by presenting evidence that the statements at issue had no impact on Goldman Sachs’ stock price.  They offered evidence that (1) the stock price did not increase on the days when the alleged misstatements were made and (2) the stock price did not decrease when those statements were “corrected” by news that was publicly revealed on thirty-four separate occasions before the alleged corrective disclosure dates.  Goldman Sachs, 2018 WL 385215 at *7.  If the prior disclosures “correcting” the alleged misstatements did not negatively impact the company’s stock price, defendants reasoned, then the alleged misstatements themselves “did not affect the price of Goldman stock and plaintiffs could not have relied on them in choosing to buy shares at that price.”  Id. at *4.  The district court rejected defendants’ evidence regarding the lack of price impact based on these earlier “corrective” press reports, labeling the argument a premature “materiality” argument.

The Second Circuit acknowledged that price impact “touches on materiality,” but nonetheless instructed the trial court, on remand, to consider defendants’ price impact evidence.  Goldman Sachs, 2018 WL 385215 at *8.  
The court explained that price impact and materiality are distinct, and that price impact “refers to the effect of a misrepresentation on a stock price.”  Id. (quoting Halliburton I, 563 U.S. at 814).  “Whether a misrepresentation was reflected in the market price at the time of the transaction—whether it had price impact—” the court explained, “‘is Basic’s fundamental premise.’”  Id. (quoting Halliburton II, 134 S. Ct. at 2416).  Therefore, a defendant’s evidence of a lack of price impact must be fully considered at the class certification stage.  Id.

B.     Standard of Proof to Rebut the Presumption

In Barclays, the Second Circuit’s only substantive discussion of Halliburton II addressed the standard of proof required to rebut the presumption of reliance.  There, the court upheld the district court’s certification of a class, holding that once a plaintiff establishes that the presumption applies, the defendant bears the burden of persuasion to rebut it.  This standard, reaffirmed in Goldman Sachs, puts the Second Circuit at odds with the Eighth Circuit, which cited Rule 301 of the Federal Rules of Evidence (“Rule 301”) when reversing the trial court’s certification order in Best Buy.  Best Buy, 818 F.3d at 782.  Rule 301 assigns only the burden of production—i.e., producing some evidence—to the party seeking to rebut a presumption, but “does not shift the burden of persuasion, which remains on the party who had it originally.”  By its own terms, Rule 301 applies in all civil cases “unless a federal statute or these rules provide otherwise.”  In both Barclays and Goldman Sachs, the Second Circuit panels reasoned that “the Basic presumption is a substantive doctrine of federal law that derives from the securities fraud statutes” in departing from the standard burden-shifting paradigm of Rule 301.  Goldman Sachs, 2018 WL 385215, at *6-7 (citing Barclays, 875 F.3d at 102–03).

We will continue to monitor the Goldman Sachs remand and cases in all courts throughout the year. 
The following Gibson Dunn lawyers assisted in the preparation of this client update:  Monica Loseman, Matt Kahn, Brian Lutz, Laura O’Boyle, Mark Perry, Lissa Percopo, Travis Andrews, Jefferson Bell, Scott Campbell, Vivek Gopalan, Michael Kahn, Kim Kirschenbaum, Mark Mixon, Emily Riff, Samantha Weiss, Christopher White and Zachary Wood.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or any of the following members of the Securities Litigation Practice Group Steering Committee:

Robert F. Serio – Co-Chair, New York (+1 212-351-3917, rserio@gibsondunn.com)
Meryl L. Young – Co-Chair, Orange County (+1 949-451-4229, myoung@gibsondunn.com)
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, blutz@gibsondunn.com)
Thad A. Davis – San Francisco (+1 415-393-8251, tadavis@gibsondunn.com)
Jennifer L. Conn – New York (+1 212-351-4086, jconn@gibsondunn.com)
Ethan Dettmer – San Francisco (+1 415-393-8292, edettmer@gibsondunn.com)
Barry R. Goldsmith – New York (+1 212-351-2440, bgoldsmith@gibsondunn.com)
Mark A. Kirsch – New York (+1 212-351-2662, mkirsch@gibsondunn.com)
Gabrielle Levin – New York (+1 212-351-3901, glevin@gibsondunn.com)
Monica K. Loseman – Denver (+1 303-298-5784, mloseman@gibsondunn.com)
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, jmendro@gibsondunn.com)
Alex Mircheff – Los Angeles (+1 213-229-7307, amircheff@gibsondunn.com)
Robert C. Walters – Dallas (+1 214-698-3114, rwalters@gibsondunn.com)
Aric H. Wu – New York (+1 212-351-3820, awu@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 29, 2018 |
International Cybersecurity and Data Privacy Outlook and Review – 2018

In honor of Data Privacy Day—an international effort to raise awareness and promote privacy and data protection best practices—we recently offered Gibson Dunn’s sixth annual Cybersecurity and Data Privacy Outlook and Review.  This year again, in addition to that U.S.-focused report, we offer this separate International Outlook and Review.

Like many recent years, 2017 saw significant developments in the evolution of the data protection and cybersecurity landscape outside the United States:

- Following the adoption in 2016 of the General Data Protection Regulation governing the collection, processing and transfer of personal data (“GDPR”),[1] several Member States of the European Union started to adapt their national legal frameworks in light of the entry into application of the GDPR on 25 May 2018, and the Article 29 Working Party (“WP29”) provided details regarding its implementation.
- The first proposals for an upcoming European regulation on private life and the protection of personal data in electronic communications, intended to repeal the currently applicable legal framework, were made public (“ePrivacy Regulation”).
- The Member States of the European Union started working on the transposition into national law of the directive on the security of network and information systems (“NIS Directive”).
- The framework for international data transfers between the U.S. and the European Union—the Privacy Shield—was subjected to various legal challenges.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents
__________________________________________
I.     European Union
A.   Privacy Shield
1.    Reviews of the European Commission and the WP29
2.    Challenges to Privacy Shield
B.   EU Data Protection Regulation and Reform
1.    GDPR
2.    Principal Elements of the GDPR
3.    National Data Protection Reforms Implementing the GDPR
C.   EU Cyber Security Directive
1.    Digital Service Providers
2.    Member State Obligations
3.    Minimum Harmonization and Coordination Among EU Member States
D.   Other EU Developments
1.    Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation
2.    CJEU Case Law
3.    Article 29 Working Party (WP29) Opinions
II.   Asia-Pacific and Other Notable International Developments
__________________________________________

I.     European Union

A.     Privacy Shield

On 12 July 2016, the European Commission formally approved the EU-U.S. Privacy Shield (“Privacy Shield”), a framework for navigating the transatlantic transfer of data from the EU to the United States.  The Privacy Shield replaces the EU-U.S. Safe Harbor framework, which was invalidated by the European Court of Justice (“ECJ”) on 6 October 2015 in Maximilian Schrems v. Data Protection Commissioner (the “Schrems” decision).[2]  We provided an in-depth discussion of the Schrems decision in a previous Outlook and Review.[3]

1.     Reviews of the European Commission and the WP29

Following the adoption of the Privacy Shield, the WP29—an advisory body that includes representatives from the data protection authorities of each EU Member State—stated that “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective” during a joint annual review of the Privacy Shield mechanism.[4]

The first review was conducted in mid-September 2017 by the European Commission and U.S. authorities.  The European Commission published its report on 18 October 2017.[5]  It concluded that the Privacy Shield continues to ensure an adequate level of protection, noting that various important structures and procedures have been put in place by U.S. 
authorities—namely, new redress possibilities for EU nationals, a complaint-handling and enforcement procedure, an increased level of cooperation with EU data protection authorities, and necessary safeguards for government access to personal data.  Overall, the European Commission determined that the framework, including the self-certification process, is functioning well, and the European Commission continues to support the Privacy Shield.  The European Commission did, however, make several recommendations to further improve the Privacy Shield’s functioning:

- More proactive and regular monitoring by the U.S. Department of Commerce of companies’ compliance with their obligations under the Privacy Shield, including the use of review questionnaires or annual compliance reports.
- Increased searches for, and enforcement by U.S. authorities against, companies that falsely claim to participate in the Privacy Shield.
- Raising awareness of how EU individuals can exercise their rights under the Privacy Shield, particularly how they can submit complaints.
- Closer cooperation between EU and U.S. authorities to achieve a consistent interpretation and to develop guidance for companies and enforcers.
- The appointment of a permanent Privacy Shield Ombudsman and the appointment of additional members to the Privacy and Civil Liberties Oversight Board (“PCLOB”).
- A codification of Presidential Policy Directive 28 (“PPD-28”) as part of the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

It should be noted on this last point that on 19 January 2018 the United States reauthorized FISA Section 702 without enshrining the protections set forth in PPD-28.[6]  It remains to be seen how this, and the success of efforts to follow up on the other recommendations, will affect the next annual review of the Privacy Shield in fall 2018. 
On 28 November 2017, the WP29 released its own opinion on the first annual joint review of the Privacy Shield mechanism.[7]  The WP29’s findings are quite different from the Commission’s, as the WP29 identified “significant concerns” with the Privacy Shield’s mechanisms as currently operated.  While the WP29 recognized the Privacy Shield as an improvement compared to the invalidated Safe Harbor mechanism, and welcomed the increased transparency of the U.S. government and legislator regarding the use of their surveillance powers, the WP29 set forth several recommendations, namely:

- U.S. authorities should provide more guidance on the principles of the Privacy Shield, particularly regarding transfers, available rights, and recourses and remedies, to make it easier for companies to interpret their obligations and for individuals to exercise their rights.
- More oversight by U.S. authorities concerning compliance with Privacy Shield principles—for instance, compliance with limits on monitoring—and more proactive supervision of the participating organizations.
- Distinguishing the status of processors and controllers established in the U.S., as the opinion notes there is currently no differentiation made between the two during the application process.
- Increasing the level of protection concerning profiling data or automated decision-making by creating specific rules to provide sufficient safeguards.
- Avoiding exceptions for the processing of Human Resources (“HR”) data, as according to the WP29 the U.S. Department of Commerce construes HR data too narrowly, allowing some HR data to be transferred as commercial data.
- Shoring up safeguards against access to data by U.S. public authorities.
- Addressing the lack of a permanent and independent Ombudsman and the several vacancies on the PCLOB.

The WP29 warned that should its concerns fail to be addressed, the group would take appropriate action, including challenging the Privacy Shield before national courts.  
The WP29 therefore called on the European Commission and U.S. authorities to resume discussions, and to set up an action plan to demonstrate that these concerns will be addressed.

2. Challenges to Privacy Shield

Advocacy groups have already filed challenges to the Privacy Shield. Specifically, in October 2016 Digital Rights Ireland (“DRI”) filed a challenge with the Luxembourg-based General Court, a lower court of the ECJ, to annul the European Commission’s 12 July 2016 Adequacy Decision, which approved and adopted the Privacy Shield.[8] However, this action was dismissed by the General Court of the European Union on 22 November 2017.[9] The European judges held that DRI neither had an interest in bringing proceedings in its own name nor had standing to act in the name of its members and supporters or on behalf of the general public.

This is not the only challenge to the Privacy Shield, however: in 2016, a French privacy advocacy group also challenged the Adequacy Decision in a legal action before the ECJ, claiming that the U.S. Ombudsman redress mechanism is not sufficiently independent and effective and therefore the Adequacy Decision must be annulled.[10] This case remains ongoing.[11]

B. EU Data Protection Regulation and Reform

1. GDPR

On 15 December 2015, the European Commission, the European Parliament, and the European Council agreed to an EU data protection reform to boost the EU Digital Single Market. The bill was adopted by the European Council and the European Parliament in early April 2016 and came into force on 24 May 2016 as the GDPR. However, the GDPR provides for a two-year “grace period,” such that it will not become fully applicable until 25 May 2018.
The GDPR replaces the EU Data Protection Directive[12] and constitutes a set of data protection rules that are directly applicable to the processing of personal data across EU Member States (for additional details regarding the main requirements of the GDPR, please refer to Section 2 below).

2. Principal Elements of the GDPR

The core substantive elements of the GDPR, which will become fully applicable in May 2018, include the following:

Extraterritorial Scope: The GDPR will cover not only data controllers established in the EU, but will also apply to organizations that offer goods or services to residents in the EU, even if these organizations are not established in the EU and do not process data using servers in the EU.[13]

Transparency Principle: Under the GDPR, transparency is a general requirement applicable to three central areas: (i) the provision of information to data subjects; (ii) the way data controllers communicate with data subjects in relation to their rights under the GDPR; and (iii) how data controllers allow and facilitate the exercise of their rights by data subjects. In late 2017, the WP29 made draft Guidelines on transparency public.[14] Even though the final version of this document is not available yet, the purpose of such Guidelines is to provide practical guidance and interpretative assistance on the new transparency obligations resulting from the GDPR.

Consent of the Data Subjects: The GDPR puts emphasis on the notion of consent of data subjects by providing further clarification and specification of the requirements for obtaining and demonstrating valid consent.
In November 2017, the WP29 adopted Guidelines specifically dedicated to the concept of consent and focusing on the changes in this respect resulting from the GDPR.[15]

“Right to Be Forgotten”: The GDPR further develops the “right to be forgotten” (formally called the “right to erasure”) whereby personal data must be deleted when an individual no longer wants his or her data to be processed by a company and there are no legitimate reasons for retaining the data.[16] This right was already introduced in the EU Data Protection Directive, and was the object of the litigation before the CJEU in Google Spain SL and Google Inc. v. AEPD and Mario Costeja González.[17] Among other points, the GDPR clarifies that this right is not absolute and will always be subject to the legitimate interests of the public, including the freedom of expression and historical and scientific research. The GDPR also obliges controllers who have received a request for erasure to inform other controllers of such request in order to achieve the erasure of any links to or copy of the personal data involved. This part of the GDPR may impose significant burdens on affected companies, as the creation of selective data destruction procedures often leads to significant costs.

Data Breach Notification Obligation: The GDPR requires data controllers to provide notice of serious security breaches to the competent Data Protection Authority/ies (“DPA(s)”) without undue delay and, in any event, within 72 hours after having become aware of any such breach. The WP29 has issued Guidelines in order to explain the mandatory breach notification and communication requirements of the GDPR as well as some of the steps data controllers and data processors can take to meet these new obligations.[18]

Profiling Activities: The GDPR specifically addresses the use of profiling and other automated individual decision-making.
In 2017, the WP29 made Guidelines public in this respect.[19] These clarify the provisions of the GDPR regarding profiling, in particular by defining in more detail what profiling is.

Data Protection Impact Assessment (“DPIA”): Where processing activities are deemed likely to result in high risk to the rights and freedoms of data subjects, the GDPR requires that data controllers carry out, prior to the contemplated processing, an assessment of the impact thereof on the protection of personal data.[20] However, the GDPR does not specifically detail the criteria to be taken into account for determining whether given processing activities represent “high risk.” Instead, the GDPR provides a non-exhaustive list of examples falling within this scope. Similarly, no process for performing DPIAs is detailed as part of the GDPR. Considering the need for additional information in this respect, the WP29 issued Guidelines in 2017 intended to clarify which processing operations must be subject to DPIAs and how they should be carried out.[21] These Guidelines were subsequently revised throughout the year.[22]

Privacy-Friendly Techniques and Practices: “Privacy by design” is the idea that a product or service should be conceived from the outset to ensure a certain level of privacy for an individual’s data. “Privacy by default” is the idea that a product or service’s default settings should help ensure privacy of individual data. The GDPR establishes privacy by design and privacy by default as essential principles. Accordingly, businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for those purposes. These principles will require data controllers to design data protection safeguards into their products and services from the inception of the product development process.
Data Portability: The GDPR establishes a right to data portability, which is intended to make it easier for individuals to transfer personal data from one service provider to another. According to the WP29, as a matter of good practice, companies should develop the means that will contribute to answering data portability requests, such as download tools and Application Programming Interfaces. Companies should guarantee that personal data is transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request. The WP29 has also called on industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.[23] In 2017, the WP29 issued revised Guidelines on the right to data portability providing guidance on the way to interpret and implement the right to data portability introduced by the GDPR.[24]

Competent Supervisory Authority: To date, in the EU the monitoring of the application of data protection rules has fallen almost exclusively under the jurisdiction of national DPAs. Subject to the EU Data Protection Directive and the case law of the CJEU, DPAs only had jurisdiction to find a violation of their data protection laws and impose fines where, inter alia, their respective national laws were applicable.[25] With the adoption of the GDPR, a complex set of rules has been established to govern the applicability of the rules to data controllers that have cross-border processing practices.
First, where a case relates only to an establishment of a data controller or processor in a Member State or substantially affects residents only in a Member State, the DPA of the Member State will have jurisdiction to deal with the case.[26]

Second, in other cases concerning cross-border data processing, the DPA of the main establishment of the controller or processor within the EU will have jurisdiction to act as lead DPA for the cross-border processing of this controller or processor.[27] Articles 61 and 62 provide for mutual assistance and joint operations mechanisms, respectively, to ensure compliance with the GDPR. Furthermore, the lead DPA will need to follow the cooperation mechanism provided in Article 60 with other DPAs “concerned.” Ultimately, the European Data Protection Board (“EDPB,” where all EU DPAs and the European Commission are represented) will have decision-making powers in case of disagreement among DPAs as to the outcome of specific investigations.[28]

Third, the GDPR establishes an urgency procedure that any DPA can use to adopt time-limited measures regarding data processing in case of urgency. These measures will only be applicable in the DPA’s own territory, pending a final decision by the EDPB.[29]

In 2016, the WP29 issued Guidelines that aim to assist controllers and processors in the identification of their lead DPA.[30] These Guidelines were updated in 2017, in particular for addressing circumstances involving joint data controllers.[31]

Governance: Data controllers and processors may be required to designate a Data Protection Officer (“DPO”) in certain circumstances. Small and medium-sized enterprises will be exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
The WP29 has issued Guidelines that clarify the conditions for the designation, position and tasks of the DPO to ensure compliance with the GDPR; these Guidelines were revised in 2017.[32]

These requirements will be supplemented by a much more rigid regime of fines for violations. DPAs will be able to fine companies that do not comply with EU rules up to 4% of their global annual turnover.

3. National Data Protection Reforms Implementing the GDPR

Because the GDPR is a regulation, there is no need for Member States of the European Union to transpose its provisions in order to render them applicable within their national legal systems. However, some Member States nonetheless have adapted their legal frameworks regarding data protection in light of the GDPR.

The GDPR contains provisions granting flexibility to the Member States to implement such adaptations. For example, Article 8 of the GDPR provides specific rules regarding the processing of personal data of children below the age of 16. Nevertheless, Member States may provide by law for a lower age provided it is not below 13 years. Another example is to be found under Article 58 of the GDPR, as Member States may provide by law that their supervisory authorities have additional powers beyond those already specified under the GDPR.

Below is an overview of the national data protection reforms implemented throughout the European Union during 2017:

Member State | Status of National Data Protection Reform
Austria | The Datenschutz-Anpassungsgesetz 2018 was published in July 2017. This act is expected to support the application of the GDPR and will enter into effect by 25 May 2018. The Datenschutzgesetz 2000 will be replaced accordingly.
Belgium | Belgium is currently adapting its national data protection legal framework by: reforming the Belgian Privacy Commission (the draft bill in this respect was adopted by the Parliament on 16 November 2017 and was submitted for the King’s approval); and preparing a framework law for addressing the national considerations resulting from the GDPR (although no draft has been disclosed yet).
Bulgaria | In 2017, Bulgaria did not enact or propose a bill concerning GDPR-related privacy issues.
Croatia | In 2017, Croatia did not enact or propose a bill concerning GDPR-related privacy issues.
Cyprus | In 2017, Cyprus did not enact or propose a bill concerning GDPR-related privacy issues.
Czech Republic | A draft Data Protection Act, intended to adapt the current national legal framework to the GDPR, was discussed by the government. The upcoming Data Protection Act is expected to replace the current act on data protection.
Denmark | On 25 October 2017, a proposal for a new Data Protection Act implementing the GDPR was made public. This proposal was discussed by the Danish Parliament in late 2017 and is expected to pass in the first months of 2018.
Estonia | The Ministry of Justice rendered public a first draft of the legislation intended to implement the GDPR. However, the draft was not submitted to Parliament for review in 2017.
Finland | A working group set up by the Ministry of Justice issued a report in June 2017 proposing to replace the current Finnish Data Protection Act with a new act intended to supplement the GDPR when the GDPR enters into application.
France | A draft data law intended to modify the current French Data Protection Act was made public in December 2017. It is likely that this initial draft will go through subsequent modifications before the final law is eventually passed.
Germany | In June 2017, Germany adapted its Data Protection Act to the GDPR. The previous version of the German Data Protection Act will remain in force until 25 May 2018.
Greece | In 2017, Greece did not enact or propose a bill concerning GDPR-related privacy issues.
Hungary | In 2017, Hungary launched a public consultation on a proposal to amend the current Hungarian Data Protection Act. This proposal is expected to become final in early 2018.
Ireland | In May 2017, Ireland issued a General Scheme of Data Protection Bill providing a general scheme for the act intended to give effect to and complement the GDPR.
Italy | On 6 November 2017, the Italian Parliament passed a law (Law No. 163) adopting specific provisions with respect to the GDPR. The currently applicable Italian Data Protection Code is to be modified within 6 months from the passage of Law No. 163.
Latvia | Latvia made public a draft Personal Data Processing Law in October 2017.
Lithuania | The law applicable in Lithuania (i.e., the Lithuanian Law on Legal Protection of Personal Data) is currently being amended so as to integrate the requirements of the GDPR.
Luxembourg | The government of Luxembourg proposed a bill specifically addressing data protection in order to adapt the local law to the requirements of the GDPR.
Malta | In 2017, Malta did not enact or propose a bill concerning GDPR-related privacy issues.
Netherlands | The data protection law currently applicable in the Netherlands results from the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens). This Act will no longer be applicable after the GDPR enters into effect in May 2018.
Poland | In September 2017, Poland published a draft Personal Data Protection Act, intended to provide a legal framework for the GDPR. This draft was made subject to public consultations and is expected to be enacted in 2018, prior to the entry into application of the GDPR.
Portugal | In 2017, Portugal did not enact or propose a bill concerning GDPR-related privacy issues.
Romania | Draft legislation for implementing the GDPR was disclosed and submitted for public debate in 2017.
Slovakia | On 29 November 2017, the Slovakian Data Protection Act was adopted by the Slovak Parliament with an entry into force on the same date as the GDPR.
Slovenia | The currently applicable Slovenian Data Protection Act is expected to be repealed by a new data protection act (“ZVOP-2”) intended to ensure the proper implementation of data protection requirements following the entry into application of the GDPR. ZVOP-2 was subject to the legislative process in 2017 and is likely to be adopted in early 2018.
Spain | A bill regarding data protection intended to amend the current legal framework was published and made subject to debate, with an eye toward eventual approval by the Spanish Parliament.
Sweden | A report of the Swedish government proposing provisions intended to complement the GDPR was issued in May 2017, but no government bill was passed in this respect during 2017.
United Kingdom | On 14 September 2017, the Data Protection Bill was published with the aim to modernize data protection law. Even though the Data Protection Bill has a wider scope than the mere adaptation of national law to the GDPR, one of its core features includes detailing how the UK uses the flexibility granted by the GDPR to Member States with respect to specific data protection issues.

C. EU Cyber Security Directive

On 6 July 2016, the European Parliament officially adopted the Network and Information Security (“NIS”) Directive,[33] which is expected to be fully applicable (via national regulations) as of May 2018. The NIS Directive is the first set of cybersecurity rules to be adopted on the EU level, adding to an already complex array of laws with which companies must comply when implementing security and breach response plans. It aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.
In February 2017, the European Agency for Network and Information Security (“ENISA”) issued guidelines related to incident notification for digital service providers in the context of the NIS Directive, in order to provide practical information on the cases covered by the NIS Directive and the actions to be taken in such a case.[34]

More details as to how the NIS Directive will be implemented at local level were also disclosed in 2017 as Member States started to adopt national legislation to transpose the NIS Directive. For example, in France on 19 December 2017, a national bill for transposing the NIS Directive was adopted by the French Senate. This bill specifies fines up to EUR 100,000 if officers of essential services providers do not comply with the security requirements specified by the French Prime Minister and fines up to EUR 75,000 if such officers do not comply with the obligation to provide notifications of data breaches. Regarding legal persons, the fines for non-compliance with the security requirements specified by the French Prime Minister can be up to EUR 500,000, and up to EUR 375,000 in case data breaches are not duly notified.

The final text of the NIS Directive sets out separate cybersecurity obligations for essential service and digital service providers:

- Essential service providers include actors in the energy, transport, banking and financial markets, as well as health, water and digital infrastructure[35] sectors.
- Digital service providers will include online marketplaces, search engines and cloud services (with an exemption for companies with fewer than 50 employees) but not social networks, app stores or payment service providers.

In terms of geographic scope, the NIS Directive aims to address potential incidents taking place “within the [European] Union”[36] and will apply to all entities providing the above services[37] within the EU territory or to EU residents, regardless of their physical location.
In particular, all digital service providers that are not established in the EU, but offer services covered by the NIS Directive within the EU, are required to designate an EU-based representative.[38]

Companies covered by the NIS Directive will have to ensure that their digital infrastructure is robust enough to withstand cyber-attacks and may need to report major security incidents to the national authorities. Businesses will also be required to apply procedures demonstrating effective use of security policies and measures.

1. Digital Service Providers

Digital service providers will be obliged to report all incidents that have a “substantial impact” on their services (in terms of the duration, geographic spread and the number of users affected by the incident).[39] It will be up to regulators to decide whether to inform the public about these incidents after consulting the company involved. As a practical matter, the NIS Directive states that jurisdiction over a digital service provider should be attributed to the Member State in which it has its main EU establishment, which in principle corresponds to the place where the provider has its head office in the EU.[40] Digital service providers not established in the EU will be deemed to be under the primary jurisdiction of the Member State where their EU representative has been appointed.[41]

Notably, where an incident involves personal data, there may be an additional requirement to report to DPAs under the GDPR, which will come into effect on 25 May 2018. As indicated above, the GDPR will also have a reporting provision for data breaches, although the notification obligation will focus on the protection of personal information, in contrast to the NIS Directive’s data reporting requirement, which is aimed at improving computer and information technology systems overall.
Thus, it is possible that a single cybersecurity breach will need to be notified to more than one authority in each EU Member State affected.

2. Member State Obligations

The NIS Directive itself is not directly applicable. It will first have to be transposed and implemented into national law by the Member States by May 2018. Member States will need to, for example, designate the competent national authorities, identify operators of essential services, indicate which types of incidents they must report and establish sanctions for failure to notify.[42] National procedural rules (for both administrative and court proceedings) will govern the application of the NIS Directive and the relevant national laws to affected entities.[43]

In addition, each Member State is to adopt a national strategy to maintain the security of network and information systems and will designate one or more national competent authorities to monitor the application of the NIS Directive. They are also to designate one or more Computer Security Incident Response Teams (“CSIRTs”) responsible for monitoring and responding to incidents and providing early warnings about risks.

3. Minimum Harmonization and Coordination Among EU Member States

The clear aim of the NIS Directive is to harmonize the EU Member State rules applicable to the security levels of network and information systems across the EU. However, given the strategic character of certain services covered by the NIS Directive, the NIS Directive gives some powers and margin of discretion to Member States. For example, the NIS Directive mandates each EU Member State to adopt a national strategy on the security of network and information systems, defining objectives, policies and measures envisaged with a view to achieving the aims of the NIS Directive.[44] Thus, despite the ability of Member States to seek the assistance of ENISA, the development of a strategy will remain a national competence.
Furthermore, as far as operators of essential services are concerned, EU Member States will identify the relevant operators subject to the NIS Directive and may impose stricter requirements than those laid down in the NIS Directive (in particular with regard to matters affecting national security).[45]

In contrast, Member States should not identify digital service providers (as the NIS Directive applies to all digital service providers within its scope) and, in principle, may not impose any further obligations on such entities.[46] The European Commission retains powers to adopt implementing rules regarding the application of the security and notification requirements applicable to digital service providers.[47] It is expected that these rules will be developed in cooperation with ENISA and stakeholders, and will enable uniform treatment of digital service providers across the EU. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a digital service provider is not complying with its obligations under the NIS Directive.

Another tool for coordination among authorities will be the envisaged “Cooperation Group,” similar to the WP29 operating currently under the 1995 Data Privacy Directive. The Cooperation Group will bring together the regulators of all EU Member States, who have different legal cultures and hold different approaches to IT and security matters (e.g., affecting national security). It is therefore expected that the European Commission will play an active role in building trust and consensus among the Cooperation Group’s members with a view to providing meaningful and clear guidance to businesses.

D. Other EU Developments

1. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation

2016 saw the initiation of the procedures for the reform of the EU’s main set of rules on ePrivacy, the ePrivacy Directive.
In this context, further to a public consultation held by the European Commission, a draft of the future EU ePrivacy Regulation (the “draft ePrivacy Regulation”) was leaked in December 2016.[48] This draft was followed by the release of the European Commission’s final proposal on 10 January 2017,[49] which, despite some changes, is mostly similar to the leaked version. Later in 2017, the European Commission’s proposal was followed by an Opinion of the WP29 released on 4 April 2017.[50] The European Parliament also proposed an amended version thereof on 20 October 2017,[51] and discussions at the Council of the European Union are still ongoing to date to adopt a final proposal, even though a first redraft has already been published.[52]

a. The European Commission’s ePrivacy Regulation proposal

The Commission’s ePrivacy Regulation proposal released in January 2017 seeks to accommodate the reform of the ePrivacy regime to the feedback received from stakeholders and the WP29. In summary, the draft ePrivacy Regulation prepared by the European Commission constitutes a more comprehensive piece of legislation that aims to fix and close certain open issues identified in the application of the ePrivacy Directive:

Regulation versus Directive: The draft instrument that is intended to replace the ePrivacy Directive is a Regulation. Under EU law, a Directive is an instrument that only binds EU Member States as to its content and objectives; it cannot be directly applied against individuals, and needs to be transposed into national laws and regulations for its terms to be fully effective. The ePrivacy Directive has been incorporated into numerous different acts and regulations at national level, which are subject to uneven enforcement by the respective national authorities. The European Commission’s proposal to replace the ePrivacy Directive with a Regulation means that its terms will in principle apply directly across all EU Member States.
This decision is consistent with the approach adopted with regard to the GDPR. Although Member States will still be given some freedom to deviate from the ePrivacy Regulation (particularly in the area of national security), the choice to adopt a Regulation will increase the homogeneous application of the ePrivacy Regulation across all EU Member States.

Alignment with the GDPR: A number of provisions in the draft ePrivacy Regulation demonstrate alignment with the GDPR. For example, as with the GDPR, the draft ePrivacy Regulation has a broad territorial scope and applies to the provision of electronic communication services (e.g., voice telephony, SMS services) from outside the EU to residents in the EU. As indicated below, the draft ePrivacy Regulation also aims to close the gap with the GDPR from an enforcement perspective, by empowering DPAs to monitor the application of the privacy-related provisions of the draft ePrivacy Regulation under the conditions established in the GDPR. The regime for sanctions is also aligned with the GDPR, foreseeing the possibility of organizations being fined up to EUR 20 million or 4% of their worldwide annual turnover for certain infringements (e.g., breaches of secrecy requirements, cookies requirements and the rules on the use of metadata). From a substantive perspective, the definition of a number of legal concepts used in both the GDPR and in the draft ePrivacy Regulation has also been aligned (e.g., the conditions for “consent,” the “appropriate technical and organization measures to ensure a level of security appropriate to the risks”).
Inclusion of OTT Service Providers: In response to the feedback of stakeholders, the draft ePrivacy Regulation indicates that the new Regulation will apply to providers of services that run over the Internet (referred to as “over-the-top” or “OTT” service providers), such as instant messaging services, video call service providers and other interpersonal communications services.[53] This expansion in scope is achieved by the broad definition of “electronic communications services” of the draft, and is consistent with the current regulatory overhaul that is ongoing in the field of electronic communications.[54]

Cookies and Other Connection Data: Like the ePrivacy Directive, the draft ePrivacy Regulation contains a provision that addresses the circumstances under which the storage and collection of data on users’ devices is lawful. These practices can continue to be based on the prior consent obtained from users. Absent users’ consent, according to the draft ePrivacy Regulation, it will still be possible to carry out these practices provided that:[55]

- they serve the purpose of carrying out (not facilitating) the transmission of a communication over an electronic communications network; or
- they are necessary (albeit not strictly necessary) for providing: (i) a service requested by the end user; or (ii) first-party web audience measuring.
The recitals of the draft ePrivacy Regulation suggest that the circumstances in which consent is not required can be interpreted more broadly than under the current ePrivacy Directive.[56] For example, first-party analytics cookies, cookies used to give effect to users’ website preferences and cookies required to fill out online forms could be understood to be exempt from the consent requirement.[57]

The ePrivacy Regulation contains a new set of seemingly more stringent rules applicable to the “collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment.” Under the current draft, this collection may only occur “if it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection,” and is subject to significant information and consent requirements.[58]

Marketing Communications: The draft ePrivacy Regulation requires all end users (including corporate and individual subscribers) to consent to direct marketing communications undertaken via electronic communications services. While telephone marketing continues to be permitted on an opt-out basis, the draft ePrivacy Regulation requires entities placing marketing calls to use a specific code or prefix identifying the call as a marketing call.[59]

Supervisory Authorities and EDPB: One of the novelties introduced by the draft ePrivacy Regulation is a section devoted to the appointment and powers of national supervisory authorities.[60] The relevant provisions clarify that the DPAs responsible for monitoring the application of the GDPR shall also be responsible for monitoring the application of the provisions of the draft ePrivacy Regulation related to privacy in electronic communications, and that the rules on competence, cooperation and powers of action of DPAs foreseen in the GDPR also apply to the draft ePrivacy Regulation.
Finally, the EDPB is empowered to ensure the consistent application of the relevant provisions of the draft ePrivacy Regulation.

