Richard Manfredi, Author at Gibson Dunn

Gibson Dunn has formed a Workplace DEI Task Force, bringing to bear the Firm’s experience in employment, appellate and Constitutional law, DEI programs, securities and corporate governance, and government contracts to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).

Fearless Fund Oral Argument:

On January 31, 2024, the Eleventh Circuit heard oral argument in American Alliance for Equal Rights’ (AAER) appeal of the district court’s denial of its motion for preliminary injunction in American Alliance for Equal Rights v. Fearless Fund Management, LLC, No. 23-13138 (11th Cir. 2023). On the panel were Judge Robin S. Rosenbaum, Judge Kevin C. Newsom, and Judge Robert J. Luck.

During the argument, AAER asserted that Fearless Fund’s charitable grant program—which provides $20,000 grants to Black female entrepreneurs—is a racially discriminatory contract subject to Section 1981. But Fearless Fund, represented by Gibson Dunn, asserted that the program is expressive speech protected by the First Amendment, such that the traditional Section 1981 analysis does not apply.

Judge Rosenbaum addressed the First Amendment issue, asking counsel for AAER, Gilbert Dickey of Consovoy McCarthy, “if . . . the entire point of the organization and the donation is to send the message that . . . Black businesswomen are worthy and have been overlooked and left out, then why isn’t that speech?” Mr. Dickey responded that the case law does not permit consideration of an organization’s “previously expressed views to decide whether the actual conduct is expressive.” Pressed further by Judge Newsom to explain the “hydraulic relationship between whether [the program] is subject to Section 1981 and the First Amendment interests at stake,” Mr. Dickey questioned whether a donation in any circumstance could be considered expressive. And in response to Judge Rosenbaum’s hypothetical contest awarded to whoever “does the most to further Black businesswomen,” Mr. Dickey argued that “implications of this case for the First Amendment are pretty minor” because nonprofits would be “free to discriminate based on the message an organization is sending but not on protected characteristics.”

Arguing on behalf of Fearless Fund, Jason Schwartz of Gibson Dunn emphasized that Fearless Fund’s grant program is “core expressive activity” in line with the “proud tradition in this country” of charitable giving by organizations dedicated to specific causes. He called AAER’s suit an “unprecedented effort to use Section 1981 to force a charity to reverse its message or shut down.” Mr. Schwartz argued this inappropriate application of the Reconstruction-era statute would force an untenable result: “give to everyone or no one.”

Mr. Schwartz distinguished “traditional commercial transactions—employment, housing,” from “charitable giving . . . recognized as protected by the First Amendment,” emphasizing that “Americans speak with their money; they magnify their message with their money.” To explore this line between regulatable conduct and First Amendment-protected speech, Judge Luck posed several hypotheticals, including whether, under Fearless Fund’s reasoning, a charity’s contract for the purchase of office supplies would warrant similar protection. When Judge Luck pressed on the claim that “just because it’s a charity it falls outside of 1981 . . . that can’t be right,” Mr. Schwartz agreed, but contended that, here, “the core expressive activity of the Fearless Foundation is to send this message, which, for what it’s worth, is the message of Section 1981.”

Judge Newsom also presented Mr. Schwartz with a hypothetical from AAER’s brief—a “white man only contest”—to which Mr. Schwartz responded, “First of all, no matter how repugnant I might find that, the First Amendment protects all speech,” explaining that a program set up the same way as the Fearless Fund program may be protected, depending on how it is structured.

Mylan Denerstein of Gibson Dunn, also on behalf of the Fearless Fund, argued that AAER had not met the high bar for organizational standing, noting that AAER’s position would require “the court [to] grant a preliminary injunction when we don’t even know who the businesses are.” She emphasized that AAER “fail[ed] to state that they’ve applied for grants or need money or mentorship” and “don’t show the viability of their business,” which further weighed against finding injury sufficient for standing.

The panel did not indicate when it expects to issue a ruling.

Media Coverage:

Key Developments:

On January 30, 2024, Utah Governor Spencer Cox signed House Bill 261 (“HB 261”) into law. HB 261 prohibits state education institutions and government entities from using DEI statements in hiring and providing trainings promoting differential treatment based on personal identity characteristics. HB 261 also mandates that state education institutions replace DEI offices with general access “student success and support” offices. The bill defines maintaining any of these policies or programs as a “prohibited discriminatory practice.” HB 261 progressed rapidly through the legislature, passing only ten days after its introduction. Alongside it, another anti-DEI bill in Utah, House Bill 111 (“HB 111”), has been voted out of committee to the full House. As introduced, HB 111 would prohibit private employers from requiring training in or compelling beliefs about various DEI-related concepts, although the bill was significantly weakened in committee. We are tracking the progress of this bill and will provide additional updates if it passes.

On January 26, 2024, Students for Fair Admissions (“SFFA”) asked the Supreme Court to grant an emergency injunction in its ongoing battle against West Point, bringing its campaign against race-conscious admissions back to the nation’s highest court. SFFA sued West Point on September 19, 2023, arguing that the military academy’s continued use of race-conscious admissions after SFFA v. Harvard is unconstitutional. After the district court denied its request for a preliminary injunction on January 3, 2024, SFFA filed an emergency appeal to the Second Circuit the next day. Instead of waiting for the Second Circuit to rule, SFFA filed an emergency application for an injunction with the Supreme Court, requesting that the court enjoin West Point from considering applicants’ race after the school’s application window closes on January 31. SFFA argued that West Point should be subject to the same constitutional analysis as other schools, despite language in SFFA v. Harvard suggesting military academies might receive more deference. SFFA claimed West Point applicants will suffer irreparable harm if the Supreme Court does not act before West Point’s application cycle closes on January 31. On January 30, 2024, West Point filed its opposition to SFFA’s requested injunction, arguing that there is no “emergency” supporting the injunction, since West Point has been considering applications since August 2023, will continue to do so through May 2024, and has already issued offers to hundreds of candidates. West Point also noted that SFFA failed to establish irreparable harm because SFFA’s members remain eligible to apply to West Point for at least three additional admissions cycles. West Point asserted that the military’s judgment merits “substantial deference” and that a diverse officer corps is “necessary for an effective fighting force.”

On January 25, 2024, AFL filed a formal judicial conduct complaint with Chief Judge Diane S. Sykes of the United States Court of Appeals for the Seventh Circuit. The complaint accuses three judges on the United States District Court for the Southern District of Illinois—Chief Judge Nancy J. Rosenstengel, Judge Staci M. Yandle, and Judge David W. Dugan—of race and sex discrimination in violation of the Rule for Judicial-Conduct and Judicial-Disability Proceedings 4(a), Judicial Code of Conduct Canon 2(A), and the Fifth Amendment of the United States Constitution. Specifically, the complaint highlights the judges’ policies allowing parties to move for oral argument with the promise that, if the motion is granted, a “newer, female, [or] minority attorney” will argue the motion. AFL’s complaint maintains that these policies intentionally discriminate on the basis of sex and race, amounting to “cognizable judicial misconduct” under the applicable judicial rules. Further, AFL argues that allowing these policies to stand undermines judicial integrity and public trust in the judicial system as it gives some parties additional advocacy opportunities for their clients solely on the basis of an advocate’s race or gender.

On January 17, 2024, AFL filed an administrative complaint with the Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”), seeking investigations into three airlines—American Airlines, United Airlines, and Southwest Airlines—for alleged violations of federal contract law. AFL claimed that the airlines’ race-based and gender-based hiring targets constitute race- and sex-based discrimination in violation of Executive Order 11246, which requires government contracts to contain an Equal Opportunity Clause prohibiting discrimination, and authorizes the Secretary of Labor to sanction government contractors via contract cancellation, ineligibility, and other penalties. AFL’s American Airlines letter mentioned the airline’s stated commitment to DEI and programs available to Black professionals, while the Southwest letter cited the increase in the company’s diverse hires as evidence of unlawful consideration of race and gender in hiring. Finally, the United letter cited DEI targets in the airline’s 2022 Corporate Responsibility Report and DEI initiatives that favor women and minority-owned subcontractors. These letters follow the November 1, 2023 civil rights complaints AFL submitted to the EEOC regarding the same airlines.

On January 17, 2024, AFL sent a FOIA request to the Federal Bureau of Investigation (FBI). AFL requested all records of communications to and from the FBI’s Chief Diversity Officer, Scott McMillion, from April 2021 to April 2023. Citing McMillion’s comments that “diversity, equity, inclusion and accessibility is literally within [the FBI’s] DNA” and an FBI diversity report that showed the agency has increased employee racial, ethnic, and gender diversity, AFL speculated that the FBI’s hiring process violates Title VII and the Equal Protection Clause.

On January 11, 2024, AFL filed a letter with the EEOC calling for the Commission to conduct an investigation of Nike. AFL accused Nike of knowingly and intentionally using race, color, sex, and national origin as motivating factors in numerous employment decisions in violation of Title VII. AFL sent a similar letter to Nike’s board, highlighting the same alleged violations. In the letters, AFL pointed to language on Nike’s website expressing the company’s intent to set “clear and ambitious targets . . . to increase diverse representation at Nike.” AFL claimed that one way Nike realizes this target is through the creation of “Employee Networks,” which are limited to members of eight specific “favored categories.” These categories focus on race, sex, or gender. AFL maintained that Nike’s explicit focus on only those categories demonstrates the company’s discriminatory intent to deprive “whites, males, and heterosexuals” of the opportunity to gain “real benefits” from inclusion in these Employee Networks. Additionally, AFL cited Nike’s self-reported data as evidence of the company’s express intent to discriminate in favor of certain historically underrepresented demographics. For example, AFL cited Nike’s Fiscal Year 2022 report, which states that the company achieved 51% gender diversity and 38.8% racial diversity. AFL claimed that featuring these statistics demonstrates Nike’s efforts to discriminate against other demographics.

Media Coverage and Commentary:

Below is a selection of recent media coverage and commentary on these issues:

New York Times, “‘America Is Under Attack’: Inside the Anti-D.E.I. Crusade” (January 20): The Times’s Nicholas Confessore reports on thousands of documents newly obtained by the newspaper, providing new details about the recent wave of anti-DEI bills being considered—and in some instances, passed—in state legislatures. Despite polls showing that most Americans support the values underlying DEI, over 20 states considered or passed anti-DEI legislation in 2023. The Times secured documents including emails, grant proposals, and draft reports that the article claims show how conservative activists, centered at California’s Claremont Institute, “formed a loose network of think tanks, political groups and Republican operatives in at least a dozen states” in an effort to “eliminat[e] ‘social justice education’ from American schools.” According to Confessore, the internal documents reveal that (at least in some cases) racist, sexist, and homophobic beliefs were motivating factors. Confessore also suggested that the documents signal the importance of the anti-DEI movement as a Republican fundraising tool and talking point that is anticipated to become even more prominent as the 2024 election nears.
Forbes, “Diversity In Leadership Increases Chances Of Success By 39%” (January 21): Julie Kratz, founder of DEI training organizations Next Pivot Point and Little Allies, reports on new research by McKinsey & Company describing a growing business case for DEI. The research suggests that there is a “39% increased likelihood of outperformance” for companies in the top quartile of ethnic and gender leadership diversity as compared to those in the bottom quartile. Kratz notes that business justifications for diversity are not new, but several factors—including limited diversity in C-suites and lack of accountability—hinder progress. To overcome these challenges, Kratz recommends that companies set aside the “‘one and done’ approach” to DEI training and focus on “a model of continuous learning.”
Wall Street Journal, “DEI Is Worth Saving From Its Excesses” (January 22): Roland Fryer, Harvard economist and founder of venture capital firm Equal Opportunity Ventures, writes in an opinion piece that “[o]pponents and supporters of DEI have very different ideas about what it is.” Fryer recognizes the need for companies to evaluate their diversity initiatives and to identify and eliminate illegal practices, but also advocates for maintaining commitment to developing diverse talent. Fryer suggests that employers should focus on eliminating racial bias “not only because discrimination is wrong but because it is a market failure that prevents the right people from being placed in the right positions.” Companies should be aware of these biases, evident in disparate rates of hiring, promotion, and starting compensation. Fryer recommends use of machine learning to help avoid bias in personnel decisions.

Law360, “EEOC’s Lucas Calls Mark Cuban ‘Dead Wrong’ In DEI Push” (January 29): Law360’s Patrick Hoff reports on a public exchange on the social media platform X between billionaire businessman Mark Cuban and EEOC Commissioner Andrea Lucas. In recent weeks, Cuban has taken to X to defend the business case for DEI. But when he posted on January 28 that, in hiring, “race and gender can be part of the equation,” Commissioner Lucas replied, calling Cuban “dead wrong on black-letter Title VII law.” According to Hoff, in an email to Law360, Cuban clarified that X “is a place to argue” and that he follows the law “in every way.” Although a spokesperson for the EEOC told Law360 that Lucas’s social media posts are her own and not reflective of the agency’s opinions, Lucas told the news outlet that she views public education “in any media” as part of her role. Hoff notes that, in the wake of SFFA, Lucas has stood alone among the EEOC’s commissioners in publicly denouncing race-based corporate DEI policies.

Case Updates:

Below is a list of updates in new and pending cases:

1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:

Mid-America Milling Company v. U.S. Department of Transportation, No. 3:23-cv-00072-GFVT (E.D. Ky. 2023): Two plaintiff construction companies sued the Department of Transportation, asking the court to enjoin DOT’s Disadvantaged Business Enterprise (DBE) Program, an affirmative action program that awards contracts to minority-owned and women‑owned small businesses in DOT-funded construction projects with the statutory aim of granting 10% of certain DOT-funded contracts to these businesses nationally. Plaintiffs allege that the program constitutes unconstitutional race discrimination in violation of the Fifth Amendment.
- Latest update: On January 16, 2024, DOT filed its motion to dismiss the complaint. DOT argued that the plaintiffs’ allegations that they lost contracts to DBE firms were conclusory and speculative because they failed to allege specific facts about the nature of the contracts, the type of industry, and whether or not those contracts were actually covered by the DBE program. DOT also argued that the plaintiffs failed to allege an injury sufficient for standing because, although they alleged they had bid for DBE contracts, they did not identify the contracts with enough specificity, as not all DOT contracts contain a DBE goal. Finally, DOT argued the plaintiffs failed to join as indispensable parties the state or local agencies who actually implement the DBE goals and channel DOT funds to contractors.
Landscape Consultants of Texas, Inc. v. City of Houston, No. 4:23-cv-3516–DH (S.D. Tx. 2023): Plaintiff landscaping companies owned by white individuals challenged Houston’s government contracting set-aside program for “minority business enterprises” that are owned by members of racial and ethnic minority groups. The companies claim the program violates the Fourteenth Amendment and Section 1981.
- Latest update: On January 12, 2024, the district court denied both the City of Houston’s and Midtown Management District’s motions to dismiss, without issuing a written opinion
Do No Harm v. Pfizer, No. 1:22-cv-07908–JLR (S.D.N.Y. 2022), on appeal at No. 23-15 (2d Cir. 2023): On September 15, 2022, plaintiff association representing physicians, medical students, and policymakers sued Pfizer, alleging that the company’s Breakthrough Fellowship Program, which provided minority college seniors summer internships, two years of employment post-graduation, and a scholarship, violated Section 1981, Title VII, and New York law. The association alleges that the program illegally excludes white and Asian applicants. The association is represented by Consovoy McCarthy PLLC, the firm that also represents American Alliance for Equal Rights in multiple lawsuits. In December 2022, the court granted Pfizer’s motion to dismiss, finding that the plaintiff did not have associational standing because they did not identify at least one member by name, instead only submitting declarations from anonymous members. The association appealed to the Second Circuit, which heard oral argument on October 3, 2023.
- Latest update: On December 21, 2023, Do No Harm filed a Rule 28(j) notice of supplemental authority to support its claim that it has standing despite its reliance on unnamed members. Pointing to a recent district court decision in SFFA v. U.S. Naval Academy that found standing on the basis of pseudonymous plaintiffs, the association argued that the district court misread Supreme Court precedent. On January 12, 2024, Pfizer responded with its own Rule 28(j) letter, contesting the plaintiff’s characterization of the Naval Academy decision and arguing that even if the use of pseudonymous members was sufficient to create standing, the pseudonymous members in the current case still lacked standing because they had declined to apply for Pfizer’s fellowship program after Pfizer changed the requirements—something Pfizer also argued served to moot the case.

2. Employment discrimination under Title VII and other statutory law:

Gerber v. Ohio Northern University, No. 2023-1107-CVH (Ohio. Ct. Common Pleas Hardin Cty. 2023): On June 30, 2023, a law professor sued his former employer, Ohio Northern University, for terminating his employment after an internal investigation determined that he bullied and harassed other faculty members. On January 23, 2024, the plaintiff, now represented by America First Legal, filed an amended complaint. The plaintiff claims that his firing was actually in retaliation for his vocal and public opposition to the university’s stated DEI principles and race-conscious hiring, which he believed were illegal. The plaintiff alleged that the investigation and his termination breached his employment contract, violated Ohio civil rights statutes, and constituted various torts, including defamation, false light, conversion, infliction of emotional distress, and wrongful termination in violation of public policy.
- Latest update: The defendant has until February 20, 2024 to respond to the plaintiff’s second amended complaint.
De Piero v. Pennsylvania State University, No. 2:23-cv-02281-WB (E.D. Pa. 2023): A white male professor sued his employer, Penn State University, claiming that university-mandated DEI trainings, discussions with coworkers and supervisors about race and privilege in the classroom, and comments from coworkers about his “white privilege” constituted a hostile work environment that led him to quit his job. He claimed that after he reported that he felt harassed and published an opinion piece objecting to the impact of DEI concepts in the classroom, the university retaliated against him by investigating him for bullying and aggressive behavior towards his colleagues. The plaintiff alleged harassment, retaliation, and constructive discharge in violation of Title VI, Title VII, Section 1981, Section 1983, the First Amendment, and Pennsylvania civil rights laws.
- Latest update: On January 11, 2024, the district court granted the defendant’s motion to dismiss in part, dismissing all of the plaintiff’s claims except for his hostile work environment claim. On that claim, the judge found that some of his allegations, including that he was required to attend trainings that “discussed racial issues in essentialist and deterministic terms” and “ascrib[ed] negative traits to white people . . . plausibly amount to ‘pervasive’ harassment.” The court made clear that “training on concepts such as ‘white privilege’ . . . can contribute positively . . . in an educational institution,” but that when those discussions occur “with a constant drumbeat of essentialist, deterministic, and negative language, they risk liability under federal law.”
Haltigan v. Drake, No. 5:23-cv-02437-EJD (N.D. Cal. 2023): A white male psychologist sued the University of California Santa Cruz, arguing that a requirement that prospective faculty candidates submit and be evaluated in part on the basis of statements explaining their views and understanding of DEI principles functioned as a loyalty oath that violated his First Amendment freedoms. The plaintiff claimed that because he is “committed to colorblindness and viewpoint diversity”––which he alleged was contrary to UC Santa Cruz’s position on DEI––he would be compelled to alter his political views to be a viable candidate for the position. The plaintiff sought a declaration that the University’s DEI statement requirement violated the First Amendment and a permanent injunction against the enforcement of the requirement.
- Latest update: On January 12, 2024, the district court granted UC Santa Cruz’s motion to dismiss with leave to amend, finding that the plaintiff lacked standing because he had not actually applied for a professor position. The court rejected the plaintiff’s claim that he had “competitor standing” because he only expressed a general interest in the position, and did not allege that he had undertaken any preparations or concrete steps to apply. The court also rejected the argument that the plaintiff had First Amendment prudential standing, sometimes recognized in license application cases, because he was seeking a job, not a license or a permit. Finally, the court found that the plaintiff had not sufficiently alleged that it would have been futile to apply without a DEI statement because UC Santa Cruz might have accepted his application notwithstanding his lack of a statement.
Weitzman v. Fred Hutchinson Cancer Center, No. 2:24-cv-00071-TLF (W.D.WA. 2024): On January 16, 2024, a white Jewish female former employee of a medical center sued her former employer, alleging that she was terminated for expressing her discomfort with DEI-related content shared in the workplace by coworkers, objecting to DEI-related training, and expressing her political opposition to DEI-aligned ideologies. She also claimed that her employer failed to act when she was allegedly discriminated against because of her religion and race by other coworkers. The plaintiff alleged her employer’s conduct constituted racial discrimination, a hostile work environment, and retaliation in violation of the Washington Law against Discrimination (WLAD) and Section 1981; discrimination and retaliation on the basis of political ideology in violation of the Seattle Municipal Code; and intentional infliction of emotional distress and wrongful termination in violation of public policy under common law.
- Latest update: The defendant has not yet responded to the complaint.

3. Challenges to agency rules, laws, and regulatory decisions:

Saadeh v. New Jersey State Bar Association, No. MID-L-006023-21 (N.J. Super. Ct. 2021), on appeal at A-2201-22 (N.J. Super. Ct. App. Div. 2023): On October 15, 2021, a Palestinian and Muslim attorney and bar member sued the New Jersey State Bar Association (NJSBA), alleging that the NJSBA’s practice of reserving certain trustee and committee positions for members of “underrepresented groups” including Black, Hispanic, Asian, women, and LGBTQ attorneys constituted racial discrimination in violation of New Jersey state civil rights laws.
- Latest update: On November 9, 2022, the trial judge ruled that the NJSBA’s practice was racially discriminatory, and ordered it to end the practice and consider all attorneys in good standing eligible for the positions. The court found that the practice was an illegal quota rather than a valid affirmative action program. The court also held that the First Amendment did not protect the NJSBA’s practices. The NJSBA appealed, and on January 18, 2024, the Appellate Division of the New Jersey Superior Court heard oral argument. The NJSBA argued that the trial court applied the incorrect Supreme Court precedent and that under the correct framework, the NJSBA’s practice is a valid, tailored affirmative action plan that redresses the historical underrepresentation of non-white attorneys in the positions at issue. The plaintiff argued that the practice is not legal affirmative action because it does not address the root causes of racial imbalances and is not based on a detailed analysis of the NJSBA’s membership and demographic data.
Palsgaard v. Christian, et al., No. 1:23-cv-01228-SAB (E.D. Cal. 2023): In August 2023, California community college professors filed suit and moved for a preliminary injunction against the state’s new DEI-related evaluation competencies and corresponding language in their faculty contract, which they allege requires them to endorse the state’s views on DEI concepts. The plaintiffs challenge the DEI rules and contract language as compelled speech in violation of the First and Fourteenth Amendments. On December 15, 2023 the defendants filed their motions to dismiss.
- Latest update: On January 19, 2024, the plaintiffs filed a joint opposition to the defendants’ motions to dismiss. Plaintiffs argued that they had standing to challenge the DEI rules and faculty contract and that they had not waived their First Amendment rights. Plaintiffs also argued that their constitutional claims should not be dismissed because the regulations compel them to espouse the state’s preferred message and that both the rules and faculty contract are overbroad and vague.
Earls v. North Carolina Judicial Standards Commission, No. 1:23-cv-00734-WO-JEP (M.D.N.C. 2023): On June 20, 2023, North Carolina Supreme Court Justice Anita Earls, the only non-white female justice on the court, made comments in an interview regarding the diversity of the appellate bench and of the attorneys who appear before the N.C. Supreme Court, and her opinion regarding implicit bias in the state judiciary and attempts to diversify the North Carolina courts. In response, on August 15, 2023, the North Carolina Judicial Standards Commission initiated an investigation into whether Justice Earls violated provisions of the judicial code requiring her to act in a manner that promotes “public confidence in the integrity” of the judicial system. On August 29, 2023, Justice Earls filed a lawsuit claiming that the Commission’s investigation was part of an ongoing effort to restrict and chill her free speech rights in violation of the First Amendment. She claimed that as a result of the investigation, she turned down opportunities to speak on matters related to diversity and equity, demonstrating the investigation’s chilling effect. On November 21, 2023, the district court denied Justice Earls’ request for a preliminary injunction on the grounds that the Commission’s actions likely met strict scrutiny because its investigation was justified by the compelling interest of safeguarding public confidence in the integrity and fairness of the judicial system, and the investigation process appeared narrowly tailored.
- Latest update: On January 17, 2024, Justice Earls voluntarily dismissed her case after the Commission dismissed the investigation against her without recommending disciplinary action.

4. Educational Institutions and Admissions (Fifth Amendment, Fourteenth Amendment, Title VI, Title IX):

Students for Fair Admissions, Inc. v. University of Texas at Austin, 1:20-cv-00763-RP (W.D. Tex. 2020): On July 20, 2020, SFFA sued the University of Texas, alleging that UT Austin’s methods of considering race in undergraduate admissions violated the Equal Protection Clause of the Fourteenth Amendment, Section 1981, Title VII, the Texas Constitution, and Texas state law.
- Latest update: On January 11, 2024, UT Austin replied to SFFA’s opposition to its motion to dismiss, renewing its argument that the case is moot because UT Austin has changed its admissions policies. It further argued that the case was not still live under the “voluntary cessation” doctrine because the policy change was compelled by the Supreme Court’s SFFA v. Harvard decision, and SFFA failed to show UT Austin’s change was not made in good faith. UT Austin also responded to SFFA’s summary judgment motion, asserting that SFFA’s evidence that UT still collects demographic information is not sufficient to show that it discriminates on the basis of race. Also on January 11, civil rights groups acting as intervenors on behalf of UT Austin opposed SFFA’s motion for summary judgment, arguing that SFFA is not entitled to summary judgment because it has not shown that UT’s facially neutral policy is being implemented in a discriminatory manner. They also replied to SFFA’s opposition to the motion to dismiss, arguing that SFFA lacks standing because none of its members have applied to UT Austin under the new policy, and that the case is moot because SFFA is challenging a policy that no longer exists.

The following Gibson Dunn attorneys assisted in preparing this client update: Jason Schwartz, Mylan Denerstein, Blaine Evanson, Molly Senger, Zakiyyah Salim-Williams, Matt Gregory, Zoë Klein, Mollie Reiss, Teddy Rube, Alana Bevan, Marquan Robertson, Elizabeth Penava, Skylar Drefcinski, and Mary Lindsay Krebs.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, mdenerstein@gibsondunn.com)

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, zswilliams@gibsondunn.com)

Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, msenger@gibsondunn.com)

Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, bevanson@gibsondunn.com)

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This briefing examines in depth the circulars and consultation paper issued by the SFC and HKMA in December 2023.

Throughout the course of 2023, the Hong Kong Securities and Futures Commission (“SFC”) and the Hong Kong Monetary Authority (“HKMA”) showed clear indications of their increased openness to virtual assets (“VA”), including through the implementation of the SFC’s Hong Kong virtual asset trading platform (“VATP”) regime,[1] and the release of multiple circulars liberalising the regulatory approach to this area.[2] This trend continued through until the very end of 2023, with the SFC and HKMA being very active in this space in late December. In particular, the SFC on December 22, 2023 issued a circular significantly relaxing the approach to virtual asset exchange traded funds (“VA ETFS”) and other funds with exposure to VA, followed by a joint SFC-HKMA circular in relation to intermediaries’ virtual asset-related activities and an HKMA consultation paper setting out a proposed legislative regime for the issuance of stablecoins. This client briefing examines the two circulars and consultation paper in further depth.

I. SFC Circular on SFC-Authorised Funds With Exposure to Virtual Assets

On December 22, 2023, the SFC published a circular on SFC-authorised funds with exposure to virtual assets (“SFC Circular”), and sets out the requirements under which the SFC will consider authorising funds with exposure to VA of more than 10% of their net asset value (“NAV”) (“SFC-authorised VA Funds”).[3] The SFC Circular supersedes an earlier circular on VA futures ETFs issued on October 31, 2022 (“October 2022 Circular”).[4] The key practical effect of the replacement of the October 2022 Circular is to expand the scope of VA ETFs that may be authorised by the SFC, as the October 2022 Circular only provided for the authorisation of VA ETFs with Bitcoin futures and Ether futures traded on the Chicago Mercantile Exchange (“CME”) as the underlying assets. The SFC Circular removes this requirement.

However, all funds with either direct (i.e. as a result of purchasing of tokens directly by the fund) or indirect investment exposure to VA seeking SFC authorisation must comply with a range of requirements, as summarised in the table below.[5] Further, (i) funds having or intending to have VA exposure of more than 10% of NAV that wish to seek the SFC’s authorisation or (ii) existing SFC-authorised funds that plan to obtain VA exposure of more than 10% of their NAV should consult and seek prior approval from the SFC by contacting the relevant case officer of the Investment Products Division.

Area	Key changes from the October 2022 Circular and/or key requirements
Eligible underlying VA	SFC-authorised VA Funds should only invest (indirectly or directly) in VA tokens that are accessible to Hong Kong public for trading on SFC-licensed VATPs.
Investment strategy	As noted above, the SFC Circular has removed the requirement under the October 2022 Circular that VA ETFs must only have as their underlying Bitcoin futures and Ether futures traded on Chicago Mercantile Exchange. However, the SFC Circular does allow SFC-authorised VA Funds to only have exposure to VA futures traded on conventional regulated futures exchanges. Further, the management company of such funds must be able to demonstrate that: (i) the relevant VA futures have adequate liquidity and (ii) the roll costs of the relevant VA futures are manageable and how such roll costs will be managed. Indirect exposures to eligible VA via other exchange-traded products are subject to applicable requirements in the UT Code and other requirements which may be imposed by the SFC. SFC-authorised VA Funds must not have leveraged exposure to VA at the fund level. SFC-authorised VA Funds that primarily adopt a futures-based investment strategy are expected to adopt an active investment strategy to allow flexibility in portfolio composition, rolling strategy and handling of any market disruption events.
Transactions and direct acquisitions of spot VA	Transactions and acquisitions of spot VA by SFC-authorised VA Funds should be conducted through SFC-licensed VATPs or authorised institutions (“AIs”) or their subsidiaries in accordance with any applicable HKMA requirements. For in-cash subscriptions and redemptions, SFC-authorised spot VA ETFs should acquire and dispose of spot VA through SFC-licensed VATPs, either on or off platform. For in-kind subscriptions, participating dealers (“PDs”) should transfer spot VA to SFC-authorised spot VA ETFs’ custody accounts with SFC-licensed VATPs or AIs (and vice versa where in-kind redemptions are concerned). Both in-cash and in-kind subscription and redemption are permitted for SFC-authorised spot VA ETFs. For ETFs that invest in spot VA, PDs should be SFC-licensed corporations or registered institutions.
Custody	The trustee/custodian of an SFC-authorised VA Fund should only delegate its VA custody function to an SFC-licensed VATP or an AI (or a subsidiary of a locally incorporated AI) which meets the expected standards for VA custody issued by the HKMA from time to time. The trustee/custodian and any delegate responsible for taking custody of VA holdings of an SFC-authorised VA Fund should comply with additional requirements: (i) it should ensure segregation between the VA holdings and its own assets as well as the assets it holds for other clients; (ii) it should store most of the VA holdings in a cold wallet, and minimise the amount and duration of VA held in a hot wallet; (iii) it should ensure the seeds and private keys are securely stored in Hong Kong, tightly restricted to authorised personnel, and sufficiently resistant to speculation or collusion, and properly backed up to mitigate any single point of failure.
Management companies	Management companies of SFC-authorised VA Funds should have a good track record of regulatory compliance, and at least one competent staff member with relevant experience in the management of VA or related products. The SFC’s Licensing Department may also impose additional terms and conditions on such management companies.
Valuation	When valuing spot VA, the management companies of SFC-authorised VA Funds should adopt an indexing approach based on VA trade volume across major VA trading platforms (i.e. a benchmark index published by a reputable provider that reflects a significant share of trading activities in the underlying spot VA).
Service providers	Management companies should confirm that all necessary service providers (such as fund administrators, participating dealers, market makers and index providers) are competent, available and ready to support the SFC-authorised VA Funds.
Disclosure and investor education	The offering documents (including the product key facts statements (“KFS”)) of SFC-authorised VA Funds should disclose the investment limits and key risks related to the funds’ VA exposures. Product KFSs for SFC-authorised VA Funds should contain upfront disclosure of the investment objectives and the key risks associated with the underlying VA exposures, such as: (i) price risk, custody risk, cybersecurity risk and fork risk for investments in spot VA; and (ii) potentially large roll costs and operational risks for investments in VA futures.
Distribution	Please refer to Section II below.

II. SFC and HKMA Joint Circular on Intermediaries’ Virtual Asset-Related Activities

On December 22, 2023, the SFC and HKMA issued a joint circular on intermediaries’ virtual asset-related activities (“Joint Circular”) which provides updated guidance to intermediaries carrying on VA-related activities, in respect of (i) the distribution of investment products with exposure to VAs; (ii) the provision of VA dealing services; (iii) the provision of VA advisory services; and (iv) the management of portfolios investing into VAs.[6] The Joint Circular supersedes an earlier joint circular published on October 20, 2023.[7]

The Joint Circular emphasises that VA-related products[8] will very likely be considered complex products and that intermediaries distributing VA-related products considered to be complex products will generally be required to comply with the SFC’s requirements on the sale of complex products (including most notably ensuring suitability of VA-related products, regardless of whether the intermediary has solicited or recommended that its clients invest in the product in question).

However, the SFC and HKMA have also imposed two additional investor protection measures on the distribution of VA-related products to address specific risks related to these products:

Restrictions on sale: Subject to certain exceptions (as discussed further below), the SFC and HKMA have indicated that VA-related complex products should only be offered to professional investors (“PIs”); and
VA knowledge test: Intermediaries must assess whether clients (other than institutional PIs and qualified corporate PIs) have knowledge of investing in virtual assets or VA-related products prior to effecting a transaction in VA-related products on their behalf. Where a client does not have the requisite knowledge, the intermediary may only proceed if it has provided sufficient training to the client on the nature and risks of VAs and the clients have sufficient net worth to bear potential losses from trading VA-related products.[9]

However, while the above investor protection measures appeared in the earlier joint circular dated October 20, 2023, the SFC and HKMA have in the Joint Circular stated that the selling restrictions above will not apply to SFC-authorised VA Funds (i.e. funds approved for public offering), subject to intermediaries complying with the following additional safeguards:

For SFC-authorised VA Funds listed and traded on the Hong Kong Stock Exchange (“SEHK”), client orders can be executed on exchange without the need to comply with the suitability requirement or minimum information and warning statements requirements,[10] providing there has been no solicitation or recommendation by the intermediary.
For SFC-authorised VA Funds that are not listed, or for listed funds where trading occurs off exchange, intermediaries will still have to comply with the abovementioned requirements, as well as undertaking the VA knowledge test set out above on the clients concerned.

Further, the SFC and HKMA have also reminded intermediaries that where these SFC-authorised VA funds are also VA derivative funds, intermediaries also need to comply with the requirements for derivative products set out in the Joint Circular.

To assist intermediaries in determining whether an investment product with exposure to VA is complex and the corresponding selling requirements that may apply to the product, the Joint Circular also includes a flowchart which sets out the relevant factors and the corresponding selling requirements.[11]

III. Legislative Proposal on Issuance of Stablecoins

On December 27, 2023, the Financial Services and the Treasury Bureau (“FSTB”) and the HKMA jointly issued a public consultation paper regarding their proposed legislative regime for the regulation of stablecoins (“Legislative Proposal”).[12] This followed the HKMA’s January 2022 discussion paper inviting feedback on its proposed regulatory approach towards crypto-assets and stablecoins (“Discussion Paper”) (as covered in our previous client alert)[13] and its January 2023 consultation conclusions (“Consultation Conclusions”)[14] (as covered in a subsequent client alert).

The introduction of the Legislative Proposal is driven by the potential interconnectedness between the virtual assets (“VA”) market and the traditional financial system. Specifically, the FSTB and HKMA view stablecoins, especially fiat-referenced stablecoin (“FRS”) as a key monetary and financial stability risk area which could lead to a spill-over from the VA sector to the traditional financial system, and vice versa.

A. Legislative Scope and Approach

The FSTB and HKMA have proposed that, rather than amending existing legislation (including the Payment Systems and Stored Value Facilities Ordinance (“PSSVFO”)), their intention is to introduce a new piece of legislation which will address specific features of stablecoins and could more readily serve as the foundation for the extension of the regulatory regime to other forms of VAs down the track. The FSTB and HKMA have also proposed that the issuance of an FRS by an FRS licensee would be excluded from the scope of existing regulatory regimes, including those applicable to securities (e.g. collective investment schemes) and SVFs.

The FSTB and HKMA have proposed that initially, the licensing regime will apply only to issuers of fiat-referenced stablecoins (“FRS”) – that is, stablecoins which have as their specified asset one or more fiat currencies.[15] The FSTB and HKMA have noted that while a FRS which derives value from arbitrage or algorithm will be caught by the regulatory regime, it is highly unlikely (as explained further below) that such FRS will be able to meet the HKMA’s licensing requirements.

That said, the FSTB and HKMA have left the door open to extend the regulatory regime to other forms of VAs (presumably including other types of stablecoins) by describing the proposed FRS issuance regime as a “first step” in the regulation of virtual assets. Notably, the FSTSB and HKMA have proposed that the legislative regime should empower the “authorities” to modify the parameters of in-scope stablecoins and activities, but have not specified if this power would be reserved to the HKMA specifically or to the HKMA in consultation with the FSTB (for example). In exercising any such power to modify the regime, the “authorities” would be required to consider a number of factors (such as the risks posed to the monetary and financial stability of Hong Kong), and the materiality of the case (such as the market share and the value in circulation) before exercising this power.