Implementation:  The draft provides for the ePrivacy Regulation to enter into force on 25 May 2018, at the same time as the GDPR.  However, it is highly unlikely to come into force on that date, or even any time later in 2018.

b.     The WP29 Opinion on the European Commission Proposal

Following the release of the European Commission’s proposal, the WP29 released its opinion on the proposed regulation in April 2017.[61]  The WP29 stated that it “welcomes the proposal” and “the choice for a regulation as the regulatory instrument.”  More broadly, it supported the approach of the regulation and its broad scope, along with its principle of “broad prohibitions and narrow exceptions.”  However, it highlighted four points of “grave concern” that would “lower the level of protection enjoyed under the GDPR” if adopted, and made recommendations in this respect concerning:

- The rules concerning the tracking of the location of terminal equipment, for instance WiFi tracking, which are inconsistent with the rules of the GDPR.  The WP29 advised the European Commission to “promote a technical standard for mobile devices to automatically signal an objection against such tracking.”
- The conditions under which content and metadata can be analyzed, which should be limited:  consent of all end users (senders and recipients) should be the principle, with limited exceptions for “purely personal purposes.”
- Barriers used by some websites to completely block access to the service unless visitors agree to third-party tracking, known as “tracking walls,” which should be explicitly prohibited to give individuals the choice to refuse such tracking while still being able to access the website.
- Terminal equipment and software, which should offer “privacy protective settings” by default, in addition to allowing the user to adjust these settings.  It is interesting to note that this was initially in the Commission’s leaked draft but not in its final proposal.

The WP29 expects that its concerns will be addressed during the ongoing legislative process.

c.     The European Parliament’s amended proposal

In October 2017, the European Parliament proposed an amended version of the European Commission’s proposal.[62]  It draws on some of the propositions made by the WP29.  For example, the Parliament’s version is more stringent on the use of personal data and on users’ privacy.  Some of the notable changes include:

- The prohibition on blocking access to a service solely because the user has refused the processing of personal data which is not necessary for the functioning of the service.
- The requirement for providers of electronic communications services to ensure the confidentiality of the data, for instance with end-to-end encryption and the prohibition of backdoors.
- The requirement for browsers to block third-party cookies by default until the user has adjusted his/her cookie settings.
- The prohibition of “cookie walls” and cookie banners that prevent the use of the service unless users agree to all cookies.

In addition to the Parliament’s version, the Council of the European Union has also published a working proposal.[63]  However, it is merely a draft of the presidency of the Council, which has yet to adopt a final proposal.  Bulgaria, which takes the presidency of the Council of the European Union during the first half of 2018, has indicated it intends to focus on moving negotiations ahead on the ePrivacy Regulation.[64]  Tripartite negotiations will then need to begin in order to agree upon a common text to be adopted.  In any case, it most likely will not be adopted by May 2018 as initially planned.

2.     CJEU Case Law

2017 has also witnessed important cases before the Court of Justice of the European Union (“CJEU”).

a.     The Determination of the Data Controller and Applicable Law

Under the EU Data Protection Directive, the applicability of the data protection laws of a Member State depends primarily on the existence of a relevant “establishment” in that Member State.  In past years, the concept of “establishment” gave rise to considerable debate.  (See, for example, the 2016 ruling in the Verein für Konsumenteninformation v. Amazon EU Sàrl case,[65] repeating the CJEU’s findings in the Weltimmo judgment of 1 October 2015,[66] where it defined broadly the concept of “establishment” contained in Article 4(1)(a) of the EU Data Protection Directive.)  While the CJEU has indicated that the absence of “a branch or subsidiary in a Member State does not preclude [the controller] from having an establishment there within the meaning of Article 4(1)(a)” (e.g., through the existence of other stable arrangements, like an office), such an establishment cannot be presumed to exist “merely […] because the undertaking’s website is accessible there.”

Regarding the interpretation of the notion of “establishment,” additional information was brought to light in the course of 2017.  Indeed, on 24 October 2017 Advocate General Bot made public his opinion regarding the determination of the applicable law in a case where data processing activities were performed through a social media page.[67]  A German company set up a fan page through a U.S.-based social network, which provided statistics based on the personal data of the visitors (such as their preferences and habits) to the company administrating the fan page.  The data protection authority of Schleswig-Holstein required the German company to shut down its fan page as neither the social media site nor the company itself allegedly informed visitors that their personal data was used for this particular purpose.  The German Federal Administrative Court sought a preliminary ruling from the CJEU, requesting clarification.
In his opinion, Advocate General Bot first determined that the company administrating the fan page was a joint controller with the social media company regarding the collection of personal data.  Second, Advocate General Bot held that data processing is carried out in the context of the activities of an establishment of the controller on the territory of a Member State when an undertaking, operating a social network, sets up in that Member State a subsidiary which is intended to promote and sell advertising space offered by that undertaking and which directs its activities toward residents in that Member State.[68]

It is worth noting, however, that the opinion of Advocate General Bot in this respect is controversial.  A ruling from the CJEU, which could either follow the opinion of Advocate General Bot or depart therefrom, is expected in 2018.

b.     Claims Assignment

On 14 November 2017, Advocate General Bobek delivered his opinion on the Maximilian Schrems v. Facebook Ireland Limited case pending in the CJEU.[69]  Mr. Schrems had started legal proceedings against Facebook Ireland Limited before a court in Austria, which raised the question of whether jurisdiction was established in the domicile of a consumer claimant who was assigned claims by other consumers, thus opening up the possibility of collecting consumer claims from around the world.  Advocate General Bobek held that a consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers domiciled in other places in the same Member State, in other Member States, or in non-member States.

c.     Outlook

On 3 October 2017, the Irish High Court referred the issue of the validity of the standard contractual clauses decisions to the CJEU for a preliminary ruling.[70]  If the CJEU were to invalidate the standard contractual clauses, this ruling would in all likelihood have a tremendous impact on businesses around the world, many of which rely on these legal warranties to ensure an adequate level of data protection for data transfers outside the European Union.

3.     Article 29 Working Party (WP29) Opinions

As indicated above, during 2017 the WP29 issued several Guidelines concerning the application of the GDPR to the right to data portability, the appointment and duties of DPOs, the identification of lead DPAs, the concepts of consent and transparency, and other issues.  In parallel, within the framework of the GDPR, the WP29 also adopted Guidelines intended for use by the supervisory authorities to ensure better application and enforcement of the GDPR regarding the application and setting of administrative fines.[71]

In addition to the abovementioned Guidelines, the WP29 issued various opinions regarding the key issues of the Law Enforcement Directive No. 2016/680,[72] data processing in the context of Cooperative Intelligent Transport Systems (C-ITS),[73] and data processing at work,[74] as well as the draft ePrivacy Regulation proposal.[75]  The WP29 also made public some working documents on the adequacy referential within the framework of data transfers to third countries[76] and the elements and principles to be found in Binding Corporate Rules.[77]

II.     Asia-Pacific and Other Notable International Developments

In an increasingly connected world, 2017 also saw many other countries try to get ahead of the challenges within the cybersecurity and data protection landscape.
Several international developments bear brief mention here:

- On 1 June 2017, China’s Cybersecurity Law went into effect, becoming the first comprehensive Chinese law to regulate how companies manage and protect digital information.  The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization), enabling government access to such data before it is exported.[78]  Despite protests and petitions by governments and multinational companies, the implementation of the Cybersecurity Law continues to progress with the aim of regulating the behavior of many companies in protecting digital information.[79]  While the stated objective is to protect personal information and individual privacy and, according to a government statement in China Daily, a state media outlet, to “effectively safeguard national cyberspace sovereignty and security,” the law in effect gives the Chinese government unprecedented access to network data for essentially all companies in the business of information technology.[80]  Notably, key components of the law disproportionately affect multinationals because the data localization requirement obligates international companies to store data domestically and to undergo a security assessment by supervisory authorities for important data that needs to be exported out of China.  Though the law imposes more stringent rules on critical information infrastructure operators (whose information could compromise national security or public welfare) than on network operators (a category that could include virtually all businesses using modern technology), the law effectively subjects a majority of companies to government oversight.  As a consequence, the reality for many foreign companies is that these requirements will likely be onerous, will increase the costs of doing business in China, and will heighten the risk of exposure to industrial espionage.[81]  Despite the release of additional draft guidelines meant to clarify certain provisions of the law, the general outlook is that the law is still a work in progress, with its scope and definitions still vague and uncertain.[82]  Nonetheless, companies should endeavor to assess their data and information management operations to evaluate the risks of the expanding scope of the data protection law as well as their risk appetite for compliance with the Chinese government’s access to their network data.
- With the growing threat of hacking and identity theft, the Personal Data Protection Commission of Singapore issued proposed advisory guidelines on 7 November 2017 for the collection and use of national registration identification numbers.  The guidance, which covers a great deal of personal and biometric data, emphasized the obligations of companies to ensure that policies and practices are in place to meet the obligations for data protection under the Personal Data Protection Act of 2012.  The Commission is giving businesses and organizations 12 months from publication to review their processes and implement necessary changes to ensure compliance.[83]
- Several other countries, such as Australia and Turkey, also sought to address privacy issues and published important guidelines regarding procedures for deleting, destroying, and anonymizing personal data.  Other countries like Argentina forged ahead with an overhaul of the country’s data protection regime by publishing a draft data protection bill that would align the country’s privacy laws with the GDPR requirements of the European Union.[84]
- There has also been civic engagement with the public, as a number of countries solicited public comments on certain proposed regulations.  For example, Canada opened up for comments a proposed regulation that would mandate reporting of privacy breaches under its Personal Information Protection and Electronic Documents Act of 2015, while India recently issued a white paper inviting comments that would inform the legal framework for drafting a data protection bill to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”[85]

[1]  See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1-88, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
[2]  Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (Oct. 6, 2016), European Court of Justice.
[3]  For a detailed analysis of the Schrems decision, please see Gibson Dunn Client Alert: Cybersecurity and Data Privacy Outlook and Review: 2016 (Jan. 28, 2016), available at http://www.gibsondunn.com/publications/Pages/Cybersecurity-and-Data-Privacy-Outlook-and-Review–2016.aspx.
[4]  http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf.
[5]  http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619.
[6]  https://www.whitehouse.gov/briefings-statements/statement-president-fisa-amendments-reauthorization-act-2017/.
[7]  http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48782.
[8]  http://curia.europa.eu/juris/document/document.jsf?text=&docid=185146&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=320298.
[9]  Order of the General Court of the European Union, Digital Rights Ireland v. Commission, 22 November 2017, T-670/16.
[10]  http://curia.europa.eu.
[11]  http://curia.europa.eu.
[12]  See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, pp. 31-50.
[13]  See GDPR, at Article 3.
[14]  See WP29, Guidelines on Transparency under Regulation 2016/679 (WP260; draft not adopted yet), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[15]  See WP29, Guidelines on Consent under Regulation 2016/679 (WP259; 28 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[16]  See GDPR, at Article 17.
[17]  See EU Data Protection Directive, at Articles 12 and 14; and Case C-131/12 Google Spain SL and Google Inc. v. AEPD and Mario Costeja González ECLI:EU:C:2014:317.
[18]  See WP29, Guidelines on Personal Data Breach Notification under Regulation 2016/679 (WP250; 3 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[19]  See WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251; 3 October 2017).
[20]  See GDPR, at Article 35.
[21]  See WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[22]  See WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248; 4 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[23]  See WP29, Guidelines on the right to data portability (WP 242; 13 December 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf.
[24]  See WP29, Guidelines on the right to data portability (WP242 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[25]  See EU Data Protection Directive, at Articles 4(1) and 28; and Case C-230/14 Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság ECLI:EU:C:2015:639.
[26]  See GDPR, at Article 56(2).
[27]  See GDPR, at Article 56(1).
[28]  See GDPR, at Article 63.
[29]  See GDPR, at Article 66.
[30]  See WP29, Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority (WP 244; 13 December 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf.
[31]  See WP29, Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority (WP244 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[32]  See WP29, Guidelines on Data Protection Officers (‘DPOs’) (WP243 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[33]  See Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC.
[34]  See ENISA, Incident Notification for DSPs in the Context of the NIS Directive: A Comprehensive Guideline on How to Implement Incident Notification for Digital Service Providers, in the Context of the NIS Directive, February 2017, available at https://www.enisa.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive/.
[35]  E.g., domain name systems (DNS) providers and top level domain (TLD) registries; see Article 4, NIS Directive.
[36]  See NIS Directive, at Article 1(1).
[37]  With regard to essential services, the NIS Directive will apply to all entities identified by the respective national authorities as “essential” providers of such services in that Member State; see NIS Directive, at Article 5(2).
[38]  See NIS Directive, at Article 18(2).
[39]  See NIS Directive, at Article 16(3).
[40]  See NIS Directive, at Article 18(1).  This criterion will not depend on whether the network and information systems are physically located in a given place.  See NIS Directive, at Recital 64.
[41]  See NIS Directive, at Article 18(2).
[42]  Member States will have an additional six months after the transposition into national law to identify operators of essential services (i.e., a total of 27 months).  See NIS Directive, at Article 5(1).
[43]  These should respect the fundamental rights of the effective remedy and the right to be heard.  See NIS Directive, at Recital 75.
[44]  See NIS Directive, at Article 7.
[45]  See NIS Directive, at Recital (57) and Article 3.
[46]  See NIS Directive, at Article 16(10).
[47]  See NIS Directive, at Articles 16(8) and (9).
[48]  See Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and personal data in electronic communications and repealing Directive 2002/58/EC (‘Privacy and Electronic Communications Regulation’), available at http://www.politico.eu/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf.
[49]  https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation.
[50]  http://ec.europa.eu/newsroom/document.cfm?doc_id=44103.
[51]  http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN.
[52]  https://iapp.org/resources/article/council-of-the-eu-eprivacy-regulation-proposal-december-2017/.
[53]  See draft ePrivacy Regulation, at Recital (13).  See Explanatory Memorandum, at Section 3.2.
[54]  See, e.g., Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast), COM/2016/0590, available at http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=comnat:COM_2016_0590_FIN.
[55]  See draft ePrivacy Regulation, at Article 8(1).
[56]  However, in practice, the WP29 had already expressed the possibility that operators do not obtain consent for the setting and receipt of cookies in some of the circumstances now covered in the draft ePrivacy Regulation, provided that certain conditions are met.  See WP29, Opinion 04/2012 on Cookie Consent Exemption (WP 194; 7 June 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf.
[57]  See draft ePrivacy Regulation, at Recital (25).
[58]  See draft ePrivacy Regulation, at Article 8(2).
[59]  See draft ePrivacy Regulation, at Article 16.
[60]  See draft ePrivacy Regulation, at Articles 18 ff.
[61]  See WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[62]  See European Parliament’s proposal, available at http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN.
[63]  See Council of the European Union’s working proposal, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_11995_2017_INIT&from=EN.
[64]  https://www.euractiv.com/section/digital/news/bulgaria-makes-telecoms-overhaul-a-focus-during-council-presidency/.
[65]  See Case C-191/15 Verein für Konsumenteninformation v. Amazon EU Sàrl, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1126849.
[66]  See Case C-230/14 Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság ECLI:EU:C:2015:639.
[67]  See Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH.
[68]  See Opinion of Advocate General Bot delivered on 24 October 2017, Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH.
[69]  See Opinion of Advocate General Bobek on Case C-498/16 Maximilian Schrems v. Facebook Ireland Limited.
[70]  See Irish High Court Commercial, The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, 2016 No. 4809 P.
[71]  See WP29, Guidelines on the Application and Setting of Administrative Fines for the Purposes of the Regulation 2016/679 (WP253; 3 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[72]  See WP29, Opinion on Some Key Issues of the Law Enforcement Directive (EU 2016/680) (WP258; 29 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[73]  See WP29, Opinion 03/2017 on Processing Personal Data in the Context of Cooperative Intelligent Transport Systems (C-ITS) (WP252; 4 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[74]  See WP29, Opinion 2/2017 on Data Processing at Work (WP249; 8 June 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[75]  See WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[76]  See WP29, Adequacy Referential (updated) (WP254; 28 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[77]  See WP29, Working Document Setting up a Table with the Elements and Principles to be Found in Binding Corporate Rules (WP256 and WP257; 29 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[78]  See FT Cyber Security, “China’s cyber security law rattles multinationals,” Financial Times (30 May 2017), available at https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996.
[79]  Alex Lawson, “US Asks China Not To Implement Cybersecurity Law,” Law360 (Sept. 27, 2017), available at https://www.law360.com/articles/968132/us-asks-china-not-to-implement-cybersecurity-law.
[80]  Sophie Yan, “China’s new cybersecurity law takes effect today, and many are confused,” CNBC.com (1 June 2017), available at https://www.cnbc.com/2017/05/31/chinas-new-cybersecurity-law-takes-effect-today.html.
[81]  Christina Larson, Keith Zhai, and Lulu Yilun Chen, “Foreign Firms Fret as China Implements New Cybersecurity Law,” Bloomberg News (24 May 2017), available at https://www.bloomberg.com/news/articles/2017-05-24/foreign-firms-fret-as-china-implements-new-cybersecurity-law.
[82]  Clarice Yue, Michelle Chan, Sven-Michael Werner and John Shi, “China Cybersecurity Law update: Draft Guidelines on Security Assessment for Data Export Revised!,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=94d24110-4487-4b28-bfa5-4fa98d78a105.
[83]  Singapore Personal Data Protection Commission, Proposed Advisory Guidelines on the Personal Data Protection Act For NRIC Numbers, published 7 November 2017, available at https://www.pdpc.gov.sg/docs/default-source/public-consultation-6—nric/proposed-nric-advisory-guidelines—071117.pdf?sfvrsn=4.
[84]  Office of the Australian Information Commissioner, “De-identification Decision-Making Framework,” Australian Government (Sept. 18, 2017), available at https://www.oaic.gov.au/agencies-and-organisations/guides/de-identification-decision-making-framework; Lyn Nicholson, “Regulator issues new guidance on de-identification and implications for big data usage,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=f6c055f4-cc82-462a-9b25-ec7edc947354; “New Regulation on the Deletion, Destruction or Anonymization of Personal Data,” British Chamber of Commerce of Turkey (Sept. 28, 2017), available at https://www.bcct.org.tr/news/new-regulation-deletion-destruction-anonymization-personal-data-2/64027; Jena M. Valdetero and David Chen, “Big Changes May Be Coming to Argentina’s Data Protection Laws,” Lexology (5 June 2017), available at https://www.lexology.com/library/detail.aspx?g=6a4799ec-2f55-4d51-96bd-3d6d8c04abd2.
[85]  Naïm Alexandre Antaki and Wendy J. Wagner, “No escaping notification: Government releases proposed regulations for federal data breach reporting & notification,” Lexology (Sept. 6, 2017), available at https://www.lexology.com/library/detail.aspx?g=0a98fd33-1f2c-4a52-98c0-cf1feeaf0b90; Ministry of Electronics & Information Technology, “White Paper of the Committee of Experts on a Data Protection Framework for India,” Government of India (Nov. 27, 2017), available at http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited.

The following Gibson Dunn lawyers assisted in the preparation of this client alert:  Ahmed Baladi, Alexander Southwell, Ryan Bergsieker and Bastien Husson.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues.  For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)207071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com)
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

United States
Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)

Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to the following leaders and members of the Securities Regulation and Corporate Disclosure Group:

James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 25, 2018 |
U.S. Cybersecurity and Data Privacy Outlook and Review – 2018

In honor of Data Privacy Day—an international effort to raise awareness and promote privacy and data protection best practices—we offer this sixth edition of Gibson Dunn’s Cybersecurity and Data Privacy Outlook and Review.  In 2017, companies were again challenged to navigate a constantly evolving landscape of cybersecurity and privacy issues.  Last year revealed some of the largest data breaches in history, saw a new administration’s shift in priorities regarding cybersecurity, and exposed new challenges posed by increasingly “smart” and connected devices.

Among other key regulatory developments this year, the Trump administration issued an executive order addressing the cybersecurity of federal networks and critical infrastructure.  The Securities and Exchange Commission (“SEC”) announced a new Cyber Unit focused on targeting cyber-related misconduct and pursued cases involving novel cyber issues, including insider trading in the wake of a data breach.  The Federal Trade Commission (“FTC”) remained active in the privacy and cybersecurity space, but indicated a shift of focus to cases involving “substantial consumer injury.”  The Department of Health and Human Services (“HHS”) continued enforcement of regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), announcing several notable settlements.  The Federal Communication Commission’s (“FCC”) role in privacy enforcement was substantially adjusted following the repeal of privacy rules put in place in 2016.  And state attorneys general were active at the forefront of concerted efforts to bring enforcement actions and develop privacy and cybersecurity regulations.  Indicative of this collaboration, 2017 saw the largest state data breach settlement in history.

Last year also saw frequent data breaches of varying magnitudes.
Throughout the year, hackers targeted government agencies and companies in every industry, seeking personally identifiable information (“PII”), customer login information, payment information, and health care information, among others.  As litigation—especially class action litigation—quickly followed many of the announced breaches, courts continued to grapple with standing issues in the wake of Spokeo, Inc. v. Robins.  New class actions related to connected devices, such as TVs and cars, were also filed in 2017, and 2018 will likely see developments in this arena as more courts begin assessing standing in the context of the Internet of Things. Overlapping international privacy frameworks also posed significant challenges for U.S. companies in 2017.  With the quickly approaching May 2018 deadline for compliance with Europe’s General Data Protection Regulation (“GDPR”), companies worked to put in place appropriate policies and other safeguards.  Last year also saw many other countries impose new or updated cybersecurity and data privacy regulations. We cover these topics and many more in this year’s Review: (I) U.S. regulation of privacy and data security; (II) civil litigation; (III) international regulation of privacy and data security; and (IV) government data collection and device unlocking.  For additional coverage of international developments, please see our separate International Cybersecurity and Data Privacy Outlook and Review. Table of Contents __________________________________________ I.         U.S. Regulation of Privacy and Data Security A.  Enforcement and Guidance 1.   Federal Trade Commission (“FTC”)       2.   Department of Health and Human Services (“HHS”)       3.   Securities and Exchange Commission (“SEC”)       4.   Federal Communications Commission (“FCC”)       5.   Consumer Financial Protection Bureau (“CFPB”)       6.   State Attorneys General       7.   New York Department of Financial Services (“NYDFS”)       8.   
Trump Administration Actions B.  Legislative Developments       1.   Federal Developments       2.   State Developments II.        Civil Litigation A.  Standing After Spokeo       1.   Background       2.   Post-Spokeo Standing Decisions in Privacy Cases       3.   Looking Ahead B.  Data Breach Litigation       1.   Litigation       2.   Settlement Trends       3.   Shareholder Derivative Suits C.  Interceptions and Eavesdropping       1.   Email Scanning       2.   Call Recording       3.   Other “Interceptions” D.  Telephone Consumer Protection Act E.   Video Privacy Protection Act F.   California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection G.  Biometric Information Privacy Acts H.  Internet of Things and Device Hacking       1.   Connected and Autonomous Vehicles       2.   Routers, Cloud Storage, and Connected Cameras       3.   Smart TVs       4.   Smart Toys       5.   Regulatory Guidance I.    Civil Litigation: Cybersecurity Insurance       1.   State of the Market       2.   State of the Law – Key Cases J.    Fair Credit Reporting Act III.       Government Data Collection A.  Challenge to Government “Gag Orders” B.  Carpenter v. United States and the Collection of Cell Phone Data C.  Electronic Communications Privacy Act Reform Efforts D.  Device Unlocking E.   Extraterritoriality of Subpoenas and Warrants F.   Collection of Records from Third-Party Cloud Providers G.  Foreign Intelligence Surveillance Act Section 702 IV.       International Regulation of Privacy and Data security A.  The European Union       1.   General Data Protection Regulation (“GDPR”)       2.   EU-U.S. Privacy Shield B.  China and Other International Developments V.        Conclusion __________________________________________ I.     U.S. 
Regulation of Privacy and Data Security Companies doing business in (and with) the United States continue to face a morass when it comes to government regulation of privacy and data security due to the competing and overlapping efforts of myriad federal and state government regulators in this space.  Nearly every major federal agency has now weighed in on data security issues in one form or another, as have most states.  Below, we cover the most notable enforcement efforts, regulatory guidance, and legislative developments from the past year. A.    Enforcement and Guidance 1.     Federal Trade Commission (“FTC”) In 2017, the FTC remained one of the most active and far-reaching government agencies regulating privacy and data security.  All told, the FTC announced 12 enforcement actions related to privacy and data security issues, while also making headlines with its related public statements and guidance.  We address the most notable enforcement actions and guidance from the FTC below. a.      Data Security and Privacy Enforcement Equifax .   In September 2017, the FTC announced it had begun investigating the massive data breach at Equifax Inc., the Atlanta-based consumer credit bureau. [1]   The week before the announcement, Equifax revealed that in May, hackers had exploited a flaw in the company’s website that allowed them to access the account information of up to 143 million customers, including driver’s license numbers, addresses, birthdates, and Social Security numbers.  This breach represented one of the largest in recent memory and, given the centrality of credit-reporting agencies to activity throughout the economy and the sensitive nature of the information involved, sparked renewed public scrutiny of data security issues. The FTC did not elaborate on the scope of its investigation, but the announcement itself was significant given that the Commission rarely comments on ongoing investigations. TaxSlayer .      
Further underscoring the FTC’s increased attention to companies that store consumer financial data, in August 2017 the Georgia-based online tax preparation service TaxSlayer, LLC, agreed to settle FTC allegations that it allowed hackers to access nearly 9,000 user accounts between October and December 2015.[2] The hackers then used this information to fraudulently obtain tax returns. The FTC alleged that TaxSlayer failed to implement adequate security measures, such as requiring strong passwords, providing a clear and conspicuous privacy notice, or conducting risk assessments. As part of the settlement, TaxSlayer agreed to obtain biennial third-party assessments of its compliance with data privacy regulations, but neither confirmed nor denied liability.

LabMD. As we highlighted in our 2016 Year-End Update, the now-defunct medical testing laboratory LabMD appealed an FTC order finding that the company failed to reasonably protect its customers’ personal information from data breaches and requiring it to establish a comprehensive information security program to safeguard against such breaches in the future.[3] In 2008, billing information for approximately 9,300 consumers became accessible on a peer-to-peer network, and other personal information for at least 500 consumers ended up in the hands of identity thieves.[4] The FTC’s order overturned the initial ruling of its own Administrative Law Judge, which had dismissed the Commission’s charges because they failed to show that the company’s conduct created a probability of harm.[5] In November 2016, the Eleventh Circuit granted the company’s request for a stay pending appeal of the Commission’s decision,[6] and this past June the court heard oral argument in the case. The Eleventh Circuit’s ruling could significantly reshape the FTC’s authority to regulate data privacy harms. At issue in the oral argument was whether the FTC must show proof of actual consumer harm to bring a data security enforcement action under Section 5 of the FTC Act. LabMD argued that the FTC overstepped its enforcement authority because no consumer suffered an actual injury as a result of the company’s data breach. The FTC countered that it nevertheless could exercise its enforcement authority under Section 5 because the unauthorized exposure of health care information constitutes a substantial injury under traditional principles of privacy tort law. The panel was expected to issue a ruling in the months after the oral argument, but it has not yet done so.

D-Link. In January 2017, the FTC filed suit against the network equipment manufacturer D-Link Corp. over the company’s allegedly inadequate security measures in its routers and internet cameras.[7] In its complaint, the FTC alleged that the company’s failure to properly secure its routers and cameras left consumers vulnerable to hackers, particularly through their live video and audio feeds. Further, the complaint alleged that the company misled consumers by advertising on its website that its products are “Easy to Secure” and contain “Advanced Network Security.” In September, the district court granted in part and denied in part the company’s motion to dismiss the FTC’s complaint.[8] The district court’s ruling may have a dramatic impact on the FTC’s ability to bring claims against companies for putting consumers’ information at risk. The court found that three of the complaint’s six counts were pled inadequately or with insufficient particularity, and gave the FTC until late October to re-plead its claims. Specifically, the court found that, for the three dismissed claims, the FTC failed to adequately plead harm because it relied “solely on the likelihood that [D-Link] put consumers at ‘risk’ because ‘remote attackers could take simple steps, using widely available tools, to locate and exploit defendants’ devices, which were widely known to be vulnerable,’”[9] and that this amounts to “a mere possibility of injury at best.”[10] D-Link submitted its amended answer on October, and fact discovery is ongoing.

Vizio. In February 2017, TV manufacturer Vizio Inc. entered into a settlement with the FTC and the New Jersey Attorney General over allegations that it secretly gathered users’ viewing data and shared it with third parties.[11] The settlement is significant given the increasing ubiquity of so-called “smart” devices, from televisions to thermostats to electronic assistants. Specifically, the regulators alleged that beginning in February 2014, Vizio began collecting second-by-second information about the content displayed on its “smart TVs,” including content from cable, broadband, set-top boxes, streaming devices, and DVDs. Vizio allegedly appended this information with its users’ personal information, such as users’ age, sex, income level, marital status, household size, education level, home ownership, and home value. Vizio would then sell this information to third parties. As part of the settlement, Vizio agreed to pay $2.2 million and overhaul its data collection practices, as well as delete data obtained prior to March 1, 2016, and obtain affirmative consent from consumers regarding the company’s data collection practices. Notably, Acting Chairwoman Maureen Ohlhausen issued a concurring statement expressing skepticism that Vizio’s conduct caused, or was likely to cause, a substantial injury to consumers. As part of the settlement, Vizio neither admitted nor denied liability.

Lenovo.
In September 2017, the FTC announced that it had entered into a settlement, along with 32 state Attorneys General, with Lenovo Inc. over allegations that the company preloaded some of its computers with invasive software that compromised consumers’ privacy and security.[12] The Commission alleged that, beginning in August 2014, Lenovo began selling laptops in the U.S. with a software program called VisualDiscovery, created by a company called Superfish, Inc., that would access consumers’ personal information transmitted via the internet, such as login info for websites, Social Security numbers, medical information, and financial and payment information. The software would then send some of this information to the software company’s servers, where the information was allegedly stored insecurely. This settlement is significant given the high value digital companies place on leveraging data regarding consumers’ preferences to target their advertisements. As part of the settlement, Lenovo must get consumers’ affirmative consent before preinstalling this sort of software; must implement a comprehensive software security program, which is subject to third-party audits for a period of 20 years; and must pay $3.5 million to state regulators. Lenovo neither admitted nor denied liability as part of the settlement.

b. Data Breach Guidance

With the arrival of the Trump administration, and three open seats on the Commission, companies and commentators have been watching carefully for any signal of whether, and how, the FTC’s regulatory focus and enforcement priorities will change in coming years. Several recent statements provide some indication—albeit not definitive answers—about what the future may hold under the Trump administration.

In September, Acting FTC Chairwoman Maureen Ohlhausen said during a speech at the Federal Communications Bar Association that the FTC should focus on “substantial consumer injury” in determining which cases to pursue, rather than “hypothetical” harms.[13] “Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expending resources to prevent hypothetical injuries,” Ohlhausen said. “So understanding consumer injury in the context of privacy and data security is very important for the commission.”[14]

While the FTC thus seems poised to cede some regulatory ground by moving away from regulating speculative harms, Acting Chairwoman Ohlhausen has also signaled that the Commission may adopt a broader definition of what constitutes a “substantial” injury. In a speech at a cybersecurity event at the Georgetown University Law Center in May, Ohlhausen noted that the FTC historically has focused on direct financial harms to consumers, but that this understanding may be too narrow.[15] Health and safety risks, such as those posed by the sharing of real-time and highly accurate location data that may leave consumers vulnerable to stalking, could also constitute a substantial injury, as could the disclosure of sensitive medical information. Whether Joseph J. Simons, whom President Trump in October announced that he intended to nominate to head the FTC, will take positions similar to those of Acting Chairwoman Ohlhausen is yet to be seen.

In her September speech, Ohlhausen announced a December workshop at which the FTC would examine the consumer harms that stem from informational injury. Leading up to the workshop, a host of pro-business groups, including the U.S. Chamber of Commerce, the Association of National Advertisers, and the Retail Industry Leaders Association, issued public comments urging the Commission to adopt a regulatory framework designed to regulate actual injuries, rather than conjectural ones.[16] In contrast, several consumer groups, such as the Electronic Privacy Information Center, encouraged the FTC to focus on the rise in data breaches and the concomitant increased risk of identity theft. The workshop took place on December 12, but the FTC has not yet announced any shifts in enforcement priorities as a result.

c. Scope of Authority—Common Carriers

As we mentioned in our last update, in May the Ninth Circuit granted the FTC’s petition to rehear en banc a dispute between the Commission and AT&T over the company’s allegedly deceptive “data throttling.”[17] AT&T argued that it was not subject to the FTC’s authority because it is a common carrier, a category that Section 5 of the FTC Act excludes from the FTC’s jurisdiction. In August 2016, a Ninth Circuit panel agreed with AT&T that, because the company engaged in non-common carrier activities such as providing consumers with mobile data and email services, it fell outside the Commission’s regulatory ambit. The full Ninth Circuit held oral argument in September but has not yet issued a ruling. An affirmance could significantly curtail the FTC’s jurisdiction.

2. Department of Health and Human Services (“HHS”)

The flurry of HHS activity in 2016 related to the protection of patient privacy continued in 2017. As HHS continued the second phase of its audit program to assess compliance with patient privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”),[18] HHS also announced several multimillion-dollar settlements with health care companies for alleged HIPAA violations.
Matching the largest-ever HIPAA-related settlement, Memorial Healthcare Systems agreed to pay $5.5 million and implement a “robust corrective action plan” to settle claims that its employees had improperly accessed and disclosed information for over 115,000 patients.[19] HHS alleged that Memorial Healthcare Systems failed to implement and manage user access rights and, despite results of previous risk analyses, failed to regularly review information system activity by employees and users at affiliated physician practices on applications that maintain protected information.

HHS also fined Children’s Medical Center of Dallas $3.2 million for alleged HIPAA violations after two data breaches involving lost or stolen devices that contained unencrypted patient medical information.[20] The investigation by the Office for Civil Rights (“OCR”) found that the medical center failed to implement risk management plans and failed to use encryption on its devices despite previous warnings to do so.

In addition, St. Luke’s Roosevelt Hospital Center Inc. agreed to a settlement and corrective action plan following a complaint alleging that the hospital had faxed sensitive information concerning a patient’s HIV status.[21] Although the total settlement amounted only to $387,000, the agreement stemmed from only two disclosures of Protected Health Information (“PHI”), highlighting the potential impact of even seemingly limited events.

HHS also announced several “firsts” in its HIPAA enforcement efforts, including the first enforcement action involving delayed reporting of a patient information breach and the first settlement with a wireless services provider. In the former, Presence Health agreed to pay $475,000 and revise its policies governing the privacy of patient information following allegations that it failed to properly notify more than 800 of its patients within 60 days of discovering that their personal information had been stolen.[22] In the latter, CardioNet, which provides remote mobile monitoring for patients at risk for cardiac arrhythmias, agreed to pay $2.5 million and implement a corrective action plan for the alleged disclosure of unsecured electronic protected health information (“ePHI”) after an employee’s laptop was stolen from a parked vehicle.[23] OCR found that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, as well as a lack of final policies and procedures implementing ePHI safeguards and the HIPAA Security Rule.

Closing out the year, HHS OCR announced that 21st Century Oncology, Inc. agreed to pay $2.3 million and adopt a comprehensive corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules that were uncovered after a hacker gained access to more than 2.2 million patient records, some of which were later sold to undercover agents from the FBI.[24]

Finally, following Acting HHS Secretary Eric Hargan’s declaration of the opioid crisis as a public health emergency, HHS issued guidance regarding the circumstances in which health care providers may share a patient’s PHI with family members, friends, or legal representatives.[25] Focusing on patients who are in crisis or incapacitated, such as during an opioid overdose, the guidance interprets current HIPAA regulations as allowing health care providers to share information in certain emergency or dangerous situations, including with persons who are in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. The guidance also discusses factors to consider in assessing a patient’s decision-making capacity and provides direction on health care providers’ ability to share PHI in different situations, including when unable to obtain a patient’s consent and after the patient has had an opportunity to object.

3. Securities and Exchange Commission (“SEC”)

a. Cybersecurity Focus

In 2017, the SEC maintained the previous year’s focus on cybersecurity incidents with respect to both its external oversight responsibilities and the internal operations of the agency. Since the issuance of its cybersecurity guidance in 2011, the SEC has continued to emphasize proper communications regarding cybersecurity issues within a company’s management as well as proper disclosure of cybersecurity risks by registrants.[26]

The SEC announced in November that it will likely issue new guidance to public companies regarding disclosure and reporting of cybersecurity incidents.[27] Signaling this potential guidance, Acting Enforcement Director Stephanie Avakian stated in April that she could “absolutely” envision circumstances where enforcement would be necessary in light of a company’s failure to report cyber incidents and risks.[28] The new guidance may also include provisions encouraging companies to consider how they handle stock sales by corporate insiders around the time of a cybersecurity breach.[29] In November, Director of the SEC’s Division of Corporate Finance, William Hinman, stated, “it would be wise for folks to re-examine their insider trading policies.”[30]

Two cybersecurity incidents with potential insider trading consequences that may influence the SEC’s new guidance were disclosed in the fall of 2017. After Equifax discovered its massive breach in July—but before it was publicly reported in September—Equifax executives sold nearly $2 million in company stock.[31] Once the news of the breach broke, stock prices dropped significantly.[32] While the SEC has not confirmed or denied any SEC investigation of the executives for insider trading, Equifax reported in its third quarter 10-Q that the SEC had subpoenaed the company “regarding trading activities by certain employees in relation to the cybersecurity incident.”[33] The second incident occurred this fall when the SEC faced its own cybersecurity threat.
On September 20, 2017, as part of its “Statement on Cybersecurity,” the SEC disclosed that a 2016 intrusion into EDGAR, the Commission’s electronic filing system for public company disclosures, may have allowed hackers to gain access to and trade on the basis of the non-public information exposed.[34] The SEC stated it did not believe the intrusion was the result of a systemic risk or that it led to the exposure of any personally identifiable information.[35] Days after the statement, the SEC announced the establishment of a Cyber Unit to “focus on targeting cyber-related misconduct.”[36]

b. Cyber Unit’s First Charges

On December 4, 2017, the SEC announced the first charges filed by the newly established Cyber Unit.[37] The SEC’s complaint alleges that Dominic Lacroix and his company, PlexCorp, operated an Initial Coin Offering (“ICO”) fraud that raised over $15 million from investors by selling a security called PlexCoin, a cryptocurrency, and promising a 1,354 percent profit in less than one month.[38] The charges filed against PlexCorp, Lacroix, and his partner Sabrina Paradis-Royer[39] include violations of the anti-fraud provisions contained in Section 10(b) of the Exchange Act and Rule 10b-5, Section 17(a) of the Securities Act, as well as registration provisions in Sections 5(a) and 5(c) of the Securities Act.[40] The district court issued an emergency order freezing the assets of the company and the executives charged, and the SEC is seeking permanent injunctions and disgorgement plus interest and penalties. The SEC is also seeking a Final Judgment prohibiting the two executives from offering digital securities in the future.[41]

4. Federal Communications Commission (“FCC”)

a. FCC Rulemaking

i. FCC Privacy Regulations for Broadband Providers Repealed

On April 3, 2017, President Trump signed a resolution repealing FCC privacy rules adopted in the prior year.[42] In 2016, the FCC adopted sweeping new regulations governing the ways in which providers of broadband Internet access service use and share their customers’ personal information.[43] There were three key components to the regulations for broadband providers: (1) notice to consumers of data collection and use policies; (2) an opt-out provision for “non-sensitive” information used or shared by the providers and a requirement to obtain affirmative opt-in consent before they can use or share “sensitive” customer data; and (3) more stringent and specific requirements for notification of any data breaches. The resolution was passed under the Congressional Review Act, which allows Congress to repeal agency rules through simple majority votes.

ii. FCC Approves Next-Gen Broadcasting Technology

On November 16, 2017, the FCC voted 3-2 to permit the use of a new broadcast transmission standard, known as ATSC 3.0 or Next Gen TV. This new broadcast standard will allow more precise geolocating of television signals, ultra-high definition picture quality, more interactive programming, and localized safety warnings that have the ability to turn on televisions as necessary to transmit emergency broadcasts.[44] Privacy advocates argue that ATSC 3.0 allows broadcasters to collect data on viewing habits, spurring user-targeted ads similar to those on the Internet. During a House Communications Subcommittee FCC oversight hearing in November, Representative Debbie Dingell requested that the FCC address the types of information broadcasters will be able to collect from consumers and how it will be handled and protected.[45]

b. Cell Phone Cybersecurity

On August 24, 2017, the FCC’s Public Safety and Homeland Security Bureau released Public Notice DA 17-799. This Notice was a result of Congress asking the FCC to tackle “fundamental security threats” to cell phones, since Congress felt current oversight by police and private entities “neither adequately addressed these serious cybersecurity vulnerabilities nor warned its customers about the risks they face.” The Notice encourages communications service providers to implement recommended security countermeasures to prevent exploitation of carrier Signaling System 7 (“SS7”) network infrastructure.[46] According to the Notice, security vulnerabilities present within SS7 networks allow attackers to obtain subscriber information, eavesdrop on subscriber traffic, engage in financial theft, and conduct denial-of-service attacks. The March 2017 recommendations for best practices to reduce SS7 security risks include: (1) awareness and protection, which covers the set of industry recommendations that advocate increased awareness of SS7 signaling and protective measures that can be deployed by telecommunication service providers; and (2) security best practices, which covers the set of industry recommendations that deal with security best practices for SS7 communications.

c. FCC Settlements / Enforcement

i. $100M Settlement for Squatting on Spectrum Licenses

On January 12, 2017, a wireless spectrum trading company settled a dispute with the FCC over allegations it lied about its buildout of wireless infrastructure for $100 million and possible divestment from its spectrum licenses.[47] Because wireless spectrum is a scarce public resource, the FCC requires companies that license spectrum to put it to good use. In 2013 and 2014, the spectrum company received licenses in the 28GHz and 39GHz bands, which are identified for use in the next generation of cellular network, on the condition that it use them to provide services.[48] A November 2015 anonymous report alleged that the company never built several of the 39GHz systems it had told the FCC were completed.[49] As part of the settlement, the company agreed to pay a $100 million civil penalty, to surrender its licenses in the 39GHz spectrum, and to sell the remainder of its license portfolio.

ii. Robocall Fines

On June 22, 2017, FCC Chairman Ajit Pai stated that robocalls were the Commission’s top enforcement priority.[50] That same day, the FCC voted to fine a Miami man a record-breaking $120 million for allegedly making 96 million spoofed robocalls to consumers in three months in violation of the Truth in Caller ID Act.[51] Spoofing refers to deliberately falsifying caller ID information to disguise an identity with the intent to harm or defraud consumers, or wrongfully obtain anything of value. The calls—which appeared to come from local numbers—purported to offer vacation deals from major companies like TripAdvisor, Expedia, and others. Consumers who “pressed 1” were transferred to foreign call centers where operators attempted to sell them timeshares. TripAdvisor alerted the FCC to the robocalls after fielding complaints from its customers. In July and August, the FCC levied fines of nearly $3 million and $82 million against other companies for unsolicited robocalls, the magnitude of the latter due in part to the targeting of vulnerable consumers, including the elderly, the infirm, and low income families.[52]

5. Consumer Financial Protection Bureau (“CFPB”)

The CFPB was not particularly active in the area of data privacy and security in 2017. However, on October 18, 2017, the CFPB announced a series of non-binding Consumer Protection Principles to address the developing market for financial “aggregation services.”[53] Such companies offer a broad range of products and services that are developed using consumer-provided financial data.
This data is collected and aggregated by financial services companies, “fintech” firms, and other companies.  The services offered range from the provision of financial advice to the facilitation of underwriting or fraud-screening.  The release of the Principles followed a November 2016 Request for Information to stakeholders in the “aggregation services” market.  The Principles, intended to protect consumers who authorize third parties to collect their financial data to provide these services, are not intended to alter or interfere with the scope of existing consumer protections in this market.  The CFPB simultaneously released a summary of the stakeholder insights underlying the development of the Principles. [54]   The CFPB identified the following nine principles that providers of “aggregation services” should follow, all of which are anchored by the core belief that users should retain control over their information: [55]

Access:  Users should be able to request and obtain information about their ownership or use of a financial product or service from the provider.

Data Scope and Usability:  The scope of financial data subject to consumer and consumer-authorized access includes, but is not limited to, information about any transaction and the terms of an account.  Information should be made available in a usable format for consumers and consumer-authorized third parties.

Control and Informed Consent:  Consumers should be entitled to a full and effective disclosure of the authorized terms of access, storage, use and disposal of information.  Consumers should also be able to readily revoke authorization to access, use or store their data.

Authorizing Payments:  A user’s consent to the access of data does not constitute consent for payment authorization.  Providers may request both types of authorization from a consumer requesting its services.

Security:  Consumer data must be maintained securely.  Parties with access to data must have adequate processes in place to protect against and effectively respond to data breaches.

Access Transparency:  Users should be able to obtain information regarding the uses to which their information will be put and the parties to which it will be provided.

Accuracy:  Consumer data gathered by “aggregation services” must be accurate and up-to-date.

Ability to Dispute and Resolve Unauthorized Access:  Users should have the ability to dispute and resolve incidents involving unauthorized access and data sharing.

Efficient and Effective Accountability Mechanisms:  Commercial participants should be incentivized to protect consumer-provided data, but also must be held responsible for any risks they introduce to consumers.

The agency emphasized that the Principles do not “establish binding requirements or obligations relevant to the Consumer Bureau’s exercise of its rulemaking, supervisory, or enforcement authority.” [56]   Nor are they intended to “provide guidance on existing statutes and regulations that apply in this market.” [57]   Nevertheless, the CFPB stated that the Principles “express the Bureau’s vision for realizing a robust, safe, and workable data aggregation market” and suggested that the Bureau “will continue to monitor closely developments in this market.” [58]   Thus, it is possible that as “aggregation services” and “fintech” firms become increasingly prevalent, the CFPB will become more involved with the regulation of data privacy-related issues. 6.     State Attorneys General State attorneys general play a key role in data privacy and security matters.  During the past year, state attorneys general were at the forefront of concerted efforts to bring enforcement actions and develop privacy and cybersecurity regulations. a.      
Collaboration Among Attorneys General During the past year, states increasingly coordinated their enforcement efforts with each other and with other government agencies to settle multi-state litigations involving mega-data breach cases.  In May 2017, the Target Corporation (“Target”) reached an $18.5 million settlement—the largest state data breach settlement in history—with 47 states and the District of Columbia.  The settlement brought an end to investigations jointly led by state attorneys general into Target’s November 2013 data breach involving unauthorized access to portions of Target’s computer systems that process payment card transactions at Target’s retail stores and to portions that store Target customer contact information. [59]   Under the terms of the agreement, Target will be required to develop, implement, and maintain a comprehensive information security program, to hire a third party to conduct a security assessment, and to implement additional administrative safeguards to further strengthen the company’s data security. [60] In August 2017, 33 state attorneys general reached a $5.5 million multi-state settlement with Nationwide Mutual Insurance Company (“Nationwide”) and its wholly owned subsidiary Allied Property & Casualty Insurance Company (“Allied”) over a 2012 data breach. [61]   The personal information of 1.27 million people was stolen when hackers exploited a vulnerability in Nationwide/Allied’s web application hosting software—a vulnerability that allegedly could have been remedied with a previously available software patch that Nationwide/Allied had failed to apply. [62] As described more fully above, in September 2017 Lenovo reached a $3.5 million multi-state settlement to resolve charges brought by 32 state attorneys general and the FTC. [63]   Of the 32 states involved in the settlement, California received the largest share, amounting to $389,204, based largely on its size and leadership role in the investigation. 
[64] Following the public announcement of the Equifax breach in September, Massachusetts became the first state to sue Equifax, claiming that Equifax failed to maintain the appropriate safeguards to protect consumer data, despite being aware of the vulnerabilities in its system for months. [65]   On November 30, 2017, the Judicial Panel on Multidistrict Litigation held a hearing on the pending motion to consolidate and transfer the numerous cases filed (and cases to be filed in the future) against Equifax to the U.S. District Court for the Northern District of Georgia, near the company’s headquarters in Atlanta. [66] b.      Developments Within States The California Attorney General settled a number of data breach and consumer protection cases.  On November 22, 2017, the Attorney General settled a case with Cottage Health System (“Cottage Health”) and its affiliated hospitals to resolve allegations resulting from two separate and unrelated data breach incidents in 2013 and 2015. [67]   The Attorney General alleged that Cottage Health failed to implement basic, reasonable safeguards to protect personal medical information, in violation of California’s Confidentiality of Medical Information Act, Unfair Competition Law, and HIPAA. [68]   Under the terms of the settlement, Cottage Health agreed to update its security measures and pay a $2 million penalty. [69]   Cottage Health was also required to hire a data privacy security officer to ensure it develops and follows appropriate procedures, as well as to begin completing annual privacy risk assessments. [70] The New York Attorney General’s Office remained active in combatting violations of data security.  On October 31, 2017, the New York Attorney General, along with the Vermont Attorney General, reached a $700,000 settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”) as a result of two separate data security incidents in 2015 which exposed credit card numbers. 
[71]   According to the Attorneys General, the investigation revealed that Hilton did not adequately protect consumers’ information and failed to provide timely notice of the breach; New York General Business Law § 899-aa(2) requires notice to customers in the “most expedient time possible and without unreasonable delay.” [72]   The settlement, among other things, requires Hilton to maintain a comprehensive information security program designed to protect consumer cardholder data and to conduct annual data security assessments. As noted earlier, on February 6, 2017 the New Jersey Attorney General reached a settlement agreement with Vizio, Inc., a smart TV maker, for alleged violations of consumer protection laws by collecting and sharing data on the viewing habits of its smart TV users without their consent. [73]   Vizio agreed to pay $2.2 million and to change its data collection practices to resolve the allegations, ending parallel investigations conducted by the Attorney General and the FTC. [74]   The state obtained $1 million and the FTC obtained $1.5 million in the settlement. [75] The Washington Attorney General released its second edition of the Annual Data Breach Report, containing a summary of the data collected from the data breach notifications required by Washington’s notification laws. [76]   Since the 2015 amendment to Washington’s data breach laws, the Attorney General has actively enforced compliance with the state’s notification regulations. 7.     New York Department of Financial Services (“NYDFS”) In 2017, New York’s Department of Financial Services (“NYDFS”) adopted groundbreaking regulations that broadly regulate cybersecurity within the financial services industry.  NYDFS is the New York state regulator of financial services licensed in the state and thus supervises many large banks and insurance companies.  
Effective March 1, 2017, the NYDFS regulations require banks, insurance companies, and other financial services institutions subject to regulation by the NYDFS to establish and maintain a comprehensive cybersecurity program. [77]   “Covered Entities” are required, among other things, to perform a risk assessment to assess their cyber risks, implement a written cybersecurity policy, and maintain a comprehensive cybersecurity program. [78]   While some security measures were mandated by August 28, 2017, others are mandated by September 3, 2018, with a final compliance date of March 1, 2019. [79] The final regulations, codified in 23 NYCRR Part 500, are largely the same as the proposed rules discussed in last year’s 2016 Year-End Update, but differ in the following key ways:

Cybersecurity programs must be based on the risk assessment performed by each Covered Entity.

Risk assessments must be performed “periodically” instead of “annually.”

The company’s cybersecurity plan can be reviewed by either a senior officer or the board of directors, but does not need to be reviewed by both.

Covered Entities must hold records, schedules, and data supporting the certificate of compliance for five years, and make this documentation of compliance available to NYDFS upon request.  However, the record retention for audit trails designed to detect and respond to cybersecurity events is limited to three years.

There is a limited small business exemption for Covered Entities that have fewer than ten New York employees, less than $5 million in gross annual revenue, or under $10 million in year-end total assets; meeting any one of these thresholds qualifies an entity for the exemption.

The Chief Information Security Officer (“CISO”) does not need to be an internal employee, but instead can be employed by the Covered Entity, one of its affiliates or a third-party service provider. 
Companies do not need to encrypt nonpublic information in transit over external networks if doing so is “infeasible.”  Instead, they may secure the information using “alternative compensating controls reviewed and approved” by the CISO. [80]   Where compensating controls are relied upon in place of encryption, the regulation also requires the CISO to review the feasibility of encryption and the effectiveness of those controls at least annually.

This fall, Governor Cuomo directed the NYDFS to extend the regulations to credit bureaus, expanding the reach of both the rules and the NYDFS itself, which had not previously had oversight over credit reporting agencies.  Under the proposed regulation, all consumer credit reporting bureaus that operate in New York must register with the NYDFS annually, beginning on or before February 1, 2018.  The compliance schedule will begin on April 4, 2018. [81] 8.     Trump Administration Actions a.      Presidential Executive Order On May 11, 2017, President Trump issued an executive order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which lays out the administration’s priorities in three areas of focus:  (1) cybersecurity of federal networks, (2) cybersecurity of critical infrastructure, and (3) cybersecurity of the nation. [82]   The order directed a thoroughgoing review of existing policies regarding cybersecurity in a variety of different sectors. For cybersecurity of federal networks, the Executive Order stated that the President would hold agency heads accountable for managing the cybersecurity risks to their agencies, and directed them to use The Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, to manage cybersecurity risk. 
[83]   The Executive Order also directed the agency heads to submit a risk management report to Homeland Security and the Office of Management and Budget (“OMB”) within 90 days, outlining their existing risk mitigation strategies and each agency’s action plan to implement the Framework, and then contemplated that the Director of the OMB would submit its own determination to the President within 60 days. [84] The Executive Order also articulated the administration’s policy to “build and maintain a modern, secure, and more resilient executive branch IT architecture,” directing the Director of the American Technology Council—created by the President on May 1, 2017—to coordinate a report on the feasibility of transitioning all agencies to “one or more consolidated network architectures” or to “shared IT services.” [85]   The American Technology Council issued a detailed report to the President on federal IT modernization in the fall of 2017, and delivered the final Federal IT Modernization report on December 13, 2017. [86] For cybersecurity of critical infrastructure , the Executive Order stated the administration’s policy to “support the cybersecurity risk management efforts of the owners and operators” of critical infrastructure. [87]   First, it directed the Secretary of Homeland Security to coordinate with other senior administration officials to identify the greatest risk of attacks to infrastructure that could result in wide-scale effects on public health, economic security or national security, and to deliver a report setting forth its findings and recommendations within 180 days. 
[88]   Second, it directed the Secretary of Homeland Security to work with the Secretary of Commerce to determine whether existing federal policy sufficiently promotes “market transparency of cybersecurity risk management practices.” [89]   Third, it directed the Secretary of Homeland Security with the Secretary of Commerce to work together with “appropriate stakeholders to improve the resilience of the internet and communications ecosystem” to “threats perpetrated by automated and distributed attacks (e.g., botnets).” [90]   In response to the Executive Order, on January 5, 2018, both agencies released for public comment a report on enhancing the resilience of the Internet and communications ecosystem against botnets and other automated, distributed threats. [91]   Fourth, it directed the Secretary of Energy and the Secretary of Homeland Security to coordinate with state and local governments to prepare an assessment of the Nation’s vulnerability to prolonged power outages resulting from cyber incidents. [92]   Fifth, it directed the Secretary of Defense, again in coordination with the Department of Homeland Security, to prepare an assessment of the risks facing the defense industry. 
[93] For cybersecurity for the nation , the Order states the administration’s policy to ensure that the internet “remains valuable for future generations.” [94]   First, the Order directs various agencies to prepare a report to the President “on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.” [95]   Second, the Order directs agency heads to prepare a report on the agencies’ “international cybersecurity priorities” to the Secretary of State, who would then prepare a report “documenting an engagement strategy for international cooperation in cybersecurity.” [96]   Finally, the Order solicits three different reports in the area of “workforce development,” focused on the education and development of an American cybersecurity workforce, on the United States’ competitiveness with peer programs in other countries, and on the United States’ national-security-related cyber capabilities. [97] Although the release of the Executive Order was met with praise across party lines, critics in the months since it was released have noted gaps in its implementation.  To date, it is unclear which federal agencies have complied with the review process set forth in the Executive Order, and in September 2017, a commentator observed that “the goal of a speedy review process . . . ha[d] not materialized.” [98]   The administration has seen some turnover in cybersecurity-related posts. [99]   In December 2017, the administration affirmed that cybersecurity remained a key priority and suggested that it would build on the Executive Order by releasing a new strategy for cybersecurity. [100] b.      
Release of the Vulnerabilities Equities Process (“VEP”) On November 15, 2017, the Trump administration publicly disclosed the Vulnerabilities Equities Process (“VEP”), a set of guidelines used by government agencies and departments to determine when to disclose security vulnerabilities in software and hardware to the vendors and suppliers that can fix them, and when to withhold them. [101]   The unclassified document states that the purpose of the VEP is to “balance[] whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge . . . for national security and law enforcement.” [102]   The VEP describes an Equities Review Board for interagency deliberation, consisting of representatives from several government agencies, with the National Security Agency (“NSA”) serving as the VEP Executive Secretariat. [103]   Generally, an agency that learns of a vulnerability will submit information regarding the vulnerability, together with a recommendation whether to disseminate or restrict the vulnerability, to the VEP Executive Secretariat once the vulnerability reaches a certain threshold. [104]   The VEP Executive Secretariat then notifies points of contact at relevant agencies.  Interested agencies then state whether they concur with the recommendation to disseminate or restrict the vulnerability. [105]   The VEP states that the purpose of distributing information is to obtain a consensus regarding dissemination or restriction, but also provides procedures for resolving contested preliminary determinations. [106]   The VEP outlines the considerations that bear on determining whether to disseminate or restrict information regarding a vulnerability. [107] B.     Legislative Developments 1.     Federal Developments Last year did not see much congressional legislation in the area of cybersecurity.  
The most significant piece of privacy legislation to reach President Trump’s desk was not new legislation, but a repeal of FCC broadband provider privacy rules that were set to take effect at the end of 2017.  In addition to rolling back the FCC broadband rules, Congress also took steps toward addressing foreign surveillance, cybersecurity, and data breach notification, but as of the date of this review, few of those bills have become law. a.      Repeal of Broadband Privacy Rules In March 2017, both the House and Senate passed resolutions under the Congressional Review Act to repeal FCC broadband privacy rules that were set to take effect at the end of 2017.   Entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunication Services,” 81 Fed. Reg. 87274 (December 2, 2016), the rules would have imposed certain privacy regulations on internet service providers (“ISPs”), such as requiring them to provide adequate privacy notices and comply with data breach notification requirements.  The most controversial of these rules was the requirement that ISPs obtain consumers’ opt-in consent before sharing consumer information (such as browsing history) with third parties, as certain commentators argued that the proposed rules placed ISPs at a disadvantage when compared to other online companies such as Google and Facebook. [108]   FCC Chairman Ajit Pai stated his support for the repeal in part on the belief that the rules “were designed to benefit one group of favored companies.” [109]   Chairman Pai’s announcement also indicated that the FCC will “be working with the FTC to restore its authority to police internet service providers’ privacy practices,” and to “end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space.” [110]   On April 3, 2017, President Trump signed the repeal into law. [111] b.      
Foreign Surveillance With Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) [112] initially set to expire at the end of 2017, there has been significant debate over the appropriate scope of the U.S. government’s foreign surveillance powers.  Section 702 allows the U.S. government to gather foreign intelligence information without an individualized warrant by targeting non-U.S. persons reasonably believed to be located outside the United States, subject to certain restrictions. [113]   Even before legislation on this topic was introduced, government and industry groups began advocating for their respective positions.  For example, on April 18, 2017, the Office of the Director of National Intelligence released a report supporting a reauthorization of Section 702, including controversial aspects such as “upstream” collection whereby the “NSA obtains communications directly from the Internet backbone, with the compelled assistance of companies that maintain those networks.” [114]   With the deadline for reauthorization approaching, the House Judiciary Committee introduced the FISA Amendments Reauthorization Act of 2017 to renew Section 702 for four years while making “key reforms” to the program to “strengthen privacy protections for Americans.” [115]  The Senate Intelligence Committee also advanced a reauthorization bill. [116]  The White House and Congress subsequently extended the deadline for reauthorization from December 31, 2017 to January 19, 2018. [117]   On January 11, 2018, the House of Representatives voted to extend Section 702 for six years with minimal changes, rejecting a push by a bipartisan group of lawmakers to impose privacy limits on the U.S. government’s ability to gather emails and other personal communications. [118]   The Senate approved the FISA reauthorization bill on January 18, 2018, [119] and President Trump signed the bill into law on January 19, 2018. [120]   Section 702 is now set to expire in December 2023. [121] c.       
Email Collection by Law Enforcement Congress continues to introduce legislation to reform the Electronic Communications Privacy Act (“ECPA”), [122] but has yet to finalize a bill for the President’s signature.  ECPA addresses, among other issues, procedures for law enforcement to obtain stored electronic communications.  For example, ECPA currently requires only a subpoena for the U.S. government to collect stored emails over 180 days old, while emails under 180 days old require a warrant.  In February 2017, the House unanimously passed a bill called the Email Privacy Act [123] to reform ECPA. [124]   Among other changes, the House bill would require a warrant to obtain emails over 180 days old.  In July 2017, Senators Patrick Leahy and Mike Lee proposed the ECPA Modernization Act, a Senate version of ECPA reform. [125]   The ECPA Modernization Act marks the third time in five years that the bipartisan team has attempted to reform the ECPA.  The bill currently languishes in the Senate. d.      Cybersecurity and Data Breach Notification In 2016 the House and Senate each passed legislation related to cybersecurity without finalizing any bills to be signed into law.  This past year, Congress similarly attempted to address cybersecurity measures with limited success in enacting new law.  For example, on May 16, 2017, the House overwhelmingly passed the Strengthening State and Local Cyber Crime Fighting Act of 2017, which formalizes the Secret Service’s National Computer Forensics Institute as the entity responsible for coordinating investigations into cyberattacks and other computer hacking, as well as providing training to state and local agencies on dealing with cybercrimes. [126]   After the Senate passed a version of the same bill, President Trump signed the bill into law on November 2, 2017. [127] Following the Equifax data breach, the Senate and House have been considering the Consumer Privacy Protection Act of 2017. 
[128]   The bill requires that companies report data breaches “as expediently as possible” or face civil penalties.  Congress has previously considered similar bills, however, without adopting a nationwide data breach notification standard. [129]   Thus data breach notification requirements continue to vary among the 48 states that have adopted laws on the subject. [130] 2.     State Developments In 2017, at least 42 states introduced over 240 bills related to cybersecurity and data privacy. [131]   Key areas of legislative activity include ISP data collection and tracking, data breach notification, cybersecurity committees, computer crimes, employee monitoring notice, and cybersecurity training. a.      ISP Data Collection and Tracking A number of states introduced legislation requiring ISPs to obtain consumer consent before gathering and sharing online data with third parties.  This flurry of legislative activity comes on the heels of Congress’s rollback of FCC regulations that were poised to expand online privacy rules and to require ISPs to notify customers before selling data to a third party. [132]   While only Nevada and Minnesota have actually passed privacy laws protecting consumers’ data privacy in the wake of the now-repealed FCC regulations, nearly 30 other states have introduced similar legislation.  Both Nevada’s and Minnesota’s legislation prohibit disclosure of personal identifying information to third parties.  Beyond personal identifying information, Minnesota’s legislation also requires ISPs to obtain permission before disclosing subscribers’ online usage and browser history.  Common features across other state bills include requiring consent before collecting customers’ personal identifying information, specifying the form of ISP data collection notice, and prohibiting discounts for customers who consent to their personal identifying information being shared with third parties.  
In California, a recent ballot initiative would impose even greater restrictions, by requiring medium and large-sized businesses and ISPs to compile and maintain detailed records of disclosed consumer information and requiring ISPs to maintain the same level of service for all customers—regardless of whether they opt out of information-sharing. [133]   Beyond these common features, all of the proposed legislation in this area varies as to the liability extended beyond ISPs, including website operators, as well as the form of consent that must be given before gathering and sharing consumer data. b.      Data Breach Notification Forty-eight states—and the District of Columbia, Guam, Puerto Rico, and the Virgin Islands—have now passed legislation requiring both private companies and government entities to notify individuals regarding security breaches of personal identifying information.  Alabama and South Dakota are the only two exceptions.  Since our last update, New Mexico passed legislation on April 6, 2017, effective June 16, 2017, requiring notification upon the unauthorized acquisition of personal identifying information. [134]   Delaware took legislative action to expand its definition of “personal identifying information,” to include, in addition to the usual triggers like passport numbers and state identification card numbers, health insurance policy numbers or other health insurance identifiers, medical history or diagnosis information, and DNA profiles. [135] c.       Cybersecurity Committees Another trend in 2017 was the continued establishment of state committees on cybersecurity.  Four states—Georgia, Massachusetts, North Carolina, and Pennsylvania—introduced bills to form cybersecurity committees to study and improve cybersecurity preparedness and enhance state-wide responses to security threats.  
Illinois introduced legislation that would form an International Cybersecurity Task Force to review reports from the Department of Homeland Security and the FBI on “Russian Malicious Cyber Activity” and develop strategies to implement or reject the recommendations espoused by those reports. [136]   Puerto Rico also enacted legislation directing the Senate and House Committees on Public Safety to research computer security with an eye towards understanding how new technologies might help ensure the proper handling of confidential information. [137] d.      Computer Crimes In 2017, states continued to pass legislation to target computer crimes, with increased penalties for such offenses.  For example, Connecticut passed legislation establishing the crime of computer extortion by the use of ransomware as a felony. [138]   This bill was introduced after the May 2017 WannaCry attack, in which a ransomware worm spread between unpatched Microsoft Windows systems by exploiting an SMBv1 flaw for which Microsoft had already issued a patch (MS17-010), disrupting the normal functions of numerous organizations, including hospitals, ambulances, health clinics, shipping companies, and schools.  Connecticut’s legislature framed the bill as a preventative measure to protect against and deter similar cyberattacks.  Wyoming passed legislation to create the criminal offense of computer extortion, a felony punishable by a prison term of up to ten years and a fine of $10,000, and to expand the computer crimes to be investigated by Wyoming’s division of criminal investigation. [139]   A number of other states also introduced legislation concerning computer crimes that remains pending.  For example, New Jersey introduced a bill that clarifies the scope of the crime of unlawful access to password-protected communications—limiting it to access that is “knowingly” without authorization—and provides for imprisonment terms of up to 18 months for the most serious version of this offense. 
[140]   New York also introduced bills to provide for the calculation of damages caused by computer tampering, to classify cyber terrorism as a Class B felony, [141] and to increase penalties for crimes involving the use of personal information, fraud, tampering, theft, and use of a computer to commit crimes. [142] e.       Notice of Monitoring Employee Communications and Internet Access In 2017, a handful of states introduced legislation requiring private or government employers to notify employees before monitoring employees’ email communications or Internet access and browsing histories.  Specifically, Colorado and Tennessee passed legislation providing that government entities operating electronic mail communications systems must adopt written policies on monitoring activities that specify when employee correspondence may be considered a public record. [143]   Connecticut and Delaware now require private and public employers to give notice to employees before monitoring employee email communications or Internet usage behavior. [144]   Non-compliant Connecticut employers face civil penalties of $500 for the first offense, $1,000 for the second offense, and $3,000 for each subsequent offense. [145]   Non-compliant Delaware employers face civil penalties of $100 per violation. [146] f.       Cybersecurity Training This year, several states introduced legislation to improve state employee cybersecurity training.  Illinois passed a bill that requires state employees to participate in annual training by the Department of Innovation and Technology to enhance cybersecurity preparedness. [147]   New Jersey and Oregon introduced similar bills. 
[148]   Relatedly, California introduced legislation that would direct the Regents of the University of California and other higher education institutions to evaluate their cybersecurity education and training programs to ensure that “the state is meeting the workforce needs of the cybersecurity industry.” [149] II.     Civil Litigation Privacy-related civil litigation was again prevalent in 2017, which witnessed one of the largest private data breaches in history.  Numerous data breaches announced in 2017 led to civil actions, including actions on behalf of government entities.  Courts grappled with issues related to standing post-Spokeo, approved settlements of numerous class action suits, and presided over shareholder derivative suits alleging that directors and officers breached their fiduciary duties in overseeing corporate cybersecurity. In addition to breach-related litigation, plaintiffs filed multiple class action lawsuits alleging that technology companies violated state and federal laws by scanning user emails for targeted advertising and other business purposes.  Last year also continued the recent trend of civil and criminal cases being brought against both businesses and individuals for recording phone calls without the requisite consent and against companies for violating the Telephone Consumer Protection Act (“TCPA”) and the Video Privacy Protection Act (“VPPA”).  Additionally, there was an increase in regulatory guidance and regulatory and private actions related to the “Internet of Things,” i.e., smart and connected devices. A.     Standing After Spokeo 1.     Background In 2017, litigation over standing often predominated in data privacy actions as a result of the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins. 
[150]   As discussed further in our 2016 Year-End Update, the Supreme Court held in Spokeo that “a bare procedural violation” of a statute without a resulting “concrete” injury does not satisfy the “injury-in-fact” requirement of Article III standing. [151]   The Court emphasized that “Article III standing requires a concrete injury even in the context of a statutory violation.” [152]

We thus observed last year that, on its face, Spokeo seemed poised to favor defendants in data privacy litigation, but noted that lower courts’ subsequent interpretation and application of Spokeo had been decidedly mixed.  That trend continued in 2017, as appellate courts continued to split on the question of whether the risk of future identity theft stemming from data breaches that resulted in stolen personal information is enough to confer standing without present injury.  Further, while courts continued to favor plaintiffs in cases brought under the Video Privacy Protection Act (“VPPA”) and the Telephone Consumer Protection Act (“TCPA”) in 2017, they often ruled for defendants on standing challenges in lawsuits concerning unlawful data retention.