B. Licensing Requirements for FRS Issuers

Under the Legislative Proposal, an FRS issuer will have to be licensed with the HKMA before it can:

Issue, or hold itself out as issuing, an FRS in Hong Kong;

Issue, or hold itself out as, issuing a stablecoin that purports to maintain a stable value with reference to the value of the Hong Kong dollar; or
Actively market its issuance of FRS to the Hong Kong public.

In order to be licensed, the FRS issuer must demonstrate that it could meet the following licensing requirements, as summarised below:

Licensing Requirements		Description
Management of reserves and stabilisation mechanism	Full backing	The value of the reserve assets backing an FRS must be at least equal to the par value of the FRS (at a minimum) at all times. Issuers of FRS which derive value from arbitrage or algorithms will not be granted a license, given the inherent difficulties of maintaining a stabilisation mechanism in the absence of any backing assets.
	Investment limitations	The reserve assets must be of high quality and high liquidity with minimal market, credit and concentration risk. Reserve assets must be held in the referenced currency, although flexibility may be allowed on a case-by-case basis subject to the HKMA’s approval. The composition of the reserved assets should be determined with reference to the FRS’s liquidity requirements, including how liquidity requirements will be met through the management and investment of reserve assets. The HKMA will need to be satisfied of the appropriateness of the types of assets held by the FRS issuer, and expects that each issuer will have a regularly reviewed investment policy regarding assets that are suitable for holding as reserve assets.
	Segregation and safekeeping of reserve assets	FRS issuers will be expected have effective trust arrangements to ensure that reserve assets are appropriately segregated and available to satisfy FRS holders’ redemption, as well as their legal right and priority claim in the event of insolvency. Reserve assets must be stored in segregated accounts with licensed banks or with other asset custodians (subject to the HKMA’s approval of the proposed arrangements). FRS issuers must maintain effective internal controls to protect the reserve assets from operational risks, including risks of theft, fraud and misappropriation.
	Risk management and controls	FRS issuers must put in place adequate policies, guidelines and controls for the proper management of all investment activities associated with the management of the reserve assets. This includes having comprehensive liquidity risk management practices which address the approach to large scale redemptions – i.e. run scenarios or other scenarios of liquidity stress. FRS issuers must also conduct periodic stress tests to monitor the adequacy and the liquidity of the reserve assets.
	Disclosure and reporting	FRS issuers must regularly publish the total amount of FRS in circulation, the mark-to-market value of reserve assets and the composition of reserve assets. FRS issuers will also be expected to (in consultation with the HKMA) engage a qualified and independent auditor to perform regular attestations in relation to their FRS, including the (i) composition and market value of the reserve assets; (ii) the par value of FRS in circulation; (iii) whether the reserve assets are adequate to fully back the value of FRS in circulation and are sufficient liquid (as of the last business day of the period covered by the attestation); and (iv) whether the conditions on the reserves management as imposed by the HKMA have all been fulfilled. The Legislative Proposal recommends that the total amount of FRS in circulation and the value of reserve assets be disclosed at least daily, the composition of reserve assets be disclosed at least weekly, and attestation by the independent auditor be performed at least monthly.
	Prohibition on paying interest	FRS issuers must not pay interest to FRS users. Any income or loss from the reserve assets, including but not limited to interest payments, dividends or capital gains or losses are attributable to the FRS issuer.
	Effective stabilisation	The FRS issuer is ultimately responsible for ensuring the effective functioning of the stabilisation mechanism of its FRS, notwithstanding any engagement of third parties to carry out the stabilisation activity.
Redemption requirements		The HKMA expects for FRS users to have the right to redeem their FRS at par value with the FRS issuer to have a claim on the reserve assets (or the issuer if the issuer is not able to meet redemption obligations). An FRS issuer is expected to process redemption requests without undue costs and on a timely basis. The issuer must not impose unreasonable conditions on redemption, such as a very high minimum threshold amount. In the event that fees for redemption are charged, such fees must be clearly communicated to FRS users and must be proportionate, at a level that do not deter redemption. The FRS issuer must meet the redemption request at par value by paying in the fiat currency underlying the relevant FRS. Where channels for FRS users to exchange their FRS into fiat currency become unavailable (e.g. due to disruption to infrastructure), the FRS issuer must nevertheless still be able to ensure direct redemption for all FRS users at part in a reasonably timely manner. The FRS issuer is expected to draw up and maintain a contingency plan to enable orderly redemption of FRS by FRS users in the event that the FRS issuer is unable to meet redemption requests (including in the case of suspension or revocation of the issuer’s licence).
Restrictions on business activities[16]		The HKMA’s approval must be sought before an FRS issuer can commence any new lines of business. To this end, the FRS issuer must conduct a risk assessment and demonstrate to the HKMA that adequate resources are allocated to the issuance and maintenance of the FRS, that the new business will not introduce significant risks, and that proper risk controls are in place to ensure that the new line of business will not impair its functions as an FRS issuer. However, provided that the FRS issuer have adequate systems for the segregation and safekeep of FRS and handling of deposit and withdrawal requests for FRS, the FRS issuer will be allowed to conduct activities ancillary or incidental to its issuance of FRS, such as providing wallet services for the FRS it issues. The FRS issuer is prohibited from carrying on lending and financial intermediation or other regulated activities (e.g. regulated activities under the SFO).
Physical presence in Hong Kong[17]		The FRS issuer must be a company incorporated in Hong Kong with a registered office in Hong Kong. Its key personnel and senior management must be based in Hong Kong, and must be empowered with effective management and control of FRS issuance and related activities.
Financial resources requirements[18]		The FRS issuer is expected to maintain a minimum paid-up share capital to be HKD 25,000,000 or 2% of the par value of FRS in circulation, whichever is higher.
Disclosure requirements		The FRS issuer is expected to disclose general information about the issuer itself, the rights and obligations of its FRS users, the FRS stabilisation mechanism, reserves management arrangements, the underlying technology and the risks through a published white paper. The FRS issuer must also disclose their redemption policies, including the timeframe for the redemption process, the applicable fees and the right of FRS users to redemption.
Governance, knowledge and experience		Controllers, chief executives and directors of an FRS issuer must be fit and proper. Their appointment and any changes to the ownership and management of the FRS issuer are subject to HKMA approval. The FRS issuer is expected to have an adequate system of control for the appointment of the senior management team and suitable staff under a robust corporate governance structure.
Risk management requirements		An FRS issuer is expected to implement appropriate risk management processes and measures, such as adequate security and internal controls, effective fraud monitoring and detection measures; technological risk management measures; and contingency arrangements to address operational disruptions. The FRS issuer must also perform risk assessments on a sufficiently frequent basis and at a minimum, on an annual basis, to ensure adequacy of its internal controls.
Audit requirements		The FRS issuer are required to submit audited financial statements to the HKMA annually. Where required by the HKMA, the FRS issuer must submit reports prepared by external independent auditors and assessors to validate the management and operational soundness of the FRS issuance, such as whether the FRS issuer has adequate systems of control for the management of reserve assets, cybersecurity and the integrity of smart contracts.
Anti-money laundering and counter-financing of terrorism requirements		The FRS issuer must ensure that the design and implementation of its issuance business has adequate and appropriate systems of control for preventing or combating possible money laundering and terrorism financing, and for ensuring compliance with the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”) and any other related rules or regulations issued by the HKMA. This includes ensuring that the FRS issuer has adequate customer due diligence measures in relation to FRS issuance, redemption, transaction monitoring and travel rule requirements.

Notwithstanding the above, the HKMA will have the power to impose, amend and cancel ongoing licensing conditions on an FRS issuer, where necessary. These additional conditions can include requirements on reserve assets and restrictions on the types of services that could be undertaken by the FRS issuer.

Licenses granted under the FRS issuer licensing regime will be open-ended, i.e. licences will remain valid until or unless revoked by the HKMA or the FRS issuer ceases to operate. However, the issue of any new FRS (i.e. other than that which the FRS issuer received a licence to issue) will require the consent of the HKMA before it can issue any new FRS under its license. Further, all licensed FRS issuers must display their licence number on any advertising materials and consumer facing materials or software applications.

C. Custody and offering of FRS

With regard to offering of FRS, the FSTB and HKMA have indicated that they consider that FRS issued by unlicensed entities are unsuitable for use by the public. As a result, their intention is that only licensed FRS issuers, authorized institutions, licensed corporations and licensed VATPs can offer FRS in Hong Kong or actively market such offerings in Hong Kong. Meanwhile, authorized institutions, licensed corporations and licensed VATPs can offer FRS issued by unlicensed entities to professional investors only.

With regard to custody, we understand that the FSTB, HKMA and the SFC are continuing to examine the appropriate regulatory approach for such activities. Further regulatory guidance on this topic (including guidance from the HKMA on the provision of VA custodial services by authorised institutions) is expected in the short to medium term.

D. Supervisory Powers of the HKMA

Mirroring similar provisions under the Banking Ordinance, the Legislative Proposal confers supervisory powers on the HKMA to act in the event that a licensee (i) has become or is likely to become insolvent or unable to meet its obligations; (ii) is carrying on its business in a manner detrimental to the interests of its users or its creditors; or (iii) has contravened any of its licensing conditions or provisions of the proposed regulatory regime. In these circumstances, the HKMA will have the power to:

Require a licensee to implement any action relating to the licensee’s affairs, business or property that the HKMA considers as necessary, including restricting the licensee’s business of FRS issuance;
Direct a licensee to seek advice on the management of its affairs, business and property from an advisor appointed by the HKMA; and
Require a licensee’s affairs, business and property to be managed by a HKMA-appointed manager.

The HKMA’s consent will also be required for changes in ownership or management of FRS issuers, including with regard to any proposed amalgamation, sale or disposal of all or part of the business of an FRS issuer, change of control (including change of majority or minority shareholder controller, or indirect controller) and the appointment of chief executives and directors.

Additionally, the HKMA will also have the power to gather information, including request information or documents from licensees, or to conduct on-site examinations at the licensee’s premises. Where the HKMA has reasonable cause to suspect non-compliance, the HKMA will have the power to conduct investigations into the licensee and persons relevant to the suspected contravention. The HKMA will also have the power to give directions to bring an FRS issuer into compliance with its statutory obligation to ensure the protection of the FRS issuer. Finally, the HKMA will also have the power to make regulations to operationalise the FRS regulatory regime and issue guidelines regarding the way in which it expects to perform its functions with regards to this new regime.

E. Disciplinary Framework

The Legislative Proposal contemplates the creation of both a criminal and a civil framework. It will be a criminal offence to:

Issue an FRS in Hong Kong without a licence;
Advertise the issuance of FRS by an unlicensed issuer;
Fail to produce documents or information as required by the HKMA;
Provide false information to the HKMA; and
Contravene other conditions imposed by the HKMA in connection with the FRS licensing regime.

Separately, the HKMA will also have the power to impose civil and supervisory sanctions, including:

Issuing a caution, warning, reprimand or order to take specified action(s);
Issuing a temporary suspension, suspension or revocation of an FRS issuer’s license;
A pecuniary penalty not exceeding HK$10,000,000 or 3 times the amount of profit gained or loss avoided as a result of the contravention, whichever is higher; and
Any combination of the above.

As a check and balance, an appeal tribunal mechanism will be set up to address appeals against the HKMA’s disciplinary decisions. A person dissatisfied with the decision of the appeal tribunal will be able to appeal to the Court of Appeal against the determination on a point of law.

F. Transitional Arrangements

The FRS Issuer Licensing Regime is proposed to commence one month upon gazettal of the proposed new ordinance. However, the FSTB and HKMA have proposed a transitional arrangement to ensure the smooth transition into the new regime. Under this transitional regime, pre-existing FRS issuers conducting FRS issuance with a meaningful and substantial presence in Hong Kong prior to the commencement of the regime can continue to operate under a non-contravention period of six months, subject to submitting a licence application to the HKMA within the first three months of the commencement of the regime. This comparatively short transitional period (if not extended in the final version of the legislative regime) means that stablecoin issuers will need to take steps to quickly prepare licence applications (and establish a meaningful and substantial presence in Hong Kong if they do not already have one) following the gazettal of the new ordinance. Those pre-existing FRS issuers which fail to submit a licence application to the HKMA within the first three months will need to wind down its business by the end of the fourth month of the commencement of the regime.

__________

[1] See “Hong Kong SFC Consults On Licensing Regime For Virtual Asset Trading Platform Operators”, published by Gibson, Dunn & Crutcher (March 2, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-consults-on-licensing-regime-for-virtual-asset-trading-platform-operators/; and “New Hong Kong Regulatory Requirements and Licensing Regime for Virtual Asset Trading Platforms Finalised as Legislation Takes Effect”, published by Gibson, Dunn & Crutcher (June 7, 2023), available at https://www.gibsondunn.com/new-hong-kong-regulatory-requirements-and-licensing-regime-for-virtual-asset-trading-platforms-finalised-as-legislation-takes-effect/.

[2] “Hong Kong’s SFC Updates Guidance on Tokenised Securities-Related Activities”, published by Gibson, Dunn & Crutcher (November 10, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-updates-guidance-on-tokenised-securities-related-activities/.

[3] “Circular on SFC-Authorised Funds With Exposure to Virtual Assets”, published by the Securities and Futures Commission (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/products/product-authorization/doc?refNo=23EC65.

[4] “Circular on Virtual Asset Futures Exchange Traded Funds”, published by the Securities and Futures Commission (October 31, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=22EC60.

[5] These requirements are in addition to meeting the applicable requirements in the Overarching Principles Section and the Code on Unit Trusts and Mutual Funds in the SFC Handbook for Unit Trusts and Mutual Funds, Investment-Linked Assurance Schemes and Unlisted Structured Investment Products.

[6] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=23EC67.

[7] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (October 20, 2023), available here.

[8] “VA-related products” are defined as products which (a) have a principal investment objective or strategy to invest in virtual assets; (b) derive their value principally from the value and characteristics of virtual assets; or (c) track or replicate the investment results or returns which closely match or correspond to virtual assets.

[9] See Appendix 1 of the Joint Circular for the non-exhaustive criteria for assessing whether a client can be regarded as having knowledge of virtual assets.

[10] The minimum information and warning statements requirements require intermediaries to provide clear and easily comprehensible information and warning statements to clients in relation to VA-related products and information on the underlying VA investments; and provide to clients risk disclosure statements (which can be a one-off disclosure) specific to VAs.

[11] See Appendix 3 of the Joint Circular.

[12] “Legislative Proposal to Implement the Regulatory Regime for Stablecoin Issuers in Hong Kong Consultation Paper”, jointly published by the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (December 27, 2023), available at https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2023/20231227e4a1.pdf.

[13] “Another Step Towards the Regulation of Cryptocurrency in Hong Kong: HKMA Releases Discussion Paper on Stablecoins”, published by Gibson, Dunn & Crutcher (September 19, 2022), available at https://www.gibsondunn.com/another-step-towards-the-regulation-of-cryptocurrency-in-hong-kong-hkma-releases-discussion-paper-on-stablecoins/.

[14] “Hong Kong Monetary Authority Introduces Plans To Regulate Stablecoins”, published by Gibson, Dunn & Crutcher (February 7, 2023), available at https://www.gibsondunn.com/hong-kong-monetary-authority-introduces-plans-to-regulate-stablecoins/.

[15] For completeness, the Legislative Proposal defines “stablecoin” to mean “a cryptographically secured digital representation of value that, among other things – (a) is expressed as a unit of account or a store of economic value; (b) is used, or is intended to be used, as a medium of exchange accepted by the public, for the purpose of payment for goods or services; discharge of a debt; and/or investment; (c) can be transferred, stored or traded electronically; (d) uses a distributed ledger or similar technology that is not controlled solely by the issuer; and (e) purports to maintain a stable value with reference to a specified asset, or a pool or basket of assets.” To avoid overlap with the SVF regulatory regime, the FSTB and HKMA have expressly carved out “deposits, including its tokenized or digitally represented form; certain securities or future contracts (mainly authorized collective investment schemes and authorized structured products); float stored in SVFs or SVF banks; and certain digital representations of fiat currencies issued by or on behalf of central banks; and certain digital representation of value that has a limited purpose” from the definition of “stablecoins”.

[16] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.

[17] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.

[18] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.

The following Gibson Dunn lawyers prepared this client alert: William Hallatt, Emily Rumble, and Jane Lu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Global Financial Regulatory team, including the following members in Hong Kong and Singapore:

William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Grace Chong – Singapore (+65 6507 3608, gchong@gibsondunn.com)
Emily Rumble – Hong Kong (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)
Becky Chung – Hong Kong (+852 2214 3837, bchung@gibsondunn.com)

This update provides an overview of key class action-related developments during the fourth quarter of 2023 (October to December).

Table of Contents

Part I reviews decisions from the Sixth and Tenth Circuits reaffirming the importance of courts conducting a “rigorous” analysis of each Rule 23 factor before certifying a class;
Part II provides an update on cases analyzing the need for plaintiffs to demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3); and

Part III discuses a Ninth Circuit decision scrutinizing the adequacy of a lead plaintiff in a class settlement.

I. Circuit Courts Continue to Emphasize the Importance of “Rigorously” Analyzing Each Rule 23 Class Certification Factor

In its landmark decision in Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011), the Supreme Court held (among other things) that before certifying a class, district courts must conduct a “rigorous analysis” of the Rule 23 factors. Id. at 351. This critical requirement remains alive and well, as we’ve covered in previous updates, including here and here. And this past quarter, circuit courts have continued to emphasize that district courts cannot grant class certification with a rubber stamp.

In Brayman v. KeyPoint Government Solutions, Inc., 83 F.4th 823 (10th Cir. 2023), the Tenth Circuit vacated an order granting class certification because “[a] rigorous analysis requires more” than a one-paragraph discussion of predominance. Id. at 838–39. The district court had certified a class of employees who alleged their employer required them to work uncompensated overtime. Although the Tenth Circuit declined to conduct the commonality or predominance analyses itself in the first instance, it provided suggestions about “some of the questions that the district court would need to consider when determining what issues in the class action were common issues, what issues were individual issues, and which predominate.” Id. at 839–41.

As one example, the Tenth Circuit considered how the plaintiffs would prove that an employee worked uncompensated overtime. The plaintiffs contended that each class member would testify about how many hours they worked per week, yet they failed to present any “expert testimony, statistical data, or representative evidence” showing how this was a common, rather than an individual, issue. Id. at 839. As another example, the Tenth Circuit noted that to succeed on their claims, the plaintiffs had to establish that their employer knew of this overtime work, but the plaintiffs’ “unelaborated” interrogatory answers and deposition testimony were not “sufficiently specific and representative to be ‘common’ evidence that would be admissible in each [putative class member]’s individual case” about the employer’s knowledge for that particular individual. Id. at 840.

Similarly, in In re Ford Motor Co., 86 F.4th 723 (6th Cir. 2023), the Sixth Circuit concluded the district court did not conduct a rigorous analysis of commonality, cautioning that Rule 23 “requires a named plaintiff to offer ‘[s]ignificant’ evidentiary proof that he can meet all four of [its] criteria.” Id. at 726 (emphasis added). In re Ford involved allegations about alleged brake design defects in pickup trucks over a five-year period. Id. Although the district court certified Rule 23(c)(4) “issue” classes to resolve three primary issues related to the purported defects, it did so with “cursory treatment of commonality.” Id. In particular, the district court’s analysis did “not make clear that the three certified issues can each be answered ‘in one stroke.’” Id. at 727 (quoting Dukes, 564 U.S. at 350). For instance, one certified issue concerned whether the brakes in the pickup trucks were defective. Although the plaintiffs alleged this was a common issue, the district court failed to “grapple” with the evidence that certain redesigns and manufacturing changes over the class period made a material difference to the alleged defect. Id. at 728. The Sixth Circuit reminded trial judges that they “must evaluate whether each of the four Rule 23(a) factors is actually satisfied, not merely that the factors are properly alleged.” Id. at 729 (citations omitted) (emphases added).

II. Circuit Courts Continue to Require Classwide Method of Proving Injury Before Certifying Rule 23(b) Classes

Two decisions from this quarter, Huber v. Simon’s Agency, Inc., 84 F.4th 132 (3d Cir. 2023), and Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), reaffirmed the principle that plaintiffs must demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3).

Huber concerned a putative class action against a medical debt collection agency that allegedly provided misleading and confusing notices to debtors. See 84 F.4th at 141. The named plaintiff claimed she incurred extensive financial costs as a result of the misleading information. See id. at 143. The district court certified a class of individuals who received the same information from the defendant. Id. at 142.

On appeal, the Third Circuit held that under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), and circuit precedent, merely receiving a misleading notice, without allegations of financial loss, was insufficient to establish Article III standing. Huber, 84 F.4th at 148–49. While the Third Circuit ruled that the class action was justiciable because the named plaintiff herself had standing, it reasoned that unnamed class members would need to put forward specific information about their financial circumstances to meet the justiciability requirement. Id. at 147–54. The Third Circuit therefore vacated the certification order and remanded to the district court to assess “the implications of [the] individualized showings [the unnamed class members need to make] for the predominance requirement.” Id. at 157.

In remanding, the Third Circuit offered guidance as to how the predominance inquiry should unfold: if few class members are able to show that they suffered concrete financial injuries, then the class should not be considered sufficiently cohesive to warrant certification. Id. at 157–58. On the other hand, if many class members appear likely to have standing or “if there is a plausible straightforward method to sort them out at the back end of the case,” then the case may be able to proceed on behalf of the class. Id.

In a similar case, Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), the Fifth Circuit vacated a class certification order because the plaintiffs failed to identify a classwide way of establishing the defendant’s liability. Sampson was a breach of contract action against an insurance company based on its use of a particular method of vehicle valuation. See id. at 417. The plaintiffs-insureds claimed that if the defendant had used a different valuation method, they would have gotten bigger payouts when they totaled their cars. Id.

One of the questions on appeal was whether the plaintiffs could establish classwide injury—an essential element of the claims at issue—by relying on their preferred vehicle-valuation standard. Id. at 421. According to the plaintiffs, the choice of the appropriate vehicle-valuation standard was only a damages question, and district courts have wide discretion to choose among damages models at the class-certification stage. Id. The Fifth Circuit acknowledged that district courts generally do have such discretion, but the purported damages issue was actually entwined with the question of injury. Id. at 421–22. Because the selection of the appropriate vehicle-valuation standard was not just a choice between “imperfect damages models,” but rather went to the question of liability, the Fifth Circuit concluded that “a district court’s wide discretion to choose an imperfect estimative-damages model at the certification stage” had no application. Id. at 422–23.

III. The Ninth Circuit Vacates Approval of Class Settlement, Holding that Class Representative Who Was Subject to Arbitration Agreement Could Not Adequately Represent Class Members Who Were Not

As reported in several previous updates (including here and here), circuit courts have continued the trend of taking more active roles in scrutinizing class settlements. This past quarter, the Ninth Circuit vacated the approval of a class settlement in a case against a dating app, holding that the lead plaintiff was not an adequate representative of the class due to her conflict of interest and failure to vigorously litigate on behalf of all 240,000 class members. See Kim v. Allison, 87 F.4th 994 (9th Cir. 2023).

In Kim, the plaintiff alleged a dating app’s age-based pricing scheme violated California law. Id. at 999. The defendant successfully moved to compel arbitration as to the lead plaintiff because she had agreed to a version of the app’s terms of use that included an arbitration clause. Id. While the plaintiff was appealing the order compelling arbitration, she negotiated a class settlement.

In this second appeal from the settlement approval, objectors focused their arguments on the lead plaintiff’s lack of adequacy, arguing that “unlike the remainder of the class, [the plaintiff] was subject to a binding arbitration order” and the class definition did not account for that important difference. 87 F.4th at 999. The Ninth Circuit agreed that the plaintiff was an inadequate representative and vacated the settlement.

With respect to the plaintiff’s conflict of interest, the Ninth Circuit emphasized that she was subject to an agreement to arbitrate, while potentially 7,000 other class members were not. Id. at 1001. The court reasoned that the plaintiff had a strong interest in settling her claims since she has “no chance of going to trial,” even “at the cost of a broad release of other claims that are not subject to arbitration.” Id. The conflict was “exacerbated” by other provisions in the version of the terms of use that she accepted, including a Texas choice-of-law provision and limitation on liability that did not bind other class members. Id. The court also faulted the plaintiff for making inadequate efforts to conduct discovery before reaching a settlement, and said her “approach to opposing [the defendant]’s motion to compel [arbitration was] not suggestive of vigor” because she “belatedly raised formation challenges” when opposing that motion and failed to make “obvious arguments until after they were forfeited.” Id. at 1002–03.

The following Gibson Dunn lawyers contributed to this update: Swathi Sreerangarajan, Jenna Bernard, Maura Carey*, Wesley Sze, Lauren Blas, Bradley Hamburger, Kahn Scolnick, and Christopher Chorba.

Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions, Litigation, or Appellate and Constitutional Law practice groups, or any of the following lawyers:

Theodore J. Boutrous, Jr. – Los Angeles (+1 213.229.7000, tboutrous@gibsondunn.com)
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213.229.7396, cchorba@gibsondunn.com)
Theane Evangelis – Co-Chair, Litigation Practice Group, Los Angeles (+1 213.229.7726, tevangelis@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Kahn A. Scolnick – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213.229.7656, kscolnick@gibsondunn.com)
Bradley J. Hamburger – Los Angeles (+1 213.229.7658, bhamburger@gibsondunn.com)
Michael Holecek – Los Angeles (+1 213.229.7018, mholecek@gibsondunn.com)
Lauren M. Blas – Los Angeles (+1 213.229.7503, lblas@gibsondunn.com)

*Maura Carey is an associate practicing in the firm’s Palo Alto office who is not yet admitted to practice law.

I. Introduction

In contrast to previous years, the 2023 privacy and cybersecurity landscape in the United States was not shaped by an overarching event like the COVID-19 pandemic or Russia’s invasion of Ukraine. 2023 was nonetheless another groundbreaking year for privacy and cybersecurity on the regulatory and enforcement fronts.

Congress’s failure to pass a comprehensive privacy bill left the White House and federal agencies—along with state legislators and agencies—to lead the charge in regulating privacy and cybersecurity in the United States. The White House doubled down on its push to implement a national strategy on cybersecurity, with important implications for federal, state, and private entities. Numerous federal agencies—including the FTC, SEC, CFPB, and HHS—promulgated privacy and data protection regulations and guidance on a range of issues, including cyber-incident disclosure, children’s online privacy, biometric and genetic data, artificial intelligence (“AI”), and algorithmic decision making. Many agencies also brought enforcement actions against companies and (increasingly) individuals for privacy, data security, and related violations.

States were similarly active in 2023, passing and enforcing a flurry of new comprehensive state privacy laws. State agencies like the New York Department of Financial Services took aggressive steps to tighten data protection regulations for entities under their umbrella. And, while this publication does not focus on AI (a topic which will be covered in detail by Gibson Dunn’s forthcoming Artificial Intelligence Legal Review), the rapid rise and proliferation of AI technology was a defining feature of the privacy and cybersecurity landscape in 2023. Litigation likewise remained active, with notable upticks in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. We expect these trends to accelerate in 2024 and beyond, as the body of privacy and cybersecurity regulation matures and expands.

This Review contextualizes these and other 2023 developments by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, digital, telecommunications, wiretapping, and biometric information privacy laws; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in detail by Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents

I. INTRODUCTION

II. REGULATION OF PRIVACY AND DATA SECURITY

A. Regulation of Privacy and Data Security

1. State Legislation and Related Regulations

a. Comprehensive State Privacy Laws

i. Applicability
ii. Exemptions
iii. Data Subject Rights
iv. Data Controller Obligations
v. Enforcement

b. Other State Privacy Laws

i. Washington’s My Health My Data Act
ii. Montana’s Genetic Information Privacy Act
iii. California’s Delete Act
iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules
v. New Child Social Media Laws

2. Federal Legislation

a. Comprehensive Federal Privacy Legislation
b. Other Introduced Legislation

B. Enforcement and Guidance

1. Federal Trade Commission

a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security

i. FTC’s Approach to Data Security
ii. Rulemaking on Commercial Surveillance and Data Security

d. Notable FTC Enforcement Actions
e, Financial Privacy
f. Children’s and Teens’ Privacy
g. Biometric Information

2. Consumer Financial Protection Bureau

a. Personal Financial Data Rights Rulemaking
b. Increased Oversight of Non-bank Entities
c. Increased Scrutiny of Data Brokers
d. Artificial Intelligence and Algorithmic Bias

3. Securities and Exchange Commission

a. Regulation
b. Enforcement

4. Department of Health and Human Services and HIPAA

a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions

5. Other Federal Agencies

a. Department of Homeland Security
b. Department of Justice
c. Department of Commerce
d. Department of Energy
e. Department of Defense
f. Federal Communications Commission

6. State Agencies

a. California
b. Other State Agencies
c. Major Data Breach Settlements

III. CIVIL LITIGATION REGARDING PRIVACY AND DATA SECURITY

A. Data Breach Litigation

1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions
2. Cybersecurity Related Securities Litigation

B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
C. Anti-Hacking and Computer Intrusion Statutes

1. CFAA
2. CDAFA

D. Telephone Consumer Protection Act Litigation
E. State Law Litigation

1. California Consumer Privacy Act Litigation

a. Potential Anchoring Effect of CCPA Statutory Damages
b. Requirements for Adequately Stating a CCPA Claim
c. CCPA Violations Under the UCL
d. The CCPA’s 30-Day Notice Requirement
e. Guidance on Reasonable Security Measures in Connection with the CCPA

2. State Biometric Information Litigation

a. Illinois Biometric Information Privacy Act

i. Expansion of BIPA’s Scope
ii. New Recognized Limitations Under BIPA

b. Texas Biometric Privacy Law Litigation
c. New York Biometric Privacy Law Litigation

F. Other Noteworthy Litigation

A. Data-Intensive Technologies—Privacy Implications and Trends
B. Emerging Privacy Enhancing Technologies (PETs)
C. Governmental Data Collection

V. CONCLUSION

II. Regulation of Privacy and Data Security

Since 2018, 14 states have enacted comprehensive data privacy legislation. Five of these are currently effective, and the remaining nine will go into effect between 2024 and 2026. A number of additional state legislatures considered comprehensive consumer privacy laws this past year but have yet to enact them. In addition, several states have passed narrower data privacy laws governing the use of specific categories of information, such as health and genetic information. These laws demonstrate the states’ efforts to ensure the protection of consumers’ data in the absence of a comprehensive federal data privacy law. We highlight several of these state privacy laws below and provide an overview of key similarities and differences.

A. Regulation of Privacy and Data Security

1. State Legislation and Related Regulations

a. Comprehensive State Privacy Laws

California was the first state to adopt a comprehensive data privacy law with the enactment of the California Consumer Privacy Act (“CCPA”) in 2018. The California Privacy Rights Act (“CPRA”) amended the CCPA in 2020. Since then, 13 other states—Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia—have followed California in enacting comprehensive privacy laws. As shown in the below list of comprehensive state privacy laws enacted to date, five went into effect in 2023, an additional four will go into effect in 2024, four in 2025, and one in 2026. Most of these generally align with the standard template created by the comprehensive state privacy laws in Virginia, Colorado, Connecticut, and Utah, with a few having unique features, which are highlighted below. Please see last year’s Review for a more detailed assessment of the comprehensive data privacy laws in California, Virginia, Colorado, Connecticut, and Utah, which have all now gone into effect.

Table 1: Comprehensive State Privacy Laws

Law	Enacted Date	Effective Date
California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)[1]	CCPA: June 28, 2018 CPRA: November 3, 2020	CCPA: January 1, 2020 CPRA: January 1, 2023
Virginia Consumer Data Protection Act (VCDPA)[2]	March 2, 2021	January 1, 2023
Colorado Privacy Act (CPA)[3]	July 7, 2021	July 1, 2023
Connecticut Data Privacy Act (CTDPA)[4]	May 10, 2022	July 1, 2023
Utah Consumer Privacy Act (UCPA)[5]	March 24, 2022	December 31, 2023
Florida Digital Bill of Rights (FDBR)[6]	June 6, 2023	July 1, 2024
Texas Data Privacy and Security Act (TDPSA)[7]	June 18, 2023	July 1, 2024
Oregon Consumer Privacy Act (OCPA)[8]	July 18, 2023	July 1, 2024
Montana Consumer Data Privacy Act (MTCDPA)[9]	May 19, 2023	October 1, 2024
Iowa Consumer Data Protection Act (ICDPA)[10]	March 29, 2023	January 1, 2025
Delaware Personal Data Privacy Act (DPDPA)[11]	September 11, 2023	January 1, 2025
New Jersey Data Privacy Act (NJDPA)[12]	January 16, 2024	January 15, 2025
Tennessee Information Protection Act (TIPA)[13]	May 11, 2023	July 1, 2025
Indiana Consumer Data Protection Act (INCDPA)[14]	May 1, 2023	January 1, 2026

The tables below review core aspects of these laws, including applicability, exemptions, data subject rights, data controller obligations, and enforcement.

i. Applicability

Each comprehensive state privacy law applies to entities that conduct business in that state or provide products and services to residents of that state, and that meet certain applicability thresholds. As shown in Table 2 below, these thresholds typically relate to a company’s annual gross revenue and/or the number of individuals whose personal information the business processes or controls. California is unique in applying its comprehensive privacy law to companies that derive 50% or more of their revenue from selling California residents’ personal information, without pairing that requirement with a minimum number of consumers whose data is processed. Florida and Texas also have distinct requirements: Florida’s statutory thresholds are designed to limit the application of the law to large companies, and Texas’s law does not carry any fixed numerical thresholds with respect to gross revenue or number of consumers’ whose data is processed. Unless otherwise indicated, all thresholds listed below are disjunctive requirements.

Table 2: Applicability of Comprehensive State Privacy Laws

ii. Exemptions

All comprehensive state privacy laws also have exemptions for certain entities and categories of data. For example, non-profit entities and entities subject to the GLBA are exempt under most comprehensive state privacy laws. HIPAA-regulated data (but not necessarily entities regulated by HIPAA generally), employee data, and business contact data are likewise typically exempt under all comprehensive state privacy laws, except for in California. California is the only state whose GLBA exemption applies only at the data level, but not the entity level. Other exemptions not included below might include entities or data regulated by other laws, such as the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Table 3 below provides a non-exhaustive list of common exemptions.

Table 3: Exemptions in Comprehensive State Privacy Laws

Law	Non-Profits (generally)	Consumers Engaged in a Commercial or Employment Context (i.e., employees and business contacts)	HIPAA Exemption (at the data level, entity level, or both)	GLBA Exemption (at the data level, entity level, or both)
CCPA/CPRA (California)	N	N	Data	Data
VCDPA (Virginia)	N	Y	Both	Both
CPA (Colorado)	Y	Y	Data	Both
CTDPA (Connecticut)	N	Y	Both	Both
UCPA (Utah)	N	Y	Both	Both
FDBR (Florida)	N	Y	Both	Both
TDPSA (Texas)	N	Y	Both	Both
OCPA (Oregon)	Y	Y	Data	Data
MTCDPA (Montana)	N	Y	Both	Both
ICDPA (Iowa)	N	Y	Both	Both
DPDPA (Delaware)	Y	Y	Data	Both
NJDPA (New Jersey)	N	Y	Data	Both
TIPA (Tennessee)	N	Y	Both	Both
INCDPA (Indiana)	N	Y	Both	Both

iii. Data Subject Rights

All comprehensive state privacy laws that have been enacted or are in effect provide consumers with the right to access their data, data portability, opt-out of the sale of their data and use of certain data in connection with targeted advertising, and the right to not be discriminated against for exercising their rights. They also provide covered entities with the ability to verify or authenticate the identity of a consumer looking to exercise her rights. However, there are additional rights that are provided by some, but not all, comprehensive state privacy laws. These are outlined in Table 4 below.

Table 4: Data Subject Rights in Comprehensive State Privacy Laws

Law	Correct Inaccurate Data	Request a List of Third Parties with Whom Data Has Been Disclosed	Opt-Out of the Use of Data for Certain Profiling	Limit the Use and Disclosure of Sensitive Data	Appeal the Denial of Data Subject Rights Requests	Right to Appoint Authorized Agents to Submit Data Subject Rights Requests	Have Opt-Out Signals Recognized	Days to Respond to Requests
CCPA/CPRA (California)	Y	N	Y	Limit use	N	Y	Y	15 business days for requests to opt-out and limit use; 45 calendar days for other requests
VCDPA (Virginia)	Y	N	Y	Opt-in	Y	N	N	45 calendar days
CPA (Colorado)	Y	N	Y	Opt-in	Y	Y	Y	45 calendar days
CTDPA (Connecticut)	Y	N	Y	Opt-in	Y	Y	Y	45 calendar days
UCPA (Utah)	N	N	N	Opt-out	N	N	N	45 calendar days
FDBR (Florida)	Y	N	Y	Opt-in	Y	N	N	45 calendar days
TDPSA (Texas)	Y	N	Y	Opt-in	Y	Y	Y	45 calendar days
OCPA (Oregon)	Y	Y	Y	Opt-in	Y	Y	Y	45 calendar days
MTCDPA (Montana)	Y	N	Y	Opt-in	Y	N	N	45 calendar days
ICDPA (Iowa)	N	N	N	Opt-out	Y	N	N	90 calendar days
DPDPA (Delaware)	Y	N	Y	Opt-in	Y	Y	Y	45 calendar days
NJDPA (New Jersey)	Y	N	Y	Opt-in[15]	Y	Y	Y	45 calendar days
TIPA (Tennessee)	Y	N	Y	Opt-in	Y	N	N	45 calendar days
INCDPA (Indiana)	Y	N	Y	Opt-in	Y	N	N	45 calendar days

iv. Data Controller Obligations

All comprehensive state privacy laws impose certain obligations on data controllers (entities that determine the purposes and means of processing of personal data). These include: data minimization; purpose limitations; maintaining privacy policies; maintaining reasonable administrative, technical, and physical data security controls; and contractually obligating personal data processors or service providers to comply with the applicable law. Data minimization in particular may be a significant requirement, as it requires companies to only keep data as long as they have a business need and promptly delete it thereafter. Some of the privacy laws impose additional obligations, which are outlined in Table 5 below. Specifically, some laws require (a) data protection impact assessments, which are designed to identify and minimize data protection risks, (b) financial incentive notices, which disclose discounts or other incentives that are provided in exchange for providing personal information, and (c) specific contractual requirements that set forth how vendors that process data on a business’s behalf will act.