2.     Post-Spokeo Standing Decisions in Privacy Cases

a.      Data Breach

Last year, the circuit courts diverged on the question of whether plaintiffs have standing to sue based on the possibility that they may become victims of identity theft following a data breach.

For example, in January 2017, the Third Circuit reversed a district court dismissal, finding that a putative class of customers sufficiently pled standing in a Fair Credit Reporting Act (“FCRA”) case based on allegations that the defendant inadequately protected personal information stolen from that company. 
[153]   The court agreed with the plaintiffs that the purported “violation of their statutory right to have their personal information secured against unauthorized disclosure constitute[d], in and of itself, an injury in fact,” and that establishing standing did not require additional “specific harm,” such as economic damages. [154]   It further emphasized that the wrongful “dissemination of [the plaintiffs’] own private information” was “the very injury that FCRA is intended to prevent,” rather than a de minimis technical infraction that would be insufficient under Spokeo. [155]   Likewise, the D.C. Circuit found standing in a data breach case based on allegations that the plaintiffs “face[d] a substantial risk of identity theft” resulting from their stolen personal information. [156] Conversely, in an unpublished decision, the Second Circuit affirmed dismissal of a suit predicated on alleged theft of credit card information, because the plaintiff failed to plead “a particularized and concrete injury suffered from the attempted fraudulent purchases,” since she was never asked to pay for an unauthorized transaction. [157]   Moreover, the court held that there was no risk of future harm because the “stolen credit card was promptly canceled after the breach and no other personally identifying information . . . [was] alleged to have been stolen.” [158]   The Fourth Circuit reached a similar conclusion in a data breach case concerning personal information obtained from veterans’ medical care facilities after determining that the “threatened injury of future identity theft” was speculative rather than sufficiently imminent. [159]   A number of district courts also dismissed data breach claims for lack of standing where the risk of prospective harm from a data breach was, in their view, hypothetical. 
[160]

The Eighth Circuit reached a split decision on the question of standing based on the possibility of identity theft following a data breach in In re SuperValu, Inc., a multi-district litigation involving several putative classes that sued retail grocery stores that had suffered two cyber-attacks. [161]   The plaintiffs alleged theft of their personal information and violations of, among other things, various state data breach notification statutes. [162]   The Eighth Circuit agreed with the district court that the plaintiffs had failed to adequately plead injury based on the risk of future identity theft, and it noted that its sister circuits—as discussed above and in our last review—had reached “differing conclusions on the question of standing” in similar data breach cases. [163]   Observing that “this out-of-circuit precedent . . . ultimately turned on the substance of the allegations before each court,” the Eighth Circuit concluded that the plaintiffs in SuperValu had not plausibly alleged that the “defendants’ data breaches create[d] a substantial risk that [the] plaintiffs [would] suffer credit or debit card fraud.” [164]   However, the court also found that one named plaintiff had sufficiently pled a present injury based on actual misuse of his credit card information, and it accordingly reversed the dismissal of that particular individual’s claims. [165]

b.      Unlawful Disclosure

Standing decisions in unlawful disclosure cases in 2017 turned on whether dissemination of the information at issue posed a material risk of harm to a plaintiff’s statutory interests.  In keeping with Spokeo, lower courts dismissed lawsuits predicated on de minimis procedural infractions.

After the Supreme Court vacated and remanded Spokeo for further consideration of whether the plaintiff had pled a concrete injury under the FCRA, the Ninth Circuit answered in the affirmative. 
[166]   It held that the inaccurate information disclosed in the credit report at issue implicated “material facts” about the plaintiff’s life and “could be deemed a real harm” to, inter alia, his employment prospects. [167]   The Ninth Circuit similarly found standing in Syed v. M-I, LLC, an FCRA case concerning the alleged failure of an employer to inform job applicants that it would check their credit histories as part of the application process, [168] as well as in a VPPA action based on allegations that the defendant disclosed information about the plaintiff’s video-watching habits. [169]   In the latter decision, the court held that, “although the FCRA outlines procedural obligations that sometimes protect individual interests, the VPPA identifies a substantive right to privacy that suffers any time a video service provider discloses otherwise private information.” [170]   The Eleventh Circuit issued an identical ruling in another VPPA appeal. [171]   A number of district courts also reached similar decisions in cases concerning failures to comply with the FCRA’s and the Fair Debt Collection Practices Act’s (“FDCPA”) disclosure requirements. [172]

However, in contrast to Syed, the Seventh Circuit found in Groshek v. Time Warner Cable, Inc. that a plaintiff did not suffer “a concrete informational injury” under the FCRA based on a prospective employer’s purported failure to properly obtain an applicant’s permission before procuring a credit report. [173]   The court distinguished Syed on the ground that the “Ninth Circuit had factual allegations from which it could infer harm, whereas” the plaintiff in Groshek “present[ed] no factual allegations plausibly suggesting that he was confused by the disclosure form or the form’s inclusion of a liability release . . . 
.” [174]   Likewise, in an FCRA class action based on a credit reporting agency’s inclusion of a defunct credit card company on its reports, the Fourth Circuit found that the named plaintiff had failed to demonstrate how he had been injured by the erroneous information and therefore had “suffered no real harm, let alone the harm Congress sought to prevent in enacting the FCRA.” [175]   Accordingly, the court vacated the judgment awarding damages to the class. [176]   The Second Circuit similarly affirmed dismissals of two Fair and Accurate Credit Transactions Act (“FACTA”) suits predicated on the disclosure of credit card information on restaurant and retail receipts after finding that the purported injuries did not pose a “material risk of harm” to the plaintiffs’ statutory interests. [177]   District courts have followed course in other FACTA actions. [178]

c.       Unlawful Retention

Unlawful retention cases have continued to trend in defendants’ favor on the question of standing.  For instance, earlier this year in Gubala v. Time Warner Cable, Inc., the Seventh Circuit determined that there was no standing in a Cable Communications Privacy Act (“CCPA”) action based on allegations that the defendant had retained the plaintiff’s personal information after the plaintiff canceled a cable subscription. [179]   The court determined that there was no cognizable injury because the plaintiff failed to allege that the defendant had “ever given away or leaked or lost any of his personal information or intend[ed] to give it away or [was] at risk of having the information stolen from it.” [180]

d.      Unlawful Acquisition/Use

The courts have continued to split on the question of standing in unlawful acquisition and use cases.  In Santana v. Take-Two Interactive Software, Inc., for example, the Second Circuit affirmed the district court’s dismissal of a Biometric Information Privacy Act (“BIPA”) lawsuit predicated on the defendant’s alleged unlawful collection, dissemination, and retention of biometric data used to create 3D models of players’ faces in basketball video games, for lack of standing. [181]   The court held that the purported BIPA violations were procedural and did not pose a “material risk of harm” to the plaintiffs’ statutory interests sufficient to establish an Article III injury. [182]   Conversely, over the past year, district courts found standing for a Wiretap Act claim predicated on use of a smartphone application to track users’ physical movements, [183] as well as for VPPA, Wiretap Act, and state law claims based on the collection of video-viewing information through smart TVs. [184]   Courts also found standing in the context of Driver’s Privacy Protection Act claims stemming from the sale of vehicle accident reports containing personal information to third parties for solicitation purposes. [185]

e.       TCPA Claims

In TCPA cases, courts have continued to find that unsolicited electronic communications constitute a concrete injury to statutory privacy rights.  For example, the Ninth Circuit held that spam-like text messages about gym memberships violated “the substantive [TCPA] right to be free from certain types of phone calls and texts absent consumer consent,” [186] and the Second and Third Circuits found that plaintiffs adequately alleged harm in actions based on unwanted, prerecorded telephone calls. [187]   A number of district courts have reached identical conclusions in TCPA cases; [188] however, one court refused to certify a proposed TCPA class after determining that some prospective class members had consented to receive the calls at issue and thus did not suffer a cognizable injury. [189]

3.      Looking Ahead

Spokeo did not provide a bright-line rule squarely prohibiting plaintiffs from suing for intangible injuries.  Accordingly, lower courts have continued to grapple with its application in the data privacy space.  There appears to be an emerging pro-plaintiff consensus in VPPA and TCPA actions, and courts have continued to favor defendants in retention suits.  However, the circuit courts have adopted divergent views on whether data breaches resulting in stolen personal information and the associated risk of future identity theft are, by themselves, enough to confer standing absent allegations of present harm.  On December 6, 2017, Spokeo again petitioned for certiorari and sought review of the Ninth Circuit’s latest standing determination. [190]   However, shortly before publication of this review, the Supreme Court rejected Spokeo’s petition, [191] thereby declining the opportunity to clarify its precedent.

B.     Data Breach Litigation

1.     Litigation

a.      High-Profile Breaches in 2017

Last year witnessed one of the largest data breaches in history, when it was reported that Equifax, Inc., one of the three major American credit bureaus, had its systems compromised, affecting more than 143 million Americans.  But Equifax was not alone in suffering massive data breaches: for example, a white hat hacker revealed in July that a political data analytics company had left the voting information of nearly 200 million Americans exposed.  Throughout the year hackers targeted government agencies and companies in every industry, seeking out personally identifiable information (“PII”), customer login information, payment information, and health care information, among others.  Litigation quickly followed many of the announced breaches, including civil actions and suits on behalf of government entities.

i.     Credit Bureau Attacks

In the Equifax attack, hackers were able to access names, Social Security numbers, addresses, and other PII, making the breach not just one of the largest in terms of the number of individuals affected, but also in terms of the breadth and sensitivity of PII lost.  The hackers gained entry by exploiting a website application vulnerability, and were not discovered until after they had accessed dozens of sensitive databases and created over 30 different entry points into Equifax’s computer systems. [192]

To date, over 240 class action lawsuits by consumers have been filed against Equifax in the U.S., including a “50-state” complaint seeking to consolidate dozens of individual suits. [193]   Those suits allege a variety of common law and statutory claims, seeking monetary damages, injunctive relief, and other related relief. [194]   Equifax also faces municipal suits by Chicago and San Francisco generally alleging violations of state laws and local ordinances regarding protection of personal data, consumer fraud, business practices, and breach notice requirements. [195]   Additionally, the Massachusetts Attorney General has filed a suit against the credit reporting agency in relation to the data breach. [196]   Financial institutions including banks and credit unions also filed suit, seeking monetary relief for data breach costs to the financial institutions, such as canceling and reissuing credit cards and absorbing the cost of any fraudulent charges. [197]   Shareholders have also sued Equifax, alleging violations of securities laws and seeking damages against the company and its top officers. [198]

Equifax moved to consolidate the lawsuits it faces, which continue to proliferate. [199]   As a result, a Judicial Panel on Multidistrict Litigation ordered centralization of the cases on December 6, 2017. [200]   Going forward, litigation will be heard in the Northern District of Georgia. 
Equifax was not the only bureau to have sensitive information left vulnerable.  On December 20, 2017, security firm UpGuard announced that it had discovered a cache of materials on an unsecured server, this time maintained by Alteryx, a data analytics company that is partnered with the major credit bureau Experian. [201]   Sensitive personal information on 123 million U.S. households was left unsecured, including datasets from Experian and the U.S. Census Bureau. [202]   The exposed data included home addresses, contact information, purchasing behavior, and financial information. [203]   At least two lawsuits have already been filed against Alteryx, in California and Oregon. [204]

ii.     Political Breaches

The U.S. government continued investigating the July 2016 cyberattack on the Democratic National Committee, with related lawsuits drawing attention throughout 2017.  Such suits included a complaint under the Freedom of Information Act filed by the Electronic Privacy Information Center against the FBI, seeking records relating to its investigation into the attack, [205] and lawsuits brought by Microsoft against command-and-control servers used by KGB hacking group “Fancy Bear” to covertly direct malware onto victims’ computers. [206]

Then, on June 19, 2017, UpGuard announced that they had discovered that Deep Root Analytics, LLC, a data analytics company contracted by the Republican National Committee to gather voting data, had stored information on more than 198 million Americans on an unsecured storage server. [207]   This information included names, birth dates, addresses, voter registration details, and social media posts. [208]   While it is unclear whether any nefarious parties accessed the data, the breach did lead to a class action lawsuit against Deep Root. [209]   That lawsuit was dismissed by the plaintiffs with prejudice in November. [210]

Additionally, the U.S. Department of Homeland Security announced in September 2017 that it appeared Russia had undertaken extensive efforts to hack state election systems in the lead-up to the presidential election. [211]   Illinois had its systems breached, while 20 other states were targeted but are not believed to have been breached. [212]

iii.     Customer Information

Fast Food Restaurant Chains.  2017 was a particularly notable year for data breaches at American fast food restaurants.  In February, Arby’s Restaurant Group Inc. revealed a breach of customer data from malicious software accessing point-of-sale systems at its restaurants; suits sprang up almost immediately. [213]   In April, Chipotle Mexican Grill, Inc. announced that it had detected a security breach in its processing and transmission of customer and employee data, leading to lawsuits from financial institutions. [214]   In September, Sonic Corp. was confronted with multiple suits following a data breach announced by a security analyst, in which millions of credit and debit card users may have had their accounts pilfered. [215]   Then, in October, Pizza Hut Inc. announced that it had discovered what it deemed to be a “temporary security intrusion” that compromised the PII of nearly 60,000 customers who completed orders on its website or mobile app between October 1 and 2, 2017. [216]   On November 7, 2017, a class action suit was filed against the company in Washington. [217]

Hotel Groups.  2017 was not any kinder to hotel groups.  Lawsuits were filed in July against Sabre Hospitality Solutions, a vendor whose electronic reservation system services thousands of travel agencies and hotels, which announced that it had suffered a data breach compromising the information of customers who made reservations using the system between August 2016 and March 2017. [218]   Credit card information and cardholder names were stolen.  
Intercontinental Hotels Group (“IHG”) is facing its own class action lawsuit, after it announced a data breach that affected 12 of its properties.  Malware was found on servers which processed payments made at on-site restaurants and bars during the second half of 2016. [219]   The matter is currently being briefed by IHG for dismissal.

Whole Foods.  Whole Foods Market Group, Inc. found itself the target of a lawsuit following its September 28, 2017 announcement that its point-of-sale systems at taprooms and full-service restaurants (but not its grocery stores) had been hacked.  The suit, a class action filed by a customer, alleges negligence on the part of Whole Foods for failing to protect her information, as well as violations of the Fair Credit Reporting Act and Ohio’s Consumer Sales Practices Act. [220]

iv.     Health Information

The number of data breaches affecting health care providers continued to rise in 2017, with over 340 incidents reported to the Department of Health and Human Services. [221]   The past year did not, however, witness any massive breaches comparable to the 2015 attack on Anthem, which resulted in the disclosure of more than 78 million patients’ PII. [222]   Interestingly, of the five largest health care-related breaches in 2017, only one has resulted in litigation so far.

Commonwealth Health Corporation.  In March 2017, Commonwealth Health Corporation’s Kentucky-based Med Center Health announced that up to 697,800 individuals may have had their billing and health information stolen via a breach that occurred in 2014-15. [223]   No hacking was involved with the breach; rather, a former employee accessed the information without authorization.  This is believed to be the largest breach of a health care provider in 2017, in terms of number of records compromised. [224]   While federal investigators look into the matter, at least one lawsuit has been filed against the company by affected patients. [225]

v.       Law Firms and Business Information

Cyberattacks affected two large international law firms, amongst others, in 2017.  While DLA Piper suffered a ransom- or wiper-ware attack that disabled the firm’s communications systems for several days, no lawsuits have been filed by its clients as yet. [226]   Litigation followed a data breach at the Cayman Islands-based law firm Appleby; however, it was Appleby going on the attack, suing the BBC and The Guardian over their reporting of offshore transactions by the firm’s clients. [227]   Millions of documents, dubbed the “Paradise Papers” by the media, were leaked to journalists detailing the arrangements and offshore activities of Appleby’s clients. [228]   Appleby sued the two media companies in British court in order to force the disclosure of the documents that formed the basis of their investigation. [229]

b.      Update on High-Profile Data Breach Cases from Prior Years

While many prior data breach cases headed for settlement instead of being decided by the courts (as discussed in detail in the Settlements section below), some cases received significant rulings in the past year.  Others continue to be litigated.

i.     District Court Litigation

Yahoo.  On August 30, 2017, a district court in the Northern District of California granted in part and denied in part Yahoo’s motion to dismiss data breach litigation, opening the way for class action lawsuits to proceed against the web portal, now owned by Verizon Communications. [230]   The district court ruled that some of the named plaintiffs had alleged Article III standing at the pleading stage, because they had “alleged a risk of future identity theft, in addition to loss of value of their [personal identification information].” [231]   The court dismissed certain claims in the consolidated actions, but allowed the actions to continue and the plaintiffs to amend their complaints. [232]

Office of Personnel Management.  
The District Court for the District of Columbia dismissed a class action data breach suit stemming from the attack against the Office of Personnel Management, which compromised the personal data of current, former, and prospective U.S. government employees. [233]   The court ruled that the theft of data alone was not enough to establish standing for the class and that they must allege unreimbursed out-of-pocket expenses from the alleged identity theft to state an injury in fact. [234]   While the court held that two plaintiffs had alleged such expenses, it found that their claims were insufficient to establish standing because they had not sufficiently tied those injuries to the breach. [235]   The court also dismissed the case on sovereign immunity and contractor immunity grounds, and found that the complaint failed to state a claim under the Privacy Act, the Little Tucker Act, and the Constitution. [236]   Gibson Dunn represented OPM’s co-defendant, contractor KeyPoint Government Solutions, in this litigation.

VTech.  The litigation arising from a 2015 cyberattack on digital learning toy-maker VTech’s servers continued to wind its way through the Northern District of Illinois.  VTech won its motion to dismiss the cases against it on July 5, 2017, as the court ruled that the plaintiffs had failed to show how the data breach could lead to future harm. [237]   Specifically, the court held that plaintiffs did not explain how the stolen data would be used to perpetrate identity theft. [238]   However, the court did not dismiss the claims with prejudice; accordingly, plaintiffs’ counsel brought an amended complaint against the company in August. [239]   The case settled in early 2018. [240]

Uber.  Uber won its motion to dismiss a lawsuit stemming from a 2014 data breach.  The court held that the plaintiffs did not “plausibly allege an immediate, credible risk of harm” and thus lacked standing. 
[241]   In particular, the named plaintiff did not allege that any passwords, PINs, or Social Security numbers were among the data obtained. [242]   Gibson Dunn represents Uber in this dispute, which is ongoing following Plaintiffs’ filing of a Third Amended Complaint.

Noodles & Co.  Noodles & Co. won its motion to dismiss a proposed class action brought by financial institutions over its data breach suffered in early 2016. [243]   The court found that the chain had no obligation towards the credit unions that had brought the suit. [244]   The court ruled that the claims were barred under the economic loss rule. [245]   Because the duties allegedly breached were contained in a network of interrelated contracts, the rule applied; because the rule only allows for recovery of damages on a breach of contract claim, the negligence claims brought by the credit unions were invalid.

ii.     Appellate Litigation

CareFirst BlueCross BlueShield.  The D.C. Circuit Court revived a class action lawsuit brought by policyholders of CareFirst BlueCross BlueShield health insurance, which suffered a cyberattack in 2014 leading to the theft of 1.1 million members’ personal information, including names, birthdates, addresses, and subscriber ID numbers. [246]   The circuit court found that the breach likely exposed Social Security and credit card numbers and other personal data such that fraudulent medical claims could result, resulting in harm concrete enough to establish standing under the Supreme Court’s Spokeo decision. [247]   Although the district court had dismissed the complaint, finding that it was based on statutory violations and not concrete harm, the appellate court found that it was plausible to infer that the hackers had the intent and ability to use the stolen data for ill, leading to concrete harm. [248]

Veterans Affairs.  Conversely, the Fourth Circuit dismissed a class action suit arising from the theft of a laptop from a Veterans Affairs medical facility, which contained the unencrypted personal information of patients. [249]   The circuit court agreed with the district court’s ruling, finding that the plaintiffs’ fear of harm from future identity theft was too speculative to confer standing, even if the plaintiffs took actions to mitigate that speculative future harm. [250]   The court reasoned that the allegations of harm rested on an attenuated chain of possibilities, including the assumption that the laptop thief planned to misuse the personal information on the laptop, and planned to misuse the plaintiffs’ personal information specifically. [251]   This chain of logic was not sufficient to establish standing under Spokeo.

c.      Trends in Data Breach Cases in 2017

Courts continued to grapple with specific issues in 2017, including issues that some had thought would be settled from Supreme Court precedent in past years, such as the Spokeo decision.

i.      Standing Post-Spokeo

As seen in the appellate litigation above, the circuit courts are split when it comes to interpreting the high court’s decision in Spokeo (and Clapper v. Amnesty International) regarding the tests for sufficient imminence and concrete harm to confer standing.  The D.C. Circuit found in Attias that there was concrete harm from the CareFirst data breach, because it was plausible to infer that the hackers had the intent and ability to wrongfully use the stolen data. [252]   But the Fourth Circuit found in Beck that there was no concrete harm from a stolen laptop containing patient information, because the harm rested on a logical chain requiring misuse of the plaintiff’s specific personal information. [253]   The Second Circuit used similar reasoning in Whalen v. Michaels Stores, Inc., finding that a data breach leading to stolen credit card information was not sufficient to allege concrete harm, because the plaintiff had promptly canceled her card and there were no specifics alleged regarding any other particularized or concrete injury. [254]

Like the D.C. Circuit, the Seventh, Third, and Sixth Circuits have found that risk of identity theft or credit card fraud was enough to grant constitutional standing to those who had been hacked. [255]

The Eighth Circuit added a new split in September in reviving a class action lawsuit brought against SuperValu Inc., by reasoning that while there was not sufficient personal information lost to allow plaintiffs to rely on risk of imminent harm due to stolen identities, there was standing because someone had used a plaintiff’s credit card to make an unauthorized purchase. [256]   That allegation was sufficient to meet the concrete injury test, even though SuperValu’s attorneys argued that there was no indication the purchase was a result of the breach. [257]

ii.      Companies on the Attack

2017 has seen an uptick in firms taking the offensive in wielding litigation as a tool to fight hackers.  For instance, Microsoft has focused its attention on the command-and-control servers used by one of the most sophisticated hacking collectives attempting to direct malware onto victims’ computers.  To do so, it sued Fancy Bear in the Eastern District of Virginia. [258]   Microsoft argued that it had standing to sue because Fancy Bear had been using domain names that contained the names of Microsoft’s products to set up websites containing malware. [259]   Thereafter, Microsoft won orders from the court to compel domain name registrars to alter domains to point to Microsoft, instead of to Fancy Bear’s sites. [260]   Microsoft is now seeking a permanent injunction to give Microsoft ownership of the domains it has targeted. 
[261]   In a different vein, as noted above, Appleby has wielded litigation against journalists who reported on the Paradise Papers. [262]

Ultimately, these actions point to the possibility that other companies will take the fight to hackers, especially companies in the tech industry whose products are often targeted in order to foster data breaches.

2.      Settlement Trends

As in 2016, companies facing major data breach litigation in 2017 have continued to choose to settle claims on a class-wide basis.  As discussed more fully below, Anthem Inc., one of the nation’s largest health insurance providers, agreed to settle a class action lawsuit brought by consumers stemming from a 2015 data security breach for $115 million. [263]   Given the financial, regulatory, and reputational risks attendant to data breach litigation, this trend is understandable.  Other trends emerged in 2017 as well.  First, defendants in data breach litigation are continuing to settle with financial institution-plaintiffs in addition to consumer-plaintiffs.  Additionally, in the aftermath of data breach settlements, some class members have objected to various elements of the settlements or proceedings.  Lastly, as is discussed more fully below, defendants facing data breach enforcement have increasingly entered into settlement agreements with state attorneys general.

a.      Anthem’s Settlement

In 2015, Anthem, one of the nation’s largest health insurance providers, announced that it had been the victim of a data breach in which hackers gained access to individuals’ personal information. [264]   Customer-plaintiffs brought numerous class action lawsuits against Anthem and its affiliates that were ultimately consolidated in the Northern District of California. [265]   After the court denied the defendants’ motion to dismiss in part, [266] the parties entered into a settlement on May 31, 2017. [267]   The court preliminarily approved the settlement at the end of August. 
[268] The broad strokes of the Anthem settlement are familiar.  As part of the settlement, the defendants agreed to make a $115 million payment into a settlement fund. [269]   The fund will be used, in part, to cover reimbursement for out-of-pocket costs and credit monitoring services for class members, [270] and to pay up to $37.95 million in attorneys’ fees. [271]   In addition, the defendants agreed to implement improved data security practices for at least three years and to engage an independent consultant to ensure that these practices are followed. [272]

b.      Home Depot Settles with Financial Institutions

Following a 2014 data breach, in 2016 Home Depot settled a class action lawsuit brought on behalf of over 50 million of its customers for $13 million. [273]   However, the settlement did not include coexisting claims brought by a consolidated class of financial institutions claiming that they were harmed by Home Depot’s failure to prevent the data breach because they were required to issue consumers new credit cards and to reimburse any fraudulent charges stemming from the data breach. [274]   In early 2017 Home Depot entered into an additional settlement with the financial institutions and agreed to pay $25 million into a settlement fund intended for distribution among the class members. [275]   In September 2017, the Northern District of Georgia approved this settlement. [276]

c.       Developments Regarding the Target Settlement

In 2015, Target agreed to settle a consumer class action arising out of a 2013 data breach for $10 million. [277]   The ultimate disposition of the case and distribution of the settlement fund, however, have been significantly delayed due to various claims by objectors. [278]   For instance, in May 2017, the District of Minnesota rejected an objector’s claim that the class representatives in the case had a conflict of interest with other class members such that the settlement was inadequate. 
[279]   As of this writing, the objector’s appeal is pending before the Eighth Circuit Court of Appeals. [280] In addition, in May 2017 Target agreed to pay $18.5 million to 47 states and the District of Columbia as part of a settlement that arose out of a multi-state investigation into the same breach. [281]

d.      Historical Context for Settlements of Data Breach Claims

As demonstrated in the chart below, the data breach settlements in 2017 appear to be similar to those of recent years.

| Defendant | Approval | Data Type | Relief to the Class | Service Awards, Fees, & Costs |
| --- | --- | --- | --- | --- |
| Home Depot (Financial Institution Class) [282] | September 22, 2017 | Card Data | $25 million for class claims; up to $2.25 million to certain sponsored entities; security practice changes | Up to $2,500 for each class representative; $710,000 in litigation costs; $15.3 million in fees |
| Anthem [283] | August 25, 2017 (preliminary approval) | Personal Information | $115 million for, among other things, class members’ out-of-pocket expenses and credit monitoring services; security practice changes | Up to $3 million in costs and $37.95 million in fees, to be covered by the $115 million settlement payment |
| Home Depot (Consumer Class) [284] | August 23, 2016 | Card Data | Up to $13 million for class claims; up to $6.5 million for 18 months of credit monitoring services; security practice changes | $1,000 for each representative plaintiff; $166,925 in costs; $7.536 million in fees |
| Target Corp. (Financial Institution Class) [285] | May 12, 2016 | Card Data | Up to $20.25 million for class claims; $19.108 million to MasterCard; reportedly up to $67 million for Visa’s claims against Target [286] | $20,000 for 5 representative plaintiffs; $2.109 million in costs; $17.8 million in fees |
| Sony Pictures Entertainment, Inc. [287] | April 6, 2016 | Login and Personal Information | Up to $2 million for preventative losses; up to $2.5 million for claims for identity theft losses; up to two years of credit monitoring services | $3,000 for each named plaintiff; $1,000 for each plaintiff who initially filed an action; $2.588 million in fees |
| St. Joseph Health System [288] | February 3, 2016 | Health Information | $7.5 million in cash payment; up to $3 million for class claims; one year of credit monitoring services (offered during remediation); security practice changes | $50,000 in incentive payments for class representatives; $7.45 million in fees and costs |
| Target Corp. (Consumer Class) [289] | November 17, 2015 | Card Data | Up to $10 million for claims; security practice changes | $1,000 for three deposed plaintiffs; $500 for other plaintiffs; $6.75 million in fees |
| LinkedIn [290] | September 15, 2015 | Login Information | Up to $1.25 million for claims; security practice changes | $5,000 for the named plaintiff; $26,609 in costs; $312,500 in fees |
| Adobe Systems, Inc. [291] | August 13, 2015 (voluntary dismissal) | Login and Card Data | Security practice changes and audit | $5,000 to each individual plaintiff; $1.18 million in fees |
| Sony Gaming Networks [292] | May 4, 2015 | Card Data and Personal Information | Up to $1 million for identity theft losses; benefit options including free games and themes or a month’s subscription, unused wallet credits, virtual currency; some small cash payments | $2.75 million in fees |

3.      Shareholder Derivative Suits

In recent years, shareholders have occasionally responded to data breaches by filing derivative lawsuits against corporate directors and officers for breach of fiduciary duty in overseeing corporate cybersecurity.  From 2014 to 2017, shareholders brought five such high-profile derivative lawsuits on behalf of Wyndham Worldwide, Target, Home Depot, Wendy’s, and Yahoo.  However, these suits have generally struggled to move past the motion-to-dismiss stage.  
Both the Wyndham and Target lawsuits were dismissed after courts respectively found that the Wyndham board’s actions were protected under the business judgment rule, [293] and that pursuing legal action against Target’s directors and officers was not in the corporation’s best interest. [294]   The Home Depot case was similarly dismissed in 2015; however, the parties reached a settlement this year after the plaintiffs filed an appeal of the dismissal.  The outcomes of the Wendy’s and Yahoo litigations remain to be seen.

The Home Depot.  After news broke that hackers stole the email addresses and credit card information of more than 50 million Home Depot customers, a number of the company’s shareholders filed a derivative lawsuit in September 2015 in the Northern District of Georgia, alleging that the board of directors breached its fiduciary duty by disbanding Home Depot’s infrastructure committee and moving too slowly in addressing the security breach.  On November 30, 2016, the district court dismissed the action on grounds that the shareholders failed to either demand that the board take action or demonstrate with particularized facts that such a demand would have been futile. [295]   Plaintiffs subsequently filed an appeal in the Eleventh Circuit.  However, on April 28, 2017, the parties reached a settlement pursuant to which Home Depot agreed to adopt certain cybersecurity-related corporate governance reforms and to pay the plaintiffs’ legal fees, totaling around $1.1 million. [296]   The promised reforms included maintaining an executive committee on data security, documenting the responsibilities of the company’s corporate information security officer, and requiring regular reports on the company’s IT and cybersecurity budget. [297]

Wendy’s.  On December 16, 2016, just two weeks after the district court’s dismissal of the Home Depot suit, plaintiff shareholders filed a derivative action in the Southern District of Ohio against The Wendy’s Co. 
(“Wendy’s”) and certain of the company’s directors and officers.  The lawsuit stemmed from a data breach that occurred between October 2015 and June 2016, which affected 1,025 Wendy’s franchises and spawned a series of consumer protection lawsuits. [298]   The complaint asserted claims for breach of fiduciary duty, waste of corporate assets, unjust enrichment, and gross mismanagement. [299]  The plaintiffs sought money damages, corporate governance reforms, and restitution of benefits and compensation.  In an attempt to avoid the fate of the Home Depot shareholder litigation, the Wendy’s plaintiffs provided detailed allegations to support their claim of demand futility, arguing that the controlling shareholder defendants have familial or past business ties with certain directors, resulting in these directors being “beholden to the controlling shareholder defendants.” [300]   On March 10, 2017, the Wendy’s board responded with a motion to dismiss, arguing failure to state a claim and failure to make a demand or adequately plead demand futility. [301]   The board members contended that the complaint was nothing more than speculation and failed to include any specific allegations that they breached any corporate duty in regard to data security protocols. [302]  At the time of this writing, the board’s motion to dismiss was still pending.

Yahoo.  The Yahoo data breach has given rise to two shareholder derivative suits.  On February 16, 2017, a Yahoo shareholder filed a lawsuit on behalf of the company in the Northern District of California. [303]  On February 23, 2017, another group of Yahoo Inc. shareholders filed a second derivative lawsuit in Delaware Chancery Court. [304]   Both cases have since been stayed, the former pending the entry of final judgments in the securities and consumer class actions also filed against Yahoo in the wake of the breach. [305]

C.     Interceptions and Eavesdropping

1.      Email Scanning

As in past years, 2017 saw key developments in class action lawsuits alleging technology companies violated state and federal laws by scanning user emails for targeted advertising and other business purposes.  Companies operating electronic communications services should continue to monitor such lawsuits, as they allege privacy violations based on what many consider to be standard industry practices, concern potentially massive proposed classes including all or many users of such services, and analyze the disclosures that satisfy consent to information collection and use.

Matera v. Google Inc.  Plaintiffs in Matera v. Google Inc. filed a class action against Google in September 2015, alleging that Gmail violates the CIPA and ECPA by intercepting emails of non-Gmail users in order to provide targeted advertising.  In 2016, the court denied Google’s motion to dismiss as to the merits of plaintiffs’ claims, [306] and granted in part and denied in part Google’s motion to dismiss based on lack of standing. [307]   Most significantly, the court concluded that based on “the historical practice of courts recognizing that the unauthorized interception of communication constitutes cognizable injury” and “the judgment of Congress and the California Legislature [that] alleged violations of . . . the Wiretap Act and CIPA constitute injury in fact,” the plaintiffs’ complaint survived Spokeo. [308]   However, the court also held that plaintiffs lacked standing to enjoin Google from engaging in the alleged “intercepting and scanning,” which Google confirmed it had ceased. [309] In November 2016, the parties requested a stay of the proceedings and announced that they had successfully mediated a resolution of the case and finalized a settlement agreement. 
[310]   In a preliminary approval hearing held on March 9, 2017, the parties explained that, pursuant to the agreement, Google would be enjoined from “scanning in transit email for the sole purpose of collecting advertising data.” [311]   However, Google would be allowed to scan incoming in-transit email for “the ‘dual purpose’ of (1) detecting spam and malware and (2) obtaining information that would be ‘later used for advertising.'” [312]   Google also agreed to pay $2.2 million in attorneys’ fees, $2,000 for each of the two lead plaintiffs, and $123,500 for the settlement administrator. [313] On March 15, 2017, the court rejected this settlement offer, stating that the class settlement notice was “inadequate” because it was “difficult to understand.” [314]   In particular, the preliminary settlement failed to clearly disclose the “dual purpose” to which Google agreed or “the fact that Google intercepts, scans, and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles” for targeted advertising. [315]   Furthermore, the court found that it was not clear whether the changes Google planned to make would bring Google into compliance with the CIPA and ECPA. [316] On July 21, 2017, the parties proposed a new settlement, which included a “plain language” recap of the changes Google plans to make. [317]   The summary stated that for three years, Google would “cease all automated scanning of emails sent to Google accounts for advertising purposes while the emails are in transmission prior to delivery to the Gmail user’s inbox.”  The settlement does not prohibit Google from scanning email for the prevention of spam or malware.  In addition, Google stated that it is making “business-related” changes to Gmail, whereby it “will no longer scan the contents of emails sent to Gmail accounts for advertising services,” either during the transmission process or after the emails have been delivered.  
These changes are not subject to the three-year time period, and are independent of the settlement. [318]  The court preliminarily approved the revised settlement on August 31, 2017. [319]   A final fairness hearing is scheduled for February 8, 2018.

Cooper v. Slice Technologies, Inc. & UnrollMe Inc.  In Cooper v. Slice, plaintiffs brought a class action for damages and injunctive relief, alleging that UnrollMe and its parent company, Slice Technologies, violated the ECPA and SCA by failing to adequately disclose UnrollMe’s practice of scanning emails and selling data to third parties. [320]   UnrollMe is a web service that unsubscribes users from mailing lists, newsletters, and other unwanted emails. [321]   Plaintiffs asserted that UnrollMe intercepted and accessed users’ emails without consent or authorization, or exceeded authorization by accessing emails for the purpose of extracting and selling consumer data. [322] Defendants moved to dismiss the lawsuit on October 12, 2017. [323]   Among other things, defendants argued that plaintiffs failed to allege injury in fact to establish Article III standing under Spokeo, since plaintiffs did not allege their actual emails were sold to other companies, or that anonymized data that was extracted from plaintiffs’ emails was reidentified after being sold.  Defendants also asserted that plaintiffs failed to state a claim under the Wiretap Act because defendants purportedly disclosed the activities at issue in their privacy policy, and because plaintiffs alleged only access to their stored emails, whereas the Wiretap Act applies to the “interception” of communications.

2.     Call Recording

In recent years, there have been a number of civil and criminal cases brought against both businesses and individuals for recording phone calls without the requisite consent.  The recording of telephone conversations is governed by a patchwork of federal and state law.  
At the federal level, the Wiretap Act permits the recording of phone calls, so long as one party to the call consents to the recording. [324]   The vast majority of states have similarly adopted a “one-party” consent requirement. [325]   A minority of states have arguably adopted either a “two-party” or “all-party” consent requirement. [326] Most of the call recording cases brought in recent years have been against companies for large-scale recordings of commercial calls, rather than individual illicit recordings.  Although nearly a dozen states have all-party consent laws, much of the litigation surrounding unauthorized recordings has arisen out of California’s Invasion of Privacy Act (“CIPA”), California Penal Code § 630, et seq. [327]   Most call recording litigation based on CIPA has focused on §§ 632 and 632.7, which prohibit eavesdropping on calls to landlines and cell phones, respectively. Recently, courts have held that non-California plaintiffs may assert CIPA claims against California defendants where the alleged violations occurred in California. [328]   Indicative of this national reach, California business owners brought suit in Illinois against various banks and telemarketers alleging illegal recordings of discussions containing sensitive business information. [329]   The various defendants filed motions to dismiss, transfer, and sever the case, but the case is still pending in the Northern District of Illinois.  Significantly, some of the defendants have sought to change venue based on forum selection clauses in their customer or user agreements, rather than challenging the ability of plaintiffs to bring CIPA claims outside of California, indicating that few litigants are willing to challenge the national reach of CIPA. 
Also in the realm of jurisdictional issues related to CIPA, the Ninth Circuit recently reversed a decision to remand a CIPA class action back to state court, concluding that the plaintiff had failed to demonstrate that two-thirds of the class actually resided in California, as required by the Class Action Fairness Act (“CAFA”). [330]   Specifically, CAFA exempts from federal jurisdiction “home-state controversies,” where at least two-thirds of the proposed class and the primary defendants are all citizens of the State in which the action was originally filed. [331]   Plaintiffs’ proof that two-thirds of all class members were Californians was lacking, according to the Ninth Circuit, because, although the class contained an indeterminate number of people who were “located in” California when they received the allegedly improperly recorded phone calls, the allegations never specified how many of them were California citizens or even how large the whole class was. [332]   In reaching its decision, the court noted that Plaintiffs were aware of the class definition issue and failed to carry their burden of proving the citizenship of a sufficient number of class members. [333] In the class certification context, in Raffin v. Medicredit, Inc., the Central District of California certified a CIPA class action against Medicredit, a debt collector, for recording cell phone calls and failing to inform plaintiffs of the recording. [334]   The action sought certification of a § 632.7 class, which prohibits the recording of cell phone communications. [335]   Notably, the court concluded that the class was ascertainable for certification purposes, even though it may be necessary to undertake the challenging process of using cell site location information to verify that putative class members were in California when called. 
[336]   In analyzing § 632.7 more generally, the court also concluded that a party must be informed “at the outset,” meaning “prior to any recording of the plaintiff’s communication,” that the call is being recorded. [337]   Subsequent courts have adopted this interpretation of § 632.7, suggesting a broadening of the law’s scope. [338] If this becomes settled law, it would align the law under § 632.7 with that under § 632, which already requires notification “at the outset” for any recordings of calls over a landline.  However, class certification appears to be more difficult under § 632 than § 632.7, as the more generous test applied in Raffin diverges from the stricter analysis in Saulsberry v. Meridian Financial Services, Inc., decided last year. [339]  This may be an indicator of a unique area of divergence in the interpretation of two statutes that are otherwise converging, or it may represent a reversal of the trend of denying class certification.  Ultimately, only three §§ 632 and 632.7 class certification decisions have issued this year, and all three granted class certification. [340] Adding to the body of law regarding the scope of § 632.7, the court in Ronquillo-Griffin concluded that § 632.7, like § 632, applies to parties to a communication, not just third parties, adding to the already significant number of district courts that have so interpreted § 632.7. [341]   Like the Raffin case discussed above, this indicates an increasing overlap between § 632 and § 632.7, generating a more consistent body of law between call recordings over landlines and cell phones. On the criminal side, the California Court of Appeal invalidated part of CIPA. [342]   California Penal Code § 632(d) renders inadmissible as evidence recordings obtained without all parties’ consent.  
However, California’s constitution contains a “Right to Truth-in-Evidence” provision, which permits all relevant evidence to be admitted unless the legislature provides otherwise by a two-thirds majority vote. [343]   The Court of Appeal concluded that this provision abrogated the inadmissibility component of CIPA, rendering recordings that otherwise violate CIPA admissible. [344] Outside of California, there has also been some litigation regarding the scope of local eavesdropping statutes.  The Arizona Court of Appeals confirmed that a phone message may be shared by the recipient of the message, even if the person leaving the message does not consent. [345]   In State v. Smith, the defendant had argued that, when leaving a voice message, there is only one “participant” to the call, but the court rejected this logic, concluding that the recipient of the message is also a participant and may consent to sharing the recorded voicemail. [346]   In a similar case—also captioned State v. Smith—the Supreme Court of Washington considered whether an inadvertent recording through the voicemail function of a cell phone falls within the purview of Washington’s all-party consent statute. [347]   The Court concluded that “the plain language of the act confirms that even an inadvertent recording of a private conversation falls within the purview of the act.” [348]

3.     Other “Interceptions”

Emails and telephone calls are not the only communications that can be intercepted, and plaintiffs are increasingly bringing lawsuits based on novel theories of interception and collection of data.  This year saw a number of developments in ongoing lawsuits, as well as several actions alleging new theories of Wiretap Act violations.

Opperman et al v. Kong Technologies, Inc. et al.  In April 2017, several major tech companies, including Twitter, Yelp, Instagram, Foursquare, and Path, agreed to settle a putative class action accusing them of violating the ECPA and the Texas Wiretap Act, among other common law privacy rights. [349]   The putative class action complaint, originally filed in 2012, alleged that the defendants’ applications access user contact information without their consent. [350]   For instance, plaintiffs claimed that Twitter’s “Find Friends” feature violated consumer privacy by scanning users’ address books to see which of their contacts are on Twitter.  Twitter, on the other hand, argued users were informed of the process and gave their permission for the service to scan their address books.  Path users alleged that the photo sharing and messaging app was accessing their contacts and calendar information without permission.  Path later issued an apology.  Defendants agreed to pay a consolidated $5.3 million as part of a deal, which covers a proposed class of an estimated 7 million claimants who downloaded the companies’ iOS apps on their Apple devices and activated the “Add Friends,” “Find Friends” or “Suggested Friends” feature offered by the relevant application. [351]   A final approval hearing was held on December 14, 2017.

In re Vizio, Inc., Consumer Privacy Litig.  In this putative class action complaint, plaintiffs alleged that Vizio violated the ECPA and the VPPA, as well as several state law fraud, negligent misrepresentation, and consumer protection claims, by using their smart TVs to secretly collect, and distribute to advertisers, information on customer viewing habits so that advertisers could deliver targeted advertising in real time. [352]   On March 2, 2017, the court granted Vizio’s motion to dismiss plaintiffs’ Wiretap Act, state law video privacy, negligent misrepresentation, affirmative fraud, and California false advertising claims with leave to amend.  
Vizio’s motion was denied as to plaintiffs’ VPPA, fraudulent omission, state privacy law, and unjust enrichment claims.  With respect to the Wiretap Act claims, the court found that plaintiffs failed to adequately plead simultaneous interception (relying instead on vague allegations about how Vizio’s data collection occurred in “real time”), but did not reach Vizio’s argument that its collection and disclosure software does not capture the “contents” of electronic communication. [353]   On March 23, 2017, plaintiffs filed a second consolidated complaint that dropped all of the dismissed causes of action except the Wiretap Act claims. [354]   Addressing the deficiencies in the prior complaint, plaintiffs now alleged that Vizio’s software takes samples of the programming displayed on a TV at any point in time and sends fingerprints of those samples to the centralized fingerprint matching server to compare against already existing fingerprints in the database, a process that operates sufficiently fast to provide “at least some context-sensitive content substantially simultaneously with at least one targeted video.” [355] On April 13, 2017, Vizio moved to dismiss plaintiffs’ Wiretap Act claims for failure to state a claim, attacking only whether its software captures the “contents” of electronic communications. [356]   Denying dismissal on July 25, 2017, the court ruled that because the intended message conveyed by Vizio’s software communication is the program being watched, the intercepted data extends beyond metadata to samples of the actual content. 
[357]   The court also dismissed Vizio’s assertion that its software does not collect the contents of electronic communications because the samples are “tiny” and “unrecognizable,” noting that the standard for determining whether information qualifies as content data does not depend on how much content is collected or whether the intercepted information would be “recognizable.” [358] In its motion to dismiss, Vizio also argued that plaintiffs’ demand for injunctive relief was moot because a recent agreement with the FTC and New Jersey Attorney General—in which Vizio was fined $2.2 million and agreed to obtain affirmative express consent before collecting any consumer data—ensured the offensive data collection had stopped. [359]  Finding that the agreements were insufficient to ensure that Vizio’s improper data collection would not recur, the court denied Vizio’s motion to dismiss on mootness grounds. [360]

Satchell v. Sonic Notify, Inc.  In a class action filed in August 2016, plaintiff alleged that the Golden State Warriors’ mobile app, developed by YinzCam, uses the phone’s microphone to track users’ locations by picking up on sonic beacons built by Signal360, and violates the Wiretap Act by secretly recording users’ conversations in the process. [361]   Defendants moved to dismiss on November 1, 2016, and on February 13, 2017, the court granted the motion in part and denied it in part. [362]   The court ruled that although plaintiff alleged sufficient facts to demonstrate she suffered an injury in fact from the purported spying, she did not sufficiently allege a violation of the Wiretap Act because she failed to show how the defendants intercepted and then used those oral communications. [363]   Plaintiff filed an amended complaint on March 13, 2017, [364] in which the court determined she cured those defects by alleging sufficient facts to show defendants intercepted an oral communication. 
[365]   In a November 20, 2017 decision denying defendants’ motion to dismiss, the court explained, “Plaintiff cites at least four instances where she had her phone with her, the app was running and she had conversations about private matters, including nonpublic information during a business meeting and private financial matters.” [366]  However, the court dismissed YinzCam from the lawsuit, ruling that plaintiff failed to demonstrate that the company was more than a conduit for the alleged communications that were intercepted by the Warriors and Signal360. [367]

Rackemann v. Lisnr, Inc. et al.  In October 2016, the NFL’s Indianapolis Colts, and audio software companies involved in creating the Colts’ mobile app, faced similar allegations that beacon technology was used to spy on the conversations of fans using the team’s app. [368]   Defendants moved to dismiss, and on September 29, 2017, the court denied defendants’ motion with respect to plaintiff’s interception claims and granted it with respect to the use claims.  Regarding interception, the court rejected defendants’ argument that plaintiff must allege specific details of communications that may have been intercepted, finding that it was reasonable to infer that plaintiff’s smartphone was activated while he was engaged in a private conversation over a four-year period. [369]  The court also found that plaintiff adequately pleaded that his communications were captured and the content acquired, as he asserted that the app recorded portions of audio, including private conversations, captured by the phone’s microphone, and that the audio was analyzed by defendants. [370]   Following the Sixth Circuit’s recent decision in Luis v. Zang, the court refused to dismiss Adept Mobile, the audio software company that, among other things, maintained the code for the app and integrated the audio technology into the app. 
[371]   Citing the Sixth Circuit, the court explained that “allegations of defendants working in concert or participating in the interception of communications can suffice to state a claim.” [372]   The court did, however, dismiss plaintiff’s claim that defendants “used” intercepted data, as plaintiff pled no facts showing that the contents of plaintiff’s communications, as opposed to beacon signals, were used to send targeted advertising. [373]

Zak v. Bose Corp.  In a putative class action, plaintiff accused Bose of violating the Wiretap Act and the Illinois Eavesdropping Statute by secretly collecting, transmitting, and disclosing the private music selections of customers who downloaded Bose’s mobile app. [374]   Bose’s app allows users to pair their mobile devices with Bose wireless headphones and access key features, such as controlling the content they play. [375]   Plaintiff asserted that when he used the Bose app to view information about and control music playing on his Bose headphones, Bose collected and retained the song information displayed in the app. [376]   Plaintiff alleged that this collection constitutes an interception of electronic communications between Bose users and streaming music providers such as Spotify. [377] In a motion to dismiss filed on August 3, 2017, Bose argued that the Wiretap Act does not apply to Bluetooth communications between an app and headphones because such communications operate between devices in close physical proximity, and do not affect interstate or foreign commerce. [378]   Furthermore, Bose contended that the Wiretap Act and the Eavesdropping Statute do not apply to communications where the interceptor is one of the parties, and the communications at issue occurred between plaintiff’s Bose headphones and Bose’s app. [379]

Allen v. Quicken Loans Inc. and Navistone, Inc.  In December 2017, Quicken Loans was hit with a proposed class action alleging it violated the Wiretap Act by installing software on its website that secretly tracks visitors’ keystrokes, mouse clicks, and other electronic communications in order to gather personally identifiable information and de-anonymize their names and addresses. [380]   This action, which was filed in the District of New Jersey, follows two nearly identical lawsuits brought by the same plaintiff’s firm against mattress seller Casper and retailer Moosejaw. [381]

D.     Telephone Consumer Protection Act

The past year has been eventful for actions under the TCPA. [382] Perhaps the most anticipated TCPA topic in 2017—the D.C. Circuit’s ruling in ACA International v. FCC—remains outstanding. [383]   ACA International is a challenge to the FCC’s 2015 omnibus Declaratory Ruling and Order (the “omnibus order”), which, among other things, defined an autodialer to include any equipment with the “potential ability” to store or produce telephone numbers to be called or to call those numbers, as opposed to equipment with the current capability to do this. [384]   The omnibus order also changed the means through which a consumer can revoke consent.  Under the omnibus order, not only may “a called party . . . revoke consent at any time and through any reasonable means,” but “[a] caller may not limit the manner in which revocation [of consent] may occur.” [385]   Oral argument was held in October 2016 and lasted for over two hours, but the D.C. Circuit has yet to issue a decision. In Congress, both sides of the aisle appeared interested in amending the TCPA.  
In late 2016, the House Energy and Commerce Committee’s Subcommittee on Communications and Technology held a hearing on the TCPA wherein a Democratic ranking member applauded a move to modernize the TCPA, [386] and the Republican subcommittee chairman stated “it is increasingly clear that the law is outdated and in many cases, counterproductive.” [387] Though Congress has not yet acted, some of Congress’s possible changes to the TCPA could be to cap statutory damages at $500,000 (matching the Truth in Lending Act’s cap) [388] or to update the TCPA to reflect the increased use of text messaging and the creation of apps that could turn a smartphone into an autodialer.

Yet Democrats and Republicans have not agreed on every TCPA issue in 2017. For example, in March 2017, the FCC received a petition from All About the Message LLC seeking a declaration that the use of ringless robocalls that go straight to voicemail does not violate the TCPA. [389] After the FCC issued a request for public comment, eleven Democratic Senators sent a letter to the FCC urging it to protect consumers from such calls, while the Republican National Committee voiced support for the petition. [390]

Even though Congress did not pass legislation amending the act, FCC leadership changed in 2017. The FCC, which has interpretative authority over the TCPA, is statutorily required to have two commissioners from each party, and, for the past several years, was led by three Democrats and two Republicans. [391] Following the inauguration of President Trump, the FCC now has three Republicans and two Democrats. [392] In the upcoming year, it is likely that the Republican commissioners will scale back FCC enforcement of the TCPA. [393] Commissioner Michael O’Reilly, a Republican, vehemently disagreed with the FCC’s 2015 omnibus order, and Chairman Ajit Pai applauded the D.C. Circuit’s March ruling in Yaakov v. FCC, which held that the FCC lacked the authority under the TCPA to require opt-out notices on solicited faxes. [394] Chairman Pai previously has been critical of plaintiff’s counsel’s choice of litigation targets, noting that these “lawyers have found legitimate, domestic businesses a much more profitable target” for TCPA litigation, rather than “go[ing] after the illegal telemarketers, the over-the-phone scam artists, and the foreign fraudsters.” [395] The sentiment of the current leadership suggests some regulatory restraint in 2018.

The past year also saw the resolution of several closely-watched cases. In Krakauer v. Dish Network LLC, a jury awarded damages to a class of plaintiffs who allegedly received unwanted phone calls. [396] The court ordered treble damages on the basis that Dish allegedly had knowledge that its marketing firm had repeatedly violated the TCPA. [397]

In United States v. Dish Network LLC, the district court found that Dish Network violated the TCPA and state laws through both its direct telephone marketing and third-party telephone marketing campaigns. [398] The civil penalties ordered in the case included awards to both the federal government and the state participants in the suit: California, Illinois, North Carolina, and Ohio. [399] The matter is currently on appeal. [400]

In Birchmeier v. Caribbean Cruise Line, Inc., the parties agreed to a $76 million settlement of a class action accusing several cruise marketing companies of robocalling. [401] The agreement provides a minimum of $135 per call where the vast majority of class members claimed three calls, leaving plaintiffs with a much higher payment than is typical in a TCPA class action settlement of this size. [402]

E. Video Privacy Protection Act

In 2017, courts resolved some significant VPPA-related cases that had been filed in previous years. The VPPA, which was enacted in 1998 following a D.C. newspaper’s disclosure of Supreme Court nominee Judge Robert Bork’s video rental records, [403] prohibits “video tape service providers” from “knowingly” disclosing “personally identifiable information concerning any consumer” to third parties. [404] The VPPA was originally intended as a straightforward rule to prevent video stores from disclosing the video-rental habits of their patrons. Over 20 years later, courts continue to grapple with applying this antiquated law to constantly changing technologies.

This year, courts addressed three main issues as related to the VPPA: (1) standing, (2) the definition of “personally identifiable information,” and (3) the definition of “consumer” or “subscriber.” While there is an emerging consensus on the procedural issue of standing, courts remain split on how to apply the more substantive provisions of the statute.

Both circuit courts to address the issue of standing this year found that an allegation of mere disclosure in violation of the VPPA is sufficient to meet Article III’s standing requirements. In Eichenberger v. ESPN, Inc., plaintiffs alleged that ESPN had disclosed users’ “personally identifiable information” to Adobe Analytics, a third-party analytics company, in violation of the VPPA. [405] Joining every circuit court [406] and all district courts [407] that have addressed the issue post-Spokeo, the three-judge panel held that the plaintiff did not need to allege any further harm beyond a disclosure of “personally identifiable information” to plead Article III standing. [408] As described above, in Spokeo v. Robins the Supreme Court strengthened the requirements for Article III standing, requiring allegations of a concrete injury rather than a mere statutory violation. [409] In finding that disclosure in and of itself constitutes a concrete harm, the Ninth Circuit in Eichenberger explained that the VPPA confers a substantive right to privacy, meaning that “every disclosure” of an individual’s personally identifiable information and video-viewing history “offends the interests” the VPPA protects. [410] Earlier this year, in Perry v. Cable News Network, the Eleventh Circuit similarly found that a disclosure alone, even without any alleged misuse of information, satisfied Article III standing requirements. [411] The precedent set by these decisions sets a low barrier for entry for plaintiffs to bring suit under the VPPA, which may yield an increase in VPPA litigation.

Circuit courts have taken different approaches in addressing the scope of “personally identifiable information,” but the significance of any differences between the two tests is yet to be determined. The VPPA defines “personally identifiable information” to “include[] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” [412] As discussed in our 2016 Year-End Update, the First and Third Circuits articulated two separate tests to determine what information Congress intended to cover in this statute. In Yershov v. Gannett, the First Circuit diverged from virtually all district courts in embracing a broader definition of “personally identifiable information,” holding that it extends beyond a person’s name to include “information reasonably and foreseeably likely to reveal which . . . videos [a person] has obtained.” [413] The court concluded that GPS coordinates and a device ID fell within this definition. [414] In contrast, in In re Nickelodeon Consumer Privacy Litigation, the Third Circuit adopted an “ordinary person” test, finding that “personally identifiable information” includes only information that “would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” [415] In finding that digital identifiers such as MAC addresses and IP addresses did not constitute “personally identifiable information,” it explained that Congress’s purpose in passing the VPPA was narrowly restricted to preventing “disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.” [416] In January 2017, the Supreme Court denied certiorari, [417] declining to address what some have characterized as a split between the two circuit courts.

In Eichenberger, the Ninth Circuit considered both of these standards, but ultimately adopted the narrower “ordinary person” test promulgated by the Third Circuit. Notably, the court instructed that the statute “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.” [418] The court held that the information allegedly disclosed to Adobe by ESPN—(1) the serial number of the plaintiff’s Roku device, and (2) the identity of videos the plaintiff had watched on the WatchESPN Channel application—could not be used by an “ordinary person” to identify an individual. The fact that Adobe might be able to identify the individual with other personal information in its possession, which ESPN never shared nor possessed, was irrelevant.
The court reasoned that this test “fits most neatly” with congressional intent, stating that “the advent of the Internet did not change the disclosing-party focus of the statute.” [419] By assessing liability based on the information disclosed from the disclosing party’s perspective, companies should be able to better assess their compliance with the law. Although these courts have applied different standards, both the Third and Ninth Circuits assert that the practical differences may be minimal. [420]

On the other hand, the Central District of California applied the First Circuit standard in In re Vizio, Inc. Consumer Privacy Litigation. In that case, plaintiffs alleged that Vizio violated the VPPA and the ECPA by using their televisions to secretly collect, and distribute to advertisers, information on customer viewing habits. [421] In denying in part defendants’ motion to dismiss, the court held that the disclosure of “consumers’ MAC addresses and information about other devices connected to the same network” could qualify as “personally identifiable information” under the VPPA because MAC addresses are “frequently linked to an individual’s name and can be used to acquire highly specific geolocation data.” [422] This case will be one to watch this year; the district court denied Vizio an immediate appeal of the decision to the Ninth Circuit, [423] and the next filing regarding a motion to compel was due on January 3, 2018.

The final issue considered by courts this year was the issue of who is a “subscriber,” and thus a “consumer,” under the statute. In Perry v. Cable News Network, the plaintiff alleged that CNN violated the VPPA by tracking his views of news articles and videos on the CNN app and disclosing this information to third parties.
In affirming the dismissal of the putative class action, the court found that the plaintiff did not qualify as a “subscriber” because he had not established an account with CNN, provided any personal information, made any payments, become a registered user, received a CNN ID, or established a CNN profile. [424] Thus, he had not “demonstrated an ongoing commitment or relationship with CNN.” [425] In In re Vizio, on the other hand, the court held that plaintiffs are “subscribers” based on the allegation that Vizio charges them a premium for its smart TVs because of the video content it provides. [426] Additionally, the court found that plaintiffs plausibly alleged that Vizio is a “video tape service provider” because it is engaged in the business of delivering video content. [427]

In 2017, courts sought to add more clarity to VPPA jurisprudence. With the exception of the First Circuit and Central District of California, most courts have interpreted the VPPA narrowly and relieved media companies of liability. Nevertheless, plaintiffs who can clear the Spokeo standing bar are likely to continue to bring suit under the VPPA in the hope of winning substantial statutory damages.

F. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection

There were few cases this year arising under California’s Song-Beverly Credit Card Act, which prohibits merchants from requesting and recording “personal identification information” concerning the cardholder during credit card transactions. [428] The lack of cases is likely due to the impact of the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, [429] which defendants have invoked to defeat class actions brought under Song-Beverly. Indeed, in the one significant case this year, Medellin v. IKEA U.S.A. W., Inc., the representative plaintiff alleged that IKEA had requested and collected her ZIP code as part of her credit card purchases, but conceded that “she alleged only a bare procedural violation of the [Song-Beverly] statute and suffered no other cognizable harm” as required for standing. [430] The Ninth Circuit consequently vacated the district court’s judgment and remanded the case with instructions to dismiss without prejudice for lack of standing—due to the fact that the plaintiff’s claim did not “satisfy the injury-in-fact requirement of Article III.” [431] IKEA appealed to the U.S. Supreme Court, seeking to expand the Spokeo doctrine, but the Supreme Court declined certiorari on October 2, 2017. [432]

The lack of significant Song-Beverly cases in 2017 may be explained in a number of ways. It is likely that some plaintiffs decided to wait for the outcome of the Supreme Court’s certiorari decision in Medellin before moving forward with their case. It is also likely that possible plaintiffs are exploring how best to argue that their Song-Beverly claims satisfy Article III standing requirements, especially after the Medellin plaintiff conceded that her allegations did not. Regardless, we can expect that after Spokeo and Medellin, many plaintiffs were forced to revise their litigation strategy to adapt to these decisions or determine whether California state courts may be a preferred venue, given that Spokeo has evidently narrowed federal class action doctrine. As a result, we may see new cases with novel arguments for standing brought in 2018.

G. Biometric Information Privacy Acts

In 2017, companies have continued to integrate biometric technology into both their products and their day-to-day operations. In previous years, Texas and Illinois enacted legislation regulating the collection and use of certain biometric data.
In July of 2017, Washington became the third state to enact such legislation, requiring in certain circumstances that commercial entities “provid[e] notice, obtain[] consent, or provid[e] a mechanism to prevent the subsequent use” of biometric data before collecting such information. However, like Texas’s law, and unlike the Illinois Biometric Information Privacy Act (“BIPA”), the Washington bill does not provide a private right of action.

The private right of action allowed by the Illinois BIPA continues to energize the plaintiff’s bar, which in 2017 filed dozens of class actions against companies for their allegedly improper collection of alleged biometric information. Plaintiffs in these cases have generally fallen under one of two categories: (1) employees of companies that allegedly utilize biometric information, such as fingerprints, for time keeping purposes; and (2) customers of companies (often in the technology industry) that use alleged biometric information to enhance the consumer experience, such as photo sharing and social media services.

The first category of plaintiffs represents a relatively new trend in BIPA litigation, as 2017 witnessed a surge of class actions by employees of companies using alleged biometric timekeeping methods. For example, in October, employees of Illinois trucking company RJW Transport filed suit against the company, alleging that it captured and stored their fingerprints for timekeeping purposes, “without obtaining informed written consent or publishing its data retention and deletion policies,” as required by statute. Similarly, employees of hotel chain Hyatt filed an action against their employer, claiming that they suffered “serious and irreversible privacy risks,” such as risk of identity theft, as a result of the collection of their fingerprints.
These suits are just two of many class actions filed in relation to alleged biometric timekeeping systems in the past year; however, these cases may come to a quick end in light of a December decision from the Illinois Second District Appellate Court in which the court held that “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover under” BIPA. [433]

Consumer class actions were the second primary category of BIPA cases facing courts this year. There have been two major issues arising out of consumer-driven litigation recently: (1) Article III standing; and (2) the photograph exception of BIPA. Several court opinions in 2017 addressed these issues and will likely affect plaintiffs’ litigation strategies moving forward.