Table 5: Data Controller Obligations in Comprehensive State Privacy Laws

Law	Data Protection Impact Assessment	Financial Incentive Notice	Third-Party/Contractor Contract Requirement
CCPA/CPRA (California)	Y (not finalized)	Y	Y
VCDPA (Virginia)	Y	N	N
CPA (Colorado)	Y	Y	N
CTDPA (Connecticut)	Y	N	N
UCPA (Utah)	N	N	N
FDBR (Florida)	Y	N	N
TDPSA (Texas)	Y	N	N
OCPA (Oregon)	Y	N	N
MTCDPA (Montana)	Y	N	N
ICDPA (Iowa)	N	N	N
DPDPA (Delaware)	Y	N	N
NJDPA (New Jersey)	Y	N	Y
TIPA (Tennessee)	Y	N	N
INCDPA (Indiana)	Y	N	N

v. Enforcement

Finally, there are differences between how each of these comprehensive state privacy laws are enforced and the penalties for noncompliance. As a general matter, comprehensive state privacy laws provide state attorneys general with sole enforcement authority. To date, the state laws have notably not provided for a private right of action. The only outlier is the CCPA/CPRA, which provides a limited private right of action for consumers affected by data breaches, under certain circumstances. Many states also provide for a right to cure, meaning that a plaintiff must provide a putative defendant with notice and an opportunity to cure the violation prior to bringing suit. The enforcement mechanisms provided for by each comprehensive state privacy law are outlined in Table 6 below.

Table 6: Enforcement of Comprehensive State Privacy Laws

Law	Private Right of Action	Enforcement Authority	Right to Cure	Financial Penalties
CCPA/CPRA (California)	Y[16]	California Attorney General and California Privacy Protection Agency	N/A	Up to $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of minors.
VCDPA (Virginia)	N	Virginia Attorney General	30 days	Up to $7,500 per violation.
CPA (Colorado)	N	Colorado Attorney General and local district attorneys	60 days (provision expires January 1, 2025)	Up to $20,000 per violation, with a total maximum penalty of $500,000.
CTDPA (Connecticut)	N	Connecticut Attorney General	60 days (provision expires January 1, 2025)	Up to $5,000 per violation.
UCPA (Utah)	N	Utah Attorney General and Utah Division of Consumer Protection	30 days	Up to $7,500 per violation.
FDBR (Florida)	N	Florida Department of Legal Affairs	45 days (except for violations involving a known child)	Up to $50,000 per violation, or triple that where the violation involves a FL consumer under 18 years old, failure to delete or correct applicable personal information, or the continuing to sell or share the personal information after a consumer opts out of such sale or sharing.
TDPSA (Texas)	N	Texas Attorney General	30 days	Up to $7,500 per violation.
OCPA (Oregon)	N	Oregon Attorney General	30 days (provision expires January 1, 2026)	Up to $7,500 per violation.
MTCDPA (Montana)	N	Montana Attorney General	60 days (provision expires April 1, 2026)	Up to $7,500 per violation.
ICDPA (Iowa)	N	Iowa Attorney General	90 days	Up to $7,500 per violation.
DPDPA (Delaware)	N	Delaware Department of Justice	60 days (provision expires January 1, 2026)	Up to $10,000 per willful violation.
NJDPA (New Jersey)	N	New Jersey Attorney General	30 days (provision expires 18 months after enactment)	Up to $10,000 for the first violation and $20,000 for subsequent violations.
TIPA (Tennessee)	N	Tennessee Attorney General	60 days	Up to $7,500 per violation.
INCDPA (Indiana)	N	Indiana Attorney General	30 days	Up to $7,500 per violation.

b. Other State Privacy Laws

In addition to the comprehensive state privacy laws discussed above, states have continued to legislate in narrower areas, particularly with relation to health or genetic information.

i. Washington’s My Health My Data Act

On April 27, 2023, Washington Governor Jay Inslee signed the “My Health My Data Act” (“MHMDA”) into law, modifying the legal landscape with respect to health-related data for certain Washington entities.[17] The MHMDA creates a privacy regime focused on personal health data.

Covered Entities. The MHMDA applies to “regulated entities” that process “consumer health data.” The law defines “regulated entity” as any “legal entity” that: (1) “[c]onducts business in Washington or produces or provides products or services that are targeted to consumers in Washington”; and (2) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data,” whether “alone or jointly with others.”[18] Practically, the law applies to any entity that does business in Washington and collects or processes consumer health data. Government agencies, tribal nations, and service providers that are contracted to process consumer health data on behalf of a government agency are exempt from this definition and not considered regulated entities.[19] “Small businesses” are not exempt from the MHMDA, but are given an extra three months to comply.[20]

Covered Data. The law defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”[21] Examples of this type of data include surgeries or other health-related procedures, reproductive or sexual health information, and genetic data.[22] The primary statutory carveout from the definition of “consumer health data” is information “used to engage in public or peer-reviewed scientific, historical, or statistical research.”[23] However, the research must be monitored by an independent oversight entity that implements safeguards to mitigate privacy risks, including the risk associated with the reidentification of consumer data.[24] The Washington Attorney General, who is charged with enforcing the MHMDA, has explained that purchases of “toiletry products (such as deodorant, mouthwash, and toilet paper)” do not qualify as “consumer health data,” even though they relate to “bodily functions,” whereas “an app that tracks someone’s digestion or perspiration is collecting consumer health data.”[25]

Key Requirements. The MHMDA prohibits regulated entities from collecting or sharing consumer health data without first satisfying certain notice and consent requirements, including: requiring regulated entities to maintain a “consumer health data privacy policy” linked to on their homepage that discloses:

the categories of consumer health data collected and the purpose for which the data is collected;
the categories of sources from which the consumer health data is collected;
the categories of consumer health data shared; and
a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data.[26]

Regulated entities may only collect or share consumer health data if a consumer provides a prior “clear affirmative act” expressing consent, or if the collection is “necessary to provide a product or service that the consumer . . . has requested.”[27]

Consumer Rights. The MHMDA also provides consumers with a number of protections, including the right to: (1) confirm whether a regulated entity is collecting, sharing, or selling their consumer health data; (2) access that data; (3) withdraw consent for the collection and sharing of their consumer health data; and (4) delete their data.[28]

Enforcement. A violation of the MHMDA is considered a violation of the Washington Consumer Protection Act.[29] The Washington Attorney General may enforce the law.[30] Consumers may also pursue private actions for violations of the MHMDA.[31]

ii. Montana’s Genetic Information Privacy Act

On June 7, 2023, Montana Governor Greg Gianforte signed into law the “Montana Genetic Information Privacy Act” (“MTGIPA”). The MTGIPA applies to any entity that offers consumer genetic testing products or services directly to a consumer, or collects, uses, or analyzes genetic data.[32] “Genetic data” is defined as “any data, regardless of format, concerning a consumer’s genetic characteristics.”[33] The MTGIPA requires covered entities to provide a privacy policy and notice regarding their use of genetic data and to obtain a consumer’s “express consent” in order to collect, use, or disclose a consumer’s genetic data.[34] The MTGIPA also requires an entity to “develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.”[35] The Montana Attorney General has sole authority to enforce the MTGIPA.[36]

iii. California’s Delete Act

On October 10, 2023, California Governor Gavin Newson signed the “Delete Act” into law.[37] The law revises California’s data broker registration law and gives consumers the right to manage data held by data brokers free of charge by submitting a single deletion request to a centralized website.[38] After a deletion request is submitted, a data broker is required to delete data within 45 days, and continue deleting any personal information collected about that consumer at least every 45 days thereafter.[39] After a consumer has submitted a deletion request, data brokers are also prohibited from selling or sharing new personal information about the consumer in the future.[40] Consumers will have the option to “selectively exclude” data brokers when submitting a deletion request.[41] The law also requires data brokers to “undergo an audit by an independent third party to determine compliance” with the law.[42]

Under the law, a “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”[43] But the law includes exemptions for entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Confidentiality of Medical Information Act, or HIPAA, and business associates of covered entities under the Confidentiality of Medical Information Act or HIPAA.[44]

iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules

On November 1, 2023, the New York State Department of Financial Services (“NYDFS”) issued its Second Amendment to 23 NYCRR Part 500 (“Part 500”), which establishes numerous cybersecurity requirements for regulated entities.[45] As discussed in more depth in our recent client alert, the amendments to Part 500 include: expanded responsibility for senior governing bodies, obligations to implement additional safeguards, new requirements for larger companies, new and increased obligations related to written policies and procedures, heightened requirements around audits and risk assessments, and additional reporting requirements for cybersecurity incidents. NYDFS is responsible for enforcing Part 500 and has brought several enforcement actions against various financial entities, including banks, money transfer service providers, and cryptocurrency service providers.[46]

v. New Child Social Media Laws

Several states passed laws restricting social media apps, but those laws have been challenged in the courts. For example, Utah’s Social Media Regulation Act[47] requires social media companies with at least 5,000,000 account holders worldwide to verify the age of adults seeking to maintain or open social media accounts; obtain parental consent for users under the age of 18 to open an account; imposes restrictions on children’s accounts; and prohibits collections of certain data and targeted advertising.[48] The law may be enforced by either the Division of Consumer Protection or through a private right of action.[49] Plaintiffs may obtain up to $2,500 in statutory damages per violation, in addition to attorney’s fees and costs.[50] The law has been challenged in two different suits that are ongoing.[51]

A similar law in Arkansas that would require parental permission for children to create certain social media accounts was blocked by a federal judge.[52] The judge concluded in granting the preliminary injunction that the law, as written, was unconstitutionally vague because it failed to adequately define “social media company,” and therefore which entities were subject to its requirements.[53] The judge also agreed that the law likely violates the First Amendment because the age verification process would chill speech by deterring adults from signing up for social media accounts and that the law is unnecessarily overbroad insofar as it attempts to protect minors from harmful or obscene content.[54] And a Montana federal judge blocked a law in that state that would prohibit mobile application stores from offering TikTok to Montana users.[55] The court, in granting the preliminary injunction, found that plaintiffs were likely to succeed on the merits of their arguments—namely, that an outright ban on a specific app likely violates the First Amendment, the Commerce Clause, and is preempted by federal national security law, among other reasons.[56]

2. Federal Legislation

a. Comprehensive Federal Privacy Legislation

Comprehensive federal privacy legislation remains a popular, yet unrealized, objective despite recent congressional efforts.

The American Data Privacy and Protection Act (“ADPPA”) introduced in 2022 was the most advanced attempt to-date at enacting a comprehensive federal privacy bill. However, the bill died when it failed to advance to the House or Senate floors before the last Congress adjourned in January 2023.[57] As proposed, the ADPPA bill required covered companies to engage in “data minimization” and adopt “privacy by design” principles.[58] The ADPPA also prohibited covered entities from designing and employing discriminatory algorithms, and required them to study the impacts of their algorithms.[59]

Government enforcement of the ADPPA would have been left largely to the FTC at the federal level, alongside state attorneys general and other key state officials.[60] But the ADPPA’s addition of a private right of action was a source for serious concern due to the burden and cost of class action lawsuits.[61] The bill also explicitly preempted most state privacy laws—a fact that some believe was largely responsible for the bill’s demise.[62]

Calls for comprehensive federal privacy legislation continued throughout 2023 despite the ADPPA’s failure. In the spring, Congress held hearings on the continuing need for such legislation.[63] President Biden echoed these calls in an executive order (which also enacted AI safety measures).[64] In his 2023 State of the Union address, the President likewise called for stronger online privacy protections for children.[65]

b. Other Introduced Legislation

Congress did not pass any privacy laws in 2023, although a significant number of consumer and individual privacy-related legislation was introduced.[66] This proposed privacy legislation covered a range of topics, including surveillance technologies, health privacy, privacy for children online, facial recognition, AI, and cybersecurity.

Many of the measures attracted significant bipartisan support, but lawmakers remained divided over the same two issues that sunk more comprehensive federal privacy legislation: (1) whether federal privacy laws should preempt state laws (a position attracting more Republican support) and (2) whether it should include a private right of action (which more Democrats favor). Nevertheless, in the absence of comprehensive federal privacy legislation, Congress may still be more likely to enact legislation on a narrower topic that draws more bipartisan support, such as children’s online safety, in the future.[67]

Lawmakers focused in particular on digital privacy and safety in 2023, especially for children on social media. They held widely publicized hearings on the topic, bringing in social media executives for questioning, with more hearings to come in 2024.[68] In July 2023, the U.S. Senate Commerce Committee advanced a pair of measures seeking to put more responsibility on social media platforms to ensure child safety online: the Kids Online Safety Act, which would require platforms to enact measures to prevent harms to minors and to restrict targeted advertising for children under 13;[69] and COPPA 2.0, which would upgrade and expand the original children’s online privacy law, including by adding protections for teens ages 13 to 16.[70]

Other privacy bills introduced in 2023 include: the Informing Consumers about Smart Devices Act (requiring manufacturers to disclose that a camera or microphone is part of a device before purchase),[71] the Stop Spying Bosses Act (requiring disclosure of or prohibiting surveillance, monitoring, and collection of worker data),[72] the UPHOLD Privacy Act (establishing protection for personally identifiable health and location data),[73] the DELETE Act (requiring the FTC to establish a system allowing individuals to request that data brokers delete their personal information),[74] the Data Care Act of 2023 (imposing duty of care, loyalty, and confidentiality on online service providers),[75] the Online Privacy Act of 2023 (establishing individual privacy rights and creating a private right of action and Digital Privacy Agency),[76] and others described in this Review.

Congress also considered cybersecurity-related legislation: the Federal Cybersecurity Vulnerability Reduction Act of 2023 (requiring certain government contractors to adopt vulnerability disclosure policies),[77] the Modernizing the Acquisition of Cybersecurity Experts Act of 2023 (generally barring agencies from setting minimum educational requirements for cybersecurity workers),[78] and the Federal Cybersecurity Workforce Expansion Act (providing training and apprenticeships for cybersecurity workers).[79]

B. Enforcement and Guidance

In 2023, government regulators remained active in enforcement and regulatory efforts related to data privacy, cybersecurity, and new technology. This section summarizes notable regulatory and enforcement efforts by the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFBP”), Securities and Exchange Commission (“SEC”), Department of Health and Human Services (“HHS”), and other federal and state agencies.

1. Federal Trade Commission

The FTC remained active in the regulation and enforcement of cybersecurity and data privacy in 2023—and continued to aggressively pursue new regulatory, enforcement, and litigation matters in other areas as well. Several actions, such as its rulemaking on junk fees, have had important impacts on online businesses. For example, the proposed junk fees rule was introduced in direct response to President Biden’s announced priorities for consumer protection’ and following his call for transparency in consumer pricing.[80] The FTC extended the comment period for the rule through February 7, 2024.[81] As currently drafted, the rule would ban “hidden fees”—or fees that are mandatory, even if provided by a different entity. It would also ban “misleading fees,” essentially requiring disclosure of the purpose and refundability of any fees charged.

The FTC also continued to prioritize algorithmic bias and AI, commercial surveillance, data security, and children’s privacy. Further, the FTC expanded its regulatory and enforcement scope related to biometric information. This section discusses the FTC’s notable actions on these topics in 2023.

a. FTC Organization Updates

In March 2023, Republican Commissioner Christine Wilson resigned abruptly from the FTC, publicly citing her disagreements with Chair Lina Khan’s vision and management of the FTC.[82] This created an additional vacancy on the five-member commission, following the departure of Commissioner Noah Phillips in October 2022.

In July 2023, President Joe Biden nominated two Republican replacements: Virginia Solicitor General Andrew Ferguson and Utah Solicitor General Melissa Holyoak.[83] Prior to his current appointment as Virginia Solicitor General, Ferguson served in numerous roles on the Hill, including as Chief Counsel to Senate Minority Leader Mitch McConnell, as Chief Counsel for Nominations and the Constitution to then-Judiciary Committee Chairman Lindsey Graham, and as Senior Special Counsel to then-Judiciary Committee Chairman Chuck Grassley. Holyoak previously served as President and General Counsel of a nonprofit public-interest law firm that advocates for free markets, free speech, and limited government. In their confirmation hearing, both Holyoak and Ferguson demonstrated interest in regulating big technology companies. Holyoak specifically called out the importance of protecting children online.[84]

Both nominations are currently held up in the Senate.[85] If confirmed, the new Commissioners will not change the Republican-Democrat balance of power at the FTC, which has been led by a Democratic majority since Commissioner Bedoya was confirmed in 2022.

b. Algorithmic Bias and Artificial Intelligence

The FTC continues to signal that AI and algorithms are an enforcement priority. In a mid-year public editorial, for instance, FTC Chair Lina Kahn warned of the risks AI poses, including producing discriminatory outcomes and potential privacy violations.[86]

As reflected in Chair Khan’s editorial, the FTC is particularly concerned about the effects algorithms may have on consumer privacy, including the use of consumer data to train large language models and inadvertent disclosure of personally identifiable information (“PII”) through chatbots. In a series of AI-focused blog posts published from February to August 2023, the FTC warned businesses that they should avoid using automated tools that result in biased or discriminatory impacts. One post further noted that businesses “can’t just blame a third-party developer of the technology” when reasonably foreseeable failures occur; instead, businesses should investigate and identify the foreseeable risks and impact of AI before using it in a consumer-facing setting.[87] In March 2023, the FTC also specifically called out AI technology that simulates human activity and can be used by third-party bad actors to, among other things, target communities of color with fraudulent schemes.”[88] It warned that businesses considering launching tools with such risks must employ deterrents that go beyond “bug corrections or optional features that third parties can undermine via modification or removal.”[89] Other use cases highlighted by the FTC as targets for enforcement include: technology that enables “deepfakes” and “voice cloning,”[90] customizing ads to specific people or groups in a manner that “trick[s] people into making harmful choices[,]”[91] and tools that purport to detect generative AI content.[92]

For a more detailed discussion of regulatory developments in AI, please see Gibson Dunn’s forthcoming Artificial Intelligence Legal Review.

c. Commercial Surveillance and Data Security

i. FTC’s Approach to Data Security

In a February 2023 blog post, the FTC’s Deputy Chief Technology Officer Alex Gaynor highlighted three best practices for effectively protecting user data drawn from recent FTC orders: (i) requiring multi-factor authentication (for consumers and employees); (ii) requiring a company’s systems connections to be encrypted and authenticated; and (iii) requiring data retention schedules to be published and followed.[93] Gaynor warns that these practices alone “are not the sum-total of everything the FTC expects from an effective security program.”[94] He nevertheless suggests a security program is highly likely to be effective if it incorporates these practices.[95]

ii. Rulemaking on Commercial Surveillance and Data Security

As described in Gibson Dunn’s prior alert, the FTC’s Advance Notice of Proposed Rulemaking on commercial surveillance and data security would overhaul the regulatory landscape for corporate internet use. FTC Consumer Protection Chief Samuel Levine noted in a speech in September 2023 that the FTC is currently reviewing over 11,000 comments received in response to the request for comment, which closed on November 21, 2022.[96] If adopted, the rule will have widespread impact, implicating every facet of the internet from advertising to algorithmic decision-making. The advanced notice for the proposed rule, for instance, seeks comment on issues as wide ranging as whether consumer consent is still an effective gatekeeper for corporate data practices, whether the FTC should forbid or limit the development, design, and use of certain automated decision-making systems, and whether the FTC should adopt workplace, teen, or industry-specific (e.g., health- or finance-related) rules around data collection and use. The FTC is expected to take final action on the proposed rule in 2024.[97]

d. Notable FTC Enforcement Actions

In 2023, the FTC maintained its aggressive stance on privacy enforcement, which has been a hallmark of Chair Khan’s tenure. In addition to enforcement actions that hold companies responsible for the activities discussed, there has also been a rise in actions brought against individuals. Below we discuss some of the FTC’s most notable enforcement actions in 2023.

Video Game and Software Developer. In March 2023, the FTC finalized an order in an action originally described in last year’s Review, which will require a large video game and software developer to pay $245 million to refund affected consumers and bans the company from charging consumers through the use of “dark patterns” or otherwise charging consumers without obtaining their affirmative consent.[98] The order also bars the company from blocking consumers’ access to their accounts if the consumer is disputing unauthorized charges.

Home Security Camera Company. The FTC brought an action under Section 5(a) of the FTC Act,[99] challenging a security camera company’s representations regarding security, and alleging that employees and contractors were able to access private videos.[100] A proposed settlement would require deletion of certain data and affected data products “such as data, models, and algorithms derived from videos it unlawfully reviewed,” establishment of a privacy and data security program, obtaining assessments by a third party, and cooperation with a third-party assessor.[101]

Tax Preparation Firms. The FTC issued Notices of Penalty Offenses to five tax preparation firms about the use of information collected for tax preparation services to solicit loan borrowers. A Notice of Penalty Offense is intended to put companies on notice of prior successful enforcement actions against other companies, but does not mean the FTC has found the recipients are violating the law.[102] However, the FTC’s Notice warned that the companies could face civil penalties of up to $50,120 per violation if they use or disclose consumer confidential data collected for tax preparation for other purportedly unrelated purposes, such as advertising, without express consumer consent.[103]

Voice Assistant. In May, DOJ brought an action on behalf of the FTC against a major technology company that includes, among its products, a voice assistant.[104] The FTC alleged that the company improperly prevented parents from deleting their children’s data and retained and risked exposure of sensitive data. The FTC’s settlement with the company, approved in July 2023, requires the company to overhaul its deletion practices, as well as implement stronger privacy safeguards to settle Children’s Online Privacy Protection Act Rule (“COPPA Rule”) claims and deception claims about its data deletion practices.[105]

Telehealth and Prescription Drug Provider. The FTC brought its first enforcement action under the Health Breach Notification Rule, which was originally adopted in 2009 and requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media, when such data is disclosed or acquired without consumers’ authorization.[106] The FTC alleged that the company failed to notify consumers, the FTC, and the media about its disclosure of individually identifiable health information to certain online services. This enforcement action followed a 2021 FTC policy statement that purported to require health apps and other online services to comply with the Health Breach Notification Rule.[107] The company agreed to pay a $1.5 million civil penalty and is barred from sharing user health data with third parties for advertising.[108] The FTC also proposed amendments to the Health Breach Notification Rule, with a public comment period that ended on August 8, 2023.[109]

Genetic Testing Firm. The FTC settled allegations against a genetic testing firm for allegedly leaving user data unprotected, misleading users about their ability to delete their data, and retroactively changing its privacy policy without proper notice to consumers. In addition to monetary penalties of $75,000, as part of the final order, the company is required to take remedial actions including instructing third-party contractors to destroy all DNA samples retained beyond a specified timeframe, notifying the FTC of any unauthorized disclosure of consumer personal health data, and implementing a comprehensive information security program.[110]

In-Store Surveillance and Facial Recognition. For the first time, the FTC alleged that the use of facial recognition technology may be an unfair practice or deceptive under Section 5 of the FTC Act.[111] The FTC alleged that a national pharmacy chain deployed AI-facial recognition technology to identify shoplifters and other problematic shoppers. The FTC’s complaint alleged that the company failed to take reasonable measures to prevent harm to consumers who were erroneously accused by employees of wrongdoing because the technology incorrectly flagged the consumers as matching the profile of a known shoplifter or troublemaker. The FTC banned the retailer’s use of facial recognition technology for five years. While the FTC also alleged the company violated the terms of a 2010 consent decree by failing to comply with its own information security program’s policies and contractual requirements for facial technology vendors, the FTC did not seek civil penalties, and imposed a no-money, no-fault order. The case helpfully articulates what the FTC deems as “best practices” for the use of facial recognition technologies, including the usage of cameras and smartphones by retailers to detect and stop shoplifting and to mitigate risks of misidentification.

e. Financial Privacy

The FTC approved further changes to its Standards for Safeguarding Customer Information Rule (“Safeguards Rule”) in 2023. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The rule was initially amended in October 2021 in response to “widespread data breaches and cyberattacks” by introducing more robust data security requirements for financial institutions to protect their customers’ data.[112] In 2023, the FTC further amended the rule to require financial institutions to report certain data breaches directly to the FTC.[113] Many provisions of the 2021 rule changes went into effect on January 10, 2022, but certain provisions of the Safeguards Rule did not take effect until June 9, 2023.[114] These sections require financial institutions to:

Designate a qualified individual to oversee their information security program;
Develop a written risk assessment;
Limit and monitor who can access sensitive customer information;
Encrypt all sensitive information;
Train security personnel;
Develop an incident response plan;
Periodically assess the security practices of service providers; and
Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.[115]

The FTC’s 2023 amendments include more specific criteria for what safeguards financial institutions must implement as part of their information security program, and requirements to explain their information-sharing practices and designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.[116] These amendments will not take effect until mid-2024.

f. Children’s and Teens’ Privacy

On December 20, 2023, the FTC announced long-awaited proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).[117] If adopted, the proposed amendments would be the first changes to the COPPA Rule in a decade.[118] The amendments aim to modernize the COPPA framework and shift the burden for protecting children’s privacy and security from parents to service providers.[119] The proposed changes include:

Requiring separate opt-in for targeted advertising;
Prohibiting conditioning a child’s participation on collection of personal information;
Limiting the support for the internal operations exception, which allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information;
Imposing restrictions on educational technology companies, including prohibiting these companies’ use of students’ data for commercial purposes;
Increasing accountability for Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission;
Strengthening data security requirements; and
Limiting data retention.[120]

The FTC also recently sought comments from the Entertainment Software Rating Board and others for a new mechanism for obtaining parental consent under the COPPA Rule: “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to accurately confirm a user’s age.[121] The FTC’s request for comments focused on whether such age verification methods would satisfy the COPPA Rule’s requirements and whether it poses a privacy risk to children’s biometric and other personal information.[122]

In 2023, the FTC pursued enforcement action against major technology companies in relation to children’s and teen’s’ privacy. For example, the FTC alleged a technology company violated the COPPA Rule by collecting and illegally retaining personal information from children who signed up for a gaming service without parental consent.[123] The company agreed to pay $20 million and take steps to increase privacy protection for children users to settle the case.[124] The FTC has also proposed changes to its 2020 order with another technology company, alleging in part that the company has not fully complied with the order because it misled parents about their ability to control with whom their children communicated.[125] Among other things, the proposed changes would prohibit the company from monetizing data it collects from users under 18.[126]

g. Biometric Information

On May 18, 2022, the FTC signaled an increased focus on preventing the misuse of biometric information in a policy statement.[127] The policy statement is a first-of-its-kind comprehensive breakdown of the FTC’s view that the commercial use of biometric information poses certain privacy risks to consumers, and it builds on prior workshops and statements analyzing consumer protection issues related to specific technologies that can implicate biometric information.[128]

In the policy statement, the FTC broadly defines biometric information as data depicting or describing a person’s physical, biological, or behavioral traits, characteristics, or measurements, including facial features, iris or retina, fingerprints or handprints, voice, genetics, or characteristic movements or gestures.[129] The FTC warned that certain conduct relating to the use of biometric information and biometric information technologies constitutes an unfair or deceptive practice under Section 5 of the FTC Act, including:

Making false or unsubstantiated marketing claims regarding the validity, reliability, accuracy, performance, fairness, or efficacy of technologies relying on biometric information;
Making deceptive statements about the collection and use of biometric information;
Failing to protect consumers’ biometric information using reasonable data security practices;
Collecting biometric information that consumers meant to conceal or keep private (including by implementing “privacy-invasive default settings”);
Selling technologies that permit harmful or illegal conduct, such as covert tracking; and
Using or selling discriminatory technologies.[130]

To avoid liability under the FTC Act, the FTC recommends that businesses communicate the use and capabilities of biometric information technologies to consumers, ensure biometric information technologies operate fairly and accurately, and implement safeguards to prevent unauthorized access to biometric information. Relying on the policy statement for the first time, the FTC filed a complaint in December 2023 alleging that a drugstore chain surreptitiously used facial recognition technology to identify—sometimes falsely—shoplifters and other customers it deemed problematic, as described above.[131]

2. Consumer Financial Protection Bureau

Notwithstanding increasing congressional antagonism directed at the Consumer Financial Protection Bureau (“CFPB”), the CFPB did not decrease its attention on privacy issues in 2023. Last year, the CFPB issued a long-awaited proposed rule regarding consumer personal financial data rights and signaled an intent to increase its oversight of non-bank entities providing digital wallets and peer-to-peer apps, as well as data brokers that sell certain types of consumer data. The CFPB also parroted the FTC’s concerns with privacy risks associated with AI.

a. Personal Financial Data Rights Rulemaking

On October 19, 2023, the CFPB released a long-awaited Notice of Proposed Rulemaking on Personal Financial Data Rights.[132] If adopted, this rule would establish a regulatory framework where consumers have the power “to break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”[133] The proposed rule would also require covered financial entities to share a consumer’s financial data with authorized third parties upon the consumer’s request.[134] The proposed rule is the first proposal to implement Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), which authorizes the CFPB to prescribe rules under which consumers may access information about themselves from their financial service providers.[135]

Although Section 1033 applies to all consumer financial products or services covered under the Dodd-Frank Act,[136] the proposed rule would limit the scope of covered entities, or “data providers,” to Regulation Z card issuers, Regulation E financial institutions, and other payment facilitation providers, while generally exempting data providers that do not have a consumer interface.[137] Under the proposed rule, data providers must provide consumers and authorized third parties with “covered data,” such as transaction information, account balance, and upcoming bill information, “in an electronic form usable by consumers and authorized third parties,” as provided by Section 1033 of the Dodd-Frank Act.[138]

In addition to requiring third parties to obtain “express informed consent” from the consumer to become authorized to access covered data, the proposed rule would also prohibit such authorized third parties from collecting, using, or retaining the consumer’s relevant data beyond what is “reasonably necessary” to provide the requested product or service to a consumer.[139] The proposal does not define what is “reasonably necessary,” but instead enumerates activities that do not qualify: (i) targeted advertising; (ii) cross-selling of other products or services; or (iii) the sale of covered data.[140] The proposed rule also imposes data accuracy and data security obligations, among other obligations, on authorized third parties.[141]

The comment period for the proposed rule closed on December 29, 2023; CFPB Director Rohit Chopra said that the agency intends to finalize the rule by fall 2024.[142]

b. Increased Oversight of Non-bank Entities

On November 7, 2023, the CFPB issued a proposed rule that, if adopted, would establish supervisory power over big technology firms and other nonbank entities that offer services allowing consumers to digitally transfer money.[143] The proposed rule would apply to “larger participant” nonbank entities that handle more than five million payment transactions per year through digital wallets, peer-to-peer apps, payment apps, and other “covered payment functionalities.”[144] This oversight authority would allow the CFPB to conduct examinations to ensure that these nonbank entities are adhering to applicable laws governing funds transfer, privacy, and consumer protection.[145] The comment period for this proposed rule closed on January 8, 2024.[146]

c. Increased Scrutiny of Data Brokers

In March 2023, the CFPB launched an inquiry into data brokers to inform whether existing Fair Credit Reporting Act (“FCRA”) rules reflect the market realities of “[m]odern data surveillance practices [that] have allowed companies to hover over our digital lives and monetize our most sensitive data.”[147] The agency’s request for information defined “data brokers” broadly as “an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.”[148] That definition could sweep in companies, like credit unions and banks, that are not typically considered data brokers.

On August 15, 2023, Director Chopra also announced that the CFPB will be developing new rules that define a data broker that sells certain types of consumer data as a “consumer reporting agency” (“CRA”) under FCRA.[149] Defining data brokers as CRAs would impose new obligations on data brokers to comply with FCRA’s demanding standards for data accuracy and privacy, including consumer access and consent rights.[150] Director Chopra also announced a second proposal under consideration that will clarify the extent to which credit header data, such as name, date of birth, and social security number, constitute a consumer report, and thereby limit the ability of CRAs to impermissibly disclose identifying contact information.[151] The CFPB intends to propose these changes for public comment in 2024.[152]

d. Artificial Intelligence and Algorithmic Bias

In an April 25, 2023 joint statement with the DOJ, FTC, and Equal Employment Opportunity Commission, the CFPB reaffirmed its commitment to enforce consumer financial protection laws to prevent harmful uses of AI and algorithmic bias.[153] Since then, the CFPB has highlighted risks associated with AI in multiple contexts:

Chatbots. In June 2023, the CFPB released an issue spotlight on the risks associated with the use of chatbots by financial institutions, including consumer financial protection compliance risks and failures to protect consumer privacy and data, diminished trust and customer service, and harm to consumers resulting from inaccurate information.[154]

Home Appraisals. In June 2023, the CFPB also proposed a rule that would govern automated home valuations.[155] The rule would require institutions that employ automated valuation models to take certain steps to minimize inaccuracy and bias by adopting policies, practices, procedures, and control systems to ensure that models adhere to quality control standards designed to ensure a high level of confidence in the estimates produced.[156] Under the proposal, institutions would also be required to protect against the manipulation of data, seek to avoid conflicts of interest, require random sample testing and reviews, and comply with applicable nondiscrimination laws.[157] The public comment period ended on August 21, 2023.[158]

Credit Decisions. In September 2023, the CFPB issued a Consumer Protection Circular titled “Adverse Action Notification Requirements and the Proper Use of the CFPB’s Sample Forms Provided in Regulation B,” concerning lenders’ obligations when using AI to make consumer credit decisions.[159] The guidance emphasizes that creditors must provide accurate and specific reasons for adverse decisions made by complex algorithms, and this requirement is not automatically satisfied by use of a sample adverse action checklist.[160]

3. Securities and Exchange Commission

In 2023, the SEC continued to focus on transparency around cybersecurity risk management and incident disclosure, as made evident by the Commission’s rulemaking and enforcement activity. Most notably, the SEC finalized rules requiring public companies to report material cybersecurity incidents within four business days of determining materiality, as well as periodic disclosures relating to cybersecurity risk management, strategy, and governance. The SEC was also active on the enforcement front, pursuing actions against companies and individuals in connection with cyber incidents. In 2024, we expect to see heightened enforcement activity as the newly adopted cyber rules take effect and as the SEC takes final action on proposed rulemaking for registered entities, particularly those implicating personal information or sensitive data.

a. Regulation

March 2023 – SEC Proposes Rules to Amend Regulation S-P

On March 15, 2023, the SEC proposed rules that would amend Regulation S-P to update and close certain gaps in the requirements pertaining to the protection of customer information.[161] Most importantly, if adopted, the amendments would require broker-dealers, investment companies, registered investment advisers, and transfer agents (“Covered Institutions”) to adopt written policies and procedures for responding to unauthorized access to or use of customer information.[162] The amendments would also require Covered Institutions to notify individuals of unauthorized use of or access to their sensitive information “as soon as practicable,” but not later than 30 days, after discovery of a data breach.[163]

As explained in the adopting release, the rules would also amend other aspects of Regulation S-P, including:

Extending the protections of the safeguards and disposal rules to both nonpublic personal information that a Covered Institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions;
Extending the safeguards rule, as amended, to registered transfer agents, and expanding the disposal rule to include transfer agents registered with another appropriate regulatory agency; and
Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.[164]

The public comment period closed on June 5, 2023, but the SEC has not indicated whether and when it will take final action on the proposed amendments.

July 2023 – SEC Adopts New Cybersecurity Disclosure Rules for Public Companies

On July 26, 2023, as reported in Gibson Dunn’s client alert, the SEC adopted a final rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the SEC Act of 1934 (the “Exchange Act”).[165] The final rule requires: (i) Form 8-K disclosure of material cybersecurity incidents within four business days of the company’s determination that the cybersecurity incident is material; and (ii) annual disclosures in Form 10-K regarding the company’s cybersecurity risk management, strategy, and governance.[166] For foreign private issuers, the final rule amends Form 20-F to include requirements parallel to Item 106 regarding risk management, strategy, and governance.[167] In addition, the final rule adds “material cybersecurity incidents” to the items that may trigger a current report on Form 6-K.[168] Under the new rule, foreign private issuers will be required to furnish on Form 6-K information about material cybersecurity incidents that the issuers disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange or to security holders.[169]

Compliance Dates

The Form 8-K disclosure requirement went into effect on December 18, 2023 for most registrants (smaller companies will have until June 5, 2024 to comply); all registrants will have to comply with the annual disclosure requirements beginning with their Form 10-K or 20-F filing for the fiscal year ending on or after December 15, 2023.[170]

Reporting Material Cybersecurity Incidents

Under the final rules, when a company experiences a material cybersecurity incident, it must disclose on Form 8-K, the material aspects of the nature, scope, and timing of the incident, and the material impact or “reasonably likely” material impact on the company, including on its financial condition and results of operations.[171] Importantly, this disclosure must be made within four business days of the company determining that it has experienced a material cyber incident, a determination which must be made “without unreasonable delay after discovery of the incident.”[172] In circumstances where a company has determined that a cybersecurity incident is material but does not have all of the information that is required to be disclosed when the Form 8-K filing is due, the company must later update the disclosure through a Form 8-K amendment.[173]

The final rule permits companies to delay reporting material cyber incidents up to an initial period of 30 days, if the U.S. Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety.[174] However, as confirmed by guidelines released by the Department of Justice,[175] the Attorney General will only permit delayed disclosures in very limited circumstances, so public companies should be prepared to disclose virtually all material cyber incidents within four days after determining materiality.[176] The DOJ guidelines also make clear that even where the Attorney General grants a delay, the delay may not delay filing the Form 8-K in its entirety, but may only pertain to some of the information that is required to be disclosed.[177]

Annual Reporting Requirements

The final rule also requires that public companies include on their Form 10-K filings certain disclosures regarding the company’s cybersecurity risk management, strategy and governance.[178] The final rule also includes parallel requirements for a foreign private issuer’s risk management, strategy, and governance disclosures on Form 20-F.[179]

Risk management strategy and governance disclosure. Companies are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including information regarding:

Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.[180]

Public companies are also required to describe whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.[181] Notably, the final rule requires disclosure of “processes” (as opposed to “policies and procedures”) in order to avoid requiring disclosure of operational details that could be exploited by threat actors and make clear that companies without written policies and procedures need not disclose that fact.