First is the matter of Article III standing. Our 2016 Year-End Update described defendant’s motion to dismiss in In re Facebook Biometric Information Privacy Litigation, a suit in which plaintiffs alleged that Facebook’s facial recognition and photo tagging system violated the Illinois BIPA. Facebook argued that plaintiffs had not suffered a concrete harm sufficient to establish Article III standing. The court stayed Facebook’s motion pending the Ninth Circuit’s decision on remand in Robins v. Spokeo, Inc. The court heard oral argument in November 2017 after that Spokeo decision came down, but has not yet issued a ruling.

Meanwhile, in November, the Second Circuit affirmed dismissal of the complaint in Santana v. Take-Two Interactive Software, Inc. on the ground that plaintiffs, consumers of a video game that used facial recognition technology to create life-like player personas, alleged harms that were merely procedural, and did not show a “risk of real harm” under Spokeo absent allegations that the company was misusing the collected biometric information.
This decision will likely make it difficult, at least in the Second Circuit, for consumer plaintiffs to bring class actions for mere procedural violations of BIPA.

The second key issue impacting consumer class actions this year was whether BIPA covers the practice of scanning facial features from digital photographs; specifically, whether such scanning technologies are excluded from BIPA’s protection of “biometric identifiers” under the statute’s exception for “photographs.” In 2016, in Facebook, the court held that this alleged conduct did not fall under the photographs exception, reasoning that the term “photographs” is listed along with other “low-tech” categories of data in the statute—such as writing samples and physical descriptions—and thus was only intended to refer to “paper prints of photographs, not digitized images.”

In 2017, the Northern District of Illinois reached a similar conclusion about facial scanning technologies, but under a different analysis. In Rivera v. Google, Inc., plaintiffs alleged that Google extracted biometric identifiers from digitized photographs without users’ consent. Google argued in its motion to dismiss that, on a plain reading of the exception, the statute did not regulate biometric data derived from these photographs. The judge rejected Google’s argument, reasoning that although the photographs exception did excuse Google’s storage of the photographs themselves, it did not cover the collection of face geometry data derived therefrom. Furthermore, the judge wrote, there was nothing in the text of the legislation to suggest that biometric identifiers must be derived from a person in real time. Google has since appealed the district court’s decision.

H. Internet of Things and Device Hacking

The Internet of Things (“IoT”) is continuously expanding as traditional devices are becoming increasingly “smart” and connected.
Throughout 2017, alongside the growth of the IoT, there was an increase in regulatory guidance and in regulatory and private actions related to smart and connected devices.

1. Connected and Autonomous Vehicles

Concerns about security breaches and privacy violations related to self-driving and other automobile software have played an important role during recent legislative developments in this area. The House passed the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution, or SELF DRIVE, Act on September 6, 2017. [434] The bill largely allows automakers to set their own cybersecurity standards, including a plan to deal with “reasonably foreseeable vulnerabilities” in their systems. [435] On October 4, 2017, the Senate approved its own version of the bill, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (“AV START”) Act. [436] A recent amendment requires that manufacturers develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks to the motor vehicle safety of automated vehicles. The Senate Commerce Committee plans to hold a hearing on self-driving and other auto technologies on January 24, 2018. [437] For further detail, please see our 2017 client alert Accelerating Progress Toward a Long-Awaited Federal Regulatory Framework for Autonomous Vehicles in the United States.

On June 28, 2017, the FTC and the National Highway Traffic Safety Administration (“NHTSA”) hosted a workshop to examine the consumer privacy and security issues posed by automated and connected cars among industry representatives, consumer advocates, academics, and government officials. [438] In her opening remarks, Acting FTC Chairman Maureen Ohlhausen emphasized the potential benefits of connected cars and stressed that while the FTC would use its enforcement powers under the FTC Act, its approach would be one of “regulatory humility”—aiming to “avoid unnecessary or duplicative regulation that could slow or stop innovation.” She urged Congress to consider data security and data breach notification legislation to “strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.” [439] Highlighting the importance of collaboration between industry and regulators, stakeholders also pointed to self-regulatory efforts such as the Alliance of Automobile Manufacturers’ Privacy Principles for Vehicle Technologies and Services voluntary industry standards, which went into effect in January 2016. [440]

Developments continued on the litigation front as well. In July 2015, Chrysler and Harmon International Industries voluntarily recalled their vehicles because the vehicle computer system (“uConnect”) had design vulnerabilities that could allow hackers to take remote control of the vehicle’s functions. [441] In Flynn v. FCA US LLC, plaintiffs alleged that these vulnerabilities violated the Magnuson-Moss Warranty Act and Michigan, Illinois, and Missouri state laws. [442] In August 2017, the court dismissed all claims that possible future car-hacking could cause injury or death, but allowed plaintiffs to pursue claims that they overpaid for the vehicles in light of the alleged system vulnerabilities. [443] On October 13, 2017, plaintiffs asked the court to certify a class of 1.4 million car owners. [444] Automaker FCA US LLC moved for summary judgment on all plaintiffs’ claims on October 5 and subsequently filed alternative motions for summary judgment against particular plaintiffs. [445] On November 6, 2017, plaintiffs opposed these motions. [446]

In November 2015, in Cahen v. Toyota Motor Corp., the court granted Toyota, Ford, and General Motors’ motions to dismiss a class action complaint alleging, among other claims, that the vehicles’ computers were vulnerable to hacking and privacy violations related to their computer software. [447] In September 2016, plaintiffs appealed to the Ninth Circuit, arguing that the district court erred in holding that plaintiffs failed to establish standing to assert their claims. [448] On December 21, 2017, the Ninth Circuit affirmed the district court’s dismissal, noting that the alleged risks and defects were speculative and that plaintiffs had not pleaded sufficient facts demonstrating how the aggregate collection and storage of non-individually identifiable driving history and vehicle performance data caused an actual injury. [449]

2. Routers, Cloud Storage, and Connected Cameras

On January 5, 2017, the FTC sued D-Link, a provider of wireless routers and IP-connected cameras, in the Northern District of California for alleged violations of the FTC Act. [450] As outlined in our 2016 Year-End Update, the FTC alleged that D-Link engaged in unfair and deceptive practices by advertising its routers and cameras as containing “Advanced Network Security,” while flaws in D-Link’s security allow hackers to easily access consumers’ information and cameras. [451] The complaint against D-Link alleges one count of unfairness relating to D-Link’s failure to secure consumers’ information and five counts of misrepresentation relating to D-Link’s advertising and statements that its routers and internet cameras are secure. [452] On September 19, 2017, the court dismissed the FTC’s unfairness claim and two of the misrepresentation claims under Section 5 of the FTC Act.
The district court ruled that, in the absence of a breach, the FTC had failed to allege that device security flaws caused or were likely to cause substantial consumer harm, and that two misrepresentation claims, which centered on alleged misrepresentations in promotional materials for IP cameras and graphic user interfaces (“GUI”s) for routers, lacked specificity as to the deceptive conduct alleged. [453]  The district court allowed the remaining three misrepresentation claims to continue. [454] 3.      Smart TVs Private actions against smart television manufacturers have continued apace along with the rapid growth of consumer demand for the devices.  In the most prominent case, plaintiffs alleged that Vizio violated the VPPA and the ECPA by using their televisions to secretly collect, and distribute to advertisers, information on customer viewing habits. [455]   In July 2017, the court denied Vizio’s motion to dismiss, finding that the agreement the company struck with the Federal Trade Commission and New Jersey’s Attorney General  was insufficient to ensure that Vizio’s improper data collection would not recur. [456]   Similarly, in March 2017, a proposed class action was filed against Samsung Electronics America Inc. and its parent company Samsung Electronics Co. Ltd., claiming that smart TV devices with the capability to respond to human voices through a built-in “always on” recording device were being used by the company to intercept and record consumers’ private communications inside their homes for profit, violating the New Jersey Consumer Fraud Act. [457]   The case was dismissed without prejudice on September 27, 2017. [458] Sling Media Inc. fared better in the Second Circuit, which in November 2017 affirmed the dismissal of a class action complaint against Sling Media that alleged deceptive business practices in connection with Sling’s introduction of unwanted advertisements into its television streaming service. 
[459]   In a summary order, the panel affirmed the district court’s holding that the complaint and proposed amendments to the complaint failed to plausibly allege a violation of New York General Business Law Section 349, because plaintiffs failed to point to any affirmative statement or omission made by Sling Media that would have misled a reasonable consumer into believing that the service would never include advertisements. [460] 4.      Smart Toys On August 8, 2017, a proposed class action was brought against Viacom by parents of children who, while playing online games via smart phone apps, allegedly had their personal information collected and sold to advertisers. [461]   Plaintiffs allege that Viacom makes and markets to children games that collect user data which is then cross-referenced with the child’s activity across other apps and platforms and used for targeted advertising. [462]   Plaintiffs assert violations of the federal Children’s Online Privacy Protection Act and, on behalf of a California subclass, violations of the California constitutional right to privacy. [463] 5.      Regulatory Guidance On June 21, 2017, the FTC released an updated guidance document for complying with the Children’s Online Privacy Protection Act (“COPPA”), which explicitly identifies connected toys and other IoT devices as being covered under COPPA. [464]   The FTC then issued a clarification on October 23, 2017 that it would not take enforcement action against an operator who—without first obtaining verifiable parental consent—collected an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request (provided the audio that was sought did not contain personal information), and only maintained the file for the brief time necessary for that purpose. 
[465]   The privacy and data security risks for emerging and novel connected devices were further emphasized when, in July 2017, the FBI warned consumers that internet-connected toys present privacy and safety risks for children. [466] The FTC has identified IoT as a privacy enforcement priority and has taken several actions against IoT manufacturers. [467]   In addition to the private actions against Vizio described above, the FTC also brought an enforcement action against Vizio, asserting that the company had violated the unfairness and deception prongs of Section 5 of the FTC Act and that Vizio’s actions caused or were likely to cause “substantial injury” to consumers. [468]   In February 2017, Vizio agreed to pay a $2.2 million fine to resolve allegations by the FTC and the New Jersey Attorney General. [469]  In addition to the fine, the agreement also required Vizio to obtain affirmative express consent prior to collecting any consumer data. [470] The rapid adoption of internet-connected devices has spurred action on international as well as state level.  The European Union Agency for Network and Information Security has joined several semiconductor makers in calling for baseline privacy and cybersecurity requirements for connected devices. [471]   The proposed requirements include certification and labeling of trusted devices. [472]   States also continue to explore new legislation to address this issue.  One of a number of bills pending in state legislatures is California’s SB-327. [473]  If passed, it would require disclosure to consumers of the extent to which “connected devices” are capable of collecting biometric data. [474] I.      Civil Litigation: Cybersecurity Insurance 1.      State of the Market Although still a nascent industry, the cybersecurity insurance market is expected to experience massive growth throughout 2018. 
[475]   This anticipated market expansion is based on persistent cyber threats and new state, federal, and international regulatory schemes. [476] This cybersecurity regulatory fabric includes the already complex web of individual state regulations, as well as a new federal regulatory agency and the European Union’s General Data Protection Regulation (“GDPR”).  Several states—including New York, [477] California, Illinois, Colorado, and Maryland—already contribute to the vast web of regulatory requirements. [478]   For example, as discussed above, a series of class action lawsuits have arisen from Illinois’ Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq., presenting new questions for insurers on how cyber liability insurance policies relate to these actions. [479] The regulation expansion will not only yield industry growth, but will also present significant challenges for insurance companies catering to this complex regulatory landscape. [480]   Ultimately, recent figures estimate that “total annual cyber premiums are expected to rise from $2.5 billion in 2017 to $10 billion by 2020.” [481] 2.      State of the Law – Key Cases a.      Computer Fraud Insurance Provisions One frequently recurring debate in this year’s cases was whether computer fraud insurance provisions covered variations in hacking, intrusions, or cyber-fraud schemes.  The Ninth, Sixth, and Second Circuits all heard arguments or decided cases on these issues. Although each decision depended heavily on the precise wording of an individual insurance policy, several courts held that computer fraud coverage did not apply to email spoofing schemes where the policy holder voluntarily wired money.  For example, in Taylor Lieberman v. Federal Insurance Co., the Ninth Circuit held that a policy’s coverage for computer fraud did not apply when wire transfers were made in response to a hacker who was masquerading as a client. 
[482]   The court rejected the plaintiff’s claims that the fraudulent email constituted an unauthorized entry or trespass into the plaintiff’s computer system. [483]   The Sixth Circuit recently heard arguments on the scope of a computer fraud policy as well in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America. [484]   The litigation was triggered after plaintiff, a tool manufacturer, received an email from a cyber-attacker posing as a vendor and requesting payment. [485]   The plaintiff wired the cyber fraudsters $800,000 as a result of the sham. [486]   When the insurance company denied coverage, the tooling manufacturer sued.  The district court granted summary judgment for the insurance company, reasoning that, “[a]lthough fraudulent emails were used to impersonate a vendor and dupe [the plaintiff] into making a transfer of funds, such emails do not constitute the ‘use of any computer to fraudulently cause a transfer.'” [487]   Relying on the Ninth Circuit’s reasoning, the district court adopted the interpretation that the phrase “fraudulently cause a transfer” required the “unauthorized transfer of funds.” [488]   The district court therefore concluded that plaintiff did not “suffer a ‘direct loss’ that was ‘directly caused by computer fraud.'” [489]   On appeal, the plaintiff contended that such intervening steps should not be dispositive of the analysis when use of a computer is at the heart of the fraud. [490]

The Second Circuit heard arguments in November 2017 in a very similar case, Medidata Solutions, Inc. v. Federal Insurance Co. [491]   Cybercriminals spoofed the email account of the company’s president, resulting in the wiring of $4.7 million from the plaintiff to the cybercriminals. [492]   The insurance company, as in the Sixth Circuit case, disputed whether the insurance agreement’s computer fraud provision covered the incident.
[493]   Here, however, the district court determined that the policy provided coverage for the losses. [494]   The court considered that “the fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity,” [495] and that the losses were directly caused by that computer violation. [496]   The Medidata court distinguished the Ninth Circuit’s decision in Taylor & Lieberman, reasoning that, in Medidata, “Medidata did not suffer a loss from spoofed emails sent from one of its clients,” but rather “[a] thief spoofed emails armed with a computer code into the email system that Medidata used,” and that “the fraud caused transfers out of Medidata’s own bank account.” [497]   The district court therefore held that the policy did in fact cover the fraud, reasoning that the fraudster’s approach in Medidata’s case is the type of unauthorized, “deceitful and dishonest access” contemplated by the ruling in Universal American Corp. v. National Union Fire Insurance Co. [498]   In its amicus brief on appeal, the Surety & Fidelity Association of America contended that “‘[o]utwitting of the computer system is a very different risk than misleading the insured’s human employees — who have the ability to take reasonable steps to confirm the legitimacy of a wire transfer request or direction received by email — and who then make an authorized transfer based upon such request or direction.'” [499]

In a separate type of scheme, a debit card processor’s system flaw allowed pre-paid debit card holders to reuse card balances multiple times. [500]   The district court considered whether this scheme constituted a “computer fraud” within the meaning of the policy and under Georgia law. [501]   The court held that, because the “cardholders ‘used’ telephones to provide responses to prompts from a computer that [plaintiff] owned and operated,” a computer did not perpetrate the scheme.
[502]   The computer fraud provision therefore did not cover any losses from the scheme. [503]

b. Litigation Costs

Another significant area of contention was the coverage for data breach litigation costs.  For example, the Fifth Circuit recently heard arguments in Spec’s Family Partners, Ltd. v. The Hanover Insurance Co., where the plaintiff’s card payment system experienced two data breaches, prompting litigation between the plaintiff and its third-party transaction service provider. [504]   The plaintiff submitted claims to the defendant, its insurance company, to pay for litigation expenses. [505]   Defendant refused to pay. [506]   In the ensuing case, the district court considered the meaning of the “duty to defend,” where plaintiff received demand letters and also instituted its own litigation vis-à-vis the third-party provider. [507]   The court looked to the eight-corners rule in ascertaining whether the insurer had a duty to defend. [508]   That is, the court compared the words of the insurance policy with the allegations of plaintiff’s complaint “to determine whether any claim asserted in the pleading is potentially within the policy’s coverage.” [509]   Here, the policy provided that the insurer had “the right and duty to defend ‘Claim,’ even if the allegations in such ‘Claims’ are groundless[.]” [510]   The definition of a “Claim” included a written demand for damages or non-monetary relief, or “[a]ny complaint or similar pleading initiating a judicial, civil, administrative, regulatory, alternative dispute, or arbitration proceeding[.]” [511]   Because the demand letters were not separate claims against plaintiff Spec’s specifically, they did not meet the definition of a “claim” under the policy.
[512]   Moreover, the court agreed with defendant insurer that “the only claim Spec’s asserted is [the third-party’s] demand for indemnification based on the Merchant Agreement – which is expressly excluded from policy coverage.” [513] The court therefore granted the defendant’s motion for judgment on the pleadings on all grounds. [514]

In a similar matter, a hospital inadvertently sent out the private information of 20,000 patients to job applicants, triggering a lawsuit. [515]   The hospital’s insurer then declined to provide a defense in the underlying action because it considered its policy only excess coverage. [516]   Upon removal to federal court, the hospital contended that the denial of coverage for its defense in the ensuing litigation constituted a breach of contract and a breach of the covenant of good faith. [517]   Finally, in Innovak International, Inc. v. The Hanover Insurance Co., the district court held that an insurance company was not responsible for the defense of a database software company where the claims in the underlying action—failure to implement proper security measures—were not the type of claims covered by the insurance policy, which only covered claims for “personal and advertising injury.” [518]

J. Fair Credit Reporting Act

Credit agencies and employers continued to face Fair Credit Reporting Act class action claims in 2017, which were on the rise from last year [519] despite continued uncertainty resulting from inconsistent lower-court applications of the Supreme Court’s decision in Spokeo, Inc. v. Robins. [520]  Enacted in 1970, the Fair Credit Reporting Act (“FCRA”) promotes the accuracy, fairness, and privacy of consumer information in the files of consumer reporting agencies and protects consumers from the willful and/or negligent inclusion of inaccurate information in their background check reports.
[521]   The FCRA provides for statutory damages of up to $1,000 per “willful” violation, actual damages for negligent violations, punitive damages, and attorney’s fees. [522]

A substantial verdict against TransUnion awarded this year may spur further litigation regarding the accuracy of credit agency reporting. [523]   In June 2017, a California jury awarded $60 million in statutory and punitive damages to a class of more than 8,000 members claiming TransUnion hindered their ability to obtain credit and adversely affected other eligibility decisions by unreasonably linking them with similarly named terrorists and criminals from a government watch list, and by failing to properly notify them of their rights once the mismatches were discovered. [524]   TransUnion has since filed a notice of appeal to the Ninth Circuit. [525]

Meanwhile, courts remain split on how to interpret the FCRA’s requirement of “maximum possible accuracy” in credit reports. [526]   In an August 2017 ruling, the Eleventh Circuit, in dicta, agreed with the Fourth, Fifth, and D.C. Circuit Courts that the standard requires “information that is both technically accurate and not misleading or incomplete,” whereas some courts, including District Courts in Maryland, Connecticut and the Northern District of Alabama, have ruled that the standard requires only that credit reporting agencies report information that is “technically accurate.” [527]   The Eleventh Circuit explained that the difference between the two standards is like “the difference between report[ing] that a person was ‘involved’ in a credit card scam and report[ing] that he was in fact one of the victims of the scam.” [528]

Also increasing in frequency are class action suits alleging that employers ran background checks on prospective hires without prior express, written consent in “a document that consists solely of the disclosure,” as required by the FCRA.
[529]   With mixed success so far, plaintiffs have pursued litigation against, among others, Amazon, [530] Wells Fargo, [531] Michaels Stores, [532] and Home Depot [533] this year.  Many of these cases involve online employment applications that include pages containing FCRA disclosures, putting at issue how to interpret the statute’s requirement of “a document that consists solely of the disclosure” in a world where more companies are turning to web-based forms.  However, while some cases are proceeding, other courts, in light of Spokeo, have been dismissing similar suits for the lack of an injury sufficient to confer Article III standing.

III. Government Data Collection

Unsurprisingly, this past year has witnessed continued friction between tech companies and privacy advocates, on the one hand, and law-enforcement and national security entities on the other.  Two major decisions are expected from the Supreme Court in the coming months, both addressing the scope of the government’s powers under the Stored Communications Act.  These cases are described in greater detail below.  One major debate in 2017, over the future of the Foreign Intelligence Surveillance Act (FISA), ended with a whimper.  Although FISA was set to expire at the end of last year, it is now clear that the status quo will remain in place, if only because lawmakers could not agree about how to amend the law.

A. Challenge to Government “Gag Orders”

As we reported in our 2017 Data Privacy Outlook and Review, Microsoft Corporation sued the U.S. Department of Justice in April 2016 alleging the unconstitutionality of 18 U.S.C. §§ 2703 and 2705(b)—which permit the federal government to issue “[p]reclusion of notice” or “gag” orders preventing cloud storage companies from disclosing government warrants for seizure of user data.
[534]   These orders, which may last “for such period as the court deems appropriate,” must be issued upon application by a government agency if a court finds “reason to believe” that disclosure of the warrant at issue will endanger public safety, jeopardize an ongoing investigation, or unduly delay trial. [535]   Microsoft stated that it had received over 3,250 such orders in the 20 months ending in May 2016. [536]

A number of organizations filed amicus briefs in support of Microsoft, including a group of law professors represented in part by Gibson Dunn; [537] civil liberties organizations such as the Electronic Frontier Foundation; [538] news organizations, including the Associated Press and Fox News; [539] and technology companies, including Apple and Mozilla. [540]

In February 2017, the District Court for the Western District of Washington partially denied the government’s motion to dismiss Microsoft’s claims, finding that the gag orders’ indefinite limitation on Microsoft’s ability to speak about warrants issued under § 2703 was a First Amendment injury sufficient to support standing. [541]   The court also found that Microsoft had sufficiently stated a claim that indefinite § 2705(b) gag orders were unconstitutional prior restraints and content-based restrictions on speech, whether subject to a strict scrutiny analysis or a lesser standard of review. [542]   However, the court rejected Microsoft’s effort to assert its customers’ Fourth Amendment right against unreasonable search and seizure, finding third-party standing disfavored by the Supreme Court and the Ninth Circuit in a wide range of contexts, despite acknowledging that “some of Microsoft’s customers will be practically unable to vindicate their own Fourth Amendment rights.” [543]

Following the lawsuit, the Office of the Deputy Attorney General issued new guidance to federal prosecutors in October 2017 that substantially tightens requirements for obtaining protective orders under § 2705(b).
[544]   Most notably, the new policy bars Department of Justice attorneys from seeking protective orders that delay notice for more than one year “[b]arring exceptional circumstances.” [545]  It also requires that prosecutors explain which of the five conditions set forth in subsection (b) apply to the case at hand and seek protective orders under § 2705(b) only “when circumstances require.”  In response to the policy, Microsoft promptly filed an unopposed motion to voluntarily dismiss its lawsuit, in which it acknowledged that “the new Policy significantly improves DOJ practices under Section 2705(b),” and the motion was granted. [546]

B. Carpenter v. United States and the Collection of Cell Phone Data

On November 29, 2017, the Supreme Court heard oral argument in Carpenter v. United States, a case addressing another aspect of the Stored Communications Act.  Specifically, the Court is considering whether the government violates the Fourth Amendment by obtaining historical cell tower location data pursuant to a court order issued under 18 U.S.C. § 2703(d) rather than a probable cause warrant.  Carpenter is expected to test the limits of the so-called “third-party doctrine,” which holds that government acquisition of information voluntarily provided to a third party—such as call records—is not a search for Fourth Amendment purposes and thus does not require a warrant.

The Carpenter petitioner was convicted of robbing several stores in 2010 and 2011. [547]   During its investigation, the government obtained court orders pursuant to § 2703(d) to obtain “cell site information for [petitioner’s] telephone,” which identified the cell towers to which petitioner’s phone connected when making and receiving calls during a 127-day period encompassing the robberies.
[548]   This data permitted only a rough estimation of petitioner’s location at the times of the calls, but nonetheless allowed the government to place petitioner’s phone in the vicinities of the robberies when they occurred. [549]   Petitioner moved to suppress the cell-site records, arguing that their acquisition without a probable cause warrant violated the Fourth Amendment, and the district court denied his motion. [550]   On appeal, the Sixth Circuit affirmed, analogizing cell tower information to “mailing addresses, phone numbers, and IP addresses”—non-content information used to “facilitate personal communications” in which a person has no reasonable expectation of privacy. [551]   In reaching its decision, the Sixth Circuit relied on two landmark third-party doctrine precedents:  Smith v. Maryland, which held that use of a “pen register” to capture dialed telephone numbers did not implicate a reasonable expectation of privacy, [552] and United States v. Miller, which held that a customer had no reasonable expectation of privacy in account statements, deposit slips, and cancelled checks held by a bank. [553] On appeal to the Supreme Court, the government also cites Smith and Miller in arguing that the third-party doctrine encompasses cell site data, and that its acquisition was not a Fourth Amendment search of petitioner. [554]   In the alternative, the government argues that if that acquisition did constitute a search, it was reasonable in light of the 18 U.S.C. § 2703(d) requirement that the government show “specific articulable facts” to support a court order and the importance of cell site records to law enforcement investigations. 
[555]   Petitioner argues that the retrospective acquisition of long-term cell site data is a Fourth Amendment search, analogizing it to “longer term GPS monitoring.” [556]   Petitioner also urges the Court to look to the future, asserting that “the rule [the Court] adopt[s] must take account of more sophisticated systems that are already in use or development,” and noting that cell site data is becoming both more precise and more voluminous. [557]

The case has garnered significant public attention, with a variety of amici filing briefs in support of petitioner (including, among others, the Center for Democracy and Technology, [558] the Competitive Enterprise Institute, [559] the Electronic Privacy Information Center, [560] the Reporters Committee for Freedom of the Press and a group of nineteen media organizations, [561] a group of 42 privacy and criminal procedure scholars, [562] and a group of 19 technology experts [563]), the government (including, among others, the National District Attorneys Association, [564] a group of 19 state Attorneys General, [565] and Professor Orin Kerr [566]), and of neither party (a group of 15 technology companies including Apple, Google, Facebook, Microsoft, Twitter, Verizon, and others [567]).

C. Electronic Communications Privacy Act Reform Efforts

There are currently two bills pending before Congress to reform the ECPA in ways that would address the issues raised by both the Microsoft gag order litigation and the warrantless collection of geolocation data in Carpenter v. United States.  The Email Privacy Act, [568] introduced by Senators Patrick Leahy (D-Vermont), Mike Lee (R-Utah), and others on July 27, 2017, is a companion bill to the Email Privacy Act passed by the House of Representatives by voice vote in February. [569]   Most significantly, the Email Privacy Act would require law enforcement to obtain a probable cause warrant to acquire the content of all emails or other electronic communications (under 18 U.S.C.
§ 2703 the government can currently obtain the contents of electronic communications that are more than 180 days old via a court order). [570]

Also on July 27, Senators Leahy and Lee introduced the ECPA Modernization Act of 2017. [571]   Like the Email Privacy Act, this bill would require a warrant for acquisition of electronic communication content, [572] but would also add a variety of additional reforms.  First, it would substantially amend 18 U.S.C. § 2705(b) by adding a requirement that a court issuing a § 2705(b) nondisclosure order find “specific articulable facts” supporting its issuance, and by limiting § 2705(b) nondisclosure orders to 90 days (extendable by one or more periods of not more than 90 days). [573]   This change would eliminate the government’s ability to obtain nondisclosure orders of indefinite duration—one of the central issues identified by Microsoft in challenging § 2705(b) and addressed in the Deputy Attorney General’s subsequent guidance document that generally bars “gag” orders lasting more than one year. [574]

Second, the ECPA Modernization Act would amend 18 U.S.C. § 2703 to permit government officials to obtain “stored geolocation information” [575] only pursuant to a warrant supported by probable cause, and would require notice to the subscriber whose geolocation information was accessed within ten days. [576]   Under current law, acquisition of stored geolocation information does not require a warrant, but rather only a court order supported by “specific articulable facts” showing that the information is “relevant and material to an ongoing criminal investigation.” [577]   The constitutionality of warrantless acquisition of this kind of information is the question currently before the Supreme Court in Carpenter v. United States.
Other significant changes proposed in the ECPA Modernization Act include requiring the government to notify a subscriber within 10 days of obtaining the contents of the subscriber’s wire or electronic communications or geolocation information from a third-party cloud storage provider, [578] and explicitly providing a suppression remedy for cloud content or stored or real-time geolocation information obtained without a warrant or otherwise in violation of the law. [579]

A variety of research, advocacy, and technology industry groups and companies have publicly expressed support for the ECPA Modernization Act of 2017, including the Electronic Frontier Foundation, [580] the American Civil Liberties Union, [581] FreedomWorks, [582] Citizens Against Government Waste, [583] the Consumer Technology Association, [584] the Center for Democracy and Technology, [585] the National Association of Criminal Defense Lawyers, [586] and Microsoft. [587]

D. Device Unlocking

The use of biometric security systems—such as facial recognition, fingerprint unlocking, and iris scanning—in mobile devices has become increasingly prevalent in recent years, and has received even greater attention with the introduction of Apple’s Face ID technology in September 2017.  While there remains some division among courts about whether police violate the Fifth Amendment by compelling a suspect to unlock an electronic device using a traditional passcode, [588] courts have recently held—although not without exception—that unlocking a device using a thumbprint is not “testimonial” and thus does not implicate a suspect’s Fifth Amendment right against self-incrimination. [589]   There is currently no case law addressing whether the government may compel a suspect to unlock a device using facial features as opposed to a thumbprint, but the same reasoning is likely to apply.
Thus, while biometric security may offer sufficient protection from intrusion by hackers, it may offer less protection against government access than traditional security measures such as passcodes or PINs.  A new feature in Apple’s most recent operating system, iOS 11, provides one means of addressing this concern.  Pressing the power button on an iOS 11-equipped device five times in rapid succession (the Emergency SOS shortcut) disables biometric unlocking, so the device can then be unlocked only with its PIN or passcode. [590]

E. Extraterritoriality of Subpoenas and Warrants

Before the end of the 2017-18 term, the Supreme Court will determine the scope of the government’s power to obtain information stored overseas under the Stored Communications Act (“SCA”).  This case, now styled United States v. Microsoft Corp., arose in December 2013, when the Southern District of New York issued a warrant under Section 2703 of the SCA requiring Microsoft to produce the contents of an email account. [591]   Microsoft filed a motion to quash, arguing that the data was stored on a server in Ireland and the warrant was an inappropriate extraterritorial application of the SCA. [592]   On April 25, 2014, the district court denied Microsoft’s motion to quash, holding that a warrant under Section 2703 requires the recipient to produce all information in its possession, custody, or control, even if the information is stored abroad. [593]   On July 14, 2016, the Second Circuit reversed and remanded on appeal. [594]   The court concluded that SCA warrants are not equivalent to subpoenas, which may require the production of communications stored overseas, and further held that the case involved an extraterritorial application of the statute because the focus of the SCA is on privacy and a privacy invasion occurs where a customer’s content is accessed. [595]

The government requested rehearing en banc.  On January 24, 2017, the Second Circuit denied the motion in a split four-to-four decision.
[596]   The concurring opinion reiterated the view that the SCA’s focus is on privacy and that the statute protects privacy at the place that data is stored. [597]   Four judges, however, authored dissents, each taking issue with a distinct aspect of Microsoft’s argument. [598]   In particular, Judge Jacobs rejected Microsoft’s analogy to paper documents and reasoned that it is irrelevant where the contents are stored if they are accessible in the U.S.; [599] Judge Cabranes found the conduct at issue to be disclosure, not access, and cautioned that the panel’s decision burdened legitimate law enforcement efforts; [600] and Judge Droney opined that there are no extraterritoriality concerns because the service provider is located domestically. [601]

Since the Second Circuit’s decision, district courts in other circuits have taken the opposing approach.  The District of the District of Columbia, the Northern District of California, and the Eastern District of Pennsylvania each ordered Google to comply with SCA warrants that were directed to the contents of email accounts stored overseas. [602]   The courts found that the focus of the SCA is disclosure, and that a service provider must therefore produce records over which it has sufficient control, regardless of where the records are located. [603]

On October 16, 2017, the Supreme Court granted certiorari. [604] In its brief filed on December 6, 2017, the government first argues that the focus of Section 2703 is on the disclosure of information, not storage. [605]   Even if privacy is the focus of the provision, no search or seizure would occur in Ireland because Microsoft does not interfere with a customer’s possessory interests or reasonable expectation of privacy when it gathers or moves materials in its control. [606]   Rather, any invasion of privacy would occur domestically, when Microsoft discloses information to a third party.
[607]   Next, the government asserts that an SCA warrant resembles a subpoena because it is directed at a person rather than a place, and Microsoft thus must produce all documents under its control. [608]   Lastly, the government contends that its ability to collect information for legitimate law enforcement purposes should not be subject to a company’s business decision of where to store its data. [609]

On January 11, 2018, Microsoft filed its brief, in which it argues that the SCA’s focus is where electronic communications are stored and that a search and seizure occurs in the jurisdiction of the storage. [610]   Thus, according to Microsoft, the disclosure of communications stored abroad is an impermissible extraterritorial application of the SCA. [611]   Oral argument is scheduled for February 27, 2018, and a decision will likely follow this summer.

F. Collection of Records from Third-Party Cloud Providers

On December 13, 2017, the Computer Crime and Intellectual Property Section of the Department of Justice issued internal guidance that instructs prosecutors to request electronic records directly from the enterprise that owns them rather than from its third-party cloud service provider. [612]   Compelling information from cloud computing services may raise several complications, such as delays and the inability of the cloud provider to preserve, access, extract, and decrypt the data. [613]   The guidance permits exceptions if law enforcement believes the company is unwilling to comply, is engaged in criminal conduct, or is unable to disclose the necessary information. [614]   In response to the memorandum, Microsoft praised the policy as “a win” for cloud and enterprise customers. [615]

G. Foreign Intelligence Surveillance Act Section 702

The Foreign Intelligence Surveillance Act (FISA) [616] was passed in 1978 and amended in 2008.
FISA was enacted in order to allow the United States government to conduct electronic surveillance “to acquire foreign intelligence information.” [617]   Foreign intelligence information is defined in the Act as information that relates to terrorism, an attack by a foreign power, or national defense generally. [618]   The Act established a tribunal – the Foreign Intelligence Surveillance Court [619] – to decide, based on classified ex parte proceedings, whether to approve government requests to collect data through FISA.  The FISA Court famously approved the National Security Agency’s PRISM program, which allowed the agency to clandestinely collect certain data, including data on American citizens, from American internet companies such as Google. [620]

FISA Section 702 specifically allows the U.S. government to target the electronic communications of persons reasonably believed to be outside the United States for intelligence collection without a warrant.  The data collected often includes the communications of American citizens who interact with targeted foreigners, so-called “incidental collection.” [621]   Some believe FISA, including Section 702, is constitutionally sound in light of the need to protect U.S. national security, [622] while others believe that the Act violates the First and Fourth Amendments to the Constitution. [623]   This controversial law was set to expire in January 2018 unless reauthorized by Congress.  Both the Senate and House reauthorized Section 702 for an additional six years, largely unchanged, and President Trump signed the bill into law on January 19, 2018. [624]

The past year saw numerous attempts in the House and Senate to reauthorize or overhaul FISA Section 702.
Last October, the Senate Intelligence Committee voted in favor of sending the FISA Amendments Reauthorization Act of 2017 – which was said by its drafters to contain greater protections for civil liberties while maintaining FISA as a powerful tool for national security – to the full Senate. [625] The proposed bill would have required law enforcement to obtain court approval before using information gathered about U.S. citizens in the course of conducting surveillance on foreign nationals, among other changes. [626]   Another FISA reauthorization bill, which passed through the House Intelligence Committee in December 2017 and similarly contained additional restrictions on the use of data collected about U.S. citizens, would have renewed Section 702 for four more years, to the end of 2021. [627]   However, the January 2018 reauthorization of FISA closed the book on the attempts to amend the law to include greater constitutional protections.

Congress’ eleventh-hour reauthorization of FISA after months of debate generated uncertainty around the role of the Act in national defense.  The debate over the constitutionality of FISA is sure to continue and may even impact the 2020 presidential election.

IV. International Regulation of Privacy and Data Security

We address international developments in more detail in our separate International Cybersecurity and Data Privacy Outlook and Review, but below we highlight several international developments that are likely to have important implications for U.S. companies.

A. The European Union

1. General Data Protection Regulation (“GDPR”)

One of the most important and pressing issues for U.S.-based companies over the coming year is the upcoming implementation and enforcement of the GDPR. [628]   For a more complete overview, please see our recently published primer specifically on the GDPR, accessible here.
But as an introduction, here is a quick run-down of some of the most salient facets of the GDPR that are relevant to U.S.-based companies.

The GDPR requires compliance by all companies that process personal data of data subjects within the EU, regardless of whether the company is located in the EU. [629]   It also requires compliance by companies that process data related to monitoring behavior within the EU. [630]   Most international companies will therefore be subject to the GDPR.

The GDPR establishes a high bar for ensuring that a data subject has consented voluntarily to a company’s processing of the subject’s personal data.  Consent cannot be obtained through pressure, and a request for consent must be “clearly distinguishable” from other matters in a written agreement. [631]  The data subject has the right to withdraw consent at any time and must be informed of this right when initially granting consent. [632]   These standards are more stringent than the U.S. standards.

If a company subject to the GDPR performs data processing that will likely entail a high risk to individual privacy rights, the company must conduct a data protection impact assessment (“DPIA”). [633]  The GDPR recommends a DPIA, in particular, when a company is using new technologies. [634]  The DPIA must include a detailed description of the processing operations, an assessment of the necessity and proportionality of the operations relative to their purpose, an assessment of the risks to the rights and freedoms of data subjects, and the measures that will be implemented to address those risks. [635]