Governance Disclosures. The final rule also requires public companies to describe on Form 10-K how the board of directors oversees the company’s cybersecurity risks. This includes identifying, if applicable, any board committee or subcommittee responsible for the oversight of cybersecurity risks and describing the processes by which the board or such committee is informed about such risks.[182] Additionally, companies must describe management’s role in assessing and managing the company’s material cybersecurity risks from cybersecurity.[183]

September 2023 – SEC Approves Revised Privacy Act Rule

On September 20, 2023, the SEC approved a final rule, adopting amendments to the SEC’s regulations under the Privacy Act of 1974, which governs the federal government’s handling of personal information.[184] The final rule updates and streamlines the SEC’s Privacy Act regulations, including the process for submitting and receiving responses to Privacy Act requests and administrative appeals and provides electronic methods to verify an individual’s identity.[185] Given the extensive nature of the amendments, the final rule replaces entirely the current version of the Privacy Act regulations which was last updated in 2011. The final rule went into effect on October 26, 2023.

Cyber Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies Expected in April 2024.

In February 2022, the SEC proposed cybersecurity rules for registered investment advisers, registered investment companies, and business development companies (the “RIA Rules”).[186] If adopted, the RIA Rules would require covered companies to, among other things, (i) adopt written cybersecurity policies and procedures to address cybersecurity risk, and (ii) report significant cybersecurity incidents, which are those that “significantly affect the critical operations” of a covered company or lead to “unauthorized access or use of information that results in substantial harm” to a covered company, or its clients, funds, or investors.[187] As noted on the SEC’s June 13, 2023 rulemaking agenda, the RIA Rules have entered the final rule stage[188] and are expected to be finalized in April 2024.[189]

Looking ahead, the SEC Division of Examinations announced its priorities for 2024, which stated that it plans to continue focusing on “registrant’s policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents.”[190] SEC Chair Gary Gensler emphasized that the “Division’s efforts, as laid out in the 2024 priorities, enhance trust in our ever-evolving markets.”[191] Information security and cybersecurity will remain a key area of regulation and enforcement for the SEC in 2024.

b. Enforcement

In addition to new rules, in 2023 the SEC continued to pursue enforcement actions at a historically high level against public companies, investment firms, law firms, and individuals.[192] The SEC obtained orders totaling nearly $5 billion in financial remedies in fiscal year 2023, the second-highest amount in SEC history following a record-setting nearly $6.5 billion in fiscal year 2022.[193] Notably, the SEC continued to focus on individuals, with about two-thirds of the SEC’s cases in fiscal year 2023 involving individuals.[194] The SEC also obtained orders that barred 133 individuals from serving as officers or directors for public companies, the highest such number in a decade.[195]

We expect these trends to continue in 2024, particularly as they relate to cybersecurity when the SEC’s newly adopted cyber rules take effect and additional cyber rules are finalized. Below is a summary of some of the most notable cyber-related enforcement actions brought by the SEC in 2023.

Broker-Dealer Username/Password Handling Litigation. In September, 2023, the SEC alleged that a broker-dealer and its parent company allegedly made materially false and misleading statements and omissions regarding information barriers intended to prevent the misuse of sensitive customer information.[196] The SEC alleged that the broker-dealer operated two businesses that were purportedly walled off from each other by data safeguards: a trade order execution service for institutional customers that typically operated on commission, and a proprietary trading business. However, during a 15-month period from 2018 to 2019, the broker-dealer allegedly failed to adequately safeguard a database of post-trade information regarding customer orders that included customer identifying information and further material nonpublic information.[197] The broker-dealer allegedly rendered the database accessible to virtually anyone at its affiliates by leaving the data accessible via “two sets of widely known and frequently shared generic usernames and passwords.”[198] The SEC asserts that this alleged failure to safeguard the information posed significant risk that proprietary traders could abuse it or distribute it outside the entity.[199] The litigation remains pending.

Settlement for Allegedly Misleading Statements Related to 2020 Ransomware Attack. In March 2023, the SEC imposed a $3 million civil penalty to settle allegations it brought against a public company for making allegedly misleading disclosures concerning a 2020 ransomware attack that had impacted over 13,000 customers.[200]

The SEC alleged that, on July 16, 2020, the company announced a ransomware attacker had not gained access to customer bank account information or Social Security Numbers.[201] Within days of the announcement, however, technology and customer relations personnel allegedly learned that the attacker had accessed and exfiltrated that sensitive information.[202] The employees nonetheless allegedly failed to communicate this information to senior management accountable for its public disclosure because, in the SEC’s view, the company failed to maintain adequate disclosure controls and procedures.[203] As a result, the company’s 10-Q report filed in August 2020 did not include this information about the cyberattack, which the SEC views as an omission of material information. In addition, the SEC alleged that the company’s description of the risk of disclosure of sensitive customer information as a hypothetical risk was misleading.[204]

SEC Alleges Fraud Against Public Company and its CISO. In October 2023, the SEC alleged that a network monitoring software company and its Chief Information Security Officer (“CISO”) engaged in fraud and internal controls violations.[205] The SEC alleges that the company and its CISO overstated its cybersecurity practices and understated or failed to disclose known cybersecurity risks.[206] The SEC’s complaint alleges that the company’s public statements conflicted with its internal assessments.[207] The complaint also alleges that the CISO was aware of the company’s cybersecurity risks, but failed to resolve the issues or sufficiently elevate them.[208] The SEC alleged that the cybersecurity shortfalls rendered the company unable to provide reasonable assurances that its most valuable assets were sufficiently protected.[209] The lapses in cybersecurity practices allegedly resulted in a two-year cyberattack campaign against the software company and some of its customers, including federal and state government agencies.[210] The cyberattack was first disclosed publicly in December 2020, though the SEC alleged that disclosure was incomplete.[211] According to the SEC, the company and CISO allegedly “paint[ed] a false picture of the company’s cyber controls environment.”[212] The SEC alleged that the company and CISO violated antifraud provisions of the securities laws, that the company violated reporting and internal controls provisions, and that the CISO aided and abetted the company’s violations.[213] The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer-and-director bar against the CISO.[214]

Going forward, we expect to see a significant uptick in enforcement activity, particularly around cybersecurity disclosures, given the adoption of the SEC’s cyber disclosure rules which went into effect in December 2023 and other proposed cyber rules pending finalization, as discussed above.

4. Department of Health and Human Services and HIPAA

On February 27, 2023, the Department of Health and Human Services (“HHS”) announced three new divisions within the Office of Civil Rights (“OCR”): an Enforcement Division, a Policy Division, and a Strategic Planning Division.[215] OCR enforces HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, among additional privacy-related and other statutes.[216] OCR explained that its caseload has increased 69 percent from 2017 and 2022.[217] OCR thus created the new divisions to “improve[] OCR’s ability to effectively respond to complaints, put[ting] OCR in line with its peers’ structure and mov[ing] OCR into the future.”[218] The addition of three new divisions in OCR signals and underscores the heightened importance of data privacy and security within HHS.

a. Rulemaking on HIPAA Compliance and Data Breaches

On December 13, 2023, HHS finalized a rule implementing the 21st Century Cures Act that enhances the Office of the National Coordinator for Health Information Technology Certification Program, aimed at advancing interoperability, transparency, and the access, exchange, and use of electronic health information.[219] The final rule is designed to increase algorithm transparency and information sharing for healthcare providers.[220] The provisions of the rule are based on the principles of “fairness, appropriateness, validity, effectiveness and safety,” and include certification criteria for “decision support interventions,” “patient demographics and observations,” “electronic case reporting,” and the “exchange and use” of electronic health information.[221] The final rule goes into effect on February 8, 2024.[222]

b. Telehealth and Data Security Guidance

HHS released a fact sheet in early 2023 identifying what will change as a result of the expiration of the federal Public Health Emergency for COVID-19 on May 11, 2023.[223] HHS stated that the “vast majority” of current Medicare telehealth flexibilities (such as waivers of geographic and originating site restrictions and the allowance of audio-only telehealth services) will remain in place through December 2024.[224] The agency also made some Medicare changes permanent so that they will stay in place now that the public health emergency has ended. These include allowing Federally Qualified Health Centers and Rural Health Centers to “serve as a distant site provider for behavioral/mental telehealth services,” allowing Medicare patients to “receive telehealth services for behavioral/mental health care in their home,” and allowing “behavioral/mental telehealth services” to “be delivered using audio-only communication platforms.”[225]

On July 20, 2023, the FTC and HHS issued a joint letter to 130 hospital systems and telehealth providers, warning them to “exercise extreme caution” with respect to certain online technologies that are incorporated in their websites and apps given the potential privacy risks these technologies may pose to patient data.[226] The letter also reminded healthcare providers about their obligations under HIPAA and the FTC’s Health Breach Notification Rule.[227] Relatedly, on September 15, 2023, the FTC and HHS issued an updated publication addressing businesses’ potential questions related to collecting, using, and sharing consumer health information, and provided links to more detailed guidance.[228]

c. Reproductive and Sexual Health Data

On June 24, 2023, HHS Secretary Xavier Becerra released a statement[229] on the one-year anniversary of Dobbs v. Jackson Women’s Health Org., which reversed Roe v. Wade and ended federal protection for abortion access.[230] The statement highlights HHS’s efforts to protect and expand access to reproductive care, and outlines three “priority areas”:

“Reaffirming the Department’s commitment to protecting the right to abortion care in emergency settings under the Emergency Medical Treatment and Labor Act (EMTALA)”;
“Clarifying protections for birth control coverage under the Affordable Care Act”; and
“Protecting medical privacy – including empowering patients to protect their medical information on smart phones, apps, and other platforms.”[231]

On April 12, 2023, HHS proposed measures to strengthen patient-provider confidentiality related to reproductive health care through a Notice of Proposed Rulemaking for the Privacy Rule.[232] The proposed rule would prohibit the use or disclosure of protected health information (“PHI”) to identify, investigate, sue, or prosecute “patients, providers, and others involved in the provision of legal reproductive health care, including abortion.”[233] The public comment period closed on June 16, 2023; and the proposed rule is expected to be finalized in March 2024.[234]

d. HHS Enforcement Actions

OCR continued to enforce the HIPAA Privacy Rule throughout 2023, which has been a continued focus of the agency in recent years. For example, OCR settled claims against a New York-based non-profit academic medical center for alleged violations in 2020 of the HIPAA Privacy Rule.[235] A national newspaper published an article about the medical center’s COVID-19 emergency response, “which included photographs and information about the facility’s patients” exposing patient information, including COVID-19 diagnoses, medical statuses and prognoses, vital signs, and treatment plans.[236] OCR alleged that the facility disclosed three patients’ protected health information to the press “without first obtaining written authorization from the patients.”[237] The settlement required the facility to pay $80,000 and agree to implement a corrective action plan “to develop written policies and procedures that [complied] with the HIPAA Privacy Rule.”[238]

HHS also focused its enforcement efforts around the HIPAA Right of Access Initiative, which was launched in 2019 and requires covered entities to provide individuals with “timely access to their health information for a reasonable cost” under the HIPAA Privacy Rule.[239] As of December 15, 2023, OCR had brought 46 cases pursuant to the HIPAA Right of Access Initiative.[240] These actions were largely brought against covered entities for failing to provide individuals with copies of protected health information within the required timeframe and/or in accordance with permitted fees.[241]

Data breaches have been another recent priority. In February 2023, a nonprofit health system in Arizona agreed to pay $1.25 million to resolve alleged HIPAA Security Rule violations arising from a 2016 data breach, which disclosed the protected health information of 2.81 million individuals.[242] In addition to the monetary penalty, the hospital system agreed to implement a corrective action plan, and two years of OCR monitoring, to address alleged deficiencies relating to the protection of electronic PHI, including pertaining to risk assessment, vulnerability management, monitoring, authentication and protection of data transit.[243]

In December 2023, OCR also entered into a settlement with a Louisiana-based medical group for $480,000, stemming from a phishing attack that exposed the personal information of over 34,000 individuals.[244] OCR alleged that the group failed to conduct a risk analysis of potential vulnerabilities, as required under HIPAA.[245] As with Banner Health, Lafourche agreed to implement a corrective action plan that OCR will monitor for two years [246]

5. Other Federal Agencies

a. Department of Homeland Security

In 2023, the Department of Homeland Security (“DHS”) continued to pursue various cybersecurity initiatives aimed at securing critical infrastructure and helping organizations respond to the rapidly evolving cyber threat landscape. The year marked an increased focus on cyber incident information sharing and reporting through public-private and cross-border partnerships. On March 2, 2023, DHS Secretary Alejandro N. Mayorkas released a statement about working to implement President Biden’s National Cybersecurity Strategy and emphasized the role of public-private sector collaboration and work with DHS’s Cyber Safety Review Board and Cybersecurity and Infrastructure Security Agency (“CISA”).[247] As required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), DHS and the Cyber Incident Reporting Council issued recommendations to Congress for streamlining the reporting of cyber incidents by establishing standard definitions, timelines, and triggers for reporting; creating a model incident reporting form for federal agencies; and creating a central reporting web portal.[248] These recommendations will inform CISA’s ongoing rulemaking process, as it works towards publishing a Notice of Proposed Rulemaking related to CIRCIA’s reporting requirements by March 2024.[249] Secretary Mayorkas also hosted cyber leaders from 21 nations at the Western Hemisphere Cyber Conference to discuss bilateral and multilateral initiatives to respond to, and facilitate increased information sharing about, cybersecurity challenges, including around critical infrastructure and cyber-enabled crimes and ransomware.[250]

DHS also released multiple reports and advisories outlining recommendations to mitigate risks posed by threat actor groups and vulnerabilities affecting critical infrastructure, including malware attacks by the ransomware group CL0P against users of certain file-transfer software;[251] targeting of industry-standard security tools by threat actor group Lapsus$;[252] and a ransomware variant used to exploit a vulnerability that threatened critical infrastructure.[253]

DHS also increased its State and Local Cybersecurity Grant Program funding from $185 million in FY22 to $374.9 million in FY23, signaling the growing importance of protecting communities from cyber threats.[254]

b. Department of Justice

In 2023, DOJ continued to focus on and expand its capacity to address cyber threats, especially those related to national security. In a series of press releases, DOJ touted certain accomplishments in its ongoing fight against organized cybercrime. For example, it publicized actions it had taken against several ransomware groups, including the Hive and Blackcat, as well as the malware code Qakbot. DOJ also announced significant developments regarding its approach to the issue of algorithmic bias, including an innovative resolution reached with a large social media company and the filing of a statement of interest in a case alleging racial discrimination against rental applicants.

As part of its continued and expanding efforts to counter cyber-related national security threats arising from nation-state actors, DOJ created the National Security Cyber Section (“NatSec Cyber”) within the National Security Division (“NSD”).[255] DOJ noted that NatSec Cyber “will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.”[256]

DOJ continued its aggressive, multifaceted efforts to disrupt domestic and international organized cybercrime via collaboration between the FBI and foreign law enforcement organizations. For example, in January 2023, DOJ announced that its months-long campaign against a ransomware-as-a-service network called the “Hive” culminated in the seizure of thousands of decryption keys that were then distributed to victims of the Hive’s activities, as well as the shutting down of servers and websites used by the Hive to coordinate attacks.[257] The Hive’s ransomware campaign impacted more than 1,500 victims, “including hospitals, school districts, financial firms, and critical infrastructure,” across more than 80 countries, and sought to extort hundreds of millions of dollars in ransomware payments.[258] In May 2023, DOJ publicized an operation code-named “MEDUSA,” which involved the deployment of an FBI-developed tool named “PERSEUS” to disrupt the ability of the highly sophisticated cyber espionage malware named “Snake” to compromise infected computers.[259] Snake, whose development the U.S. government attributes to a unit in the Federal Security Service of the Russian Federation, has been used and adapted for the last nearly 20 years to steal and covertly transfer sensitive information from computer networks in over 50 countries, often in service of Russian interests.[260] In August 2023, DOJ announced another multinational effort to degrade and avert attacks from Qakbot, a malware code used by cybercriminals to create malicious botnets and perpetrate “ransomware, financial fraud, and other cyber-enabled criminal activity.”[261] Finally, in December 2023, DOJ announced that the FBI had successfully built a decryption tool that allowed victims of the ransomware-as-a-service group Blackcat (also known as ALPHV or Noberus) to regain control of their systems.[262] This was in addition to taking control of websites associated with the group, which had previously carried out attacks targeting “government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities—as well as other corporations, government entities, and schools,” costing victims hundreds of millions of dollars in ransom payments, incident response costs, and losses from data damage and theft.[263]

DOJ also waded into issues around algorithmic bias. In January 2023, for example, DOJ announced a resolution reached with a large social media company to address alleged algorithmic bias on its platforms.[264] This development came as part of a settlement stemming from a June 2022 lawsuit filed in the U.S. District Court for the Southern District of New York that asserted the company engaged in discriminatory delivery of housing advertisements based on algorithms partially relying on protected characteristics in violation of the Fair Housing Act (“FHA”).[265] The settlement agreement required the company to create a system (dubbed the Variance Reduction System) to promote the “equitable distribution of ads” across its platforms, subject to certain compliance metrics, oversight by the court, and ongoing monitoring by a third-party reviewer through June 27, 2026.[266] A DOJ official praised the agreement and the company for setting “a new standard for addressing discrimination through machine learning” and called for others to follow the company’s lead.

DOJ also filed a Statement of Interest in an FHA case pending in a Massachusetts federal district court brought by two Black rental applicants alleging unlawful algorithmic tenant screening practices.[267] Plaintiffs alleged that the screening system discriminated “against Black and Hispanic rental applicants in violation of the FHA.”[268] According to DOJ, the Statement confirms its “commitment to ensuring that the Fair Housing Act is appropriately applied in cases involving algorithms and tenant screening software.”[269]

c. Department of Commerce

On March 7, 2023, a bipartisan group of senators proposed the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (“RESTRICT”) Act, which would give the Commerce Secretary the power to ban foreign‐owned technologies if they are found to pose national security threats.[270] The bill, which received support from the Department of Commerce,[271] was referred to the Committee on Commerce, Science, and Transportation, and is currently awaiting further action.[272]

On June 14, 2023, Senator Wyden introduced the Protecting Americans’ Data From Foreign Surveillance Act of 2023, which would update the Protecting Americans’ Data From Foreign Surveillance Act of 2022 that was introduced in June 2023 but not passed.[273] This bill would bar exports of sensitive data to high‐risk countries, as determined by the Department of Commerce.[274] The Department of Commerce would also be tasked with defining sensitive data, though the bill broadly covers data, including browsing history and location data.[275] However, the new export rules would not apply to data encrypted with technology approved by the National Institute of Standards and Technology (“NIST”).[276] The bill was referred to the Committee on Banking, Housing, and Urban Affairs, and currently awaits further progress.[277]

d. Department of Energy

Through the Infrastructure Investment and Jobs Act, the Department of Energy (“DOE”) has provided significant funding to a series of new cybersecurity programs.[278] On September 12, 2023, the DOE announced $39 million of funding for nine new “National Laboratory” projects to strengthen the cybersecurity of distributed energy resources (“DER”).[279] The funding is intended to “support targeted research, development, and demonstration related to different elements of the DER landscape.”[280]

Despite investing in improved cybersecurity for DER, the DOE itself continues to attract scrutiny of its cybersecurity practices, especially from the DOE’s Office of Inspector General (“OIG”). Ongoing concerns regarding the department’s cybersecurity capabilities stem in part from three apparent cyberattacks against DOE national laboratories in late 2022, which were serious enough to prompt House lawmakers to seek details concerning them in early 2023.[281] In November 2023, the OIG released a report discussing “management challenges” at the DOE, including numerous cybersecurity-related deficiencies.[282] In discussing these deficiencies, the report noted structural and resource-based challenges to an effective organization-wide cybersecurity program, some of which stemmed from inconsistent and outdated practices by DOE contractors.[283] Thus, contractors/vendors doing business with the DOE should expect a greater emphasis on and scrutiny of their cybersecurity practices going forward.

e. Department of Defense

In December 2023, the Department of Defense (“DoD”) released a proposal designed to implement its Cybersecurity Maturity Model Certification (“CMMC”) program, broadly aimed at increasing the security of controlled, unclassified information across the defense industry.[284] The CMMC will set three “levels” of cybersecurity requirements based on the nature of information held by contractors, while ultimately creating a baseline level of cybersecurity for almost all DoD contract solicitations.[285] The program will be implemented in phases over several years, giving companies time to study and understand its requirements and prepare staff to comply with them.[286]

f. Federal Communications Commission

The Federal Communications Commission (“FCC”) was particularly focused on the Telephone Consumer Protection Act (“TCPA”) and cybersecurity issues in 2023. In June 2023, the FCC unveiled a new Privacy and Data Protection Task Force that will “coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors.”[287] The task force will address issues such as data breaches of telecommunication providers linked to cyber intrusions and supply chain vulnerabilities.[288]

TCPA Rulemaking. In January 2023, the FCC announced that new rules promulgated under Section 8 of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (“TRACED”) Act[289] would go into effect on July 20, 2023.[290] Among other things, the FCC’s new rules provide additional clarity on exemptions from the TCPA, including establishing limits on the number of exempt calls that can be made to a residence during a 30-day period (for non-commercial, non-advertising, or nonprofit purposes); requiring callers to obtain consent before exceeding the numerical limits on exempt calls; and mandating ways that consumers can opt out of exempted calls to residential lines.[291]

In the last quarter of 2023, the FCC took additional regulatory steps to curb robocalls. On October 23, 2023, FCC Chairwoman Jessica Rosenworcel announced the FCC was opening an inquiry into the impact of artificial intelligence technology on robocalls, particularly for more vulnerable consumers such as seniors and those on fixed incomes.[292] Following that announcement, the FCC sought public input to better understand the impact of emerging AI technologies on unwanted telephone calls and text messages.[293] It seems likely that the FCC will continue to assess AI’s impact in this area.

On December 18, 2023, the FCC also approved new TCPA rules that require lead generators, comparison shopping websites, and similar companies to obtain a consumer’s prior express written consent to receive automated calls from each marketing partner.[294] The rule is intended to end companies’ prior practice of relying on a single consent to receive automated calls from multiple marketing partners. The new rule has closed this loophole, and requires one-to-one consent for each marketing partner.[295] There will be an implementation period of at least 12 months to allow companies to make necessary changes to ensure consent complies with the new rules.[296]

Cyber Trust Mark. In July 2023, the FCC, in coordination with the White House, announced a proposal to create a “U.S. Cyber Trust Mark” label for devices that meet certain cybersecurity and privacy criteria set by the National Institute of Standards and Technology, with voluntary commitments to the standard to be made by manufacturers and retailers.[297] Examples of contemplated features offered by labeled devices include “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”[298] In August 2023, the FCC released a Notice of Proposed Rulemaking regarding the proposal to collect public input, noting that if it votes to establish the program, it could be “up and running” by late 2024.[299]

VoIP and TRS Rules. In December 2023, the FCC approved modifications to data breach notification rules for providers of telecommunications, interconnected Voice over Internet Protocol (“VoIP”), and telecommunications relay services (“TRS”).[300] The modifications expand reportable personally identifiable information and the definition of a “breach,” and require carriers or TRS providers to notify the FCC of breaches, in addition to other existing reporting requirements.[301]

Enforcement. The FCC also levied fines against companies for lax data security standards. In July 2023, the FCC sought a combined $20 million fine against two mobile carriers for alleged violations of FCC rules, which mandate that customer identity be properly authenticated before online access to Customer Proprietary Network Information (“CPNI”) is granted to them.[302] The FCC’s investigation concluded that the companies used “readily available” information to provide online access to CPNI and fell below other compulsory data security standards in violation of multiple parts of the FCC’s rules, thereby placing sensitive customer personal data at risk.[303]

6. State Agencies

Throughout 2023, state privacy enforcers, particularly in California, wielded their authority to attempt to expand the ambit of existing privacy laws.

a. California

California Privacy Protection Agency

On the rulemaking front, the California Privacy Protection Agency (“CPPA”) released draft rules for automated decision-making technology (“ADMT”) on November 27, 2023.[304] The draft focuses on two areas: notice requirements on the use of ADMT and enforcement of two new consumer rights: the right to opt-out of ADMT processing and the right to access information about a business’s use of ADMT.

The draft rules require businesses to provide a “Pre-use Notice” which would allow consumers to exercise these two rights. The notice must inform consumers of the business’s use of ADMT and permit them to opt-out of ADMT processing. It also requires businesses to describe the purpose behind the use of ADMT in specific terms. Consumers may opt-out of ADMT for decisions that produce “legal or similarly significant effects” (1) as an employee, student, job applicant or independent contractor or (2) in publicly accessible places (e.g., via surveillance or facial recognition). Formal rulemaking is expected to begin in early 2024.

The CPPA has also begun to spin up its enforcement division, which began inquiring into manufacturers of connected vehicles, meaning vehicles embedded with features like location sharing, web-based entertainment, smartphone integration, and cameras, in an effort to better understand whether companies in this space are complying with applicable rules.[305]

California Attorney General

The California Attorney General (“CA AG”) has announced several privacy-related enforcement “sweeps” in 2023 in a variety of industries. In early 2023, the CA AG sent out letters to an unspecified number of mobile apps in the retail, travel, and food service industries that purportedly failed to comply with the CCPA, specifically by failing to honor consumer requests to opt out of the sale of their personal data or providing mechanisms for opting out of sale of the personal data.[306] In July 2023, the CA AG announced a separate sweep of large employers’ compliance with CCPA as it related to employee and job applicant information.[307] Businesses are required to provide a way for consumers, workers, and job applicants to be able to access, delete, and opt-out of the sale of their personal information. Despite these regular sweeps, however, the CA AG has not announced any enforcement actions or settlements related to the CCPA.

Although there have not been any CCPA settlements disclosed in 2023, the CA AG did announce a $93 million settlement with a large technology company related to allegations that its location-privacy practices violated California’s Unfair Competition Law, a follow-on to a multistate settlement announced in 2022.[308] The complaint alleged that the company deceived people into consenting to the perpetual collection and use of their location data by asking users if they wanted to “enhance” their “experience.” The complaint also alleged that, even if users turned off their location history, their precise location data was nevertheless collected if other settings remained enabled. Finally, the CA AG alleged that the company continued to use real-time location information to show users ads, even if they turned off ad personalization. Under the terms of the settlement, the company will have to provide a pop-up notification to users who have certain location-tracking toggles enabled, provide additional disclosures to users (including in the account-creation flow) and obtain express affirmative consent prior to sharing precise location information with advertisers, among other requirements. The company will also have to submit an annual compliance report and independent assessor reports.

b. Other State Agencies

New York

In January 2023, the New York Attorney General (“NY AG”) sent a letter to a large live-entertainment company about its use of facial recognition technology that allegedly was preventing entry into its venue by attorneys whose firms are engaged in litigation against the company.[309] The NY AG’s letter requests the company provide justifications for its policy, identify efforts to comply with applicable laws, and ensure that its use of this technology will not lead to discrimination.

In November 2023, the New York State Department of Financial Services announced that a title insurer will pay $1 million for allegedly violating state cybersecurity regulations.[310] The insurer allegedly failed to ensure “full and complete implementation” of its cybersecurity policies and procedures prior to a May 2019 data breach that exposed its customers’ nonpublic information.[311]

Washington

The Washington Attorney General (“WA AG”) announced a $39.9 million settlement with a large technology company related to the WA AG’s lawsuit over its location-tracking practices.[312] The WA AG, like the CA AG, filed a separate lawsuit from the multistate effort that had been settled in November 2022. Similar to the California suit, the WA AG alleged that the company collects location data even when consumers had disabled their location history and that it tracked devices even when location access was turned off. In addition to the monetary penalty, the company agreed to disclose additional information to users where they enabled location-related account setting, ensured that users see information about location tracking and gave users detailed information about types of location data that the company collects and how it will be used.

c. Major Data Breach Settlements

While 2023 did not see as many high-profile data breach settlements as in recent years, with the number of data breach-related case filings reaching new records, major settlements are likely on the horizon.

Many of the notable 2023 settlements were reached with state attorneys general. A software provider in the healthcare and education space agreed to a $49.5 million settlement with numerous state attorneys general (led by Indiana and Vermont) to resolve claims stemming from a ransomware attack that impacted the company and nearly 13,000 customers in 2020.[313] In another notable data breach settlement, the attorneys general of New York, Connecticut, Florida, Indiana, New Jersey, and Vermont entered into a $6.5 million settlement with a major financial services provider arising from two instances in which customer data inadvertently left the company’s custody.[314] And a vision insurance company entered a $2.5 million settlement with the attorneys general of New Jersey, Oregon, Florida, and Pennsylvania stemming from a breach which impacted the health care information of 2.1 million individuals.[315]

Class actions have also resulted in significant settlements. A law firm recently announced that it reached a tentative class settlement with plaintiffs whose personal information was allegedly compromised in a data breach.[316] Once finalized, this settlement will resolve four consolidated lawsuits stemming from the firm’s alleged three-month delay in notifying affected individuals of the breach. And in July 2023, the Southern District of Florida approved a $3 million settlement in a class action suit against a health care network and its parent company arising from a 2021 data breach in which over three million individuals were affected.[317]

III. Civil Litigation Regarding Privacy and Data Security

A. Data Breach Litigation

Cybercrimes targeting consumer data have been increasingly pervasive and this trend continued in 2023. The Identity Theft Resource Center, which compiles statistical information on data breaches, reported 2,116 data breaches in the first nine months of 2023.[318] This number surpasses the 2021 record of 1,862 data breaches and represents a nearly 64% increase of the number of data breaches reported over the same nine-month period in 2022.[319] These trends suggest companies will continue to face more widespread and sophisticated attacks by cybercriminals and the risk of litigation remains elevated for companies dealing with the aftermath of a cyberattack.

One of the largest and most significant data breach litigations in history was filed this year. After the developer of a popular file transfer service announced that its service had been exploited by a Russian cybergang in a data breach that exposed the personally identifiable information of more than 55 million people, more than 200 cases were filed.[320] These actions were centralized in an MDL that is now pending in the District of Massachusetts.[321] At the time of publication, the MDL remains in its early stages, but we expect this case will be one that practitioners will watch closely.

This section summarizes key developments in data breach litigation last year.

1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions

Many data breach cases are litigated in federal court, given large numbers of potentially affected individuals and jurisdictional provisions of the Class Action Fairness Act. Plaintiffs pursuing claims in federal court must satisfy the standing requirements of Article III of the U.S. Constitution, and data breach actions raise significant questions about whether plaintiffs can satisfy this requirement. In 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, a landmark decision that increased the burden on plaintiffs to demonstrate standing in actions for money damages brought in federal court.[322] The Court held that the mere risk of future harm is insufficient to satisfy the concrete injury that Article III requires, especially where the plaintiff is unaware of the risk of future harm.[323] This holding is especially significant in data breach cases where a plaintiff’s data has been breached but not yet misused.

Although TransUnion went a long way towards clarifying how risks of future harm should be analyzed under Article III, appellate courts have continued to grapple with the bounds of the Court’s holding and divergent approaches to the issue of standing persisted in 2023.

Some courts have interpreted TransUnion narrowly and concluded that notwithstanding its holding, plaintiffs can establish standing even if their data has not yet been misused. For example, in Webb v. Injured Workers Pharmacy, LLC, the First Circuit held that a “material risk of future harm can satisfy the concrete-harm requirement” for standing, reasoning that data compromised in targeted attacks (as opposed to inadvertent disclosures) is more likely to be misused, especially when the data is sensitive and other personal information in the exposed data has already been misused.[324] Moreover, to satisfy TransUnion’s requirement of “alleg[ing] a separate, concrete present harm” to have standing to seek damages, the court held that the plaintiffs’ “time spent responding to a data breach can constitute a concrete injury sufficient to confer standing, at least when that time would otherwise have been put to profitable use.”[325] Similarly, the Second Circuit held that a plaintiff suffered “concrete harms as a result of the risk of future harm occasioned by the exposure” of her personal information, in particular because she incurred expenses attempting to mitigate the consequences of the breach.[326] Moreover, the plaintiff’s name and Social Security number were compromised in the targeted attack, and the court reasoned that the exposure of this type of sensitive data led to concrete present harms due to the increased risk that her identity would be stolen in the future.[327]

Other courts have interpreted TransUnion to mandate a stricter approach to standing. For example, in Holmes v. Elephant Insurance Co., a trial court dismissed for lack of standing claims alleging that the plaintiffs’ personal information was compromised in a 2022 data breach.[328] Despite a potential heightened risk of future identity theft, the court found that this risk alone did not constitute an injury in fact unless it was “certainly impending.”[329] Even though two of the three named plaintiffs had alleged their driver’s license information had appeared on the dark web, the court reasoned that unless combined with additional personal information, a driver’s license number could not be used to create a full identity profile, and therefore only constituted a threat of future identity theft.[330] The court also found there was insufficient support for the contention that the risk of identity theft was “certainly impending” without assuming that the plaintiffs were specifically targeted in the breach, that the perpetrator was actively compiling full profiles of plaintiffs, and that the perpetrator would “imminently and successfully attempt to use th[e] information [at issue] to steal the plaintiffs’ identities.”[331] In reaching this conclusion, the court also diverged from the approach taken by the First Circuit in Webb, finding that absent an imminent threat of identity theft, the cost of mitigative measures, such as time spent monitoring financial information, does not constitute an injury sufficient to support standing.[332]

A California district court in Burns v. Mammoth Media, Inc., appeared to agree with this approach, suggesting that “an increased risk of identity theft may constitute a credible threat of real and immediate harm sufficient to constitute an injury in fact for standing purposes.”[333] However, the court ultimately denied standing and dismissed the claims because there were insufficient allegations to establish an increased threat of identity theft based on the type of data compromised. In particular, the plaintiff alleged only that his name, email address, gender, profile creation date, user name, user ID, password, and access token were exposed, but he failed to explain how the specific data compromised was sufficiently sensitive to create a risk of identity theft.[334]

Questions about standing are also significant to class certification, as putative classes that contain large numbers of uninjured class members are frequently not viable.[335] One case from 2023 illustrating this issue is Attias v. CareFirst, Inc., where the District Court for the District of Columbia denied class certification because “the proposed classes . . . would appear to sweep in significant numbers of people who have suffered no injury in fact in light of TransUnion.”[336] Even though the named plaintiffs had adequately demonstrated standing “because they ha[d] spent at least some amount of time or money protecting against the risk of future identity theft,” there was a “serious predominance problem” because not all the putative class members had done the same, thereby necessitating “individualized proof of injury.”[337] These “logistical hurdles of identifying class members who were injured or determining what kinds of mitigation measures might qualify an individual for class membership” meant the court “[could not] conclude that the common issues predominate over individualized inquiries.”[338]

2. Cybersecurity-Related Securities Litigation

In the aftermath of a cybersecurity incident, companies and their officers also frequently face shareholders suits. Although the pace of data breach-related securities case filings has slowed,[339] the past year still saw a fair share of new litigation. For instance, in March 2023, shareholders filed a securities class action under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against a television service provider, alleging that the company overstated its operational efficiency in public statements and SEC filings and maintained deficient cybersecurity infrastructure, leaving the company unable to secure customer data and leaving it vulnerable to cyberattacks and service issues.[340] In another action filed in 2023, shareholders alleged that a financial services technology company violated Sections 12(a)(2) and 15 of the Securities Act of 1933 in connection with the compromise of customer data.[341] The plaintiffs alleged that the company failed to accurately describe its data security capabilities, among other things, in its securities filings. This case remains in the early stages.