The GDPR ensures that its protections will not be undermined by the transfer of data outside the EU or to international organizations that lack the protections of the GDPR.  Data transfers can only take place under the GDPR’s guidelines. [636]   Data transfers to the U.S. from the EU are currently permissible under the EU-U.S.
Privacy Shield, discussed below, as well as under Binding Corporate Rules (“BCRs”) and the use of model contractual clauses. It remains unclear exactly how substantial penalties under the GDPR will be after enforcement begins on May 25, 2018.  Individual countries will be responsible for enforcing the GDPR within their borders, so enforcement likely will vary.  Notably, the GDPR authorizes substantial penalties for non-compliance—up to 4% of a company’s annual global turnover or €20 million, whichever is greater. [637] 2.      EU-U.S. Privacy Shield As noted above, one way that a company may comply with the EU’s requirements for secure data transfers is through the EU-U.S. Privacy Shield Framework.  Administered in the U.S. by the Department of Commerce, the Privacy Shield allows companies to participate voluntarily by establishing a commitment to privacy compliance and self-certifying annually. The EU-U.S. Privacy Shield has been challenged by groups in Europe that claim its protections are inadequate.  But on October 18, 2017, the EU Commission published a report that established that the Privacy Shield, unlike the Safe Harbor framework that preceded it, “ensures an adequate level of protection for personal data that has been transferred from the European Union to organi[z]ations in the U.S.” [638]   Thus, as of this publication, the Privacy Shield stands as a valid option for companies to comply with the GDPR. However, the Commission also noted that “the practical implementation of the Privacy Shield framework can be further improved in order to ensure that the guarantees and safeguards provided therein continue to function as intended.” [639]   The Commission will continue to review the adequacy of the Privacy Shield annually and has provided some recommendations for the U.S. in maintaining the Privacy Shield’s adequacy. [640]   For now, participation in the Privacy Shield can protect companies that perform data transfers between the EU and the U.S.  
But companies must be sure they actually are adhering to the Privacy Shield, and not merely paying lip service to it.  Indeed, U.S. regulators at the FTC have already taken action against several companies that allegedly deceived consumers by falsely claiming participation in the Privacy Shield framework. [641] B.     China and Other International Developments In an increasingly connected world, 2017 also saw many countries outside of the United States try to get ahead of the challenges within the cybersecurity and data protection landscape.  Several international developments bear brief mention here: On June 1, 2017, China’s Cybersecurity Law went into effect, becoming the first comprehensive Chinese law to regulate how companies manage and protect digital information.  The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization) enabling government access to such data before it is exported. [642] Despite protests and petitions by governments and multinational companies, the implementation of the Cybersecurity Law continues to progress with the aim of regulating the behavior of many companies in protecting digital information. [643]   While the stated objective is to protect personal information and individual privacy, and according to a government statement in China Daily, a state media outlet, to “effectively safeguard national cyberspace sovereignty and security,” the law in effect gives the Chinese government unprecedented access to network data for essentially all companies in the business of information technology. [644]   Notably, key components of the law disproportionately affect multinationals because the data localization requirement obligates international companies to store data domestically and undergo a security assessment by supervisory authorities for important data that needs to be exported out of China.  
Though the law imposes more stringent rules on critical information infrastructure operators (whose information could compromise national security or public welfare) in contrast to network operators (whose information capabilities could include virtually all businesses using modern technology), the law effectively subjects a majority of companies to government oversight.  As a consequence, the reality for many foreign companies is that these requirements would likely be onerous, will increase the costs of doing business in China, and will heighten the risk of exposure to industrial espionage. [645]   Despite the release of additional draft guidelines meant to clarify certain provisions of the law, there is a general outlook that the law is still a work in progress, with the scope and definition still vague and uncertain. [646]  Nonetheless, companies should endeavor to assess their data and information management operations to evaluate the risks of the expanding scope of the data protection law as well as their risk appetite for compliance with the Chinese government’s access to their network data. With the growing threat of hacking and identity theft, the Personal Data Protection Commission of Singapore issued proposed advisory guidelines on November 7, 2017 for the collection and use of national registration identification numbers.  The guidance, which covers a great deal of personal and biometric data, emphasized the obligations of companies to ensure policies and practices are in place to meet the obligations for data protection under the Personal Data Protection Act of 2012.  The Commission is giving businesses and organizations twelve months from publication to review their processes and implement necessary changes to ensure compliance. [647] Several other countries, such as Australia and Turkey, also sought to address privacy issues and published important guidelines regarding procedures for deleting, destroying, and anonymizing personal data.  
Other countries like Argentina forged ahead with an overhaul of the country’s data protection regime by publishing a draft data protection bill that would align the country’s privacy laws with the GDPR requirements of the European Union. [648] There has also been civic engagement with the public as a number of countries solicited public comments to certain proposed regulations.  For example, Canada opened up for comments a proposed regulation that would mandate reporting of privacy breaches under its Personal Information Protection and Electronic Documents Act of 2015, while India recently issued a white paper inviting comments that would inform the legal framework for drafting a data protection bill to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” [649] V.     Conclusion We expect 2018 to be another significant year in the development and application of data privacy and cybersecurity law.  As technology and data collection become more sophisticated, companies and governments will continue to explore the potential permissible uses of personal information.  At the same time, the public will continue to debate the ideal balance between the benefits of big data and concerns for privacy and security.  We will be tracking these important issues in the year ahead. [1] Susan Heavey and Dustin Volz, FTC Probes Equifax, Top Democrat Likens It To Enron, Reuters (Sept. 14, 2017), available at https://www.reuters.com/article/us-equifax-cyber-ftc/ftc-probes-equifax-top-democrat-likens-it-to-enron-idUSKCN1BP1VX. [2] Press Release, Federal Trade Commission, Operator of Online Tax Preparation Service Agrees to Settle FTC Charges That it Violated Financial Privacy and Security Rules (Aug. 29, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/08/operator-online-tax-preparation-service-agrees-settle-ftc-charges. [3] Final Order at 1, In the Matter of LabMD, Inc., No. 9357 (F.T.C. July 28, 2016). 
[4] Press Release, Federal Trade Commission, FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy (Aug. 29, 2013), available at https://www.ftc.gov/news-events/press-releases/2013/08/ftc-files-complaint-against-labmd-failing-protect-consumers.
[5] Initial Decision at 13–14, In the Matter of LabMD, Inc., No. 9357 (F.T.C. Nov. 13, 2015).
[6] LabMD, Inc. v. Fed. Trade Comm’n, 678 F. App’x 816, 817 (11th Cir. 2016).
[7] Press Release, Federal Trade Commission, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (Jan. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.
[8] Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-CV-00039-JD, 2017 WL 4150873, at *1 (N.D. Cal. Sept. 19, 2017).
[9] Id. at *5.
[10] Id.
[11] Press Release, Federal Trade Commission, VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent (Feb. 6, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it.
[12] Press Release, Federal Trade Commission, Lenovo Settles FTC Charges it Harmed Consumers with Preinstalled Software on its Laptops that Compromised Online Security (Sept. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled.
[13] Press Release, Federal Trade Commission, Painting the Privacy Landscape: Informational Injury in FTC Privacy and Data Security Cases (Sept. 19, 2017), available at https://www.ftc.gov/public-statements/2017/09/painting-privacy-landscape-informational-injury-ftc-privacy-data-security.
[14] Id.
[15] Bryan Koenig, FTC’s Definition Of Cyber Injury Getting Broader, Chief Says, Law360 (May 17, 2017), available at https://www.law360.com/articles/925071/ftc-s-definition-of-cyber-injury-getting-broader-chief-says.
[16] Allison Grande, Biz Groups Push FTC To Avoid ‘Theoretical’ Privacy Harms, Law360 (Nov. 1, 2017), available at https://www.law360.com/articles/980724/biz-groups-push-ftc-to-avoid-theoretical-privacy-harms.
[17] Fed. Trade Comm’n v. AT&T Mobility LLC, 864 F.3d 995 (9th Cir. 2017).
[18] Press Release, Department of Health and Human Services, OCR Launches Phase 2 of HIPAA Audit Program (no date), available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/.
[19] Press Release, Department of Health and Human Services, $5.5 million HIPAA settlement shines light on the importance of audit controls (Feb. 16, 2017), available at https://www.hhs.gov/about/news/2017/02/16/hipaa-settlement-shines-light-on-the-importance-of-audit-controls.html.
[20] Press Release, Department of Health and Human Services, Lack of timely action risks security and costs money (Feb. 1, 2017), available at https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html.
[21] Press Release, Department of Health and Human Services, Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k (May 23, 2017), available at https://www.hhs.gov/about/news/2017/05/23/careless-handling-hiv-information-costs-entity.html.
[22] Press Release, Department of Health and Human Services, First HIPAA enforcement action for lack of timely breach notification settles for $475,000 (Jan. 9, 2017), available at http://wayback.archive-it.org/3926/20170127111957/https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html.
[23] Press Release, Department of Health and Human Services, $2.5 million settlement shows that not understanding HIPAA requirements creates risk (Apr. 24, 2017), available at https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html.
[24] Press Release, Department of Health and Human Services, Failure to protect the health records of millions of persons costs entity millions of dollars (Dec. 28, 2017), available at https://www.hhs.gov/about/news/2017/12/28/failure-to-protect-the-health-records-of-millions-of-persons-costs-entity-millions-of-dollars.html.
[25] Department of Health and Human Services, How HIPAA Allows Doctors to Respond to the Opioid Crisis (no date), available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf.
[26] SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[27] Ed Beeson, SEC Likely To Revisit Cybersecurity Guidance, Official Says, Law360 (Nov. 9, 2017, 8:48 PM), https://www.law360.com/cybersecurity-privacy/articles/983742/sec-likely-to-revisit-cybersecurity-guidance-official-says.
[28] Jimmy Hoover, SEC Suits Over Cyber Reporting Could Be On Horizon, Law360 (Apr. 20, 2017, 1:25 PM), https://www.law360.com/privacy/articles/915377/sec-suits-over-cyber-reporting-could-be-on-horizon.
[29] Beeson, supra note 27.
[30] Id.
[31] Chris Isidore, Equifax is investigating executive stock sales, CNN Money (Sept. 29, 2017, 3:19 PM), http://money.cnn.com/2017/09/29/news/companies/equifax-investigation/index.html.
[32] Tom Schoenberg, Anders Melin, and Matt Robinson, Equifax Stock Sales Are the Focus of U.S. Criminal Probe, Bloomberg (Sept. 18, 2017, 12:20 PM), https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe.
[33] Equifax Inc., Quarterly Report (Form 10-Q) at 40 (Nov. 9, 2017), available at https://otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=12372346&CIK=0000033185&Index=10000; see also Hayley Tsukayama, Equifax faces hundreds of class-action lawsuits and an SEC subpoena over the way it handled its data breach, Washington Post (Nov. 9, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach/?utm_term=.ceebfb8dc054.
[34] Public Statement, SEC Chairman Jay Clayton, Statement on Cybersecurity, SEC (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20#_ftnref10.
[35] Id.
[36] Press Release, SEC, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.
[37] Press Release, SEC, SEC Emergency Action Halts ICO Scam (Dec. 4, 2017), available at https://www.sec.gov/news/press-release/2017-219.
[38] Id.
[39] The SEC alleges that Paradis-Royer, believed to be Lacroix’s romantic partner, helped to cover up the scheme when she, among other conduct, registered payments in her name, attempted to resist Quebec authorities when they arrived at Lacroix and Paradis-Royer’s residence, and warned Lacroix of the search. See Compl., ECF No. 1, SEC v. PlexCorps et al., No. 1:17-CV-07007, at ¶¶ 24, 63, 92 (E.D.N.Y. Dec. 1, 2017), available at https://www.sec.gov/litigation/complants/2017/comp-pr2017-219.pdf.
[40] See Compl., ECF No. 1, SEC v. PlexCorps et al., No. 1:17-CV-07007 (E.D.N.Y. Dec. 1, 2017), available at https://www.sec.gov/litigation/complants/2017/comp-pr2017-219.pdf; see also Press Release, SEC, supra note 37.
[41] Press Release, SEC, supra note 37.
[42] David Shepardson, Trump Signs Repeal of U.S. Broadband Privacy Rules, Reuters (Apr. 3, 2017, 7:50 PM), available at https://www.reuters.com/article/us-usa-internet-trump/trump-signs-repeal-of-u-s-broadband-privacy-rules-idUSKBN1752PR.
[43] See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report & Order (“Commission Order”), FCC Dkt. No. 16-148 (Nov. 2, 2016), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1103/FCC-16-148A1.pdf.
[44] David Shepardson, FCC Approves TV Technology that Gives Better Pictures but Less Privacy, Reuters (Nov. 16, 2017, 3:25 PM), available at https://www.reuters.com/article/us-usa-television-technology/fcc-approves-tv-technology-that-gives-better-pictures-but-less-privacy-idUSKBN1DG2XF.
[45] See John Eggerton, Dingell has Privacy Concerns over ATSC 3.0, Broadcasting & Cable (Nov. 8, 2017, 4:52 PM), http://www.broadcastingcable.com/news/washington/dingell-has-privacy-concerns-over-atsc-30/169962.
[46] SS7 is a signaling protocol that supports call setup, routing, exchange, and billing functions in communications networks by transmitting messages between fixed and mobile service providers. See FCC’s Public Safety & Homeland Security Bureau Encourages Implementation of CSRIC Signaling System 7 Security Best Practices, DA-17-799 (Aug. 24, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DA-17-799A1.docx; see also Jenna Ebersole, Dem Lawmakers Urge FCC Action On Cellphone Cybersecurity, Law360 (Mar. 28, 2017, 8:05 PM), https://www.law360.com/articles/906956/dem-lawmakers-urge-fcc-action-on-cellphone-cybersecurity.
[47] FCC, Order, Straight Path Communications Inc., Ultimate Parent Company of Straight Path Spectrum, LLC, Straight Path Spectrum LLC, File No. EC-SED-16-00022575, Acct. No. 201732100003, FRN: 0022779334 (Jan. 12, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DA-17-40A1.pdf.
[48] Stephen Lawson, FCC looks to higher frequencies for 5G mobile, Computerworld (Oct. 22, 2015, 1:44 PM), https://www.computerworld.com/article/2996149/mobile-wireless/fcc-looks-to-higher-frequencies-for-5g-mobile.html.
[49] FCC, Order, Straight Path Communications Inc., supra note 47.
[50] Blog of FCC Chairman Ajit Pai, Consumer Protection Month at the FCC (June 22, 2017, 2:20 PM), https://www.fcc.gov/news-events/blog/2017/06/22/consumer-protection-month-fcc.
[51] Press Release, Federal Communications Commission, Robocall Scammer Faces $120 Million Proposed Fine for Massive Caller ID Spoofing Operation (June 22, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-345470A1.pdf.
[52] Kelcee Griffis, FCC Fines Co. $2.8M For Powering Robocalls To Cellphones, Law360 (July 13, 2017, 4:27 PM), https://www.law360.com/articles/944001/fcc-fines-co-2-8m-for-powering-robocalls-to-cellphones; Press Release, Federal Communications Commission, FCC Proposes $82 Million Fine for Spoofed Telemarketing Robocalls (Aug. 3, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-346059A1.pdf.
[53] Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation, Consumer Financial Protection Bureau (Oct. 18, 2017), available at http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf.
[54] Stakeholder Insights that Inform the Consumer Protection Principles, Consumer Financial Protection Bureau (Oct. 18, 2017), available at http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation_stakeholder-insights.pdf.
[55] See supra note 54.
[56] Press Release, Consumer Financial Protection Bureau, Bureau Seeks to Ensure a Workable Data Aggregation Market that Gives Consumers Protection and Value (Oct. 18, 2017), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-outlines-principles-consumer-authorized-financial-data-sharing-and-aggregation/.
[57] Id.
[58] See supra note 54.
[59] Assurance of Voluntary Compliance, In the Matter of Investigation by Eric T. Schneiderman, Attorney General of the State of New York, of Target Corporation, No. 17-094 (May 15, 2017), available at https://ag.ny.gov/sites/default/files/nyag_target_settlement.pdf.
[60] Id.; see also Press Release, A.G. Schneiderman Announces $18.5 Million Multi-State Settlement With Target Corporation over 2013 Data Breach (May 23, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-185-million-multi-state-settlement-target-corporation-over.
[61] Assurance of Voluntary Compliance, In re Nationwide Mutual Ins. Co. and Allied Prop. & Casualty Ins. Co. (Aug. 3, 2017), available at https://ag.ny.gov/sites/default/files/nationwide-aod.pdf; see also Press Release, A.G. Schneiderman Announces $5.5 Million Multi-State Settlement With Nationwide Mutual Insurance Company Over 2012 Data Breach (Aug. 9, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-55-million-multi-state-settlement-nationwide-mutual.
[62] Id.
[63] Press Release, Federal Trade Commission, Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security (Sept. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled.
[64] Press Release, Attorney General Becerra Announces $3.5M Settlement with Lenovo for Preinstalling Software that Compromised Security of its Computers (Sept. 5, 2017), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-35m-settlement-lenovo-preinstalling-software.
[65] Press Release, AG’s Office Alleges Company Failed to Protect Personal Information of Nearly Three Million Massachusetts Residents, Despite Knowing its System was Vulnerable to Hackers (Sept. 19, 2017), available at http://www.mass.gov/ago/news-and-updates/press-releases/2017/2017-09-19-equifax-lawsuit.html; see also Complaint, Commonwealth of Massachusetts v. Equifax, Inc. (Suffolk Sup. Ct. Sept. 19, 2017).
[66] Memorandum in Support of Plaintiffs’ Motion for Transfer of Actions to the Northern District of Georgia and for Consolidation Pursuant to 28 U.S.C. § 1407, In re: Equifax Inc., Consumer Data Security Breach Litigation, MDL Dkt. No. 2800 (Judicial Panel on Multidistrict Litigation, Sept. 11, 2017), available at http://www.almcms.com/contrib/content/uploads/sites/292/2017/09/Equifax-MDL-motion.pdf.
[67] Press Release, Attorney General Becerra Announces $2 Million Settlement Involving Santa Barbara-based Cottage Health System Over Failure to Protect Patient Medical Records (Nov. 22, 2017), available at https://www.oag.ca.gov/news/press-releases/attorney-general-becerra-announces-2-million-settlement-involving-santa-barbara.
[68] Id.; see also Complaint for Injunction, Civil Penalties, and Other Equitable Relief, California v. Cottage Health et al., No. 17CV05269 (Sup. Ct. County of Santa Barbara, Nov. 15, 2017), available at https://www.oag.ca.gov/system/files/attachments/press_releases/Conformed%20Cottage%20Complaint%20SIGNED.PDF.
[69] Stipulation for Entry of Final Judgment and Permanent Injunction, California v. Cottage Health, et al., No. 17CV05269 (Sup. Ct. County of Santa Barbara, Nov. 15, 2017).
[70] Id.
[71] Press Release, A.G. Schneiderman Announces $700,000 Joint Settlement With Hilton After Data Breach Exposed Hundreds of Thousands of Credit Card Numbers (Oct. 31, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed.
[72] Id.; N.Y. Gen. Bus. Law § 899-aa(2) (McKinney 2017).
[73] Press Release, New Jersey Division of Consumer Affairs, Federal Trade Commission Reach $2.5 Million Settlement with Smart TV Manufacturer to Settle Allegations of Invasive Data Collection (Feb. 6, 2017), available at http://nj.gov/oag/newsreleases17/pr20170206a.html.
[74] Id.; see also Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission, et al. v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), available at http://nj.gov/oag/newsreleases17/Vizio-Order.pdf.
[75] Id.
[76] Washington State Attorney General’s Office, 2017 Data Breach Report, available at http://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Home/Safeguarding_Consumers/Data_Breach/2017%20Data%20Breach%20Report%20Final.pdf.
[77] 23 NYCRR 500, available at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
[78] Id.
[79] Id.; see also Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500), N.Y. Dep’t of Fin. Servs., http://www.dfs.ny.gov/about/cybersecurity.htm (last visited Jan. 23, 2018).
[80] Id.
[81] Proposed Financial Services Regulations, N.Y. Dep’t of Fin. Servs., http://www.dfs.ny.gov/legal/regulations/proposed/propdfs.htm (last visited Jan. 23, 2018).
[82] Executive Order 13,800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017).
[83] Id. at 1.
[84] Id. at 1–2.
[85] Id. at 4.
[86] See Press Release, Final IT Modernization Report (Dec. 13, 2017), available at https://www.whitehouse.gov/articles/final-modernization-report/; Report to the President on Federal IT Modernization, available at https://itmodernization.cio.gov/.
[87] Executive Order 13,800, supra note 82, at 5.
[88] Id. at 5–6.
[89] Id. at 6.
[90] Id.
[91] A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, National Telecommunications and Information Administration, U.S. Dep’t of Commerce (Jan. 5, 2018), available at https://www.ntia.doc.gov/report/2018/report-president-enhancing-resilience-internet-and-communications-ecosystem-against.
[92] Id. at 6–7.
[93] Id. at 7.
[94] Id.
[95] Id.
[96] Id. at 7–8.
[97] Id. at 8–9.
[98] Lily Hay Newman, Taking Stock of Trump’s Cybersecurity Executive Order so Far, WIRED (Sept. 3, 2017), available at https://www.wired.com/story/trump-cybersecurity-executive-order/.
[99] See, e.g., Sonam Sheth, Over a Quarter of the Members on Trump’s Cybersecurity Advisory Council Have Resigned En Masse, Business Insider (Aug. 28, 2017), available at http://www.businessinsider.com/members-of-trump-cybersecurity-council-resign-2017-8.
[100] Joseph Marks, Trump Administration Plans a New Cybersecurity Strategy, Defense One (Oct. 25, 2017), available at http://www.defenseone.com/technology/2017/10/trump-administration-plans-new-cybersecurity-strategy/142042/.
[101] Vulnerabilities Equities Policy and Process for the United States Government (Nov. 15, 2017), available at https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF.
[102] Id. at 1.
[103] Id. at 3–4.
[104] Id. at 6–7.
[105] Id.
[106] Id. at 7–8.
[107] Id. at 13–14.
[108] David Shepardson, Trump Signs Repeal of U.S. Broadband Privacy Rules, Reuters (Apr. 3, 2017), https://www.reuters.com/article/us-usa-internet-trump/trump-signs-repeal-of-u-s-broadband-privacy-rules-idUSKBN1752PR.
[109] Richard Lawler, Trump Signs Bill Rolling Back FCC Privacy Rules for ISPs, Engadget (Apr. 3, 2017), https://www.engadget.com/2017/04/03/trump-signs-bill-rolling-back-fcc-privacy-rules-for-isps/.
[110] Id.
[111] Shepardson, supra note 108.
[112] See generally 50 U.S.C. § 1881 (2012).
[113] See, e.g., 50 U.S.C. § 1881a.
[114] The FISA Amendments Act: Q&A, Office of the Director of National Intelligence, https://www.dni.gov/files/icotr/FISA%20Amendments%20Act%20QA%20for%20Publication.pdf.
[115] H.R. 139, 115th Cong. (2017).
[116] S. 2010, 115th Cong. (2017); see also David Shortell, Senate Intel Advances Bill to Reauthorize Spying Program with Minimal Reform, CNN (Oct. 27, 2017), http://www.cnn.com/2017/10/26/politics/fisa-702-reauthorization-bill-advanced/index.html.
[117] Pub. L. No. 115-96 (2017); see also Matthew Kahn, Congress Buys Itself Another Three Weeks on Section 702, Lawfare (Dec. 22, 2017), https://www.lawfareblog.com/year-review-fisa-section-702.
[118] H. 137, 115th Cong. (2017); see also Charlie Savage, Eileen Sullivan & Nicholas Fandos, House Extends Surveillance Law, Rejecting New Privacy Safeguards, N.Y. Times (Jan. 11, 2018), https://www.nytimes.com/2018/01/11/us/politics/fisa-surveillance-congress-trump.html.
[119] See Ted Barrett and Ashley Killough, Senate Passes FISA Section 702 Reauthorization, CNN Politics (Jan. 18, 2018), http://www.cnn.com/2018/01/18/politics/fisa-reauthorization-senate-vote/index.html.
[120] See Gregory Korte and Erin Kelly, Trump signs bill extending surveillance law – the same law he says was used to spy on him, USA Today (Jan. 19, 2018), https://www.usatoday.com/story/news/politics/onpolitics/2018/01/19/trump-signs-bill-extending-surveillance-law-same-law-he-says-used-spy-him/1049663001/.
[121] See Andrew Liptak, President Donald Trump Has Signed the FISA Reauthorization Bill, The Verge (Jan. 20, 2018), https://www.theverge.com/2018/1/20/16913534/president-donald-trump-signed-fisa-amendments-reauthorization-act-of-2017-section-702.
[122] See 18 U.S.C. § 2510 (2012).
[123] H.R. 387, 115th Cong. (2017).
[124] Mario Trujillo, House Unanimously Passes Email Privacy Bill, The Hill (Apr. 27, 2016), http://thehill.com/policy/technology/277897-house-unanimously-passes-bill-to-protect-email-privacy.
[125] S. 1654, 115th Cong. (2017).
[126] H.R. 1616, 115th Cong. (2017); see also Michael Macagnone, House Authorizes National Cyber Security Center, Law360 (May 16, 2017), https://www.law360.com/privacy/articles/924495.
[127] Pub. L. No. 115-76 (2017).
[128] H.R. 4081, 115th Cong. (2017); S. 2124, 115th Cong. (2017).
[129] Mike Lennon, U.S. Senators Introduce SEC Cybersecurity Disclosure Legislation, Security Week (Dec. 18, 2015), http://www.securityweek.com/us-senators-introduce-sec-cybersecurity-disclosure-legislation.
[130] See Security Breach Notification Laws, National Conference of State Legislatures (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (listing the 47 states, along with the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, that have passed data breach notification laws).
[131] See Nat’l Conference of State Legislatures, Cybersecurity Legislation 2017, http://ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx (last visited Jan. 22, 2018).
[132] See Act of Apr. 3, 2017, Pub. L. No. 115-22, 131 Stat. 88 (2017) (disapproving Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report and Order, 81 Fed. Reg. 87,274 (Dec. 2, 2016)).
[133] See California Consumer Privacy Act of 2018, Initiative No. 17-0027 (Cal. 2018), available at https://oag.ca.gov/system/files/initiatives/pdfs/17-0027%20%28Consumer%20Privacy%29_1.pdf.
[134] Data Breach Notification Act, H.B. 15 (N.M. 2017), available at https://legiscan.com/NM/text/HB15/2017 (defining “personal identifying information” as an “[i]ndividual’s first name or last initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: social security number; driver’s license number; government issued identification number; account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or biometric data”).
[135] Act to Amend Title 6 of the Delaware Code Relating to Breaches of Security Involving Personal Information, H.B. 180 (Del. 2017), available at https://legis.delaware.gov/BillDetail/26009.
[136] H.J.R. 59, 100th Gen. Assemb., 1st Sess. (Ill. 2017), available at http://ilga.gov/legislation/fulltext.asp?DocName=10000HJ0059eng&GA=100&SessionId=91&DocTypeId=HJR&LegID=107003&DocNum=59&GAID=14&Session=&print=true.
[137] See Nat’l Conference of State Legislatures, Cybersecurity Legislation 2017, http://ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx (last visited Jan. 22, 2018) (discussing H.R. 353 (P.R. 2017)); see also H.R. 353 (P.R. 2017), available at http://www.oslpr.org/2017-2020/%7B89C0F2C716C0425EA321DE9FC40CC10A%7D.docx (Spanish-language version).
[138] H.B. 7304 (Conn. 2017), available at https://www.cga.ct.gov/2017/act/pa/pdf/2017PA-00223-R00HB-07304-PA.pdf.
[139] S.B. 33, 64th Legis. Sess. (Wyo. 2017), available at https://legiscan.com/WY/text/SF0033/2017.
[140] S.B. 1028, 217th Leg. (N.J. 2017), available at https://legiscan.com/NJ/text/S1028/2016.
[141] Assemb. B. 2765 (N.Y. 2017), available at http://assembly.state.ny.us/leg/?default_fld=&bn=A02765&term=2017&Summary=Y&Actions=Y&Text=Y&Committee%26nbspVotes=Y&Floor%26nbspVotes=Y.
[142] S.B. 2406-A (N.Y. 2017), available at http://legislation.nysenate.gov/pdf/bills/2017/S2406A. [143] Colo. Rev. Stat. Ann. § 24-72-204.5 (West 2017); Tenn. Code. Ann. § 10-7-512 (West 2017). [144] Conn. Gen. Stat. Ann. § 31-48d (West 2017); Del. Code Ann. tit. 19, § 705 (West 2017). [145]   Conn. Gen. Stat. Ann. § 31-48d(c). [146]   Del. Code Ann. tit. 19, § 705(c). [147] H.B. 2371, 100th Gen. Assemb., 1st Sess. (Ill. 2017), available at http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=91&GA=100&DocTypeId=HB&DocNum=2371&GAID=14&LegID=103007&SpecSess=&Session=. [148] Assemb. B. 4936, 217th Leg. (N.J. 2017), available at https://legiscan.com/NJ/text/A4936/2016; H.B. 3221, 79th Legis. Sess. (Or. 2017), available at https://olis.leg.state.or.us/liz/2017R1/Downloads/MeasureDocument/HB3221. [149] Assemb. B. 276 (Cal. 2017), available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB276. [150]   Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). [151]   Id. at 1545. [152]   Id. [153]  In re Horizon Healthcare Servs. Inc. Data Breach Litig ., 846 F.3d 625, 634–35 (3d Cir. 2017). [154]   Id. at 634–35. [155]   Id. at 640 (footnotes omitted); see also id. (“There is thus a de facto injury that satisfies the concreteness requirement for Article III standing.”) (footnote omitted). [156]   Attias v. Carefirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017). [157]   Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017). [158]   Id. [159]   Beck v. McDonald, 848 F.3d 262, 274–75 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017). [160]   See e.g., In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., No. MC 15-1394 (ABJ), 2017 WL 4129193, at *34–35 (D.D.C. Sept. 
19, 2017) (“Neither complaint directly alleges, or marshals any facts that would support an inference, that those behind this attack are likely to use the information for credit card fraud or identify theft purposes, that they are likely to make it available to other criminals for that purpose, or that the breach has enabled other bad actors to have greater access to the information than they did before.”), appeals docketed, No. 17-5217 (D.C. Cir. Sep. 27, 2017), No. 17-5232 (D.C. Cir. Oct. 12 2017), No. 18-1182 (Fed. Cir. Nov. 15, 2017); In re VTech Data Breach Litig., No. 15 CV 10889, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017) (“Plaintiffs here fail to make the connection between the data breach they allege and the identity theft they fear.  Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft.”); Nayab v. Capital One Bank, N.A., No. 3:16-CV-3111-CAB-MDD, 2017 WL 2721982, at *2–3  (S.D. Cal. June 23, 2017) (finding that allegations of “increased risk” of identity theft were “speculative and conjectural”), appeal docketed, No. 17-55944 (9th Cir. July 5, 2017). [161]   In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017). [162]   Id. at 765–67 . [163]   Id. at 769 (citing Attias, 865 at 625–29; Whalen, 689 F. App’x at 89–91;Beck, 848 F.3d at 273–76; Galaria v. Nationwide Mut. Ins., 663 F. App’x. 384, 387–90  (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966–69 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–93  (7th Cir. 2015)). [164]   Id. at 769, 771 (citation omitted). [165]   Id. at 772–74. [166]   See Robins v. Spokeo, Inc., 867 F.3d 1108, 1117 (9th Cir. 2017), petition for cert. filed, No. 17-806 (U.S. Dec. 6, 2017). [167]   Id. [168]   Syed v. M-I, LLC, 853 F.3d 492, 499–500  (9th Cir. 2017), cert. denied, No. 16-1524, 2017 WL 2671483 (U.S. Nov. 13, 2017). [169]   Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017). [170]   Id. 
[171]   See Perry v. Cable News Network, Inc., 854 F.3d 1336, 1340–41  (11th Cir. 2017) (“We conclude that violation of the VPPA constitutes a concrete harm. . . . The structure and purpose of the VPPA supports the conclusion that it provides actionable rights.”) (citations omitted). [172]   See e.g., Aguirre v. Absolute Resolutions Corp., No. 15 C 11111, 2017 WL 4280957, at *5 (N.D. Ill. Sept. 27, 2017) (FDCPA case); Hargrett v. Amazon.com DEDC LLC, 235 F. Supp. 3d 1320, 1326 (M.D. Fla. 2017) (FCRA case);  Bock v. Pressler & Pressler, LLP, 254 F. Supp. 3d 724, 734–737 (D.N.J. 2017) (FDCPA case). [173]   See Groshek v. Time Warner, Inc., 865 F.3d 884, 887 (7th Cir. 2017). [174]   Id. at 889. [175]   Dreher v. Experian Info. Sols., Inc., 856 F.3d 337, 346–47 (4th Cir. 2017). [176]   See id. at 347. [177]   See Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76, 81–82 (2d Cir. 2017); Katz v. Donna Karan Co., L.L.C., 872 F.3d 114, 121 (2d Cir. 2017) (“FACTA does not prohibit printing the [credit card] issuer identity on a receipt . . . .”). [178]   See e.g., Fullwood v. Wolfgang’s Steakhouse, Inc., No. 13 CIV. 7174 (KPF), 2017 WL 5157466, at *5–6 (S.D.N.Y. Nov. 3, 2017); Kamal v. J. Crew Grp., Inc., No. CV 2:15-0190 (WJM), 2017 WL 2443062, at *4–5 (D.N.J. June 6, 2017). [179]   See Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 913 (7th Cir. 2017). [180]   Id. at 910. [181]   See Santana v. Take-Two Interactive Software, Inc., — F. App’x —-, 2017 WL 5592589, at *5 (2d Cir. Nov. 21, 2017). [182]   Id. at *2–3. [183]   See Satchell v. Sonic Notify, Inc., 234 F. Supp. 3d 996, 1005 (N.D. Cal. 2017) (holding that the plaintiff alleged an adequate injury based on allegation that the “[d]efendants captured and listened to private conversations without her knowledge or consent”). [184]   See In re Vizio, Inc., Consumer Privacy Litig., 238 F. Supp. 3d 1204, 1215–17 (C.D. Cal. 2017). [185]   E.g., Whitaker v. Appriss, Inc., 229 F. Supp. 3d 809, 812–17 (N.D. Ind. 
2017); Hatch v. Demayo, No. 1:16CV925, 2017 WL 4357447, at *3–6 (M.D.N.C. Sept. 29, 2017). [186]   Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037, 1043 (9th Cir. 2017). [187]   See Leyse v. Lifetime Entm’t Servs., LLC, 679 F. App’x 44, 46 (2d Cir. 2017); Susinno v. Work Out World Inc., 862 F.3d 346, 352 (3d Cir. 2017). [188]   See e.g., Melito v. Am. Eagle Outfitters, Inc., No. 14-CV-2440 (VEC), 2017 WL 3995619, at *7 (S.D.N.Y. Sept. 11, 2017) (certifying class and approving class settlement over objections, and holding that the “receipt of an unconsented to voicemail message was sufficient to establish a concrete injury”),appeal docketed, No. 17-3277 (2d Cir. Oct 10, 2017); Heather McCombs, D.P.M., L.L.C. v. Cayan LLC, No. 15 C 10843, 2017 WL 1022013, at *4 (N.D. Ill. Mar. 16, 2017) (holding “that in pleading the receipt of an unsolicited fax advertisement in violation of the TCPA, Plaintiff has alleged a particularized and concrete injury sufficient to satisfy Article III”),  appeal dismissed, No. 17-1946, 2017 WL 5185363 (7th Cir. July 7, 2017). [189]   Legg v. PTZ Ins. Agency, Ltd., 321 F.R.D. 572, 577–78 (N.D. Ill. 2017), appeal docketed, No. 17-8018 (7th Cir. Aug. 31, 2017). [190]   Allison Grande,Spokeo Wants Justices To Revisit Last Year’ s Standing Ruling, Law360 (Dec. 13, 2017, 10:50 PM), https://www.law360.com/cybersecurity-privacy/articles/994507/spokeo-wants-justices-to-revisit-last-year-s-standing-ruling. [191]   Allison Grande, Spokeo Standing Fight Won’t Go Another Round At High Court , Law360 (Jan. 22, 2018, 4:15 PM), https://www.law360.com/cybersecurity-privacy/articles/1004192/spokeo-standing-fight-won-t-go-another-round-at-high-court.  [192]  Michael Riley, Jordan Robertson, and Anita Sharpe, The Equifax data breach has the hallmarks of state-sponsored pros , Bloomberg Businessweek (Sept. 29, 2017), https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.  
[193]  See, e.g., Compl., Allen et al v. Equifax, Inc., No. 1:17-cv-04544 (N.D. Ga. Nov. 10, 2017); see also Wolf Richter, Equifax’s data breach will cost it for months to come, Business Insider (Nov. 11, 2017), http://www.businessinsider.com/equifax-data-breach-will-keep-costing-it-for-months-to-come-2017-11 .  [194]  Id.  [195]  See Compl., People of the State of California v. Equifax, Inc., No. CGC-17-561529 (Sep. 26, 2017); Compl., City of Chicago v. Equifax, Inc., 2017-CH-13047 (Sep. 28, 2017).  [196]  Compl., Commonwealth of Massachusetts v. Equifax, Inc., No. 1784CV03009 (Sep. 19, 2017).  [197]  Renae Merle, After the breach, Equifax now faces the lawsuits, Washington Post (Sep. 22, 2017), https://www.washingtonpost.com/news/business/wp/2017/09/22/after-the-breach-equifax-now-faces-the-lawsuits/?utm_term=.185a237742fb .  [198]  Compl., Kuhns et al. v. Equifax, Inc., No. 1:17-cv-03463 (N.D. Ga. Sep. 8, 2017).  [199]  See, e.g., Knepper v. Equifax Information Servs., LLC., No. 2:17-CV-02368 (D. Nev. Oct. 2, 2017) (order granting motion to stay pending consolidation).  [200]  In re Equifax, Inc. Customer Data Security Breach Litigation , MDL No. 2800 (J.P.M.L. Dec. 6, 2017).  [201]  Teri Robinson, Open AWS S3 bucket exposes sensitive Experian and census info on 123 million U.S. households , SC Magazine (Dec. 20, 2017), https://www.scmagazine.com/open-aws-s3-bucket-exposes-sensitive-experian-and-census-info-on-123-million-us-households/article/720067/ .  [202]  Id.  [203]  Id. [204]   Ray Schultz, Alteryx Slammed with Two Data Breach Suits, Email Marketing Daily (Dec. 22, 2017), https://www.mediapost.com/publications/article/312126/alteryx-slammed-with-two-data-breach-suits.html. [205] Elec. Privacy Info. Ctr. v. FBI , No. 1:17-cv-00121 (D.D.C. Jan. 18, 2017). [206] Compl., Microsoft Corp. v. Does 1-12, No.2016-cv-00993 (E.D. Va. Filed Aug. 3, 2016), at ECF No. 
1; see also Kevin Poulsen, Putin’s Hackers Now Under Attack – From Microsoft, Daily Beast (July 20, 2017), https://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network . [207] Selena Larson, Data of almost 200 million voters leaked online by GOP analytics firm , CNN (June 19, 2017), http://money.cnn.com/2017/06/19/technology/voter-data-leaked-online-gop/index.html?iid=EL . [208] Id . [209] Compl., McAleer et al v. Deep Root Analytics, LLC, No. 6:17-cv-01142 (M.D. Fl. June 21, 2017). [210] Order, McAleer et al v. Deep Root Analytics, LLC, No. 6:17-cv-01142 (M.D. Fl. Nov. 7, 2017). [211]   Callum Borchers, What we know about the 21 states targeted by Russian hackers , Washington Post (Sept. 23, 2017), https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/what-we-know-about-the-21-states-targeted-by-russian-hackers/?utm_term=.28d2dcb475c7 . [212]   Id. [213] See, e.g. , Compl., Weiss et al. v. Arby’s Restaurant Group, Inc., No. 1:17-cv-01035 (N.D. Ga., Mar. 22, 2017). [214] See, e.g. , Compl., Bellwether Comm. Credit Union v. Chipotle Mexican Grill, Inc. , No. 1:17-cv-01102 (D. Colo., May 4, 2017). [215] See, e.g. , Order, In re Sonic Corp. Customer Data Security Breach Litig., No. 2807 (JPML, Dec. 15, 2017); David P. Willis, Sonic Drive-In hit by security breach, Asbury Park Press (Sept. 27, 2017), https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/ . [216] Josh Magness & Donovan Harrell, Pizza Hut was hacked, company says, Miami Herald (Oct. 14, 2017, updated Oct. 18, 2017), https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/ . [217] Compl., Yoachim et al. v. Pizza Hut Inc., No. 17-cv-1675 (W.D. Wash., Nov. 7, 2017). [218] Jamie Biesiada, Sabre sued for data breach of hotel res system, Travel Weekly (July 14, 2017), http://www.travelweekly.com/Travel-News/Travel-Technology/Sabre-sued-for-data-breach-of-hotel-res-system . [219] Compl., Orr v. 
InterContinental Hotels Group, PLC, No. 1:17-cv-01622 (N.D. Ga., May 5, 2017). [220] Compl., Banus v. Whole Foods Market Group, Inc., No. 1:17-cv-02132 (N.D. Ohio, Oct. 10, 2017). [221]   Largest Healthcare Data Breaches of 2017, HIPAA J. (Jan. 4, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/. [222]   Id. [223] Marianne Kolbasuk McGee, Breach involving encrypted devices raises questions, Health Care Info Security (Mar. 23, 2017), https://www.healthcareinfosecurity.com/breach-involving-encrypted-devices-raises-questions-a-9789 . [224]   Largest Healthcare Data Breaches of 2017, HIPAA J. (Jan. 4, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/. [225] Compl., Palmer v. Bowling Green-Warren Cnty. Comm. Hosp. Corp., No. 17-CI-00579 (Cir. Ct. Warren Cnty., May 12, 2017). [226] Jeff John Roberts, Law firm DLA Piper reels under cyber attack, fate of files unclear , Fortune (June 29, 2017), https://www.healthcareinfosecurity.com/breach-involving-encrypted-devices-raises-questions-a-9789 . [227] Guardian to fight legal action over Paradise Papers , The Guardian (Dec. 18, 2017), https://www.theguardian.com/uk-news/2017/dec/18/guardian-bbc-legal-action-paradise-papers?CMP=Share_iOSApp_Other . [228] Id . [229] Id . [230] See Order, In re: Yahoo! Inc. Customer Data Sec. Breach Litigation, No. 16-MD-02752-LHK, 2017 WL 3727318 (N.D. Cal. Aug. 30, 2017). [231] Id. at *17. [232] Id . at *53. [233] In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 266 F. Supp. 3d 1 (D.D.C. 2017). [234] Id . at 20, 28. [235] Id . at 36-38. [236] Id . at 39-47, 49-50. [237] In re VTech Data Breach Litig., No. 1:15-cv-10889, -10891, -11620, -11885, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017). [238] Id . [239] Amended Complaint, In re VTech Data Breach Litig., No. 1:15-cv-10889, -10891, -11620, -11885 (N.D. Ill. Aug. 17, 2017). 
[240]   Electronic Toy Maker VTech Settles FTC Allegations That It Violated Children’s Privacy Law and the FTC Act , Fed. Trade Comm’n (Jan. 8, 2018), https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated. [241]   Id. at 14. [242]   Id. at 12. [243] SELCO Comm. Credit Union v. Noodles & Co. , 267 F. Supp. 3d 1292 (D. Colo. 2017). [244] Id . [245] Id . [246] Attias v. CareFirst, Inc. , 865 F.3d 620, 622-23 (D.C. Cir. 2017). [247] Id . at 628. [248] Id . [249] Beck v. McDonald , 848 F.3d 262, 267 (4th Cir. Feb. 6, 2017). [250] Id . at 274, 276-77. [251] Id . at 275. [252] Attias , 865 F.3d at 628. [253] Beck , 848 F.3d at 275. [254] Whalen v. Michaels Stores, Inc. , 689 Fed. App’x 89, 90-91 (2d Cir. 2017). [255] See Alison Frankel, 8th Circuit Adds to Data Breach Litigation Uncertainty, Ahead of SCOTUS Petition , Reuters (Sept. 1, 2017), https://www.reuters.com/article/us-otc-databreach/8th-circuit-adds-to-data-breach-litigation-uncertainty-ahead-of-scotus-petition-idUSKCN1BC5OJ. [256] In re SuperValu, Inc., Customer Data Sec. Breach Litig., 870 F.3d 763, 770-72 (8th Cir. 2017). [257]   Id. at 772. [258] Complaint, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. Aug. 3, 2016), ECF No. 1; see also Kevin Poulsen, Putin’s Hackers Now Under Attack – From Microsoft, Daily Beast (July 20, 2017), https://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network. [259] Id . [260] Preliminary Injunction Order, Microsoft Corp. v. Does 1-12 , No. 2016-cv-00993 (E.D. Va. Aug. 12, 2016), ECF No. 33. [261] Motion for Default Judgment and Permanent Injunction, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. Jun. 29, 2017), ECF No. 55. [262] Guardian to Fight Legal Action over Paradise Papers , The Guardian (Dec. 18, 2017), https://www.theguardian.com/uk-news/2017/dec/18/guardian-bbc-legal-action-paradise-papers. [263] Settlement Agreement and Release at 11, In re Anthem, Inc. 
Data Breach Litig. (“In re Anthem “), No. 5:15-md-02617-LHK, (N.D. Cal. June 23, 2017). [264] See In re Anthem, 162 F. Supp. 3d 953, 967 (N.D. Cal. 2016). [265] See id. at 968. [266] Id. at 1016. [267] Settlement Agreement and Release at 4, In re Anthem, No. 5:15-md-02617-LHK (N D. Cal. June 23, 2017). [268] See generally Order Granting Motion for Preliminary Approval of Class Action Settlement, In re Anthem, No. 5:15-md-02617-LHK, (N.D. Cal. Aug. 25, 2017). [269] Settlement Agreement and Release at 11, In re Anthem, No. 5:15-md-02617-LHK, (N.D. Cal. May 31, 2017). [270] Id. [271] Id. at 11, 23. [272] Id. at 10. [273] See Memorandum of Law in Support of Consumer Plaintiffs’ Motion for Preliminary Approval of Class Settlement, In re: The Home Depot, Inc., Customer Data Sec. Breach Litig.  (“In re Home Depot“), No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016). [274] See Final Order and Judgment at 1–2, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017). [275] Id. at 3. [276] Id. at 13. [277] See Memorandum and Order at 3, In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 (PAM) (D. Minn. May 17, 2017). [278] See id. [279] See id. at 19-21. [280] See generally Objector Olson’s Amended Notice of Appeal, In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 (PAM) (D. Minn. June 2, 2017). [281] Press Release, N.Y. State Office of the Attorney Gen., A.G. Schneiderman Announces $18.5 Million Multi-State Settlement with Target Corporation over 2013 Data Breach (May 23, 2017), https://ag.ny.gov/press-release/ag-schneiderman-announces-185-million-multi-state-settlement-target-corporation-over. [282] See Final Order and Judgment at 3–6, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017), ECF No. 343 (adopting Settlement Agreement, ECF No. 327-3). [283] See Settlement Agreement and Release at 10–18, 23, In re Anthem, No. 5:15-md-02617-LHK, (N.D. Cal. Jun. 23, 2017), ECF No. 869-8. 
[284] Order Granting Final Approval of Class Action Settlement and Final Judgment, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260 (adopting Settlement Agreement, ECF No. 181-2); Order Granting Consumer Plaintiffs’ Motion For Service Awards, Attorneys’ Fees and Litigation Expense Reimbursement, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 261 (adopting Settlement Agreement, ECF No. 181-2). [285] Mem. and Order Granting Mot. for Final Approval of Financial Institutions’ Class Action Settlement and Mot. for Att’y Fees and Expenses and Service Payments, In re Target, No. 0:14-md-02522-PAM (D. Minn. May 12, 2016), ECF No. 758 (adopting Settlement Agreement, ECF No. 653-1). [286]   Robin Sidel, Target to Settle Claims Over Data Breach, Wall St. J. (Aug. 18, 2015, 5:10 PM ET), http://www.wsj.com/articles/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013. [287] Final Approval of Class Settlement, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 6, 2016), ECF No. 165 (approving Settlement Agreement, ECF No. 146-1); Order on Mot. for Att’y Fees, Costs, and Service Awards at 3, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 12, 2016), ECF No. 166. [288] St. Joseph Health System Med. Info. Cases , JCCP No. 4716 (Cal. Sup. Ct.). [289] Mem. and Order Granting Mot. for Final Approval of Consumer Settlement and Mot for Payment of Service Awards and Fees and Expenses, In re Target, No. 0:14-md-02522-PAM (D. Minn. Nov. 16, 2016), ECF No. 645 (approving Settlement Agreement, ECF No. 358-1). [290] Order Granting Final Approval of Class Action Settlement, In re LinkedIn User Privacy Litig., No. 12-CV-03088-EJD (N.D. Cal. Sept. 15, 2015), ECF No. 147 (approving Settlement Agreement, ECF No. 145-1). [291] Mot. for Approval of Voluntary Dismissal, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87; Settlement Agreement, In re Adobe Systems Inc. Privacy Litig., No. 
5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87-2. [292] Min. Order Granting Motion for Settlement, In re Sony Gaming Networks & Customer Data Sec. Breach Litig ., No. 3:11-md-02258 (S.D. Cal. May 4, 2015), ECF No. 210; Settlement Agreement, In re Sony Gaming Networks, No. 3:11-md-02258 (S.D. Cal. June 13, 2014), ECF No. 190-2. [293] Opinion at 3, 9–11, Palkon et al. v. Holmes et al., No. 2:14-cv-01234 (SRC) (D.N.J. Oct. 20, 2014), ECF No. 49. [294] Order Granting Motion to Dismiss, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. July 7, 2016), ECF No. 19; Target Corporation Report of the Special Litigation Committee at 2, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (Mar. 30, 2016), ECF No. 62-2; see also Memorandum of Law of the Special Litigation Committee of the Board of Directors of Target Corporation in Support of its Motion for Approval and Dismissal, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. May 6, 2016), ECF No. 59. [295] Opinion and Order at 11, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 62. [296] Unopposed Motion for Order for Preliminary Approval of Shareholder Derivative Settlement with Brief In Support, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 73; Notice of Proposed Settlement at 5, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 74-4. [297] Notice of Proposed Settlement at 4-5, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 74-4. [298]   See Updates Related to Investigation of Unusual Payment Card Activity at Wendy’s, WENDYS.COM, (last visited Jan. 21, 2018), https://www.wendys.com/en-us/about-wendys/the-wendys-company-updates. 
[299] Verified Shareholder Derivative Complaint at 71-74, Graham v. Peltz et al, No. 1:16-cv-01153-TSB (S.D. Ohio Dec. 16, 2016), ECF No. 1. [300] Id. at 4. [301] Memorandum in Support of Defendants’ Motion to Dismiss Verified Shareholder Derivative Complaint, Graham v. Peltz et al, No. 1:16-cv-01153-TSB (S.D. Ohio Mar. 10, 2017), ECF No. 9-1. [302] Id. at 15. [303] Complaint, In re: Yahoo! Inc. Shareholder Derivative Litigation, No. 5:17-cv-00787-LHK (N.D. Cal. Feb. 16, 2017), ECF No. 1. [304] Complaint, Okla. Firefighters Pension And Ret. Sys. v. Brandt, et al. , No. 2017-0133-SG, 2017 WL 771182 (Del. Ch. Feb. 23, 2017). [305] Order Staying Case Pending Entry of Final Judgments in Securities and Customer Class Actions, In re: Yahoo! Inc. Shareholder Derivative Litigation, No. 5:17-cv-00787-LHK (N.D. Cal. Sep. 25, 2017), ECF No. 40. [306]   Order Denying Motion to Dismiss, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Aug. 12, 2016), ECF No. 49. [307]   Matera v. Google Inc., No. 15-CV-04062, 2016 WL 5339806, at *14 (N.D. Cal. Sept. 23, 2016). [308]   Id. [309]   Id. at *16 (“[I]t appears that there is no ‘real and immediate threat of repeated injury in the future.'”). [310]   Stipulation Staying Proceedings, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Nov. 28, 2016), ECF No. 60. [311]   Matera v. Google Inc., 2017 WL 1365021, at *2 (N.D. Cal. 2017). [312]   Id. [313]   Motion for Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Dec. 13, 2016), ECF No. 62. [314]   Id. [315]   Id. [316]   Id. [317]   Motion for Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., 5:15-cv-04062-LHK (N.D. Cal. July 21, 2017), ECF No. 79. [318]   Id. [319]   Order Granting Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., 5:15-cv-04062-LHK (N.D. Cal. Aug. 31, 2017), ECF No. 89. [320]   Amended Complaint, Cooper & Parikh v. 
Slice Technologies, Inc., & UnrollMe Inc. , No. 1:17-cv-07102-JPO (N.D. Cal. July 10, 2017), ECF No. 29. [321]   Id. [322]   Id. [323]   Motion to Dismiss, Cooper & Parikh v. Slice Technologies, Inc., & UnrollMe Inc. , No. 1:17-cv-07102-JPO (N.D. Cal. Oct. 12, 2017), ECF No. 54. [324] 18 U.S.C. § 2511(2)(d). [325] See Ala. Code §§ 13A-11-30(1), 31; Alaska Stat. Ann. §§ 42.20.300(a), 310(a)(1); Ariz. Rev. Stat. Ann. §§ 13-3012(5(c)), (9); Ark. Code Ann. § 5-60-120; Colo. Rev. Stat. Ann. § 18-9-303(1); Conn. Gen. Stat. Ann. §§ 53a-187, -189 but see § 52-570d; D.C. Code Ann. § 23-542(b)(3); Ga. Code Ann. §§ 16-11-62, 66(a); Haw. Rev. Stat. Ann. § 803-42(3)(A); Idaho Code Ann. § 18-6702(2)(d); Ind. Code Ann. § 35-31.5-2-176; Iowa Code Ann. §§ 727.8, 808B.2 (2)(c); Kan. Stat. Ann. § 21-6101; Ky. Rev. Stat. Ann. §§ 526.010, 526.020; La. Stat. Ann. § 15:1303(c)(4); Me. Stat. tit. 15, § 710; Mich. Comp. Laws § 750.539(c) but see Sullivan v. Gray, 324 N.W.2d 58 (Mich. Ct. Ap.. 1982); Minn. Stat. Ann. § 626A.02(d); Miss. Code. Ann. § 41-29-531(e); Mo. Ann. Stat. § 542.402(2)(3); Neb. Rev. Stat. Ann. §§ 86-276, -290(2)(c); N.J. Stat. Ann. §§ 2A:156A-2, -4(d); N.M. Stat. Ann. § 30-12-1(C); N.Y. Penal Law §§ 250.00(1), 250.05; N.C. Gen. Stat. Ann. § 15A-287(a); N.D. Cent. Code Ann. § 12.1-15-02; Ohio Rev. Code Ann. §§ 2933.51, 2933.52(B)(4); Okla. Stat. tit. 13, §§ 176.2, 176.4; Or. Rev. Stat. Ann. §§ 165.535, 165.540; R.I. Gen. Laws Ann. §§ 11-35-21, 12-5.1-1; S.C. Code Ann. §§ 17-30-15, -30; S.D. Codified Laws §§  23A-35A-1, -20; Tenn. Code Ann. §§ 39-13-601, -604, 40-6-303; Tex. Penal Code Ann. § 16.02; Tex. Code Crim. Proc. Ann. art. 18.20; Utah Code Ann. § 77-23a-3, -4; Va. Code Ann. § 19.2-62; W. Va. Code Ann. § 62-1D-3; Wis. Stat. Ann. §§ 968.27, 968.31 but see Wis. Stat. Ann. § 885.365(1) (rendering inadmissible as evidence in civil cases recordings obtained without the consent of all parties); Wyo. Stat. Ann. § 7-3-702. 
Vermont has no applicable statute or definitive cases on consent to record a phone conversation. [326] Cal. Penal Code § 632; Del. Code Ann. tit. 11, § 1335(a)(4) but see § 2402(c)(4); Fla. Stat. § 934.03(3)(d); 720 Ill .Comp. Stat. 5/14-2(a); Md. Code Ann., Cts. & Jud. Proc. § 10-402(c)(3); Mass. Gen. Laws Ann. ch. 272, § 99; Mont. Code Ann. § 45-8-213; Nev. Rev. Stat. Ann. §§ 200.620, 200.650 but see Lane v. Allstate Ins. Co., 969 P.2d 938 (Nev. 1998); N.H. Rev. Stat. Ann. § 570-A:2(I-a); 18 Pa. Stat. and Cons. Stat. Ann. §§ 5702, 5704; Wash. Rev. Code Ann. § 9.73.030. [327] Cal. Penal Code § 630, et seq. [328] See Bona Fide Conglomerate, Inc. v. SourceAmerica , No. 3:14-CV-00751-GPC, 2016 WL 3543699, at *6 (S.D. Cal. June 29, 2016) (citing Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022, 1028 (N.D. Cal. 2011); see also Carrese v. Yes Online Inc., No. 16-CV-05301-SJO, 2016 WL 6069198, at *4 (C.D. Cal. Oct. 13, 2016). [329] Complaint, Wang, et al. v. Wells Fargo Bank, N.A., et al., 1:16-CV-11223 (N.D. Ill. Dec. 9, 2017), ECF No. 1. [330] Brinkley v. Monterey Fin. Servs., Inc. , 873 F.3d 1118, 1122-23 (9th Cir. 2017). [331] 28 U.S.C. § 1332(d)(4)(B). [332] Brinkley , 873 F.3d at 1121-23. [333] Id. [334] Raffin v. Medicredit, Inc. , No. 15-CV-4912, 2017 WL 131745 (C.D. Cal. Jan. 3, 2017). [335] Id. at *1.  § 632 prohibits recordings over landlines. [336] Id. at *3. [337] Id. at *8. [338] See, e.g. , Zaklit v. Nationstar Mortg. LLC, 5:15-CV-2190-CAs, 2017 WL 3174901 (C.D. Cal. July 24, 2017); Ronquillo-Griffin v. Telus Commc’ns, Inc., No. 17-CV-129-JM, 2017 WL 2779329 (S.D. Cal. June 27, 2017). [339]   Compare Raffin, 2017 WL 131745, at *3 with Saulsberry v. Meridian Fin. Servs., Inc., No. 14-CV-6256, 2016 WL 3456939, at *15-16 (C.D. Cal. Apr. 14, 2016). [340]   See Raffin, 2017 WL 131745; Zaklit, 2017 WL 3174901; Reyes v. Educational Credit Mgmt. Corp., No. 15-CV-00628, 2017 WL 4169720 (S.D. Cal. Sept. 20, 2017). 
[341] See Ronquillo Griffin , 2017 WL 2779329, at *3-4; Carrese, 2016 WL 6069198, at *8 n.8 (collecting cases); but see Granina v. Eddie Bauer LLC, No. BC569111, 2015 WL 9855304 (L.A. Cty. Super. Ct. Dec. 2, 2015). [342] People v. Guzman , 217 Cal. Rptr. 3d 509 (Cal. Ct. App. 2017). [343] Cal. Const., art. I, § 28, subd. (f), ¶ (2). [344] Guzman , 217 Cal. Rptr. 3d at 514-19. [345] State v. Smith , No. 1 CA-CR 16-0259 PRPC, 2017 WL 3481244 (Ariz. Ct. App. Aug. 15, 2017). [346] Id. at *4. [347] State v. Smith , 405 P.3d 997 (Wash. 2017). [348] Id. at 1001. [349]   Class Action Settlement Agreement, Opperman et al v. Kong Technologies, Inc. et al., No. 3:13-cv-00453-JST (N.D. Cal, April 3, 2017), ECF No. 884. [350]   Complaint, Opperman et al v. Kong Technologies, Inc. et al., No. 3:13-cv-00453-JST (W.D. Texas Mar. 12, 2012), ECF No. 1. [351]   Class Action Settlement Agreement, supra note 246. [352]   Complaint, In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693-JLS-KES (C.D. Cal. Mar. 23, 2017), ECF No. 1. [353]   In re Vizio, Inc., Consumer Privacy Litigation, 238 F.Supp.3d 1204, 1228 (C.D. Cal. 2017). [354]   Second Consolidated Complaint, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal March 23, 2017), ECF No. 136. [355]   Id. [356]   Motion to Dismiss Second Consolidated Complaint and Motion to Strike Class Allegations, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal April 13, 2017), ECF No. 145. [357]   Order Denying Defendants’ Motion to Dismiss and Strike, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal July 25, 2017), ECF No. 199. [358]   Id. [359]   Id. [360]   Id. [361]   Complaint, Satchell v. Signal360, Inc. et al, No. 4:16-cv-04961-JSW (N.D. Cal Aug. 29, 2017), ECF No. 1. [362]   Satchell v. Sonic Notify, Inc., 234 F.Supp.3d 996 (N.D.Cal. 2017). [363]   Id. at 1005-1009. [364]   Amended Complaint, Satchell v. Signal360, Inc. et al, No. 
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Joshua Jessen, Caroline Krass, Eric Vandevelde, Ryan Bergsieker, Abbey Barrera, Kamola Kobildjanova, Lindsey Young, Amy Chmielewski, Melissa Goldstein, Alex Murchison, Reid Rector and Ilissa Samplin, with contributions from Angelica Agishi, Jacob Arber, Stephanie Balitzer, Melinda Biancuzzo, Sheli Chabon, Alli Chapin, Soolean Choy, Josiah Clarke, Tim Deal, Amanda George, Zoey Goldnick, Christian Hudson, Jordan Jacobsen, Miranda Lievsay, Ian Long, Cary McClelland, Jon Newmark, Sheri Pan, Nathan Powell, Jacob Rierson, Alon Sachar, Nick Scheiner, Sydney Sherman, Frances Smithson, Sam Spears, Marc Takagaki, Kayla Wieche and Alex Zbrozek.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

United States
Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)

Europe
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com)
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to the following leaders and members of the Securities Regulation and Corporate Disclosure Group:
James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