Defendants have had success in getting shareholder data-breach claims dismissed on the pleadings, including for failure to plead falsity or scienter with the requisite particularity.[342] For example, the Northern District of California dismissed a shareholder suit related to a January 2022 data security incident.[343] The plaintiffs in that case sued under Section 10(b) and 20(a) of the Securities Exchange Act of 1934, alleging that the company and certain officers made false and misleading statements in the company’s disclosures about its data security practices.[344] The court dismissed these allegations, finding that the plaintiffs failed to allege either falsity or scienter based on the defendants’ general statements about the company’s commitment to data security.[345]

B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies

Last year’s Review noted a deluge of lawsuits brought under federal and state wiretapping statutes. This trend continued in 2023, with recent lawsuits alleging that various businesses invade consumers’ privacy rights and violate federal and state wiretapping statutes by allegedly failing to obtain sufficient and valid consent when using various online “tracking” technologies, such as session replay, pixels, and chat software. Plaintiffs in these cases generally allege that their interactions with businesses’ websites or apps are “communications” between them and the business, which are being “recorded” and “intercepted” by the business through a third-party pixel, software development kit, chat, or session-replay service provider.[346]

Many of these cases focus on claims for violations of wiretapping statutes. Wiretapping statutes were initially intended to prevent surreptitious recording of, or eavesdropping on, phone calls without the consent of the parties involved, but they have evolved to cover other forms of electronic and digital communications. The federal Wiretap Act of 1968, as amended by the Electronic Communications Privacy Act of 1986,[347] is a “one-party” consent statute that allows communications to be intercepted (with certain exceptions) so long as “one of the parties to the communication has given prior consent[.]”[348] Almost all 50 states also have some form of wiretapping statute; most of them are also one-party consent statutes, but a significant minority require “two-party” (or “all-party”) consent.[349] Many recent lawsuits have brought claims under both the federal Wiretap Act and various state statutes, with litigation heavy in all-party consent states like California (where statutory damages can run as high as $5,000 per violation), Pennsylvania, and Florida.[350]

In addition to alleged violations of wiretapping statutes, lawsuits concerning online tracking technologies frequently raise a host of interrelated legal issues.

For example, a plaintiff in a Northern District of California case alleged that a pixel tool was embedded in a university-owned hospital website where the plaintiff entered private medical information concerning her cardiovascular health.[351] Because this information was allegedly redirected to a third-party company, the plaintiff claimed that the defendant violated the California Invasion of Privacy Act (“CIPA”), three separate sections of the Confidentiality of Medical Information Act (“CMIA”), and the California Constitution. The plaintiff also alleged common law causes of action including breach of contract, unjust enrichment, and the right to privacy. The court allowed the common law privacy and two CMIA claims to move forward and dismissed the remaining claims, largely on the basis that the university is an immune public entity. Similarly, in Jackson v. Fandom Inc.,[352] another Northern District of California judge denied the defendant’s motion to dismiss a proposed class action alleging that the defendant, a hosting service for user-generated wikis, violated the federal Video Privacy Protection Act (“VPPA”) by sharing users’ personally identifiable information (“PII”) through pixels. Specifically, the judge found that associating viewing history with the plaintiff’s unique user ID may have constituted unlawful disclosure of PII.[353]

In yet another notable decision, a federal judge dismissed claims against a technology company alleging it had shared information about the plaintiffs’ online activity with a third party via a pixel without the plaintiffs’ consent.[354] The plaintiffs claimed that the company’s terms of use did not inform users that the platform was sharing information with the third party and that its failure to disclose this information was fraud by omission in violation of both California’s Unfair Competition Law (“UCL”) and its Consumer Legal Remedies Act (“CLRA”). They also asserted claims under VPPA and for unjust enrichment. In granting the company’s motion to dismiss these claims, the court reasoned that Rule 9(b)’s heightened pleading standard applied because the alleged fraud stemmed from alleged misrepresentations in the company’s terms of use.[355] The court therefore granted the company’s motion to dismiss the CLRA and UCL claims. In November 2023, the company moved for summary judgment on that claim, which remains pending.

These cases are representative of many others, and we expect plaintiffs to leverage their mixed outcomes to continue to bring and attempt to extract settlements in similar matters.

C. Anti-Hacking and Computer Intrusion Statutes

The federal Computer Fraud and Abuse Act (“CFAA”) generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[356] In recent years, several high-profile court decisions, including the U.S. Supreme Court’s 2021 decision in Van Buren v. United States, have limited the CFAA’s scope.[357] In 2022, these decisions also prompted the Department of Justice to narrow its CFAA enforcement policies,[358] as described in last year’s Review.

1. CFAA

In 2023, courts around the country have continued to grapple with the CFAA’s outer bounds. Summarized below are three cases of particular interest, including a case from the Second Circuit analyzing venue considerations in CFAA actions and a pair of district court cases reaching somewhat different conclusions on whether software constitutes a “computer” under the statute.

Venue in CFAA Criminal Cases. In July 2023, the Second Circuit upheld a criminal CFAA conviction against a venue challenge.[359] The case involved a defendant, a disgruntled former employee, who deleted information from her company’s online database, which was hosted on servers outside of New York.[360] Her deletion of the database prevented some employees in New York from accessing it.[361] A criminal action was brought against the defendant in the Southern District of New York and the defendant argued venue was improper because the data she deleted resided on servers in Virginia and California, and therefore she could not have damaged a computer in New York.[362] The Second Circuit rejected this claim, holding that even though the data was stored on cloud servers elsewhere, the defendant had still “damaged” a computer in New York, because she had “impair[ed] . . . the integrity or availability of data, a program, a system, or information” on a computer there.[363] The Supreme Court denied certiorari.[364] The case is notable not just because of its expansive view of venue in CFAA criminal cases, but also because it raises new questions about the scope of covered harm to “protected computers” in CFAA criminal and civil cases alike—an especially important issue given the interconnectedness of computer networks.

Cloud Computing Systems As Covered “Computers.” In July 2023, an Illinois federal district court held that a “cloud-based system of data storage” constitutes a “computer” under the civil enforcement sections of the CFAA.[365] The defendants in this case allegedly accessed a former employer’s Microsoft Office 365 cloud services after their employer terminated them—by logging in with old and phony credentials.[366] The defendants moved to dismiss the employer’s CFAA claim, arguing a cloud service is not a protected “computer” under the CFAA.[367] The court disagreed.[368] The court reasoned that the CFAA broadly defines a “computer” as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.”[369] Because a cloud system involves storing data on remote servers, and “[s]ervers fit within the plain language” of a computer under the Act, the plaintiff had sufficiently alleged that the defendants improperly accessed a “computer” under the CFAA.[370] The court also rejected the premise that CFAA liability could attach only if the plaintiff, rather than Microsoft, actually owned the remote servers that supported the cloud service.[371]

Software Not a Covered “Computer.” By contrast, in April 2023, a New Jersey federal district court held that “software” does not constitute a protected computer under the CFAA.[372] In this case, the plaintiff claimed that he was hired to install certain software he created on a bank’s computers, but a dispute arose over whether the bank had paid for a license to use the software.[373] The plaintiff sued, claiming, among other things, that by using the software without permission and by locking him out of his bank computer (which allegedly contained the software), the bank violated the CFAA.[374] The court summarily disagreed, noting that the plaintiff had presented “no authority indicating that software is a ‘computer’ within the meaning of the CFAA,” and dismissed the claim.[375]

Generative AI and the CFAA. Another notable development from this past year was the bevy of lawsuits filed against generative AI companies, challenging the companies’ alleged practice of scraping or otherwise obtaining data to train their AI models. Some of these lawsuits claim that these practices—which involve allegedly harvesting publicly accessible data from the Internet or obtaining user data through the use of “plug-ins” installed on third-party websites—violate the CFAA for exceeding authorized access to plaintiffs’ computers.[376] These cases are still at their early stages and will likely need to grapple with the Ninth Circuit’s 2022 decision in hiQ Labs, Inc. v. LinkedIn,[377] which held that the CFAA’s concept of “without authorization” may not apply “when a computer network generally permits public access to its data”—although the Ninth Circuit noted there may be other common law and statutory claims available for those who believe they have been the victims of data scraping.[378]

2. CDAFA

The Comprehensive Data Access and Fraud Act (“CDAFA”) is California’s sister statute to the CFAA, and it creates a private right of action against any person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”[379] “Access” means to “cause output from” the “logical, arithmetical, or memory function resources of a computer.”[380]

In 2023, several district courts considered the interaction between the CDAFA and the recent wave of litigation related to website tracking technologies, including web pixels. Below are two such cases of interest.

Private Browsing Modes and Online Advertising Technologies. In August 2023, a California district court denied a motion for summary judgment on a CDAFA claim. Plaintiffs alleged that a prominent internet company improperly tracked user activity when users were using “private browsing modes.”[381] Plaintiffs claimed that, when third parties embedded certain advertising technologies into their websites, those technologies sent data about the users’ online activities to the company, even if the users were using a private browsing mode.[382] The company sought summary judgment on plaintiffs’ CDAFA claim, arguing that the company could not have “accessed” plaintiffs’ computers under the CDAFA because “website developers,” not the defendant, embed the code that directs users’ browsers to send requests to the company’s servers.”[383] The court rejected this argument, holding that the fact that “website developers chose to embed [the company’s] services onto their websites at most creates a triable issue as to whether developers and not the company . . . ‘cause output from’ plaintiffs’ computers” under the CDAFA.[384] The company separately argued that plaintiffs had suffered no “damage or loss” under the CDAFA, but the court rejected this argument, too, holding that “plaintiffs [had] proffer[ed] evidence that there is a market” for their browsing history data.[385] On December 26, 2023, the parties announced that they had reached a preliminary settlement agreement.[386]

“Technical Barriers” for First-Party Websites. In October 2023, a California district court dismissed with prejudice a CDAFA claim premised on the theory that a chatbox on a developer’s website transmitted certain user information to third parties.[387] The developer argued that it did not act “without permission” under the CDAFA because it did not overcome any “technical or code-based barriers” to insert the third-party code into its own website and allegedly transmit user information.[388] The district court agreed, holding that there are “no technical barriers blocking Defendant from using its own Website” in the manner alleged.[389] The district court also dismissed the claim on the basis that plaintiff had failed to allege any damage or loss under the CDAFA.[390]

D. Telephone Consumer Protection Act Litigation

Originally enacted in 1991, the Telephone Consumer Protection Act (“TCPA”) regulates certain forms of telemarketing and the use of automatic telephone dialing systems (“ATDS”).[391] Historically, much of TCPA litigation centered on issues concerning the technical definition of an ATDS, but that issue was largely clarified through the Supreme Court’s 2021 opinion in Facebook Inc. v. Duguid, which favored a narrower definition that limited it to devices that store or produce telephone numbers by using a random or sequential number generator. [392] Nonetheless, the TCPA continues to be an area of significant regulatory and litigation activity. 2023 was defined by increased regulation and enforcement by the FCC, as well as ongoing federal litigation addressing the scope of the TCPA.

TCPA cases continue to make their way up to the federal appellate courts, which frequently present the issue of whether receipt of a single unsolicited call is sufficient to confer Article III standing. Some circuits have answered in the affirmative. For example, the Sixth Circuit held that a consumer who had received a ringless voicemail had standing to sue under the TCPA.[393] The plaintiff argued, successfully, that the receipt of the unsolicited ringless voicemail was comparable to the common law tort of intrusion upon seclusion.[394] Similarly, in Drazen v. Pinto, an en banc panel of the Eleventh Circuit held that individuals who received even a single unwanted telemarketing text message had standing to sue under the TCPA, overruling the court’s prior decision that held the opposite.[395]

In another notable decision, Hall v. Smosh Dot Com, Inc., the Ninth Circuit held that a phone line subscriber has standing to sue for TCPA violations, even if the subscriber is not the recipient of the call.[396] Even though the plaintiff’s son in that case had received the unwanted text messages, the Ninth Circuit stated that the TCPA does not require that “the owner of a cell phone must also be the phone’s primary or customary user to be injured by unsolicited phone calls or text messages sent to its number.”[397]

Not all courts have read the TCPA so expansively, and appellate courts continue to find communications not covered by the language of the TCPA. For example, in January 2023, the Third Circuit held that faxes sent by a drug testing laboratory, promoting a free educational seminar about opioid use and medication monitoring, did not qualify as “unsolicited advertisements” under the TCPA.[398] In another notable case, the Ninth Circuit held that text messages did not violate the TCPA’s prohibition on “prerecorded voices,” because text messages are not “voice” messages.[399]

In the face of newly implemented rules, shifting case law, and new communications technology, we expect the TCPA to continue to be an area to watch.

E. State Law Litigation

1. California Consumer Privacy Act Litigation

While the regulatory atmosphere around the CCPA evolved in 2023, the litigation landscape remained fairly constant. Consumers, individually or as a class, continued to litigate under the CCPA, making claims for both pecuniary and statutory damages.

a. Potential Anchoring Effect of CCPA Statutory Damages

As discussed in last year’s Review, the CCPA’s provisions for statutory damages have continued to frame settlement negotiations. The CCPA provides that consumers exercising their private right of action for a data breach may recover the greater of statutory damages between $100 and $750 per consumer, per incident, or actual damages.[400] The cases summarized below provide color on how these statutory damages have impacted settlement terms in the CCPA context.

Automobile Manufacturers and Marketing Vendor. In this case, previously discussed in last year’s Review, residents of California and Florida filed class actions alleging that auto manufacturers and a marketing vendor failed to adequately secure customers’ personal information, allowing hackers to steal information such as driver’s license numbers, Social Security numbers, financial account numbers and more.[401] The plaintiffs asserted causes of action for negligence, breach of implied contract, violation of the CCPA, violation of California’s Unfair Competition Law, and breach of contract. The parties agreed to a settlement which was granted final approval on May 31, 2023.[402] The terms of the settlement reflect the potential effects of the CCPA, as California residents whose sensitive personal information was affected received $350, while the non-California residents whose sensitive personal information was exposed would receive only $80 (about 77% less than their California peers).[403]

Ticket Retailer. Consumers who bought tickets from a ticket retailer brought suit after a data breach was disclosed. Plaintiffs alleged that “skimmers” placed on the defendant’s checkout webpage stole their personal sensitive data.[404] Plaintiffs asserted a variety of claims, including negligence, breach of contract, violation of California’s Unfair Competition Law, and violation of the CPPA.[405] The parties reached a $3 million settlement, which was granted final approval on October 30, 2023. The settlement fund provides California sub-class members with an additional $100 “California Statutory Award benefit.”[406]

b. Requirements for Adequately Stating a CCPA Claim

Courts continued to give shape to the requirements to plead a CCPA claim. The decisions below address the facts and allegations required to bring a CCPA action under its limited private right of action, which applies only to data breaches.

Software Company Automatic Renewal Case. The Ninth Circuit recently affirmed the dismissal of a case alleging violations of the CCPA. The plaintiff alleged his data was shared with a credit card processor without his authorization due to the automatic renewal of his subscription. The trial court dismissed his claim because the plaintiff had agreed to the defendant’s End-User License Agreement, which stated his subscription would renew every 12 months unless terminated.[407] The trial court found the disclosure of his personal information was not “without authorization” and was not caused by a failure to implement reasonable security procedures and practices.[408] The Ninth Circuit affirmed.[409]

Online Banking. Plaintiff alleged that the defendant bank violated the CCPA when an unknown individual accessed his bank account, changed his contact information, and obtained new account cards to make purchases. The bank, on a motion to dismiss, argued that the plaintiff had not alleged that a data breach occurred. The court disagreed, finding that plaintiff’s allegations that his account was accessed and personal information obtained because of the failure to implement reasonable security procedures were sufficient to state a claim under the CCPA.[410]

c. CCPA Violations Under the UCL

Violations of the CCPA cannot serve as the predicate for a cause of action under a separate statute including California’s Unfair Competition Law (“UCL”).[411] While there has been no change regarding the inability to use a CCPA violation as the predicate “unlawful” claim under the UCL, one court has found the CCPA may create a property interest upon which a UCL claim may be brought. That decision is summarized below.

Search Engine Company. Originally filed in June 2020, this class action alleges that a large technology company unlawfully collected data from users while using the company’s browser in incognito or private mode.[412] The plaintiffs brought claims, including under the federal Wiretap Act, the California Invasion of Privacy Act (CIPA), and California’s UCL.[413] On summary judgment, the defendant argued that plaintiffs had no economic injury as required for a UCL claim, as they had not lost money or property as a result of the data collection.[414] Plaintiffs argued that their private data has monetary value and they have a property interest in that data “because the [CCPA] affords them the right to exclude Google from selling their data to third parties.”[415] The court agreed with plaintiffs, holding that “plaintiffs have identified an unopposed property interest for at least a portion of the class period under the California Consumer Privacy Act.”[416] The court further found that money damages are not an adequate remedy alone, and that injunctive relief is necessary to address the ongoing data collection.[417]

d. The CCPA’s 30-Day Notice Requirement

The CCPA requires that a “consumer provide[] a business 30 days’ written notice identifying the specific provisions of [the CCPA] the consumer alleges have been or are being violated.”[418] The written notice initiates a 30-day period during which the business may cure any violation. While this cure provision was eliminated by the CPRA, cases addressing the notice-and-cure provisions have continued to move through the courts. Last year’s Review discussed a case dismissing a suit with prejudice where plaintiffs did not comply with the 30-day notice period.[419] The cases below have departed from that decision, illustrating the boundaries of the cure provision as a safeguard.

Consumer Debt Collector. Plaintiffs alleged that their personal information was stolen in a data breach because the information was unencrypted and improperly safeguarded.[420] Plaintiffs brought claims under the CCPA for actual and statutory damages, even though they provided no pre-suit notice for the defendant to cure as required under the CCPA.[421] The court noted that no pre-suit notice is required to the extent plaintiffs sought pecuniary damages, but dismissed the statutory damages claims without prejudice.[422] In dismissing the claim for statutory damages without prejudice, the court expressly declined to follow Griffey, which we discussed in last year’s Review. The Griffey court had dismissed a CCPA claim with prejudice, reasoning that the purpose of the pre-suit notice is to allow the defendant time to cure the violation out of court.[423] Allowing a plaintiff to file a complaint, then send a notice, and then file an amended complaint defeats this remedial purpose of the statutory notice-and-cure provision. The Western District of Washington expressly rejected Griffey’s rationale, concluding that dismissal without prejudice “accords with the remedial nature of the CCPA’s notice provision.”[424]

Money Services Business. After a data breach, plaintiffs brought suit claiming negligence, breach of implied contract, and violation of the CCPA due to the disclosure of their names, Social Security numbers, and driver’s license numbers.[425] Defendant moved to dismiss the CCPA claim, arguing it was barred due to the notice-and-cure provision. Defendant “claimed to have enhanced its security measures” after receiving notice of the alleged violation, and thus “cured all alleged violations within the requisite time period.”[426] The court found this straightforward assertion insufficient because “the implementation and maintenance of reasonable security procedures and practices . . . following a breach does not constitute a cure with respect to that breach.”[427] The court pointed out that the defendant had not provided any additional detail on the nature of its cure, concluding that this was insufficient at the motion-to-dismiss stage.[428]

e. Guidance on Reasonable Security Measures in Connection with the CCPA

In addition to the cases highlighted by last year’s Review,[429] courts have continued to weigh in on what qualifies as reasonable data security measures under the CCPA.

Moving Company. Plaintiffs brought suit after their personal information was stolen by hackers in a cyberattack. Plaintiffs asserted violations of the CCPA for failure to take reasonable precautions to protect their personal information.[430] The court declined to dismiss the CCPA claim, and identified a number of measures the defendants could have taken prior to the breach. Plaintiffs specifically alleged that the defendant’s security measures were inadequate because they failed to implement “adequate filtering software,” “adequate[] training,” “multi-factor authentication,” encryption, and destruction when the personal information was no longer in use.[431] The court also pointed to plaintiff’s complaint, which “identif[ied] fourteen cybersecurity best practices that defendant should have followed but allegedly did not.”[432]

Large National Bank. Plaintiffs brought numerous claims arising out of prepaid benefits payment cards issued by the bank.[433] Plaintiffs alleged that these cards were targeted by bad actors, and the information was easily accessible since the cards had magnetic strips instead of chips. Plaintiffs claimed that erroneous charges and unauthorized transactions resulted in the loss of their funds and alleged violations of the CCPA due to the debit cards’ lack of chip technology, asserting that use of chip technology is a necessary reasonable security measure to protect their personal information. The court agreed, finding that the allegations stated a claim under the CCPA.[434] The court also found that plaintiffs’ allegation that the bank failed to subject its agents to background checks was adequate to state a claim based on failure to implement and maintain reasonable security measures and practices.[435]

2. State Biometric Information Litigation

a. Illinois Biometric Information Privacy Act

2023 was another active year for Illinois’s biometrics law, with courts continuing to expand the scope of the Biometric Information Privacy Act (“BIPA”), but also recognizing new limitations. Perhaps unsurprisingly, Illinois also continued as the leading state with respect to biometrics-related litigation.

i. Expansion of BIPA’s Scope

BIPA’s Statute of Limitations Under Section 15. The Supreme Court of Illinois found that claims brought under Section 15 of BIPA (which relates to retention, collection, disclosure, storage, and use of biometric information) have a five-year statute of limitations, reversing an appellate court’s ruling that placed a one-year limit on such claims.[436] Under Illinois law, “actions . . . to recover damages for an injury done to property, real or personal . . . and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”[437] Part of the court’s justification for finding that the default Illinois statute of limitations five-year catchall applied was because a shorter limit would “thwart [the] legislative intent” of BIPA to provide redress for persons aggrieved and “shorten the amount of time a private entity would be held liable for noncompliance with the Act.”[438] Additionally, upon a certified question from the Seventh Circuit, the Supreme Court of Illinois ruled in a 4-3 decision that BIPA claims “accrue under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[439] The court dismissed ongoing policy-based concerns about massive damages by reiterating that the court “has repeatedly recognized the potential for significant damages awards under the Act” and that such high damages operate as an incentive for private entities to conform to state law.[440] While noting trial courts presiding over a class action “possess the discretion to fashion” a fair yet less-deleterious award, the court concluded that the legislature was the best vehicle to address policy concerns and the plain language of the statute authorized accrual of claims.[441]

BIPA Claims Survive Death. Also in 2023, a federal court in Illinois, hearing a class action case where the named plaintiff passed away, held that BIPA created a personal property interest and claims survive the plaintiff’s death.[442]

ii. New Recognized Limitations Under BIPA

Even so, courts recognized limitations to claims brought under BIPA in 2023.

“Active Steps” In Furtherance of Collecting Biometric Data. For example, an Illinois federal judge dismissed two claims in a proposed class action where an employer used third-party timekeeping software that registered and scanned employee fingerprints which were then stored on a vendor’s cloud storage service.[443] The judge held that the cloud storage vendor did not take an “active step” in furtherance of collecting biometric information merely by contracting with the third party to provide access to the vendor’s cloud storage system, but instead was “merely a vendor to the third party that provided the biometric timekeeping technology and services to [the employer].”[444]

Exceptions to Collections of Biometric Data: In some cases, courts found that certain exceptions privileged the collection of biometric data—for example, one trial court held that the “general health care exemption” to BIPA covered a virtual try-on tool for sunglasses, finding sunglasses to be a Class I medical device under the FDA.[445] Another court denied the plaintiff’s motion to strike the defendant’s affirmative defense that “the biometric identifiers it collects fall within [the general health care] exception because they are collected along with medical information provided by a donor,” such as fingerprints taken prior to donating plasma used to identify the patient during each donation.[446] The court noted that BIPA does not define the term “patient” nor does it define the term “health care” and found that the defendant’s arguments as to why the exception applied were sufficient to survive a motion to strike.[447]

b. Texas Biometric Privacy Law Litigation

As discussed in last year’s Review, in February 2022, Texas Attorney General Ken Paxton brought the first enforcement action under the Texas Capture and Use of Biometric Identifier Act (“CUBI”) more than two decades after its passage in 2001.[448] AG Paxton asserted a CUBI claim against a large social media company alleging that the company’s collection of “facial geometries” in connection with its facial recognition and tagging feature that it deprecated in November 2021 violated CUBI, in addition to bringing claims under Texas’ Deceptive Trade Practices Act.[449] The parties continued to conduct discovery in the case throughout 2023.

In late October 2022, Texas filed a similar action against another large technology company for alleged violations of CUBI.[450] The case is still in the early stages of discovery. These two cases remain the only actions brought under CUBI. Given the preliminary enforcement efforts by the state of Texas, companies can continue to expect heightened state-level scrutiny and enforcement in the biometrics arena in 2024.

c. New York Biometric Privacy Law Litigation

2023 also saw challenges under the N.Y.C. Biometric Privacy Law. On May 19, 2023, two plaintiffs filed a class action against a large live-entertainment company for its alleged use of facial recognition software to keep banned individuals out of its venues.[451] The plaintiffs allege that the company collects biometric information from every person who enters its venues, and then compares that information to an internal database of banned individuals.[452] The complaint further alleges that the company shares this biometric information with at least one third-party vendor, and that the company ultimately benefits in the form of reduced litigation costs.[453]

The plaintiffs allege that this undisclosed collection, use, and disclosure of customers’ biometric data violates the 2021 New York City Biometric Identifier Information Law and the right to privacy guaranteed by Article 5 of the New York Civil Rights Law.[454] Plaintiffs also pleaded an unjust enrichment claim, maintaining that the company wrongfully obtained benefits from the proposed plaintiff class in the form of valuable data.[455]

On January 9, 2024, a federal magistrate judge released a report recommending dismissal of the civil rights and unjust enrichment claims.[456] On the civil rights law claim, the court found that the limitations period of one year had already run for one plaintiff.[457] For the other plaintiff, the court found that the defendant’s alleged collection and use of biometric information to remove banned individuals could not plausibly be understood “as seeking to draw trade at its venues”—a necessary element of a claim under the civil rights statute.[458] The magistrate also recommended dismissing the unjust enrichment claim on the ground that “New York courts have long recognized the Civil Rights Law as ‘preempting all common law claims based on unauthorized use of name, image, or personality, including unjust enrichment claims.’”[459] Thus, under New York law, there can be no unjust enrichment claim arising from use of one’s personal image.[460] The magistrate recommended allowing the New York City Biometric Identifier Law claim to proceed, finding that the defendant’s alleged conduct is consistent with the text and legislative history of the statute.[461]

F. Other Noteworthy Litigation

Supreme Court Declines to Address Scope of Section 230. In last year’s Review, we noted that the U.S. Supreme Court granted certiorari in two cases that could affect the scope of Section 230 of the Communications Decency Act of 1996, which protects “interactive computer services” from liability for user-published content. In each case, Twitter, Inc. v. Taamneh[462] and Gonzalez v. Google LLC,[463] plaintiffs alleged that social media companies were liable under the Anti-Terrorism Act (ATA) for aiding and abetting acts of terrorism that resulted in the deaths of plaintiffs’ family members. According to the plaintiffs, ISIS allegedly used the defendants’ websites to fundraise and recruit new members, with little interference by content moderators—and sometimes even active promotion by the defendants’ algorithms. Both cases came from the Ninth Circuit Court of Appeals, which had allowed the Taamneh case to proceed[464] but held that Section 230 barred most of the claims in Gonzalez.[465]

The U.S. Supreme Court unanimously reversed the Ninth Circuit’s decision in Taamneh, holding that the plaintiffs had not stated a claim under the ATA because they failed to show “any concrete nexus between defendants’ services” and the attack.[466] On the same day, the Court declined to address the Ninth Circuit’s holding regarding Section 230 in Gonzalez, instead remanding the case for reconsideration in light of Taamneh.[467] Thus the Court effectively sidestepped the question of whether Section 230 bars platform liability for algorithmic amplification of user-published content by resolving one case on ATA grounds alone and remanding the other.

Large Technology Companies Continue to Face VPPA-Related Litigation. Several lawsuits were filed in 2023 concerning companies’ collection and management of users’ video-related information. For example, with respect to a lawsuit relating to one major technology company’s management of user video history information, a federal district court dismissed with prejudice a claim that the company’s alleged retention of the plaintiff’s video rental history violated the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law.[468] The court observed that, like the VPPA, these state analogue statutes were meant to prevent unauthorized disclosure of video-related data rather than mere retention of it.[469]

In another video-related case,[470] a federal court held that the plaintiff had adequately pleaded a VPPA violation by alleging that a company disclosed information about the plaintiff’s online activity to his school district, which was using the company’s platform for digital learning during the COVID-19 pandemic.[471] The company moved to dismiss this claim on two grounds: First, it argued that the plaintiff was not a “subscriber” within the meaning of the VPPA, since his account with the defendant was a byproduct of his relationship with the school district.[472] Second, the company argued that any disclosure of PII was permitted by the VPPA because it was done “in the regular course of business” with the school district.[473] The court rejected both arguments, finding that the plaintiff, who held an account directly with the defendant, was plausibly a subscriber.[474] The court also said it was not appropriate to decide the second issue at the motion to dismiss stage, as the company’s contract with the district was not part of the court’s record.[475]

Employers May Be Potentially Liable for Failing to Secure Employees’ Personally Identifiable Information. 2023 also saw new lawsuits focusing on employee data privacy and seeking to hold employers liable for failing to secure employees’ PII or failing to implement appropriate safeguards. For example, the United States Court of Appeals for the Eleventh Circuit ruled that a plaintiff had plausibly alleged a negligence claim against a former employer that failed to protect PII in the employer’s possession.[476] The complaint alleges that as a condition of employment, the plaintiff and members of the proposed class were required to give the defendant certain PII like their names and Social Security numbers.[477] However, the employer did not maintain adequate security measures to protect that information, and the PII was subsequently leaked in a ransomware attack on the employer’s system.[478]

The court held that such an attack was reasonably foreseeable for a large employer like the defendant; that the plaintiff adequately pleaded that the former employer owed him a duty of care; and that failure to comply with standard data security practices was plausibly a breach of that duty.[479] Thus, the court allowed the plaintiff’s negligence claim to move forward.

Likewise, a major car manufacturer was sued for allegedly failing to protect the personal information of 75,000 current and former employees that was exposed in a data breach carried out by former employees of the company.[480] The complaint alleges that the company failed to implement or follow reasonable data security procedures as required by law, and failed to protect the sensitive information of class members from unauthorized action.[481] The case is in its early stages, and there has not yet been any dispositive-motion practice.

IV. Trends Related to Data Innovations and Governmental Data Collection

A. Data-Intensive Technologies—Privacy Implications and Trends

With the continued proliferation of data-intensive technologies, big data processing and its privacy implications continued to be an area of great focus in 2023. In addition to innovations and issues pertaining to AI, which are covered in detail in Gibson Dunn’s forthcoming Artificial Intelligence Legal Review, there was a renewed focus on smart cities, edge computing and privacy-enhancing technologies (PETs).

Smart Cities. The trend over the past decade of cities getting “smarter” continued at a rapid clip in 2023. A “smart city” leverages technology, data-driven decision-making, and digitally connected infrastructure to optimize the quality of municipal services, promote safe and sustainable communities, and achieve operational efficiencies.[482] Most of the technologies that smart cities are currently using do not collect or process personal data. For example, smart street-lighting technologies allow cities to turn on, turn off, and dim street lights based on the time of day and weather events and smart water management technologies allow cities to detect chemicals in drinking water and wastewater systems.[483] However, given that smart city technology applications are fueled by and necessitate large scale collection and processing of data as well as government partnership with the private sector, privacy advocates and policy makers are increasingly concerned about the privacy implications of such technology. These concerns largely relate to:

Data security: Smart cities can be vulnerable to cyberattacks because they rely on internet of things (“IoT”) devices, which are common and often insecure targets.[484] Furthermore, local governments often lack the resources to obtain secure technologies, update them, and employ cybersecurity experts.[485] In fact, a recent survey found that nearly one-third of local governments would be unable to detect whether their systems had been hacked.[486]
Commercial use of data: Smart city data may be used commercially if a city partners with a private company to pay for technologies and in exchange gives the company access to data the city collects.[487] A privacy concern arises if the city shares sensitive data with private partners.
Government surveillance: Some privacy advocates are concerned that governments will use smart city technologies to surveil individuals by obtaining data the government could not otherwise compel access to or by pulling data from different sources to build behavior profiles on individual residents.[488] Critics assert that cities are already theoretically able to aggregate enough data from smart city technologies to build detailed behavior profiles on their residents.[489] Ultimately, these debates may be settled by courts, which will decide if these data collection practices violate U.S. privacy laws or the Fourth Amendment.[490]

Although there has not been any legislation seeking to specifically regulate smart city technologies, many of the existing or pending privacy regulations are potentially applicable. However, as smart city technologies, particularly those implicating personal information or sensitive data, continue to grow in number and capability, we expect to see more specific legislation targeting such technology and use cases.

Edge Computing. The enormous volume of data being generated and processed by data-intensive technologies—e.g., IoT devices—has strained traditional computing models. This has led organizations to increasingly embrace “edge computing”—an emerging decentralized computing paradigm where data is processed closer to where it is generated, thus allowing processing of greater data volumes at greater speed.[491] Experts predict that spending on edge technology will continue to soar.[492] Due to deployment of strong internet infrastructures and a growing awareness of the importance of IoT across industries, the edge computing market is estimated to grow at a compound annual growth rate of 21.6% to hit an estimated $132.11 million in 2028.[493] The number of endpoint devices in use is also expected to skyrocket, with estimates of up to 55.7 billion total IoT devices deployed worldwide in the next few years.[494] Telecommunication companies are expected to play a large role in the growth of edge computing, as their widespread infrastructure and expansive reach position them well, literally (based on their close physical proximity to potential customers) and figuratively, to tap the edge computing market.[495]

Although the rise of edge computing is largely a function of the benefits to data processing speed and volume, edge computing has important data privacy and security benefits. For example, edge computing can mitigate some of the privacy risks innate to centralized storage and processing,[496] by diffusing data and thus reducing the scope and impact of a data breach. Edge computing may also reduce the incentives for malicious actors, as an edge device with one or a few users’ data is a less desirable target than a cloud database with millions of users’ data.[497] However, by the same token, storing and processing data on devices outside of a centralized corporate network potentially makes the data less secure, given that personal edge devices are often less secure than corporate devices.[498]

Some commentators have also suggested that edge computing may be an effective compliance tool, particularly with respect to cross-border data transfer laws. For example, one commentator believes that corporations will be able to use edge computing to manage personal data in adherence with local privacy laws by “placing certain locali[z]ed proxy policies that will not allow certain types of data to leave that legal jurisdiction.”[499] Traces of this can be found in the EU’s federated cloud infrastructure model, GAIA-X, which aims to let national governments apply local laws to cloud-hosted data.[500]

Given the rapid proliferation of data-intensive technologies, we expect organizations to continue to focus on alternative computing paradigms like edge computing, which will bring new benefits and challenges for data privacy and security.

B. Emerging Privacy Enhancing Technologies (PETs)

In March 2023, the White House Office of Science and Technology Policy (“OSTP”) published its “National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.” In sum, the report and strategy calls for development and implementation of PETs in order to mitigate the privacy risks inherent in, and thus unlock the innovative and economic benefits of, large-scale data processing.[501] Examples of PETs include:

Homomorphic encryption: Homomorphic encryption is a differential privacy technique (adding noise to the data to prevent an adversary from determining whether any individual’s data was or was not included in the original dataset)[502] that allows computing over encrypted data to produce results in an encrypted form.[503] In other words, the data retains its relevant statistical characteristics for analysis, while hiding the data itself.[504] Then, only authorized users can extract the result from its encrypted format or see the original data.[505] However, homomorphic encryption is currently somewhat limited by higher computational costs and time.[506]
Secure multi-party computation: Secure multi-party computation allows several parties to simultaneously perform agreed-upon computations over their data, while permitting each individual entity to learn only the final output.[507] Accordingly, distributed datasets can be computed over without revealing the source data.[508] However, the requirement of joint collaboration can lead to higher communication and computational costs, making it difficult to scale.[509]
Federated learning: Federated learning allows multiple entities to collaborate and build machine-learning algorithms to process data on edge devices, such as smartphones.[510] Accordingly, the underlying data is not aggregated. Instead, the locally trained models are aggregated in the cloud.[511] In this way, participants do not have to share their raw data, providing inherent privacy protection. However, federated learning has recently been shown to be vulnerable to model inversion attacks.[512] Research into closing these vulnerabilities and creating privacy-preserving federated learning is ongoing.[513]
Zero-knowledge proof: Zero-knowledge proof allows one party, the “prover,” to offer proof to another party, the “verifier,” that a statement is true without revealing any sensitive information.[514] Some digital assets use this technique to prove statements about transactions without revealing additional metadata,[515] and neural networks are using zero-knowledge proof schemes to show that prediction tasks are being carried out, without disclosing any information about the model itself.[516] However, zero-knowledge proof currently has some cost and scalability limitations.[517]

According to the OSTP report, the impetus for a national strategy on PETs is the White House’s belief that large-scale data processing is crucial for innovation and the economy. However, given the complex domestic and international regulatory landscape, the White House recognizes that inherent in such processing are significant privacy risks for data subjects and organization data subjects and organizations.[518] Accordingly, the strategy calls for the adoption of PETs, which can mitigate the privacy risks of large-scale data processing and thus unlock the benefits of data processing to fuel innovation and the economy.

The OSTP report enumerates 16 recommendations across five strategic priorities to advance the development and use of PETs.[519] Importantly, the report specifically calls for the use of secure multi-party computation and zero-knowledge proofs, as well as increased public and private sector partnership and U.S. partnerships/collaboration with foreign governments.

In the absence of a comprehensive federal privacy law and/or regulations specifically focused on privacy-preserving technologies, the OSTP’s strategy signifies what may be the beginning of a burgeoning national standard for the development and use of PETs.

C. Governmental Data Collection

EU-US Data Privacy Framework. In July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding that U.S. protection of cross-border data transfers is comparable to the protection offered by the EU.[520] Speaking during a press conference announcing adoption of the U.S. adequacy decision, EU justice commissioner Didier Reynders said, “[w]ith the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations.”[521]

The decision resolved the legal uncertainty surrounding exports of EU users’ personal data by U.S. companies that had existed since the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in 2020.[522] However, legal challenges are expected, with critics claiming that the Data Privacy Framework merely “paper[s] over the same fundamental legal conflict between EU privacy rights and U.S. surveillance powers.”[523] Nonetheless, Reynders emphasized that the “new framework is substantially different than the EU-U.S. Privacy Shield as a result of the Executive Order issued by President Biden [in 2022]” and highlighted the reworked redress mechanism that will boast “an independent and impartial tribunal that is empowered to investigate complaints lodged by Europeans and to issue binding remedial decisions.”[524] Finally, Reynders cautioned U.S. technology giants that “[i]t will be for the companies to show that they’re in full compliance with the GDPR [General Data Protection Regulation].”[525]

On July 17, 2023, the Department of Commerce launched the new Data Privacy Framework program website, dataprivacyframework.gov.[526] The website allows U.S. companies to self-certify their participation in and commitment to the EU-U.S. Data Privacy Framework (“DPF”), and, optionally, the UK Extension or Swiss-U.S. DPF Principles, in order to participate in cross-border transfers of personal data.

Government Surveillance Reform Act (GSRA). In November 2023, a bipartisan group of senators introduced the Government Surveillance Reform Act (“GSRA”), which would reform the Foreign Intelligence Act (“FISA”) and amend the Electronic Communications Privacy Act (“ECPA”). Importantly, the GSRA proposes significant restrictions on government surveillance and access to data—including, among other things, (i) protecting Americans from warrantless backdoor searches, (ii) requiring warrants for Americans’ location data, web browsing and search records, and vehicle data, (iii) restricting government collection of Americans’ information as part of large datasets and prohibiting the government from purchasing Americans’ data from data brokers, and (iv) prohibiting the collection of Americans’ domestic communications.[527]

FISA, Section 702 was set to expire at the end of 2023,[528] but Congress approved a short-term extension in December 2023.[529] Under Section 702, the government could collect communications by non-Americans located abroad, without a warrant.[530] However, the private phone calls, emails, and text messages of U.S. persons were captured by the blanket surveillance techniques deployed under Section 702.[531]

In response, several lawmakers vowed not to reauthorize Section 702 without “significant reforms.”[532] The GSRA would ban officials from conducting searches for Americans’ communications unless they first obtain a warrant in a criminal investigation or a FISA Title I order in a foreign intelligence investigation.[533] The new warrant requirement would provide for narrow exceptions in cases of: (1) consent, (2) exigent circumstances, or (3) a government attempt to identify targets of cyberattacks by searching for malicious code embedded in Americans’ communications.[534]

The GSRA would also significantly overhaul the ECPA—which addresses wiretapping, access to stored electronic communications, and other information-collection devices.[535] These changes would alter the rights and obligations of entities already covered by the ECPA and expand the reach of the ECPA to entities not currently subject to it.[536] The GSRA would:

Expand the scope of companies subject to the ECPA to include any online service provider.[537] The GSRA would add a new category of service providers—broadly defined as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server”[538]—to the Stored Communications Act’s (“SCA”) provision governing compelled disclosures to governmental entities.[539]
Effectively codify the Sixth Circuit’s decision in Warshak v. United States, 631 F.3d 266 (6th Cir. 2010), which held that law enforcement must obtain a warrant to compel the disclosure of the contents of user communications.[540] Further, the GSRA would effectively codify Carpenter v. United States, 138 S. Ct. 2206 (2018), by requiring law enforcement to obtain a warrant to compel the disclosure of location information, web browsing records, online search queries, and covered vehicle data.[541]
Prohibit the government from purchasing the personal data of U.S. persons (U.S. citizens and lawful permanent residents) or people reasonably believed to be located inside the United States.[542]
Exempt congressional subpoenas from the ECPA, allowing political officials to subpoena the communications and personal data of U.S. persons without any statutory protection.[543]

Dueling Surveillance Bills in the U.S. House of Representatives. In December 2023, the House postponed a planned vote on two competing surveillance bills under a procedural rule called “Queen of the Hill,” whereby the bill with the most votes is sent to the Senate.[544] The House Intelligence Committee advanced the first bill, the FISA Reform and Reauthorization Act of 2023, which faced backlash from privacy rights groups.[545] More than 50 organizations signed a letter demanding the bill’s rejection.[546] By contrast, the second bill, proposed by the House Judiciary Committee, entitled The Protect Liberty and End Warrantless Surveillance Act, received support from privacy advocates.[547] Both bills are still pending in the House.

V. Conclusion

In 2023, the privacy and cybersecurity landscape in the U.S. was defined by an expansion of regulatory and enforcement activity led by federal and state agencies, as well as civil litigation brought by private plaintiffs. This was driven in large part by the rapid development and advances in data-intensive technologies like AI and IoT; the unrelenting cyber threat posed by malicious actors; and related litigation arising from these trends. We expect these trends to continue in 2024 as existing technologies and use cases take hold and new ones emerge. In the absence of comprehensive federal legislation (which is unlikely in an election year), we expect federal and state agencies to continue to lead the charge on the regulatory front and aggressively pursue enforcement actions against companies and individuals. We will continue to track and analyze these developments in the year ahead.

__________

[1] Cal. Civ. Code § 1798.100 et seq.

[2] Va. Code Ann. §§ 59.1-575 to 59.1-585.

[3] Colo. Rev. Stat. Ann. § 6-1-1308.

[4] Conn. Gen. Stat. Ann. § 42-520.

[5] Utah Code §§ 13-61-101 to 13-61-404.

[6] S.B. 262, 125 Reg. Sess. (Fla. 2023) (to be codified in Fla. Stat. § 501.701-22).

[7] H.B. 4, 88 Reg. Sess. (Tex. 2023) (to be codified in Tex. Bus. & Com. Code §§ 541.001 to 541.205).

[8] S.B. 618, 82 Leg. Assemb., Reg. Sess. (Or. 2023) (to be codified in Or. Laws Ch. 369).

[9] S.B. 384, 68 Reg. Sess. (Mont. 2023) (to be codified in Mont. Code § 30-14-2801 to 30-14-2817).

[10] S.F. 262, 89th Gen. Assemb., Reg. Sess. (Iowa 2023) (to be codified in Iowa Code § 715D.1 to 715D.9).

[11] H.B. 154, 152 Gen. Assemb., Reg. Sess. (Del. 2023) (to be codified in 6 Del. Code § 12D).

[12] S.B. 332, 220 Leg. Assemb., Reg. Sess. (N.J. 2023).

[13] H.B. 1181; S.B. 73, 112 Gen. Assemb., Reg. Sess. (Tenn. 2023) (to be codified in Tenn. Code §§ 47-18-3301 to 47-18-3315).

[14] S.B. 5, 123 Gen. Assemb., Reg. Sess. (Ind. 2023) (to be codified in Ind. Code §§ 24-15-1-1 to 24-15-11-2).

[15] Notably, under the NJDPA, “financial information” is included as a form of sensitive data, which is defined as including “a consumer’s account number, account log-in, financial account, or credit or debit number, in combination in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”

[16] Under Civil Code section 1798.150, the damages available for a private right of action to pursue statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief, and “any other relief the court deems proper.” A number of limitations also exist. For example, under Section 1798.150(b), a consumer must give a business an opportunity to “cure” the alleged violation by sending written notice prior to filing suit. If cured within 30 days and the consumer receives “an express written statement” indicating that the violations have been cured and shall not recur, a claim for statutory damages cannot be pursued.

[17] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.

[18] Wash. Rev. Code § 19.373.010(23).

[19] Id. § 19.373.010(23).

[20] Id. §§ 19.373.010(28), 19.373.030(2).

[21] Id. § 19.373.010(8)(a).

[22] Id. § 19.373.010(8)(b).

[23] Id. § 19.373.010(8)(c).

[24] Id.

[25] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.

[26] Wash. Rev. Code §§ 19.373.020; 19.373.030.

[27] Id. §§ 19.373.010(6)(a); 19.373.030.

[28] Id. § 19.373.040(a)–(c).

[29] Id. § 19.373.090.

[30] Id. § 19.255.040.

[31] Id.

[32] Mont. Code § 30-23-102(4).

[33] Id. § 30-23-102(6).

[34] Id. § 30-23-104(1)–(2).

[35] Id. § 330-23-104(5).

[36] Id. § 30-23-106.

[37] Press Release, Senator Josh Becker, Governor Newsom Signs First in the Nation Bill to Protect Consumers’ Data from Unknown Third Parties (Oct. 10, 2023), https://sd13.senate.ca.gov/news/press-release/october-10-2023/governor-newsom-signs-first-in-the-nation-bill-to-protect.

[38] Cal. Civ. Code §§ 1798.99.84; 1798.99.86(a)–(b).

[39] Id. § 1798.99.86(c)–(d).

[40] Id. § 1798.99.86(d)(2).

[41] Id. § 1798.99.86(a)(3).

[42] Id. § 1798.99.86(e)(1).

[43] Id. § 1798.99.80(c).

[44] Id. § 1798.99.80(c)(1)(4).

[45] N.Y. Dep’t of Fin. Servs., Cybersecurity Resource Center, https://www.dfs.ny.gov/industry_guidance/cybersecurity.

[46] N.Y. Dep’t of Fin. Servs., Enforcement and Discipline, https://dfs.ny.gov/industry_guidance/enforcement_actions.

[47] Press Release, Utah Governor Spencer J. Cox, Gov. Cox Signs Bills Focused on Social Media and Youth Mental Health in Utah (Mar. 23, 2023), https://governor.utah.gov/2023/03/23/gov-cox-signs-bills-focused-on-social-media-in-utah/.

[48] Utah Code § 13-63-101, et seq.

[49] Id. §§ 13-63-201–301.

[50] Id. § 13-63-301.

[51] NetChoice, LLC v. Reyes, No. 2:23-cv-00911 (D. Utah); Zoulek v. Hass, No. 2:24-cv-00031 (D. Utah).

[52] NetChoice, LLC v. Griffin, No. 5:23-CV-05105, 2023 WL 5660155, at *7 (W.D. Ark. Aug. 31, 2023).

[53] Id. at *13.

[54] Id. at *17, 40–41.

[55] Alario v. Knudsen, No. CV 23-56-M-DWM, 2023 WL 8270811 (D. Mont. Nov. 30, 2023).

[56] Id. at *4.

[57] American Data Privacy and Protection Act (“ADPPA”), H.R. 8152, 117th Cong. (2022).

[58] Id. §§ 101(a)–(b), 103(a).

[59] Id. § 207(a)(1).

[60] Id. §§ 207(b), 401, 402(a).

[61] Id. § 403(a).

[62] Id. § 404(b)(1).

[63] See Innovation, Data, and Commerce Subcommittee Hearing: “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information,” U.S. House Energy & Commerce Comm. (Apr. 27, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-addressing-america-s-data-privacy-shortfalls-how-a-national-standard-fills-gaps-to-protect-americans-personal-information; Innovation, Data, and Commerce Subcommittee Hearing: “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy,” U.S. House Energy & Commerce Comm. (Mar. 1, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-promoting-u-s-innovation-and-individual-liberty-through-a-national-standard-for-data-privacy.

[64] Exec. Order No. 14,110, 88 Fed. Reg. 75191 (Oct. 30, 2023); see also Press Release, White House, FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence.

[65] Remarks of President Joe Biden – State of the Union Address as Prepared for Delivery, White House (Feb. 7, 2023), https://www.whitehouse.gov/briefing-room/speeches-remarks/2023/02/07/remarks-of-president-joe-biden-state-of-the-union-address-as-prepared-for-delivery.

[66] See Eric McDaniel, Congress Passed So Few Laws This Year That We Explained Them All in 1,000 Words, NPR (Dec. 22, 2023), https://www.npr.org/2023/12/22/1220111009/congress-passed-so-few-laws-this-year-that-we-explained-them-all-in-1-000-words; Müge Fazlioglu, US Federal Privacy Legislation Tracker: Introduced in the 118th Congress (2023-2024), IAPP (last updated Sept. 2023), https://iapp.org/media/pdf/resource_center/us_federal_privacy_legislation_tracker.pdf.

[67] Müge Fazlioglu, U.S. Privacy Legislation in 2023: Something Old, Something New?, IAPP (July 26, 2023), https://iapp.org/news/a/u-s-federal-privacy-legislation-in-2023-something-old-something-new.

[68] Press Release, U.S. Senate Judiciary Comm., Durbin, Graham Announce January 2024 Hearing with Five Big Tech CEOs on their Failure to Protect Children Online (Nov. 29, 2023), https://www.judiciary.senate.gov/press/releases/durbin-graham-announce-january-2024-hearing-with-five-big-tech-ceos-on-their-failure-to-protect-children-online; Full Committee Hearing: “TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms,” U.S. House Energy & Commerce Comm. (Mar. 23, 2023), https://energycommerce.house.gov/events/full-committee-hearing-tik-tok-how-congress-can-safeguard-american-data-privacy-and-protect-children-from-online-harms.

[69] Kids Online Safety Act, S. 1409, 118th Cong. (2023).

[70] Children and Teens’ Online Privacy Protection Act, S. 1418, 118th Cong. (2023).

[71] Informing Consumers about Smart Devices Act, S. 90, 118th Cong. (2023).

[72] Stop Spying Bosses Act, S. 262, 118th Cong. (2023).

[73] UPHOLD Privacy Act of 2023, S. 631, 118th Cong. (2023).

[74] DELETE Act, H.R. 4311, 118th Cong. (2023).

[75] Data Care Act of 2023, S. 744, 118th Cong. (2023).

[76] Online Privacy Act of 2023, H.R. 2701, 118th Cong. (2023).

[77] Federal Cybersecurity Vulnerability Reduction Act of 2023, H.R. 5255, 118th Cong. (2023).

[78] Modernizing the Acquisition of Cybersecurity Experts Act of 2023, H.R. 4502, 118th Cong. (2023).

[79] Federal Cybersecurity Workforce Expansion Act, S. 2256, 118th Cong. (2023).

[80] See Press Release, White House, President Biden Recognizes Actions by Private Sector Ticketing and Travel Companies to Eliminate Hidden Junk Fees and Provide Millions of Customers with Transparent Pricing (June 15, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/06/15/president-biden-recognizes-actions-by-private-sector-ticketing-and-travel-companies-to-eliminate-hidden-junk-fees-and-provide-millions-of-customers-with-transparent-pricing/. See also Press Release, White House, FACT SHEET: Executive Order on Promoting Competition in the American Economy (July 9, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/09/fact-sheet-executive-order-on-promoting-competition-in-the-american-economy/.

[81] Trade Regulation Rule on Unfair or Deceptive Fees, 88 Fed. Reg. 77420 (Nov. 9, 2023), https://www.federalregister.gov/documents/2023/11/09/2023-24234/trade-regulation-rule-on-unfair-or-deceptive-fees; Trade Regulation Rule on Unfair or Deceptive Fees, 89 Fed. Reg. 38 (Jan. 2, 2024).

[82] Christine Wilson, Letter to President Joseph R. Biden (Mar. 2, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p180200wilsonresignationletter.pdf.

[83] See Press Release, White House, President Biden Announces Nominees to Bipartisan Boards and Commissions (July 3, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/03/president-biden-announces-nominees-to-bipartisan-boards-and-commissions.

[84] Melissa Holyoak, Statement Before the U.S. Senate Committee on Commerce, Science, and Transportation (Sep. 20, 2023), https://www.commerce.senate.gov/services/files/51CBECA7-1810-4CCD-8046-0AE99CA34CC4.

[85] Hawley Holds Nominees, Calls for Further Evaluation of McConnell Nominees, Senate Office of Josh Hawley (Dec. 20, 2023), https://www.hawley.senate.gov/hawley-holds-nominees-calls-further-evaluation-mcconnell-nominees.

[86] Lina Khan, Lina Khan: We Must Regulate A.I. Here’s How, New York Times (May 3, 2023), https://www.nytimes.com/2023/05/03/opinion/ai-lina-khan-ftc-technology.html.

[87] Michael Atleson, Keep Your AI Claims in Check, Federal Trade Commission (Feb. 27, 2023), https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check.

[88] Michael Atleson, Chatbots, Deepfakes, and Voice Clones: AI Deception for Sale, Federal Trade Commission (Mar. 20, 2023), https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale.

[89] Id.

[90] Id.

[91] Michael Atleson, The Luring Test: AI and the Engineering of Consumer Trust, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/05/luring-test-ai-engineering-consumer-trust.

[92] Michael Atleson, Watching the Detectives: Suspicious Marketing Claims for Tools that Spot AI-Generated Content, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/07/watching-detectives-suspicious-marketing-claims-tools-spot-ai-generated-content.

[93] Alex Gaynor, Security Principles: Addressing Underlying Causes of Risk in Complex Systems, Federal Trade Commission (February 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.

[94] Id.

[95] Id.

[96] Samuel Levine, Chief, Federal Trade Commission, Remarks of Chief Samual Levine at the Consumer Data Industry Association Law and Industry Conference (September 21, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/cdia-sam-levine-9-21-2023.pdf.

[97] Mike Swift, US FTC still pondering ‘commercial surveillance’ rulemaking, Slaughter tells tech industry, MLex (Jan. 10, 2024), https://content.mlex.com/#/content/1535579.

[98] Press Release, Federal Trade Commission, FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges (Mar. 14, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-finalizes-order-requiring-fortnite-maker-epic-games-pay-245-million-tricking-users-making.

[99] 15 U.S.C. § 45(a).

[100] Complaint, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023).

[101] Proposed Stipulated Order, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023); Press Release, Federal Trade Commission, FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users’ Cameras (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers-failed-stop-hackers-taking-control-users.

[102] Notices of Penalty Offenses, Federal Trade Commission, https://www.ftc.gov/enforcement/penalty-offenses.

[103] Press Release, Federal Trade Commission, FTC Warns Tax Preparation Companies About Misuse of Consumer Data (Sep. 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-warns-tax-preparation-companies-about-misuse-consumer-data.

[104] Complaint, U.S. v. Amazon.com, Inc., and Amazon.com Services LLC, Case No. 2:23-cv-00811 (May 31, 2023).

[105] Amazon Alexa, Federal Trade Commission (July 21, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/amazon-alexa.

[106] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.

[107] Press Release, Federal Trade Commission, FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule (Sep. 21, 2023), https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health-breach-notification-rule.

[108] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.

[109] Health Breach Notification Rule, 88 Fed. Reg. 37819, 37839 (June 9, 2023), https://www.federalregister.gov/documents/2023/06/09/2023-12148/health-breach-notification-rule; see also Press Release, Federal Trade Commission, FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule.

[110] Press Release, Federal Trade Commission, FTC Finalizes Order with 1Health.io Over Charges it Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy (Sep. 7, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-finalizes-order-1healthio-over-charges-it-failed-protect-privacy-security-dna-data-unfairly.

[111] FTC v. Rite Aid Corp., No. 2:23-cv-05023 (E.D. Pa. Dec. 19, 2023).

[112] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.

[113] Press Release, Federal Trade Commission, FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches (October 27, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.

[114] Press Release, Federal Trade Commission, Compliance deadline for certain revised FTC Safeguards Rule provisions extended to June 2023 (November 15, 2022), https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023.

[115] Id.

[116] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.

[117] Press Release, Federal Trade Commission, FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Comanies’ Ability to Monetize Children’s Data (December 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens.

[118] Id.

[119] Id.

[120] Id.; Children’s Online Privacy Protection Rule, 89 Fed. Reg. 2034 (Jan. 11, 2024). https://www.federalregister.gov/documents/2024/01/11/2023-28569/childrens-online-privacy-protection-rule.

[121] Press Release, Federal Trade Commission, FTC Seeks Comment on New Parental Consent Mechanism Under COPPA (July 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-seeks-comment-new-parental-consent-mechanism-under-coppa.

[122] Id.

[123] Press Release, Federal Trade Commission, FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent (June 5, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information.

[124] Id.

[125] Press Release, Federal Trade Commission, FTC Proposes Blanket Prohibition Preventing Facebook from Monetizing Youth Data (May 3, 2023) https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-blanket-prohibition-preventing-facebook-monetizing-youth-data.

[126] Id.

[127] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.

[128] Press Release, Federal Trade Commission, FTC to Host Identity Authentication Workshop (Feb. 21, 2007) https://www.ftc.gov/news-events/news/press-releases/2007/02/ftc-host-identity-authentication-w; You Don’t Say: An FTC Workshop on Voice Cloning Technologies, Federal Trade Commission (Jan. 28, 2020), https://www.ftc.gov/newsevents/events/2020/01/you-dont-say-ftc-workshop-voice-cloning-technologies; Face Facts: A Forum on Facial Recognition Technology, Federal Trade Commission (Dec. 8, 2011), https://www.ftc.gov/newsevents/events/2011/12/face-facts-forum-facial-recognition-technology; Facing Facts: Best Practices for Common Uses of Facial Recognition Technology, Federal Trade Commission (Oct. 2012), https://www.ftc.gov/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies.

[129] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.

[130] Id.

[131] Press Release, Federal Trade Commission, Rite Aid Banned From Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.

[132] Press Release, Consumer Financial Protection Bureau, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/.

[133] Id.

[134] See id.; Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74809 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.

[135] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74796 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.

[136] 12 U.S.C. § 5533(a).

[137] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74803 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.

[138] Id. at 74809.

[139] Id. at 74832.

[140] Id. at 74833.

[141] Id. at 74874.

[142] Id.; Press Release, Consumer Financial Protection Bureau, Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule /.

[143] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.

[144] Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications, 88 Fed. Reg. 80197, 80199, 80204 (Nov. 17, 2023) (to be codified at 12 C.F.R. pt. 1090), https://www.federalregister.gov/documents/2023/11/17/2023-24978/defining-larger-participants-of-a-market-for-general-use-digital-consumer-payment-applications.

[145] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.

[146] Id.

[147] Press Release, Consumer Financial Protection Bureau, CFPB Launches Inquiry Into the Business Practices of Data Brokers (Mar. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-inquiry-into-the-business-practices-of-data-brokers/.

[148] Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16951, 16952 (Mar. 21, 2023), https://www.federalregister.gov/documents/2023/03/21/2023-05670/request-for-information-regarding-data-brokers-and-other-business-practices-involving-the-collection.

[149] Press Release, Consumer Financial Protection Bureau, Remarks of CFPB Director Rohit Chopra at White House Roundtable on Protecting Americans from Harmful Data Broker Practices (Aug. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/remarks-of-cfpb-director-rohit-chopra-at-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.

[150] Id.; see also 15 U.S.C. § 1681b.

[151] Id.

[152] Id.

[153] Press Release, Consumer Financial Protection Bureau, CFPB and Federal Partners Confirm Automated Systems and Advanced Technology Not an Excuse for Lawbreaking Behavior (Apr. 25, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-federal-partners-confirm-automated-systems-advanced-technology-not-an-excuse-for-lawbreaking-behavior/.

[154] Press Release, Consumer Financial Protection Bureau, CFPB Issue Spotlight Analyzes “Artificial Intelligence” Chatbots in Banking (June 3, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issue-spotlight-analyzes-artificial-intelligence-chatbots-in-banking.

[155] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.

[156] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.

[157] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.

[158] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.

[159] Press Release, Consumer Financial Protection Bureau, CFPB Issues Guidance on Credit Denials by Lenders Using Artificial Intelligence (Sept. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/.

[160] Id.

[161] Press Release, SEC, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (Mar. 15, 2023), https://www.sec.gov/news/press-release/2023-51.

[162] Id.

[163] Id.

[164] Id.

[165] A Small Entity Compliance Guide, SEC, Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure (Nov. 14, 2023), https://www.sec.gov/corpfin/secg-cybersecurity#_ftn1.

[166] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.

[167] Id.

[168] Id.

[169] Id.

[170] Id. at 51924.

[171] Id. at 51898–51899.

[172] Id. at 51945.

[173] Id. at 51909–51910.

[174] The rule also includes another exemption that only applies to companies subject to the Federal Communications (“FCC”) notification rule for breaches of customer proprietary network information (“CPNI”). A more detailed description of this exception is outlined in Gibson Dunn’s July 31, 2023 update.

[175] Id.

[176] DOJ, Department of Justice Material Cybersecurity Incident Delay Determinations (Dec. 12, 2023), https://www.justice.gov/media/1328226/dl?inline.

[177] Id.

[178] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.

[179] Id.

[180] Id. at 51913.

[181] Id.

[182] Id.

[183] Id. at 51914.

[184] The Commission’s Privacy Act Regulations, 88 Fed. Reg. 65807, 65808.

[185] Id. at 65808–09.

[186] Press Release, SEC, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Feb. 9, 2022), https://www.sec.gov/news/press-release/2022-20.

[187] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (published Mar. 9, 2022) (to be codified at 17 C.F.R. pts. 230, 232, 239, 270, 274, 275, 279), https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business.

[188] SEC, Agency Rule List – Fall 2023, https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST&currentPub=true&agencyCode=&showStage=active&agencyCd=3235&csrf_token=28A8C6498A23E2932F2D7BB0618F4AA9746D20D66D0E1500674B7BEBFD26693EFE119AEDE913D6851EE65F43B418CC81FFA8.

[189] SEC, View Rule (last visited, Jan. 26, 2023), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=3235-AN15.

[190] SEC, 2024 Examination Priorities (Oct. 16, 2023), https://www.sec.gov/files/2024-exam-priorities.pdf.

[191] Press Release, SEC, SEC Division of Examinations Announces 2024 Priorities, https://www.sec.gov/news/press-release/2023-222/.

[192] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.

[193] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.

[194] Id.

[195] Id.

[196] Press Release, SEC, SEC Charges Virtu for False and Misleading Disclosures Relating to Information Barriers (September 12, 2023), https://www.sec.gov/news/press-release/2023-176.

[197] Id.

[198] Id.

[199] Id.

[200] Press Release, SEC, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors (March 9, 2023), https://www.sec.gov/news/press-release/2023-48.

[201] Id.

[202] Id.

[203] Id.

[204] Id.

[205] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227; see also Complaint ¶ 1, SEC v. SolarWinds Corp., No. 1:23-9518 (S.D.N.Y. Oct. 30, 2023), ECF No. 1.

[206] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227.

[207] Id.

[208] Id.

[209] Id.

[210] Id.

[211] Id.

[212] Id.

[213] Id.

[214] Id.

[215] Press Release, Department of Health and Human Services, HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years (Feb. 27, 2023), https://www.hhs.gov/about/news/2023/02/27/hhs-announces-new-divisions-within-office-civil-rights-better-address-growing-need-enforcement-recent-years.html.

[216] Id.

[217] Id.

[218] Id.

[219] Press Release, Department of Health and Human Services, HHS Finalizes Rule to Advance Health IT Interoperability and Algorithm Transparency (Dec. 13, 2023), https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-to-advance-health-it-interoperability-and-algorithm-transparency.html; see also Press Release, Department of Health and Human Services, HHS Proposes New Rule to Further Implement the 21st Century Cures Act (Apr. 11, 2023), https://www.hhs.gov/about/news/2023/04/11/hhs-propose-new-rule-to-further-implement-the-21st-century-cures-act.html.

[220] Id.

[221] Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 45 C.F.R. § 170, https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and.

[222] Id.; see also Department of Health and Human Services, Telehealth policy updates (Nov. 9, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates.

[223] Press Release, Department of Health and Human Services, Fact Sheet: End of the COVID-19 Public Health Emergency (May 9, 2023), https://www.hhs.gov/about/news/2023/05/09/fact-sheet-end-of-the-covid-19-public-health-emergency.html.

[224] Id.

[225] Department of Health and Human Services, Telehealth Policy Changes After the COVID-19 Public Health Emergency (Dec. 19, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/policy-changes-after-the-covid-19-public-health-emergency.

[226] Press Release, Department of Health and Human Services, HHS Office for Civil Rights and the Federal Trade Commission Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies (July 20, 2023), https://www.hhs.gov/about/news/2023/07/20/hhs-office-civil-rights-federal-trade-commission-warn-hospital-systems-telehealth-providers-privacy-security-risks-online-tracking-technologies.html.

[227] Id.

[228] FTC, Updated FTC-HHS publication outlines privacy and security laws and rules that impact consumer health data (Sept. 15, 2023), https://www.ftc.gov/business-guidance/blog/2023/09/updated-ftc-hhs-publication-outlines-privacy-security-laws-rules-impact-consumer-health-data.

[229] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.

[230] See Dobbs v. Jackson Women’s Health Org., 597 U.S. 215 (2022).

[231] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.

[232] Press Release, Department of Health and Human Services, HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care (Apr. 12, 2023), https://www.hhs.gov/about/news/2023/04/12/hhs-proposes-measures-bolster-patient-provider-confidentiality-around-reproductive-health-care.html.

[233] Id.; see also Regulatory Initiatives, Department of Health and Human Services, HIPAA Privacy Rule and Reproductive Health Care (Apr. 14, 2023), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.

[234] HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (proposed Apr. 17, 2023) (to be codified at 45 C.F.R. pts. 160, 164); HHS/OCR, View Rule (last visited Jan. 26, 2024), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0945-AA20.

[235] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter (Nov. 20, 2023), https://www.hhs.gov/about/news/2023/11/20/hhs-office-civil-rights-settles-hipaa-investigation-st-josephs-medical-center-disclosure-patients-protected-health-information-news-reporter.html; Department of Health and Human Services, St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan (Aug. 22, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjmc-ra-cap/index.html.

[236] Id.

[237] Id.

[238] Id.

[239] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints With Optum Medical Care Over Patient Access to Records (Dec. 15, 2023), https://www.hhs.gov/about/news/2023/12/15/hhs-office-for-civil-rights-settles-multiple-hipaa-complaints-with-optum-medical-care-over-patient-access-to-records.html.

[240] Id.

[241] See id.

[242] Press Release, Department of Health and Human Services, HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking (Feb. 2, 2023), https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html.

[243] Id.

[244] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation (Dec. 7, 2023), https://www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.

[245] Id.

[246] Id.

[247] Press Release, Department of Homeland Security, Statement from Secretary Mayorkas on President Biden’s National Cybersecurity Strategy (Mar. 2, 2023), https://www.dhs.gov/news/2023/03/02/statement-secretary-mayorkas-president-bidens-national-cybersecurity-strategy.

[248] Press Release, Department of Homeland Security, DHS Issues Recommendations to Harmonize Cyber Incident Reporting for Critical Infrastructure Entities (Sept. 19, 2023), https://www.dhs.gov/news/2023/09/19/dhs-issues-recommendations-harmonize-cyber-incident-reporting-critical.

[249] Brandon Wales, CIRCIA at One Year: A Look Behind the Scenes, Cybersecurity & Infrastructure Security Agency (Mar. 24, 2023), https://www.cisa.gov/news-events/news/circia-one-year-look-behind-scenes; see also Gibson Dunn’s client alert on the Cyber Incident Reporting for Critical Infrastructure Act, https://www.gibsondunn.com/president-biden-signs-into-law-the-cyber-incident-reporting-for-critical-infrastructure-act-expanding-cyber-reporting-obligations-for-a-wide-range-of-public-and-private-entities/.

[250] Press Release, Department of Homeland Security, Joint Statement from 21 Countries and the Organization of American States Following the Department of Homeland Security Western Hemisphere Cyber Conference (Sept. 28, 2023), https://www.dhs.gov/news/2023/09/28/joint-statement-21-countries-and-organization-american-states-following-department.

[251] Press Release, Cybersecurity and Infrastructure Security Agency, CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability (June 7, 2023), https://www.cisa.gov/news-events/news/cisa-and-fbi-release-advisory-cl0p-ransomware-gang-exploiting-moveit-vulnerabilit y.

[252] Press Release, Department of Homeland Security, Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (Aug. 10, 2023), https://www.dhs.gov/news/2023/08/10/cyber-safety-review-board-releases-report-activities-global-extortion-focused; Press Release, Department of Homeland Security, Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (Aug. 11, 2023), https://www.dhs.gov/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud.

[253] Cybersecurity Advisory, Cybersecurity and Infrastructure Security Agency, #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (Nov. 21, 2023), https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a.

[254] Press Release, Department of Homeland Security, DHS Announces Additional $374.9 Million in Funding to Boost State, Local Cybersecurity (Aug. 7, 2023), https://www.dhs.gov/news/2023/08/07/dhs-announces-additional-3749-million-funding-boost-state-local-cybersecurity.

[255] Press Release, Department of Justice, Justice Department Announces New National Security Cyber Section Within the National Security Division (June 20, 2023), https://www.justice.gov/opa/pr/justice-department-announces-new-national-security-cyber-section-within-national-security.

[256] Id.

[257] Press Release, Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant (Jan. 26, 2023), https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.

[258] Id.

[259] Press Release, Department of Justice, Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (May 9, 2023), https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled.

[260] Id.

[261] Press Release, Department of Justice, Qakbot Malware Disrupted in International Cyber Takedown (Aug. 29, 2023), https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown.

[262] Press Release, Department of Justice, Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant (Dec. 19, 2023), https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant.

[263] Id.

[264] Press Release, Department of Justice, Justice Department and Meta Platforms Inc. Reach Key Agreement as They Implement Groundbreaking Resolution to Address Discriminatory Delivery of Housing Advertisements (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-and-meta-platforms-inc-reach-key-agreement-they-implement-groundbreaking.

[265] Id.

[266] Id.; Roy L. Austin, Jr., An Update on Our Ads Fairness Efforts, Meta (Jan. 9, 2023), https://about.fb.com/news/2023/01/an-update-on-our-ads-fairness-efforts/.

[267] Press Release, Department of Justice, Justice Department Files Statement of Interest in Fair Housing Act Case Alleging Unlawful Algorithm-Based Tenant Screening Practices (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-files-statement-interest-fair-housing-act-case-alleging-unlawful-algorithm.

[268] Id.

[269] Id.

[270] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.

[271] Statements and Releases, White House, Statement from National Security Advisor Jake Sullivan on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/07/statement-from-national-security-advisor-jake-sullivan-on-the-introduction-of-the-restrict-act/; Press Release, Department of Commerce, Statement from U.S. Secretary of Commerce Gina Raimondo on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.commerce.gov/news/press-releases/2023/03/statement-us-secretary-commerce-gina-raimondo-introduction-restrict-act.

[272] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.

[273] Protecting Americans’ Data From Foreign Surveillance Act of 2023, S. 1974, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/1974/text.

[274] Id.

[275] Id.

[276] Id.

[277] Id.

[278] Press Release, Office of Cybersecurity, Energy Security, and Emergency Response, DOE Announces $39 Million in Research Funding to Enhance Cybersecurity of Clean Distributed Energy Resources (Sept. 12, 2023), https://www.energy.gov/ceser/articles/doe-announces-39-million-research-funding-enhance-cybersecurity-clean-distributed.

[279] Id.

[280] Id.

[281] Alexandra Kelley, Cyberattacks on Energy’s National Labs Draw Lawmaker Scrutiny, Nextgov/FCW (Feb. 2, 2023), https://www.nextgov.com/cybersecurity/2023/02/cyberattacks-energys-national-labs-draw-lawmaker-scrutiny/382503/.

[282] Special Report, Department of Energy, Management Challenges at the Department of Energy — Fiscal Year 2024 (Nov. 17, 2023), https://www.energy.gov/sites/default/files/2023-11/DOE-OIG-24-05.pdf.

[283] Id.

[284] Daniel Wilson, Defense Dept. Proposes Long-Awaited Cybersecurity Rule, Law360 (Dec. 22, 2023), https://www.law360.com/cybersecurity-privacy/articles/1780256/defense-dept-proposes-long-awaited-cybersecurity-rule.

[285] Id.

[286] Id.

[287] Press Release, Federal Communications Commission, Chairwoman Rosenworcel Launches Privacy and Data Protection Task Force (June 14, 2023), https://www.fcc.gov/document/chairwoman-rosenworcel-launches-privacy-and-data-protection-task-force.

[288] Id.

[289] Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105, 133 Stat. 3274 (2019); Federal Communications Commission, TRACED Act Implementation (May 1, 2023), https://www.fcc.gov/TRACEDAct.

[290] Limits on Exempted Calls Under the Telephone Consumer Protection Act of 1991, 88 Fed. Reg. 3668 (Jan. 20, 2023) (to be codified at 47 C.F.R. pt. 64).

[291] Id.

[292] Press Release, Federal Communications Commission, Rosenworcel Launches Effort on AI’s Impact on Robocalls and Robotexts (Oct. 23, 2023), https://docs.fcc.gov/public/attachments/DOC-397925A1.pdf.

[293] Federal Communications Commission, FCC Launches Inquiry into AI’s Impact on Robocalls and Robotexts (Nov. 17, 2023), https://www.fcc.gov/consumer-governmental-affairs/fcc-launches-inquiry-ais-impact-robocalls-and-robotexts.

[294] Federal Communications Commission, Second Report and Order, Second Further Notice of Proposed Rulemaking in CG Docket Nos. 02-278 and 21-402, and Waiver Order in CG Docket No. 17-59 (Dec. 18, 2023), https://docs.fcc.gov/public/attachments/FCC-23-107A1.pdf.

[295] Id. at 13–15.

[296] Id. at 20 n.113.

[297] Press Release, White House, Biden-⁠Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (July 18, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/.

[298] Id.

[299] Press Release, Federal Communications Commission, FCC Fact Sheet on Proposed Voluntary Cybersecurity Labeling Program for Internet-Enabled Devices (Aug. 10, 2023), https://docs.fcc.gov/public/attachments/DOC-395909A1.pdf.

[300] Press Release, Federal Communications Commission, FCC Adopts Updated Data Breach Notification Rules To Protect Consumers (Dec. 13, 2023), https://docs.fcc.gov/public/attachments/DOC-399090A1.pdf.

[301] Id.

[302] Press Release, Federal Communications Commission, FCC Proposes $20M Fine for Apparently Failing to Protect Consumer Data (July 28, 2023), https://docs.fcc.gov/public/attachments/DOC-395581A1.pdf.

[303] Id.

[304] A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology, Cal. Privacy Protection Agency (Nov. 27, 2023), https://cppa.ca.gov/announcements/2023/20231127.html; see also Draft Automated Decisionmaking Technology Regulations, Cal. Privacy Protection Agency (Dec. 8, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf.

[305] CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies, Cal. Privacy Protection Agency (July 31, 2023), https://cppa.ca.gov/announcements/2023/20230731.html.

[306] Ahead of Privacy Day, Attorney General Bonta Focuses on Mobile Applications’ Compliance with the California Consumer Privacy Act, Cal. Att’y Gen. (Jan. 27, 2023), https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99.

[307] Attorney General Bonta Seeks Information from California Employers on Compliance with California Consumer Privacy Act, Cal. Att’y Gen. (July 14, 2023), https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance.

[308] Complaint, People v. Google, Case No. 23CV422424 (Santa Clara Cnty. Super. Ct., Sept. 14, 2023), https://oag.ca.gov/system/files/attachments/press-docs/Filed%20stamped%20Google%20Complaint.pdf.

[309] Attorney General James Seeks information from Madison Square garden Regarding Use of Facial Recognition Technology to Deny Entry to Venues, N.Y. Att’y Gen. (Jan. 25, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-seeks-information-madison-square-garden-regarding-use.

[310] DFS Announces $1 million Cybersecurity Settlement with First American Title Insurance Company, N.Y. Dept. of Fin. Servs. (Nov. 28, 2023), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311281

[311]Id.

[312] AG Ferguson’s lawsuit forces Google to pay nearly $40M over deceptive location tracking, Wash. Att’y Gen. (May 18, 2023) https://www.atg.wa.gov/news/news-releases/ag-ferguson-s-lawsuit-forces-google-pay-nearly-40m-over-deceptive-location.

[313] Press Release, Office of the Indiana Attorney General, Attorney General Todd Rokita Secures $49.5 Million Multistate Settlement with Blackbaud for Data Breach (Oct. 5, 2023), https://events.in.gov/event/attorney_general_todd_rokita_secures_495_million_multistate_settlement_with_blackbaud_for_data_breach.

[314] Press Release, New York State Office of the Attorney General, Attorney General James and Multistate Coalition Secure $6.5 Million from Morgan Stanley for Failing to Protect Customer Data (Nov. 16, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-and-multistate-coalition-secure-65-million-morgan-stanley.

[315] Press Release, New Jersey Office of the Attorney General, AG Platkin Co-Leads $2.5-Million Multistate Settlement with EyeMed Over Data Breach that Compromised the Personal Information of Millions of Patients (May 16, 2023), https://www.njoag.gov/ag-platkin-co-leads-2-5-million-multistate-settlement-with-eyemed-over-data-breach-that-compromised-the-personal-information-of-millions-of-patients/.

[316] See Notice of Settlement and Joint Stipulation and [Proposed] Order to Stay Litigation Activities Pending Filing of Mot. for Prelim. Approval, In re Orrick, Herrington & Sutcliffe, LLP Data Breach Litig., No. 3:23-cv-04089 (N.D. Cal. Dec. 21, 2023), ECF No. 50.

[317] See Order Granting Final Approval of Class Action Settlement and Pls.’ Mot. for Att’ys’ Fees and Costs, Desue v. 20/20 Eye Care Network Inc., No. 21-61275 (S.D. Fla. July 8, 2023), ECF No. 100.

[318] Identity Theft Resource Center, Q3 2023 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2023/10/20231011_Q3-2023-Data-Breach-Analysis.pdf.

[319] Identity Theft Resource Center, Q3 2022 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2022/10/20221005_One-Pager_Q3-2022-Data-Breach-Analysis.pdf.

[320] See Transfer Order, In re MOVEit Customer Data Sec. Breach Litig., MDL No. 3083 (J.P.M.L. Oct. 4, 2023); Judicial Panel on Multidistrict Litigation, MDL Statistics Report – Distribution of Pending MDL Dockets by Actions Pending (Jan. 2, 2014), https://www.jpml.uscourts.gov/sites/jpml/files/Pending_MDL_Dockets_By_Actions_Pending-January-2-2024.pdf.

[321] See In re MOVEit Customer Data Sec. Breach Litig., No. 23-3083 (D. Mass.).

[322] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) (holding that plaintiffs who had not suffered concrete harm due to data breach, and instead claimed they are at heightened risk of future harm, lack standing to sue under Article III).

[323] Id. at 437.

[324] 72 F.4th 365, 375 (1st Cir. 2023) (holding that plaintiff adequately alleged standing based on the filing of a fraudulent tax return that likely resulted from information compromised in the data breach).

[325] Id. at 377.

[326] Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 286 (2d Cir. 2023) (cleaned up).

[327] Id. at 287.

[328] 2023 WL 4183380, at *4 (E.D. Va. June 26, 2023).

[329] Id.

[330] Id.

[331] Id.

[332] Id. at *5.

[333] 2023 WL 5608389, at *2 (C.D. Cal. Aug. 29, 2023) (acknowledging that while an increased risk of identity theft stemming from a data breach can constitute a threat of imminent harm sufficient for standing purposes, on the facts of the case, the username and password stolen in the breach were not linked to the plaintiff’s financial accounts, and thus did not give rise to the threat of identity theft).

[334] Id.

[335] See TransUnion, 594 U.S. at 431 (“Every class member must have Article III standing in order to recover individual damages. Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.”).

[336] 344 F.R.D. 38, 52 (D.D.C. 2023).

[337] Id. at 53.

[338] Id. at 55.

[339] See Cornerstone Research, Securities Class Action Trend Cases, https://www.cornerstone.com/insights/research/securities-class-action-trend-cases/.

[340] Complaint ¶ 3, Jaramillo v. Dish Networks Corp., No. 23-734 (D. Colo. Mar. 23, 2023), ECF No. 1.

[341] Complaint ¶ 4, Official Intel. Pty. Ltd., v. Block, Inc., No. 23-2789 (S.D.N.Y. April 3, 2023), ECF No. 1.

[342] 15 U.S.C. § 78u-4(b)(2).

[343] In re Okta, Inc. Securities Litig., 2023 WL 2749193, at *20 (N.D. Cal. Mar. 31, 2023).

[344] Id. at *15.

[345] Id.

[346] See, e.g., Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).

[347] 18 U.S.C. § 2510 et seq.

[348] Id. § 2511(2)(d).

[349] See Recording Law, All Party (Two Party) Consent States – List and Details, https://recordinglaw.com/party-two-party-consent-states/ (last visited Jan. 26, 2024) (identifying 13 two-party or all-party consent states).

[350] See, e.g., Cal. Penal Code §§ 631, 632 (wiretapping and eavesdropping statutes); id. § 637.2(a) (authorizing a private right of action and statutory damages).

[351] Doe v. Regents of Univ. of California, No. 23-CV-00598-WHO, 2023 WL 3316766 (N.D. Cal. May 8, 2023).

[352] Jackson v. Fandom, Inc., No. 22-CV-04423-JST, 2023 WL 4670285 (N.D. Cal. July 20, 2023).

[353] Id. at *4–5.

[354] Stark v. Patreon, Inc., 656 F. Supp. 3d 1018 (N.D. Cal. 2023).

[355] Id. at 1039–40.

[356] 18 U.S.C. § 1030(a).

[357] Van Buren v. United States, 141 S. Ct. 1648, 1654–55 (2021).

[358] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), https://www.justice.gov/opa/press-release/file/1507126/download.

[359] United States v. Calonge, 74 F.4th 31, 36 (2d Cir. 2023), cert. denied, 2023 WL 7475309 (U.S. Nov. 13, 2023).

[360] Id. at 33–34.

[361] Id. at 33.

[362] Id. at 33–34.

[363] Id. at 35–36 (citing 18 U.S.C. § 1030(e)(8)).

[364] Calonge v. United States, 2023 WL 7475309 (U.S. Nov. 13, 2023).

[365] ACW Flex Pack LLC v. Wrobel, 2023 WL 4762596, at *6–7 (N.D. Ill. July 26, 2023).

[366] Id. at *3, *6.

[367] Id. at *5.

[368] Id. at *6.

[369] Id. (quoting 18 U.S.C. § 1030(e)(1)) (emphasis removed).

[370] Id. at *6–8.

[371] Id. at *7.

[372] iPurusa, LLC v. Bank of New York Mellon Corp., 2023 WL 3072686, at *7 (D.N.J. Apr. 25, 2023).

[373] Id. at *6.

[374] Id. at *7.

[375] Id.

[376] See, e.g., T. et al v. OpenAI LP et al., Case No. 23-cv-04557, Dkt. 1 ¶¶ 317–326 (N.D. Cal.); P.M. et al v. OpenAI LP et al., Case No. 23-cv-03199-TLT, Dkt. 1 ¶¶ 422–431 (N.D. Cal.); see id. Dkt. 38 (notice of voluntary dismissal).

[377] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).

[378] Id. at 1201.

[379] Cal. Penal Code §§ 502(c)(2) & (e)(1).

[380] Id. § 502(b)(1).

[381] Brown v. Google LLC, 2023 WL 5029899, at *1 (N.D. Cal. Aug. 7, 2023).

[382] Id. at *2.

[383] Id. at *18.

[384] Id. at *19 (citing Cal. Penal Code § 502(c)(2)).

[385] Id.

[386] Brown et al. v. Google LLC, Case No. 4:20-cv-03664, Dkt. 1089 (N.D. Cal.).

[387] Nora Gutierrez v. Converse Inc., 2023 WL 8939221, at *1, *5 (C.D. Cal. Oct. 27, 2023).

[388] Id. at *4 (quoting In re iPhone Application Litig., 2011 WL 4403963, at * 12 (N.D. Cal. Sept. 20, 2011)).

[389] Id.

[390] Id. at *5.

[391] 47 U.S.C. § 227.

[392] Facebook, Inc. v. Duguid, 592 U.S. 395 (2021).

[393] Dickson v. Direct Energy, LP, 69 F.4th 338, 348–49 (6th Cir. 2023).

[394] Id. at 345–48.

[395] Drazen v. Pinto, 74 F.4th 1336, 1345–46 (11th Cir. 2023) (reversing Salcedo v. Hanna, 936 F.3d 1162, 1172 (11th Cir. 2019)).

[396] Hall v. Smosh Dot Com, Inc., 72 F.4th 983, 990–91 (9th Cir. 2023).

[397] Id. at 990.

[398] Mauthe v. Millennium Health LLC, 58 F.4th 93, 97 (3d Cir. 2023). The TCPA defines an “unsolicited advertisement” as “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” 47 U.S.C. § 227(a)(5).

[399] Trim v. Reward Zone USA LLC, 76 F.4th 1157, 1164 (9th Cir. 2023).

[400] Cal. Civ. Code § 1798.150 (West 2023).

[401] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[402] Order Granting Final Approval of Class Action Settlement, Service v. Volkswagen Grp. of Am., Inc., No. C22-01841 (Cal. Super. Ct. Contra Costa Cnty. May. 31, 2023), https://odyportal.cc-courts.org/Portal/DocumentViewer/DownloadDocumentFile/Download?d=10C938A76250CE4331774E2C729A0D43&c=EC610BADE930EF833C9117C84F5729FC&l=4C398088907DD05C6D76EE93BC04CDF4&cn=F44FB09A29DC4E11FE28DCC41D39CD99&fileName=C22-01841%20-%20Order%20Filed%20Re%20Granting%20Final%20Approval&docTypeId=3&isVersionId=False.

[403] Id. at 4.

[404] Carter v. Vivendi Ticketing US LLC, No. SACV2201981(DFMx), 2023 WL 8153712 (C.D. Cal. Oct. 30, 2023).

[405] Id.

[406] Id. at *2.

[407] Gershfeld v. Teamviewer US, Inc., No. SACV2100058(ADSx), 2021 WL 3046775 (C.D. Cal. June 24, 2021).

[408] Id. at 2.

[409] Gershfeld v. TeamViewer US, Inc., No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (mem.).

[410] Alexander v. Wells Fargo Bank, N.A., No. 23-CV-617-DMS-BLM, 2023 WL 5109532 (S.D. Cal. Aug. 9, 2023).

[411] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[412] Brown v. Google LLC, No. 4:20-CV-3664, 2023 WL 5029899 (N.D. Cal. Aug. 7, 2023).

[413] Id.

[414] Id. at *21.

[415] Id.

[416] Id. at *21.

[417] Id.

[418] Cal. Civ. Code § 1798.150(b).

[419] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[420] Guy v. Convergent Outsourcing, Inc., No. C22-1558, 2023 WL 4637318 (W.D. Wash. July 20, 2023).

[421] Cal. Civ. Code § 1798.150(b).

[422] Guy, 2023 WL 4637318.

[423] Griffey v. Magellan Health Inc., No. CV-20-01282-PHX, 2022 WL 1811165, at *6 (D. Ariz. June 2, 2022).

[424] Guy, 2023 WL 4637318, at *9.

[425] Florence v. Order Express, Inc., No. 22 C 7210, 2023 WL 3602248 (N.D. Ill. May 23, 2023).

[426] Id. at *7 (internal quotations omitted).

[427] Cal. Civ. Code § 1798.150(b).

[428] Florence, 2023 WL 3602248, at *7.

[429] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[430] Durgan v. U-Haul Int’l Inc., No. CV-22-01565-PHX, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023).

[431] Id. at *7.

[432] Id. at *6.

[433] In re Bank of Am. California Unemployment Benefits Litig., No. 21-MD-2992-LAB-MSB, 2023 WL 3668535 (S.D. Cal. May 25, 2023).

[434] Id. at *13–15.

[435] Id. at *15.

[436] Tims v. Black Horse Carriers, Inc., 216 N.E.3d 845 (Ill. 2023).

[437] 735 Ill. Comp. Stat. Ann. 5/13-205 (2022).

[438] Tims, 216 N.E.3d at 854.

[439] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 920 (Ill. 2023).

[440] Id. at 928.

[441] Id. at 929.

[442] Minor v. Oldcastle Servs. Inc., No. 21‐CV‐503‐SMY (S.D. Ill. Mar. 22, 2023).

[443] Jones v. Microsoft Corp., No. 1:22‐cv‐03437 (N.D. Ill. Jan. 9, 2023).

[444] Id. at 7–8.

[445] Warmack‐Stillwell v. Christian Dior, Inc., No. 22‐C‐4633 (N.D. Ill. Feb. 10, 2023).

[446] Crumpton v. Octapharma Plasma, Inc., 513 F. Supp. 3d 1006, 1015–17 (N.D. Ill. 2021).

[447] Id.

[448] Tex. Bus. & Com. Code § 503.001.

[449] Tex. v. Meta Platforms, Inc., Cause No. 22-0121 (Tex. Dist. Ct. Feb. 8, 2023).

[450] Press Release, Attorney General of Texas, Paxton Sues Google for its Unauthorized Capture and Use of Biometric Data and Violation of Texans’ Privacy (Oct. 20, 2022), https://texasattorneygeneral.gov/news/releases/paxton-sues-google-its-unauthorized-capture-and-use-biometric-data-and-violation-texans-privacy.

[451] Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. filed Apr. 21, 2023).

[452] Second Amended Complaint at 2–3, Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. June 9, 2023).

[453] Id.

[454] Id. at 23–24.

[455] Id. at 25.

[456] Report & Recommendation, Gross v. Madison Square Garden Ent. Corp., No. 23-cv-3380 (S.D.N.Y. Jan. 9, 2024).

[457] Id. at 14.

[458] Id. at 18.

[459] Id. at 20 (quoting Zoll v. Ruder Finn, Inc., No. 01-cv-139 (CSH), 2004 WL 42260, at *4 (S.D.N.Y. Jan. 7, 2004)).

[460] Id. at 21.

[461] Id. at 8–13.

[462] 598 U.S. 471 (2023).

[463] 598 U.S. 617 (2023).

[464] Taamneh, 598 U.S. at 482.

[465] Gonzalez, 598 U.S. at 621.

[466] Taamneh, 598 U.S. at 501–02.

[467] Gonzalez, 598 U.S. at 622.

[468] Minahan v. Google LLC, No. 22-cv-5652, 2023 WL 3605329, at *1 (N.D. Cal. May 1, 2023), appeal filed, No. 23-15775 (9th Cir. May 22, 2023).

[469] Id. at *2.

[470] M.K. v. Google LLC, No. 21-cv-08465, 2023 WL 4937287 (N. D. Cal. filed Oct. 29, 2021).

[471] Id. at *10.

[472] Id. at *3.

[473] Id.

[474] Id. at *5.

[475] Id. at *6–7.

[476] Ramirez v. The Paradies Shops, LLC, 69 F.4th 1213, 1221 (11th Cir. 2023).

[477] Id. at 1216.

[478] Id.

[479] Id. at 1220–21.

[480] Class Action Complaint at 2–3, Pai v. Tesla, Inc., Case 4:23-cv-04550 (N.D. Cal. filed Sept. 5, 2023).

[481] Id.

[482] The Digital Revolution Engineering Smart City Infrastructure, Utilities One (Oct. 27, 2023), https://utilitiesone.com/the-digital-revolution-engineering-smart-city-infrastructure.

[483] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.

[484] Id.

[485] Diana Baker Freeman, Why Local Governments Are a Target for Cyber Attacks and Steps to Prevent It, Governing (May 6, 2022), https://www.governing.com/sponsored/why-local-governments-are-a-target-for-cyber-attacks-and-steps-to-prevent-it.

[486] Richard Forno, Local Governments Are Attractive Targets for Hackers and Are Ill-Prepared, Ctr. for Internet & Soc’y (Mar. 28, 2022), https://cyberlaw.stanford.edu/blog/2022/03/local-governments-are-attractive-targets-hackers-and-are-ill-prepared.

[487] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.

[488] Id.

[489] Maya Shwayder, The Future of Smart Cities May Mean the Death of Privacy, Digit. Trends (Apr. 22, 2020), https://www.digitaltrends.com/news/smart-cities-privacy-security/.

[490] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.

[491] What is Edge Computing?, IBM (last visited Jan. 18, 2024), https://www.ibm.com/topics/edge-computing.

[492] Mary K. Pratt, 7 Edge Computing Trends to Watch in 2023 and Beyond, TechTarget (Dec. 8, 2022), https://www.techtarget.com/searchcio/tip/Top-edge-computing-trends-to-watch-in-2020.

[493] Id.

[494] Id.

[495] Id.

[496] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.

[497] Id.

[498] Id.

[499] Id.

[500] Matthew Gooding, Can GAIA-X Solve Europe’s Data Sovereignty Problem?, Tech Monitor (Apr. 8, 2021), https://techmonitor.ai/technology/cloud/what-is-gaia-x-eu-data-sovereignty.

[501] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[502] OECD, Emerging Privacy-Enhancing Technologies, Current Regulatory and Policy Approaches, OECD Digital Economy Papers, No. 351, 2 (Mar. 2023), https://www.oecd-ilibrary.org/deliver/bf121be4-en.pdf?itemId=/content/paper/bf121be4-en&mimeType=pdf.

[503]Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[504] Id.

[505] Id.

[506] Id.

[507] Id.

[508] Id.

[509] Id.

[510] Id.

[511] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.

[512] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[513] Id.

[514] Shafi Goldwasser et al., The Knowledge Complexity of Interactive Proof Systems, 18 SIAM J. Computing 186 (1989).

[515] Eli Ben-Sasson et al., Zerocash: Decentralized Anonymous Payments from Bitcoin, Zerocash, (May 18, 2014), http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf.

[516] Tianyi Liu et al., zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy, Comput. & Commc’ns Sec. (2021), https://doi.org/10.1145/3460120.3485379.

[517] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[518] Id.

[519] Id.

[520] Jennifer Bryant, European Commission Adopts EU-US Adequacy Decision, Int’l Ass’n Priv. Pros. (July 10, 2023), https://iapp.org/news/a/european-commission-adopts-eu-u-s-adequacy-decision/.

[521] Id.

[522] Natasha Lomas, Europe’s Top Court Strikes Down Flagship EU-US Data Transfer Mechanism, TechCrunch (July 16, 2020), https://techcrunch.com/2020/07/16/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism/.

[523] Natasha Lomas, Europe Adopts US Data Adequacy Decision, TechCrunch (July 10, 2023), https://techcrunch.com/2023/07/10/eu-us-data-privacy-framework-adoption/.

[524] Id.

[525] Id.

[526] Press Release, Department of Commerce, Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers (July 17, 2023), https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.

[527] Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.

[528] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just. (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.

[529] On December 22, 2023, President Biden signed the National Defense Authorization Act, which included a Congressional measure extending Section 702 until mid-April 2024. Rebecca Beitsch, Congress Approves Short-Term Extension of Warrantless Surveillance Powers, The Hill (Dec. 12, 2023), https://thehill.com/policy/national-security/4360341-fisa-congress-approves-short-term-extension-warrantless-surveillance-powers; see also Press Release, White House, Joseph R. Biden, Statement from President Biden on H.R. 2670, National Defense Authorization Act for Fiscal Year 2024 (Dec. 22, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/12/22/statement-from-president-joe-biden-on-h-r-2670-national-defense-authorization-act-for-fiscal-year-2024/.

[530] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just., (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.

[531] Id.

[532] Id.

[533] Id.

[534] Id.

[535] Electronic Communications Privacy Act (ECPA), Elec. Priv. Info. Ctr. (last visited Jan. 19, 2024), https://epic.org/ecpa/; see also Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.

[536] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. (2023).

[537] Id. § 504.

[538] Id.; 47 U.S.C. § 230(f) (2000).

[539] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. § 504 (2023).

[540] Id. § 501–11.

[541] Id.

[542] Id. § 508.

[543] Id. § 503.

[544] India McKinney, The House Intelligence Committee’s Surveillance ‘Reform’ Bill is a Farce, Elec. Frontier Found. (Dec. 8, 2023), https://www.eff.org/deeplinks/2023/12/section-702-needs-reform-and-oversight-not-expansion-congress-should-oppose-hpsci; see also Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.

[545] Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.

[546] Id.

[547] Press Release, ACLU, Ahead of House Vote, ACLU Sounds Alarm on Bill Greatly Expanding the Government’s Mass Warrantless Surveillance Authority (Dec. 11, 2023), https://www.aclu.org/press-releases/ahead-of-house-vote-aclu-sounds-alarm-on-bill-greatly-expanding-the-governments-mass-warrantless-surveillance-authority.

The following Gibson Dunn lawyers assisted in preparing this alert: Alexander Southwell, Cassandra Gaedt-Sheckter, Natalie Hausknecht, Martie Kutscher Clark, Timothy Loose, Abbey Barrera, Jacob Arber, Tony Bedel, Matt Buongiorno, Eric Hornbeck, Jay Mitchell*, Wesley Sze, Terry Wong, Najatt Ajarar, Michael Brandon, Tawkir Chowdhury, Lanie Corrigan, Justine Deitz, Skylar Drefcinski, Sasha Dudding, Kunal Kanodia, Erin Kim, Brendan Krimsky, Ruby Lang, Emma Li, Ignacio Martinez Castellanos, Jay Minga, Peter Moon, Narayan Narasimhan*, Mason Pazhwak, Matthew Reagan, John Ryan, Christopher Scott*, Becca Smith, Snezhana Stadnik Tapia, Graham Miller Stinnett, Cydney Swain, Julie Sweeney, Trenton Van Oss, Hayato Watanabe, Diego Wright, and Samantha Yi*.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

United States:
S. Ashlie Beringer – Co-Chair, Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Jane C. Horvath – Co-Chair, Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Alexander H. Southwell – New York (+1 212.351.3981, asouthwell@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Co-Chair, Paris (+33 (0) 1 56 43 13 00, abaladi@gibsondunn.com)
Nicholas Banasevic* – Managing Director, Brussels (+32 2 554 72 40, banasevic@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

*Nicholas Banasevic, Managing Director in the firm’s Brussels office and an economist by background, is not admitted to practice law.

*Jay Mitchell and Samantha Yi are associates in the Washington, D.C. office. Jay is admitted in California and Illinois, and Samantha is admitted in Maryland; both are practicing under supervision of members of the District of Columbia Bar under D.C. App. R. 49.

*Narayan Narasimhan and Christopher Scott, recent law graduates in the New York office, are not admitted to practice law.

From the Derivatives Practice Group: The CFTC cancelled its open meeting this week, but is seeking public comment on a number of issues.

New Developments

CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s Office of Customer Education and Outreach issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets. [NEW]
CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024. [NEW]
CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024. [NEW]
BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management. [NEW]
CFTC Cancels Open Meeting. On January 20, the CFTC cancelled its open meeting scheduled for January 22. According to the CFTC, Tthe following matters will be resolved through the CFTC’s seriatim process:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs.
CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque du France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20 , as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France.
SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.

New Developments Outside the U.S.

EC Publishes Amendments to Clearing Obligation Scope in Light of Benchmark Reform. On January 22, the delegated regulation amending the regulatory technical standards (RTS) defining the scope of the clearing obligation (CO) was published in the EU Official Journal, with the amended requirements due to enter into force 20 days after publication. The EC stated that Tthe amendments were introduced in light of the transition to the TONA and SOFR benchmarks referenced in certain over-the-counter derivatives contracts. The amendment to the scope of the CO consists of introducing TONA overnight indexed swaps (OIS) with maturities up to 30 years and extending the SOFR OIS class subject to the CO to maturities up to 50 years. The adoption follows the publication by the European Securities and Markets Authority (ESMA), on February 1, 2023, of its final report on changes to the scope of the CO and the derivatives trading obligations (DTO) in light of the benchmark transition, following a consultation last year, to which ISDA responded on September 30, 2022. This ESMA report included two draft amending RTS: one draft RTS amending the scope of the CO and one draft RTS amending the scope of the DTO. The delegated regulation containing the RTS amending the scope of the CO has now been published. The RTS on the DTO has not yet been adopted. [NEW]
RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.

New Industry-Led Developments

ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components. [NEW]
ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions.
BCBS-IOSCO Report Sets Out Recommendations for Good Margin Practices in Non-Centrally Cleared Markets. On January 17, the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO) published a report on streamlining VM processes and IM responsiveness of margin models in non-centrally cleared markets, which sets out recommendations for market practices intended to enhance market functioning. The report articulates the policy analyses work carried out by the BCBS-IOSCO in two areas discussed in the September 2022 Review of margining practices: (i) exploring the need to streamline variation margin processes in non-centrally cleared markets and (ii) investigating the responsiveness of initial margin models in non-centrally cleared markets. The consultative report sets out eight recommendations intended to encourage the widespread implementation of good market practices but does not propose any policy changes to the BCBS-IOSCO frameworks. BCBS and IOSCO stated that the first four recommendations aim to address challenges that could inhibit a seamless exchange of variation margin during a period of stress. The other four highlight practices for market participants to implement initiatives in an effort to ensure the calculation of initial margin is consistently adequate for contemporaneous market conditions and proposes that supervisors should monitor whether these developments are sufficient to make this model responsive enough to extreme market shocks. [NEW]
ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives.
BCBS, CPMI, and IOSCO Publish Consultative Report on Transparency and Responsiveness of Initial Margin in Centrally Cleared Markets. On January 16, BCBS, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and IOSCO jointly published a consultative report—Transparency and responsiveness of initial margin in centrally cleared markets – review and policy proposals—which interested parties are invited to comment on. BCBS, CPMI, and IOSCO stated that the ten policy proposals in the report aim to increase the resilience of the centrally cleared ecosystem by improving participants’ understanding of central counterparties (CCPs) initial margin calculations and potential future margin requirements. The proposals cover CCP simulation tools, CCP disclosures, measurement of initial margin responsiveness, governance frameworks and margin model overrides, and clearing member transparency.
ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets.
ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)

Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)

Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)

Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)

Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)

Adam Lapidus – New York (+1 212.351.3869, alapidus@gibsondunn.com)

Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)

Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)

William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)

David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)

Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)

Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)

Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)

Throughout 2023, regulators around the world continued to face corruption challenges as part of an increasingly competitive—and politically tense—global market. Economic downturns, continued armed conflict, and rising tensions between global superpowers both drove corruption risk, and complicated cooperative enforcement of anti-corruption laws. This webcast will explore the approach taken by emerging markets in addressing these challenges and examine the trends seen in FCPA and local anti-corruption enforcement actions.

Tensions between China and the United States continue to complicate cross-border cooperation, but have not slowed the pace of global and domestic anti-corruption enforcement in the region. China continues to impose new laws and regulations aimed at both bribe payors and recipients, while expanding its anti-corruption sweep in the finance and healthcare sectors. In India, there have been a slew of legislative and regulatory developments that impact compliance requirements and investigative procedures in the country. Widely heralded reforms in Latin America have failed to result in meaningful enforcement actions to curb corruption. In Africa, while recent years have seen encouraging anti-corruption enforcement trends both through local agencies and prosecuting agencies abroad, these advances are threatened by an uptick in non-democratic political transitions and continuing risks of armed conflict. While Russia-focused sanctions have lead many U.S. and European businesses to discontinue operations there, some of Russia‘s neighboring markets have thrived by creating a new map of trade flows, many with new and challenging risk profiles that require significant attention.

Join our team of experienced international anti-corruption attorneys to learn more about how to do business in Asia, Latin America, Europe, CIS and across Africa without running afoul of anti-corruption laws, including the Foreign Corrupt Practices Act (“FCPA”).

Topics to be discussed:

An overview of FCPA enforcement statistics and trends for 2023;
The corruption landscape in key emerging markets, including recent headlines and scandals;
Lessons learned from local anti-corruption enforcement in Asia, Latin America, Europe, CIS, and across Africa;
Key anti-corruption legislative changes in Asia, Latin America, Europe, CIS, and Africa; and
Mitigation strategies for businesses operating in high-risk areas

PANELISTS:

Kelly S. Austin leads Gibson Dunn’s White Collar Defense and Investigations Practice Group in Asia and is a global co-chair of the firm’s Anti-Corruption and FCPA Practice Group. Kelly is ranked annually in the top-tier by Chambers Asia Pacific and Chambers Global in Corporate Investigations/Anti-Corruption: China. Her practice focuses on investigations, regulatory compliance and international disputes. She has extensive expertise in government and corporate internal investigations, including those involving the Foreign Corrupt Practices Act (FCPA) and other anti-corruption laws, and anti-money laundering, securities, and trade control laws.

Kelly is a member of the bars of Colorado, Virginia and the District of Columbia, and is admitted to practice in a variety of district and appellate courts in the United States. She is admitted to practice as a solicitor in Hong Kong.

Patrick Doris is a partner in Gibson Dunn’s Dispute Resolution Group in the London office, where he advises financial sector clients and others on OFAC and EU sanctions violations, responses to major cyber-penetration incidents, and other matters relating to national supervisory and regulatory bodies. Patrick’s practice also includes transnational litigation, cross-border investigations, and compliance advisory for clients including major global investment banks, global corporations, leading U.S. operators in the financial sectors, and global manufacturing companies, among others. Most recently, Patrick was recognised by The Legal 500 UK 2024 in the field of Regulatory Investigations and Corporate Crime.

Patrick speaks English, Spanish, French and Catalan, with recent experience of conducting investigations in each of those languages. He is admitted to practice as a solicitor in England & Wales.

Katharina Humphrey is a partner in Gibson Dunn’s Munich office. She advises clients in Germany and throughout Europe on a wide range of compliance and white collar crime matters. Katharina regularly represents multi-national corporations in connection with cross-border internal corporate investigations and government investigations. She has significant expertise in the areas of anti-bribery compliance – especially regarding the enforcement of German anti-corruption laws and the U.S. Foreign Corrupt Practices Act (FCPA) –, technical compliance, as well as sanctions and anti-money-laundering compliance. She also has many years of experience in advising clients with regard to the implementation and assessment of compliance management systems. The Legal 500 Deutschland 2023 and The Legal 500 EMEA 2023 name her the Rising Star in the field of compliance.

Katharina speaks German, English, French and Italian. She is admitted to practice in Germany (Rechtsanwalt).

Benno Schwarz is a partner in Gibson Dunn’s Munich office and co-chair of the firm’s Anti-Corruption & FCPA Practice Group, where his practice focuses on white collar defense and compliance investigations. Benno is ranked annually as a leading lawyer for Germany in White Collar Investigations/Compliance by Chambers Europe and was named by The Legal 500 Deutschland 2023 and The Legal 500 EMEA 2023 as one of our Leading Individuals in Internal Investigations, and also ranked for Compliance. He is noted for his “special expertise on compliance matters related to the USA and Russia.” Benno advises companies on sensitive cases and investigations involving compliance issues with international aspects, such as the implementation of German or international laws in anti-corruption, money laundering and economic sanctions, and he has exemplary experience advising companies in connection with FCPA and NYDFS monitorships or similar monitor functions under U.S. legal regimes.

Benno speaks German and English and is a state-certified translator (IHK) for Russian, which makes it possible for him to carry out internal investigations and regulatory proceedings in all three languages. He has practiced as an admitted German lawyer (Rechtsanwalt) since 1993.

Patrick F. Stokes is a litigation partner in Gibson Dunn’s Washington, D.C. office, where he is the co-chair of the Anti-Corruption and FCPA Practice Group and a member of the firm’s White Collar Defense and Investigations, Securities Enforcement, and Litigation Practice Groups. Patrick’s practice focuses on internal corporate investigations, government investigations, enforcement actions regarding corruption, securities fraud, and financial institutions fraud, and compliance reviews. He has tried more than 30 federal jury trials as first chair, including high-profile white-collar cases, and handled 16 appeals before the U.S. Court of Appeals for the Fourth Circuit. Patrick regularly represents companies and individuals before DOJ and the SEC, in court proceedings, and in confidential internal investigations. Most recently, Best Lawyers in America® recognized Patrick as a “Best Lawyer” in Criminal Defense: White-Collar (2024).

Patrick is a member of the bars of Maryland and the District of Columbia.

Oliver D. Welch is a resident partner in Gibson Dunn’s Hong Kong office and a partner in the Singapore office. Oliver has extensive experience representing multi-national corporations throughout the Asia region on a wide variety of compliance and anti-corruption issues. He focuses on internal and regulatory investigations, including those involving the Foreign Corrupt Practices Act and regularly counsels clients on their anti-corruption compliance programs and controls, including the drafting of policies, procedures, and training materials designed to foster compliance with global anti-corruption laws. Oliver also frequently advises on anti-corruption due diligence in connection with corporate acquisitions, private equity investments, and other business transactions.

He speaks Korean and is a member of the bars of New York and the District of Columbia.

Ning Ning is an of counsel in the Hong Kong office. Ning’s practice focuses on advising clients on government and internal investigations compliance counseling, and compliance due diligence matters across the Asia-Pacific region. She has represented clients before the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) involving potential violations of the U.S. Foreign Corrupt Practices Act, securities laws, and other white collar defense matters. Ning is a native Mandarin speaker and has extensive experiences in China-related investigations and compliance matters.

Ning is a member of the bar of Illinois. She is admitted to practice as a solicitor in Hong Kong.

Karthik Ashwin Thiagarajan, an of counsel in the Singapore office, assists clients with investigations in the information technology, fin-tech, telecommunications, logistics and fast-moving consumer goods sectors in India and Southeast Asia. He advises clients on internal investigations and anti-corruption reviews in the region. A client praised him for being “on top of his trade” in the India Business Law Journal’s 2019 “Leaders of the pack” report.

Karthik speaks English, Hindi, Tamil and Kannada. He is admitted to practice in India and New York.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 2.0 hours. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 2 hours toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

The new thresholds and new filing fees will take effect 30 days after publication in the Federal Register.

On January 22, 2024, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of certain M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”).[1] Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product. The new thresholds will take effect 30 days after publication in the Federal Register and apply to transactions that close on or after that date.

The size-of-transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $8.1 million, from $111.4 million in 2023 to $119.5 million for 2024.

Original Threshold	2023 Threshold	2024 Threshold
$10 million	$22.3 million	$23.9 million
$50 million	$111.4 million	$119.5 million
$100 million	$222.7 million	$239 million
$110 million	$245 million	$262.9 million
$200 million	$445.5 million	$478 million
$500 million	$1.1137 billion	$1.195 billion
$1 billion	$2.2274 billion	$2.39 billion

The HSR filing fees have been revised pursuant to the 2023 Consolidated Appropriations Act. The new filing fees, which will also take effect 30 days after publication in the Federal Register, will be:

Fee	Size of Transaction
$30,000	Valued at less than $173.3 million
$105,000	Valued at $173.3 million or more but less than $536.5 million
$260,000	Valued at $536.5 million or more but less than $1.073 billion
$415,000	Valued at $1.073 billion or more but less than $2.146 billion
$830,000	Valued at $2.146 billion or more but less than $5.365 billion
$2,335,000	$5.365 billion or more

The 2024 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $48,559,000 for Section 8(a)(l) (size of corporation) and $4,855,900 for Section 8(a)(2)(A) (competitive sales). The Section 8 thresholds took effect on January 22, 2024.

__________

[1] Press Release, Federal Trade Commission, FTC Announces 2024 Update of Size of Transaction Thresholds for Premerger Notification Filings, January 22, 2024, available at: https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-announces-2024-update-size-transaction-thresholds-premerger-notification-filings?utm_source=govdelivery

The following Gibson Dunn attorneys prepared this update: Jamie France, Chris Wilson, and Andrew Cline.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:

Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, rbrass@gibsondunn.com)
Andrew Cline – Washington, D.C. (+1 202.887.3698, acline@gibsondunn.com)
Jamie E. France – Washington, D.C. (+1 202.955.8218, jfrance@gibsondunn.com)
Cynthia Richman – Washington, D.C. (+1 202.955.8234, crichman@gibsondunn.com)
Stephen Weissman – Washington, D.C. (+1 202.955.8678, sweissman@gibsondunn.com)
Chris Wilson – Washington, D.C. (+1 202.955.8520, cwilson@gibsondunn.com)

Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)

Private Equity:
Richard J. Birns – New York (+1 212.351.4032, rbirns@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310.552.8581, alanin@gibsondunn.com)
Michael Piazza – Houston (+1 346.718.6670, mpiazza@gibsondunn.com)
John M. Pollack – New York (+1 212.351.3903, jpollack@gibsondunn.com)

Washington, D.C. partner George Hazel and Houston partner Gregg Costa, both former federal judges, are joined by retired Judge Andre Davis, a former federal prosecutor, state judge, and federal judge who left the bench in 2017 to serve as Baltimore’s City Solicitor for almost three years. Judge Davis describes how his experience as a trial judge – which he calls the “best job in America” – informed his time as a federal appellate judge; and all three former judges discuss issues such as the maximum number of motions to raise on appeal and how many of those to include in oral arguments, the importance of well-written, persuasive briefs, and the value of oral arguments, which are often a judge’s first glimpse into their colleagues’ views. Judge Davis also shares what motivated his transition from the bench to Baltimore City Solicitor, which included the opportunity to mentor inexperienced lawyers, hire a new police commissioner, and make much-needed police reforms.

Previous Episode | Next Episode

HOSTS:

Gregg Costa is co-chair of the firm’s Trials Practice Group. Gregg offers clients a unique perspective as a former federal trial and appellate judge. His broad experience—having handled complex civil and criminal matters, at trial and on appeal, as advocate and judge—allows him to offer invaluable skills and strategic insights for both trials and investigations.

George Hazel is a partner in the Washington office of Gibson, Dunn & Crutcher and a member of the firm’s Litigation and White Collar Defense and Investigations Practice Groups. A former federal trial judge and criminal prosecutor, Mr. Hazel brings a broad range of trial experience, having presided over approximately 50 jury trials in federal court and handled 20 jury trials and 30 bench trials as an attorney in federal and state court. Since his return to private practice, Lawdragon has named him one of the “500 Leading Global Litigators” of 2024.

Washington, D.C. partner George Hazel and Houston partner Gregg Costa, both former federal judges, reflect on the similarities in their paths to the federal bench – both began practicing at law firms, became federal prosecutors, and were appointed judges at age 39 – and describe what it takes to be a successful trial lawyer and a successful law clerk. They also discuss some interesting cases from their early careers and the adjustment to once again being in private practice.

Next Episode

HOSTS:

The court’s opinion is quite favorable to government plaintiffs on a number of key fronts, and as a result, likely will be frequently trumpeted by DOJ and FTC in future merger enforcement cases.

On January 8, 2024, Judge Edgardo Ramos of the Southern District of New York issued his ruling in the FTC’s challenge to the proposed acquisition of DeepIntent by IQVIA.[1] The decision, a victory for the FTC, is one likely to be cited early and often by antitrust plaintiffs in Section 7 cases.

BACKGROUND

FTC alleged that IQVIA’s Lasso and Propel Media’s DeepIntent were two leading firms providing programmatic advertising to healthcare professionals.[2] Programmatic advertising is an automated way of presenting targeted advertising, in the form of website-based ads, to a specific cohort, in this case, doctors, nurses, and other health practitioners.[3]

After investigating the proposed acquisition, after which DeepIntent would become part of the IQVIA portfolio, the FTC filed a lawsuit in federal court to temporarily enjoin the transaction pending an in-house administrative proceeding.[4] As discussed below, the court’s opinion reads quite favorably to government plaintiffs on a number of key fronts, and as a result, will likely be frequently trumpeted by DOJ and FTC in future merger enforcement cases.

ANALYSIS

The Court Placed Undue Weight on the 30 Percent Market Share Threshold in Philadelphia National Bank. Perhaps the most concerning aspect of the IQVIA decision is its seeming reinvigoration of the 30 percent market share presumption in Philadelphia National Bank,[5] a case that celebrated its 60th birthday last year.

To refresh on Philadelphia National Bank, one of the earliest cases applying Section 7 of the Clayton Act, the opinion established the structural presumption—a minimum level of market concentration that creates a rebuttable presumption that a merger is anticompetitive. The decision states that, at least as concerns bank mergers, 30 percent market share held by the combined firm is the threshold above which a merger “threaten[s] undue concentration . . .”[6]

The IQVIA court had to consider two competing market share calculations. The FTC’s expert contended the combined firm would comprise 46 percent of the market, while the Defendants’ expert asserted that the combined share would hold 30.6 percent share.[7] Rather than resolving this difference, the court essentially applied Philadelphia National Bank to reduce the dispute largely to irrelevance, concluding that even under the Defendants’ lower market share figures,[8] the transaction satisfies the presumption.

With FTC’s prima facie case established, the remainder of the exercise became largely academic. Even while the court agreed with Defendants that the market was “dynamic and fast-moving,” this nevertheless was an insufficient basis to question whether the “static snapshot of market shares” presented by the FTC was indicative of likely competitive harm.[9] The court disregarded Defendants’ evidence of competitive pressure from other firms. It concluded that the FTC was “not required to establish that DeepIntent and Lasso are exclusive competitors,”[10]—a facile resolution of an otherwise complex question. Concerns pointed out by Defendants about input data used in the FTC expert’s merger simulation were set aside, because per the court, its duty was not to “sift through various models and theories.”[11] So, while the court stated in a footnote that “market shares alone are not dispositive,”[12] the opinion reads functionally the opposite.

To be clear, this article does not contend that Philadelphia National Bank has been overruled or repudiated. Rather, the IQVIA opinion seems to apply, uncritically, the 30 percent market share threshold presented in Philadelphia National Bank without: 1) considering whether this is appropriate given subsequent Supreme Court precedent in General Dynamics[13] and Marine Bancorporation,[14] and 2) carefully evaluating whether concentration figures accurately reflect the competitive dynamic in the marketplace. As noted in the seminal Baker Hughes decision, General Dynamics and Marine Bancorporation, even while not overruling Philadelphia National Bank, caution courts not to impose a practically insurmountable burden on section 7 defendants simply because the government has presented plausible market shares above the threshold.[15] The IQVIA decision appears to do just that.

The Court Applied a More Lenient Preliminary Injunction Standard. The FTC also benefitted from the court’s application of a low bar for obtaining a preliminary injunction. The applicable standard under Section 13(b) of the Clayton Act (which authorizes the FTC to file suit in federal court to seek preliminary injunctive relief pending an administrative hearing) was also a subject of dispute between the parties.

The FTC, citing FTC v. Lancaster Colony Corp.,[16] contended that it need only show “a fair and tenable chance of ultimate success on the merits.”[17] Defendants argued that the FTC must go further and present evidence that “raise[s] questions going to the merits so serious, substantial, difficult and doubtful as to make them fair ground for thorough investigation, study, deliberation and determination by the FTC in the first instance and ultimately by the Court of Appeals.”[18] As it does at other points in the decision, the court declines to resolve the dispute, instead concluding that it doesn’t matter, stating “there is no meaningful difference between the two standards.”[19]

This resolution is at odds with other decisions on the subject. Notably, in FTC v. Staples,[20] the court concluded that there was a difference (and that fair and tenable was the incorrect benchmark), and cited the Second Circuit decision in Fruehauf, which held that “the government must show a reasonable probability that the proposed transaction would substantially lessen competition in the future”[21]—a burden which, however construed, is more onerous than “a fair and tenable chance of ultimate success on the merits.” Here too, it appears the court settled the matter in a manner that made the FTC’s job far easier than Circuit authority requires.

Programmatic Advertising Competes in a Broader Advertising Market. Another key dispute in the IQVIA decision concerned product-market definition and the question whether programmatic advertising directed at healthcare professionals competed with other forms of advertising such as social media and digital advertising on medical websites such as WebMD.[22]

The court, applying Brown Shoe factors, concluded that programmatic advertising qualified as a distinct product market because of some distinct features specific to programmatic advertising such as the availability and granularity of ad performance data.[23] It also highlighted perceived disadvantages of other forms of advertising, such as the limited reach of social media advertising.[24]

However, the court seemed reluctant to fully engage with the evidence presented by Defendants showing that the purchasers of advertising often move their dollars among different advertising channels—including channels that the court concluded are not reasonable substitutes for programmatic advertising.[25] The opinion even credits Defendants’ evidence in this regard, noting “[t]o be clear, social media companies and endemic websites are competing with DSPs in a broad sense. An agency running an advertising campaign will not have an unlimited budget, so it must make decisions about how to allocate the advertising funds it has.”[26] But it is difficult, at best, to square the fact that these channels do compete with the court’s conclusion that they nevertheless are out of the market.

Ultimately, the opinion applies an eye-of-the-needle product-market definition, concluding that other channels are out of the market mainly because they are not identical and perfect substitutes for programmatic advertising—even though purchasers of these products are allocating their money across both programmatic and non-programmatic advertising. Given this plaintiff-friendly conclusion, we should expect to see parties advocating for ultra-narrow product-market definitions frequently citing IQVIA.

CONCLUSIONS AND LOOKING FORWARD

IQVIA is, for now, an unmitigated victory for the FTC, and one that, if affirmed or not appealed, will embolden merger enforcement efforts under the Biden Administration. But the court’s opinion ignores or unwinds formerly well-settled precedent, which may ultimately confuse rather than clarify the resolution of Section 7 actions for years to come.

__________

[1] FTC v. IQVIA Holdings Inc. and Propel Media, Inc., No. 23 Civ. 06188, 2024 WL 81232 (S.D.N.Y. Jan. 8, 2024) (hereinafter, “IQVIA”).

[2] Id. at 1.

[3] Id.

[4] Id.

[5] United States v. Philadelphia National Bank, 374 U.S. 321 (1963).

[6] Id. at 364.

[7] IQVIA, at 34.

[8] Id.

[9] Id. at 43-44.

[10] Id. at 40.

[11] Id. at 42.

[12] Id. at 33 n.24.

[13] United States v. General Dynamics Corp., 415 U.S. 486 (1974).

[14] United States v. Marine Bancorporation, 1073 418 U.S. 602 (1974).

[15] United States v. Baker Hughes, Inc., 908 F.2d 981, 991 (D.C. Cir. 1990).

[16] FTC v. Lancaster Colony Corp., 434 F. Supp. 1088 (S.D.N.Y. 1977).

[17] IQVIA, at 7.

[18] Id.

[19] Id. at 8.

[20] See FTC v. Staples, Inc., 970 F. Supp. 1066, 1072 (D.D.C. 1997).

[21] Fruehauf Corp. v. FTC, 603 F.2d 345, 351 (2d Cir. 1979).

[22] IQVIA, at 2.

[23] Id. at 14.

[24] Id.

[25] Id. at 17.

[26] Id.

The following Gibson Dunn attorneys prepared this update: Svetlana Gans and Chris Wilson.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:

Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, rbrass@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Cynthia Richman – Washington, D.C. (+1 202.955.8234, crichman@gibsondunn.com)
Stephen Weissman – Washington, D.C. (+1 202.955.8678, sweissman@gibsondunn.com)
Chris Wilson – Washington, D.C. (+1 202.955.8520, cwilson@gibsondunn.com)

Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)

HNMC, Inc. v. Chan et al., No. 22-0053 – Decided January 19, 2024

On January 19, 2024, the Texas Supreme Court held 9-0 that a property owner isn’t liable for an accident that occurred on an adjacent roadway when the property owner didn’t control any condition on the roadway that caused the accident.

“[C]ourts should not attempt to craft case-specific duties when recognized duty rules apply to the factual situation at hand.”

Justice Busby, writing for the Court

Background:

Francis Chan worked as a nurse at Houston Northwest Medical Center, and she routinely parked her car across the street from the hospital in a lot the hospital owned. Pedestrians routinely used an abandoned crosswalk controlled by Harris County to cross between the hospital and the parking lot. When Chan did so, a vehicle exiting the parking lot struck and killed her. Chan’s estate filed a negligence suit against the driver and the driver’s employer, which designated the hospital and the County as responsible third parties.

A jury found the hospital 20 percent liable, and the en banc court of appeals affirmed. In doing so, the court acknowledged the longstanding principle that premises owners generally have no duty to ensure the safety of an adjacent roadway. But instead of applying that rule, it used the multi-factor balancing test adopted by the Texas Supreme Court in Greater Houston Transportation Co. v. Phillips, 801 S.W.2d 523 (Tex. 1990), to recognize a new duty specific to the situation presented in this case to hold the hospital negligent.

Issue:

Did the court of appeals correctly recognize a new duty that required a hospital to ensure the safety of pedestrians on a road adjacent to its property?

Court’s Holding:

No. A duty rule already exists that contemplates this case’s factual situation, so assessing the Phillips factors to recognize a new duty is improper. Premises owners generally have no duty to ensure the safety of persons on adjacent properties, and the hospital didn’t control any aspect of the adjacent roadway that caused the accident.

What it Means:

Texas courts may not create new, case-specific duties “[w]hen a duty or no-duty rule already exists that contemplates a particular case’s factual situation.”
Even if a property owner is aware of an obvious danger on an adjacent property, the owner has no duty if the owner doesn’t control that property.
The Texas Supreme Court reserved for future consideration the question whether to reconsider, in light of the U.S. Supreme Court’s intervening decision in Dupree v. Younger, 598 U.S. 729, 735–36 (2023), prior precedent holding that the denial of summary judgment on purely legal grounds can’t be challenged on appeal after a trial. Litigants should be on guard to preserve this issue in post-trial proceedings moving forward.

Appellate and Constitutional Law Practice

Thomas H. Dupree Jr. +1 202.955.8547 tdupree@gibsondunn.com	Allyson N. Ho +1 214.698.3233 aho@gibsondunn.com	Julian W. Poon +1 213.229.7758 jpoon@gibsondunn.com
Brad G. Hubbard +1 214.698.3326 bhubbard@gibsondunn.com

Related Practice: Litigation

Reed Brodsky +1 212.351.5334 rbrodsky@gibsondunn.com	Theane Evangelis +1 213.229.7726 tevangelis@gibsondunn.com	Veronica S. Moyé +1 214.698.3320 vmoye@gibsondunn.com
Helgi C. Walker +1 202.887.3599 hwalker@gibsondunn.com

Related Practice: Texas Litigation

Trey Cox +1 214.698.3256 tcox@gibsondunn.com	Collin Cox +1 346.718.6604 ccox@gibsondunn.com	Michael Raiff +1 214.698.3350 mraiff@gibsondunn.com
Gregg Costa +1 346.718.6649 gcosta@gibsondunn.com

This alert was prepared by Texas associates Elizabeth Kiernan, Stephen Hammer, and Brian Sanders.

From the Derivatives Practice Group: Read below for global derivatives updates, including ISDA’s response to US Basel III and G-SIB Surcharge.

New Developments

CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs. [NEW]
CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque du France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20 , as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France. [NEW]
CFTC to Hold a Commission Open Meeting on January 22. CFTC Chairman Rostin Behnam announced on January 12, 2024 that the Commission will hold an open meeting on Monday, January 22 at 9:30 a.m. (EST) at the CFTC’s Washington, D.C. headquarters. The Commission will consider the following:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.

New Developments Outside the U.S.

RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.
Hong Kong Consults on Regulatory Regime for Stablecoins. On December 27, the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (HKMA) jointly issued a public consultation paper on the legislative proposal for implementing the regulatory regime for stablecoin issuers in Hong Kong. Under the proposed regime, an issuer would be required to obtain a license from the HKMA if it issues a stablecoin that references the value of one or more fiat currencies in Hong Kong. The licensed issuer will have to fulfil certain financial resources requirements, and will be required to put in place an effective stabilization mechanism, such as maintaining a pool of high-quality and highly-liquid reserve assets with proper custody arrangement. The proposed regime further imposes governance, risk management and AML/CFT measures on licensees. Interested parties are encouraged to submit written comments on or before February 29, 2024.
ESAs Propose to Extend Equity Option Margin Exemption by Two Years. On December 21, the European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority and the European Insurance and Occupational Pensions Authority – published draft regulatory technical standards (RTS) proposing a two-year extension (until January 4, 2026) to the exemption for equity options from bilateral margining under the European Market Infrastructure Regulation (EMIR). These RTS have to be endorsed by the European Commission and are subject to non-objection by the Council of the EU and the European Parliament before they enter into force. The draft RTS are accompanied by a statement from the ESAs that competent authorities “should not priorityse any supervisory or enforcement action” relating to bilateral margining for equity options until the entry into force of these amended RTS or the adoption of a long-term solution under EMIR 3, whichever occurs first.”

New Industry-Led Developments

ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions. [NEW]
ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives. [NEW]
ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets. [NEW]
ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation. [NEW]
ISDA Updates OTC Derivatives Compliance Calendar. On January 3, 2024, ISDA updated its global calendar of compliance deadlines and regulatory dates for the over-the-counter (OTC) derivatives space. The updated calendar can be found on the ISDA website.
ISDA Submits Response to HMT, FCA and PRA on UK EMIR. On December 20, ISDA and UK Finance submitted a joint response to His Majesty’s Treasury (HMT), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) on the reform of the UK EMIR. ISDA stated that ISDA and UK Finance submitted the response in an attempt to inform the next stage of the UK’s smarter regulatory framework reform package. In the response, the associations recommend a small number of clearly defined changes, seek certainty and permanence on current temporary exemptions and request an end to the current dependency on equivalence decisions for certain provisions (for instance, the intragroup exemption).

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)

Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)

Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)

Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)

Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)

Adam Lapidus – New York (+1 212.351.3869, alapidus@gibsondunn.com)

Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)

Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)

William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)

David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)

Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)

Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)

Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)

In recent years, regulatory action has been on the upswing in New York, with state and city administrative agencies and officials adopting increasingly aggressive roles in governing virtually every industry across the State. As a result, now more than ever it is essential for those working in regulated industries—whether on the legal or business side—to understand their legal options in challenging New York state and city agency rules, regulations, determinations, and other executive actions and policies. The primary vehicle for mounting such a challenge is the Article 78 action, a type of summary proceeding brought in New York State Supreme Court.

In this one-hour webcast, four of our most experienced attorneys in the field of challenging government action in New York—partners Mylan Denerstein, Gabriel Herrmann, and Akiva Shapiro, and of counsel Paul Kremer—provide practical and strategic guidance for the successful prosecution of Article 78 actions. Drawing on real-world examples from their practice, they will discuss the primary strategic issues that should be considered in deciding whether to bring an Article 78 challenge (versus, for example, a suit in federal court); provide a roadmap for litigating Article 78 proceedings and keys to success; and discuss the procedural hurdles government actors often raise in defending against these actions, and ways of overcoming those hurdles. The program is beneficial to anyone working in a regulated industry or otherwise affected by actions taken by New York city and state agencies and officials, as well as for practitioners.

PANELISTS:

Mylan L. Denerstein is a litigation partner in the New York office of Gibson, Dunn & Crutcher. Mylan is a co-chair of the Public Policy Practice Group and a member of the Crisis Management, White Collar Defense and Investigations, Financial Institutions, Labor and Employment, Securities Litigation, and Appellate Practice Groups. Mylan leads complex litigation and internal investigations, representing companies confronting a wide range of legal issues, in their most critical times. Mylan is known not only for her effective legal advocacy, but also for her problem solving skills. In addition, Mylan is global chair of the firm’s Diversity Committee and co-partner in charge of the New York office. Mylan was previously a member of the firm’s Executive Committee.

In 2022, Mylan was appointed to serve as the independent NYPD Monitor to oversee the court ordered reform process. Previously, Mylan has served in a wide variety of leadership roles in government, including as Counsel to the New York State Governor, as an Executive Deputy Attorney General in the New York Attorney General’s Office, and as Deputy Commissioner for Legal Affairs for the New York City Fire Department. In addition, Mylan served as a federal prosecutor in the U.S. Attorney’s Office for the Southern District of New York, prosecuting complex securities and fraud cases, and then as Deputy Chief of the Criminal Division.

Gabriel Herrmann is a partner in the New York office of Gibson, Dunn & Crutcher, and a member of Gibson Dunn’s Litigation Practice Group. His practice focuses on complex business and financial-services litigation, including disputes concerning commercial breach of contract claims, fraud and business torts, insolvency-related litigation, disputed interests in real property, shareholder derivative and securities litigation, antitrust and competition law, insurance, class actions, and M&A-related litigation. A substantial portion of his experience concerns matters involving cross-border jurisdictional issues, coordination of parallel overseas proceedings, and international choice-of-law and venue considerations. In addition to his commercial practice, Mr. Herrmann has significant experience representing clients in matters relating to the operations of New York State and City governmental entities, including both administrative and judicial review of agency determinations and constitutional challenges to government action and legislation. He practices actively in the federal district and bankruptcy courts, as well as the civil and Commercial Division courts of New York State, and has extensive appellate experience in both the New York State and federal court systems.

Akiva Shapiro is a litigation partner in Gibson, Dunn & Crutcher’s New York office, Chair of the Firm’s New York Administrative Law and Regulatory Practice Group, Co-Chair of its Religious Liberty Working Group, and a member of the Firm’s Appellate and Constitutional Law, Media, Entertainment and Technology, and Securities Litigation Practice Groups, among others. Mr. Shapiro’s practice focuses on a broad range of high-stakes constitutional, administrative, commercial, and appellate litigation matters. He is regularly engaged in front of New York’s trial courts, federal and state courts of appeal, and the U.S. Supreme Court.

Paul J. Kremer is Of Counsel in the New York office of Gibson, Dunn & Crutcher. He is a member of Gibson Dunn’s Litigation, Intellectual Property, and Crisis Management Practice Groups, where he focuses on contract, lease, and license disputes; patent infringement cases; and state and local regulatory challenges.

Paul represents a diverse array of clients engaged in high-stakes commercial litigation, from New York City park trustees and private real estate developers to Fortune 100 technology companies and prestige television networks. His intellectual property clients run the gamut, from garage startups to world-renowned pharmaceutical and consumer electronics makers. He also has extensive experience helping clients of all types navigate the New York State and New York City regulatory spheres.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

The California Supreme Court today held that courts lack the inherent authority to strike PAGA claims on the ground that they cannot be tried manageably. The Court emphasized, however, that trial courts have numerous other tools for narrowing complex PAGA actions, including limiting the evidence a plaintiff may present at trial.

“[S]triking a PAGA claim on manageability grounds alone … is inconsistent with a plaintiff’s statutory right to bring such a claim and is beyond a trial court’s inherent authority.”

Chief Justice Guerrero, writing for the Court

Background:

Luis Estrada sued his former employer, claiming various Labor Code violations, including violations related to meal periods. Estrada sought to represent classes of similarly situated employees and additionally sought penalties under the Private Attorneys General Act of 2004 (“PAGA”), California Labor Code section 2698 et seq. Following a bench trial, the trial court decertified the meal period classes, concluding that the claims presented too many individualized issues to be resolved in a class proceeding. The trial court also dismissed the PAGA claims seeking penalties based on those same meal-period claims for everyone other than the named plaintiffs, ruling that those claims could not be tried manageably.

The Court of Appeal held that the trial court had no authority to dismiss the PAGA claims on manageability grounds. In doing so, it broke from a previous Court of Appeal decision holding that trial courts have the inherent authority to strike unmanageable PAGA claims. The California Supreme Court granted review to resolve the conflict.

Issue:

Do courts have the inherent authority to strike PAGA claims if they cannot be tried manageably?

Court’s Holding:

No, but courts have numerous tools that can be used to manage PAGA cases, including limiting the evidence that a plaintiff can present at trial.

What it Means:

Both the California Supreme Court and the Ninth Circuit have now held that courts may not strike or dismiss PAGA claims on the ground that they cannot be tried manageably—even in cases in which class claims based on the same asserted Labor Code violations cannot be adjudicated in a manageable class action.
The Court’s opinion focused heavily on the distinction between class actions and PAGA actions, explaining that “class claims differ significantly from PAGA claims” and have “differing doctrinal bas[es].”
The Court emphasized, however, that its holding “does not preclude trial courts from limiting the types of evidence a plaintiff may present or using other tools to assure that a PAGA claim can be effectively tried.”
The Court also did not “foreclose the possibility that a defendant could demonstrate that a trial court’s use of case management techniques so abridged [its] right to present a defense that its right to due process was violated.”
The Court further explained that if a plaintiff’s case were “overbroad or unspecific,” such that she could not “prove liability as to all or most employees,” the PAGA claims could be narrowed through “substantive rulings,” including demurrers or motions for summary judgment.

The Court’s opinion is available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice

Thomas H. Dupree Jr. +1 202.955.8547 tdupree@gibsondunn.com	Allyson N. Ho +1 214.698.3233 aho@gibsondunn.com	Julian W. Poon +1 213.229.7758 jpoon@gibsondunn.com
Blaine H. Evanson +1 949.451.3805 bevanson@gibsondunn.com	Bradley J. Hamburger +1 213.229.7658 bhamburger@gibsondunn.com	Michael J. Holecek +1 213.229.7018 mholecek@gibsondunn.com

Related Practice: Labor and Employment

Jason C. Schwartz
+1 202.955.8242
jschwartz@gibsondunn.com

Katherine V.A. Smith
+1 213.229.7107
ksmith@gibsondunn.com

Related Practice: Litigation

Theodore J. Boutrous, Jr.
+1 213.229.7804
tboutrous@gibsondunn.com

Theane Evangelis
+1 213.229.7726
tevangelis@gibsondunn.com

An overview of labor and employee benefits considerations in M&A transactions, which can implicate financial liabilities and impact the value and long-term viability of a business.

As M&A transactions are negotiated, parties often focus on the business and revenue drivers of the target during the due diligence process and leave labor and employee benefit plan considerations as a secondary thought. However, employees are often the backbone of a business – employee and benefit plan matters can implicate serious financial liabilities and employee relations issues can impact the value and long-term viability of a business. Below, we highlight several labor and employee benefits considerations in M&A transactions.

Impact of Deal Structure on Employees and Benefit Plans

In a transaction structured as an acquisition of equity, the buyer acquires the target company’s (or a parent entity’s) equity interests, and typically inherits the target’s existing employees and employee benefit plans. Similarly, in a merger, the target becomes part of the buyer (or a subsidiary of the buyer). The continuity of the existing structure means target employees will generally automatically transfer employment to the buyer group while often remaining employed by their current employing entity, without any offer and acceptance process. This structure offers simplicity for the buyer from an on-boarding perspective, but demands a more thorough review of existing labor practices and benefit plans because the buyer will assume any legacy programs and historical liabilities. The scope of due diligence will include identifying (i) any potential employment practices or benefit plan concerns or non-compliance with applicable laws, and (ii) evaluating labor practices and benefit plans for post-closing integration with buyer practices and plans. In addition, a strategic buyer will need to determine how to handle duplicative benefit plans post-closing and may wish to require a seller to terminate certain plans pre-closing (or need to consider benefit plan mergers post-closing).

In contrast, in a transaction structured as an acquisition of assets, the buyer generally has more control and flexibility over which employees to hire and which benefit plans (if any) the buyer would like to assume. However, even if the buyer does not assume any benefit plans, the concept of successor liability for certain labor practices and benefit plans may still result in liability for the buyer. An asset structure also means the buyer will have to on-board target employees with an offer and acceptance process and employment agreements may need to be renegotiated. As part of this process, the buyer will also have to consider any employee relations issues as target employees face potential changes to their work environment and compensation and benefit structures.

Notably, in some mergers or equity deals, employees may be employed and benefit plans may be maintained at a parent level (rather than at the subsidiary being acquired). Such transactions are more akin to an “asset purchase” from a labor and benefits perspective as parent-level employees and benefit plans would not transfer automatically with the subsidiary target in the deal.

Potentially Costly Benefit Plan Liabilities

Thorough due diligence of benefit plans generally involves an examination of the target’s retirement plans and health and welfare benefits. Employee benefit plans are subject to a number of complex regulatory requirements, including the tax code, ERISA and the Affordable Care Act, which carry significant taxes and penalties in the event of noncompliance. Many of these laws also operate on a “controlled group basis,” meaning that benefit plan obligations at a parent or brother-sister entity can create exposure for the target. The due diligence process can help identify any potential legal risks and design strategies to mitigate such legal risks.

One area of particular concern is identifying whether the target (or any target employee) participates in any defined benefit pension plans or union (multiemployer) pension plans, or whether the target provides (or has promised to provide) any retiree health or other welfare benefits. Defined benefit pension plans are subject to strict funding requirements, and maintaining an under-funded plan may result in increased costs for the buyer post-acquisition due to unexpected increases in required contributions. Withdrawals (including partial withdrawals) from a union pension plan may also implicate significant withdrawal liabilities for an employer contributing to such a plan. In addition, if the target provides (or has promised to provide) any retiree welfare benefits, the buyer should take into account the future financial costs of such obligations, which can be quite significant depending on the covered population and the type of benefit. Thus, attention should be given during due diligence to the funding status of pension plans, any outstanding or potential withdrawal liability, and the extent of any retiree benefit commitments. Once such items are identified, the buyer can develop strategies for addressing these liabilities, including negotiating purchase price deductions or special indemnities.

Impact of Executive Compensation Arrangements and Code Section 280G

Due diligence should also cover the target’s executive compensation arrangements, including any equity arrangements, severance benefits, or other payments that might be triggered in connection with the transaction, to understand the potential future financial obligations and assess the compliance of such arrangements with regulatory requirements. Section 280G of the Internal Revenue Code (“Section 280G”) applies to certain payments (“parachute payments”) made to certain service providers of a corporation (“disqualified individuals”) in connection with a change in control. If parachute payments exceed three times the disqualified individual’s “base amount” (generally the average of the individual’s prior five-year compensation), Section 280G imposes a 20% excise tax on a portion of such payments and also prohibits the employer entity from taking a tax deduction for such payments. Transaction or retention bonuses, equity acceleration, and severance compensation and benefits are common payments that could be considered parachute payments.

Private Company Targets. There are several notable exceptions to Section 280G. One of the most commonly used exceptions for private corporations is to obtain shareholder approval of parachute payments. This process generally involves: (i) obtaining a waiver from each of the disqualified individuals waiving their right to excess parachute payments if such are not approved by the target’s shareholders, (ii) disclosing the details of such payments to all of the company’s shareholders, and (iii) obtaining the approval of at least 75% of the voting power of the target’s shareholders, excluding those receiving parachute payments. Depending on the number of disqualified individuals and shareholders involved, this process can be lengthy and involve additional negotiations. Thus, the parties should identify Section 280G payments early in due diligence so that any shareholder approval process is completed before closing. Where a transaction has a staggered sign and close, a covenant is also often included in the purchase agreement requiring sellers to solicit waivers and shareholder approval in accordance with 280G’s regulatory requirements (under Section 280G the consummation of the transaction cannot be contingent on actually obtaining such shareholder approval).

Public Company Targets. The shareholder approval exception is not available to public company targets. Thus, the parties should identify potential Section 280G payments early in the due diligence process to explore mitigation strategies. Common mitigation strategies involve: (i) using “cutback” provisions to reduce parachute payments to the maximum amount that avoids excise taxes or that results in a better net after-tax benefit for the individual, (ii) for transactions that will sign in one calendar year and close in a later calendar year, increasing the disqualified individuals’ “base amount” by accelerating certain compensation (such as annual bonuses and potentially equity vesting) to the year prior to the year of closing so that such amounts will be included in calculating the “base amount,” and (iii) obtaining valuations of any applicable restrictive covenants which can help to offset the value of excess parachute payments in certain circumstances.

Potential Exposure to Worker Misclassification Liability

Due diligence should also include a review of the target’s worker classification practices. Two primary worker misclassification issues can arise in the context of an M&A transaction: (1) misclassification of workers as exempt under the minimum wage and overtime requirements of the Fair Labor Standards Act (“FLSA”) and similar state laws; and (2) misclassification of workers as independent contractors. Claims brought by employees who have been improperly classified can result in significant liability—including liability for unpaid wages and benefits, liquidated damages, unpaid taxes, and attorney’s fees. These claims are often asserted as collective actions seeking damages on behalf of all affected employees.

Exempt or Non-Exempt Status. In order to comply with the FLSA and similar state laws, exempt employees often must meet separate salary level, salary basis, and job duties tests. To complete a fulsome analysis of these tests, the buyer should ensure that the target provides an employee census early in the diligence process that lists all of the target’s employees, their locations, job titles, compensation rate, compensation type (hourly, salaried, or commission), and classification under the FLSA (exempt or non-exempt). A complete employee census is the first step for identifying potential “red flags.” For any job titles that raise FLSA classification concerns, the buyer should request a job description and additional details to assess whether job duties align with requirements of an applicable exemption under the FLSA.

Independent Contractors. Although true independent contractors are not subject to the FLSA, an employee improperly classified as an independent contractor may have a viable claim for minimum wage, overtime pay, employee benefits coverages and other benefits typically reserved for employees. For this reason, an analysis of the target’s worker classification practices should include review of the use of independent contractors, including an independent contractor census reflecting the scope of work and the length of engagement of independent contractors, as well as an analysis of sample contracts between the target and its independent contractors. The Department of Labor (“DOL”) released a final rule on January 10, 2024, tightening the standard for evaluating the classification of workers. The rule, effective March 11, 2024, suggests that employers use a “totality of the circumstances test” made up of six equally-weighted factors: (1) the opportunity for profit or loss depending on managerial skill; (2) the investments by the worker and potential employer; (3) the degree of permanence of the work relationship; (4) the nature and degree of control over performance of the work and the work relationship; (5) the extent to which the work performed is integral to the potential employer’s business; and (6) the skill and initiative of the worker. No one factor controls; instead, an analysis of all six factors is needed in order to effectively evaluate a worker’s classification. The greater a target’s use of independent contractors, the more fact-intensive a due diligence inquiry into the nature of the parties’ working relationship must be. While the DOL’s new rule is likely to be the subject of legal challenges, it reflects a general trend subjecting independent contractor arrangements to closer scrutiny, increasing the need to carefully assess such arrangements in deal diligence.

Collective Bargaining Issues

If the target company or any of its employees are parties or subject to collective bargaining agreements (“CBAs”), work councils, or any other similar labor obligations with representative bodies, due diligence requires a careful analysis of the agreement’s terms to evaluate its potential impact on the transaction both pre- and post-closing. Examples of such terms include, but are not limited to: (1) provisions that require notice to and consent from the union prior to a sale or transfer of the business; (2) provisions that require recognition of the union; and (3) provisions that require the transferee or purchaser to continue providing certain benefits to the covered union members (such as pension plans). In addition, the buyer should note the status and term of any agreements. If a CBA has recently expired or its expiration is imminent, union negotiations and bargaining for a new CBA could impact the timeline of the transaction and thereby the date of closing, as well as give rise to other considerations.

In addition to examining any union agreements themselves, buyers must be aware of the practical considerations of purchasing a company with union labor obligations, including the scope of any union recognition on employees covered by the transaction. A buyer should also be aware of extra-contractual duties that could arise under federal labor law. For example, the National Labor Relations Board (“NLRB”) recently expanded its test for finding the existence of “joint-employer” status under a final rule to become effective on February 26, 2024. Under the new standard, two or more entities may be found to be joint employers of a group of employees (and, thus, jointly obligated to recognize a union as the representative of such employees) if two conditions are met: (1) each entity has an “employment relationship” with the employees; and (2) the entities “share or codetermine one or more of the employees’ essential terms and conditions of employment.” This new standard can be important to consider in transactions involving parent/subsidiary arrangements, joint ventures, and outsourced management (including between property owners and managers and between portfolio companies and private equity managers).

Another consideration—albeit less common—is that of a double-breasted operation (a practice often—but not exclusively—seen in the construction industry). Such an arrangement can occur when one parent company (or a common owner) operates both union and non-union businesses in the same market. Although permitted by federal labor law, these types of arrangements can be subject to additional scrutiny by the NLRB to ensure that the entities are truly separate and not alter egos of each other created to circumvent the CBA’s coverage of all employees. In the absence of adequate separation, the parent or common owner can be exposed to substantial liability flowing from application of collective bargaining obligations to its erstwhile non-union business operations.

Review of Pay and Payroll Practices

Due diligence should also include a review of the target’s pay and payroll practices, including the company’s policies on employee pay and timekeeping practices. The target should have a system to accurately record time worked and track other employee time, such as meal and break times (the specific requirements for which can vary based on state laws). In reviewing the target’s pay and timekeeping practices, a buyer should keep in mind any distinctions that could be susceptible to challenge. For example, does the target “round” reported time or require non-exempt employees to “clock in” for work electronically in a manner that arguably does not account for the time it takes for the individual to log in to a computer or otherwise perform “clocking in” tasks.

Another issue to consider is the target’s practices and recordkeeping related to employee bonuses. For example, if a bonus that is offered to a non-exempt employee qualifies as a “non-discretionary” bonus under DOL rules, the bonus should be included in the employee’s regular rate of pay for purposes of overtime pay calculation under the FLSA. Proper recordkeeping should allow the buyer’s counsel to confirm the target’s compliance with overtime rules where nuances exist.

Pre-Employment and Hiring Practice Compliance

Many companies require certain pre-employment screenings and testing, such as drug tests, background checks, or physical exams, to help screen and select job applicants. Aside from immigration compliance and anti-discrimination laws, most hiring practices are governed primarily by state law. Buyers must carefully assess potential liability stemming from the target’s pre-employment practices, paying particular attention to the laws of states where the target employs a sizeable number of workers. Improper administration or application of these tests may give rise to a variety of legal claims. Testing should be uniformly applied and comply with the Americans with Disabilities Act (“ADA”), and reasonable accommodations for disabled individuals must be provided. Finally, consideration of any privacy concerns or recordkeeping requirements related to the target’s pre-employment and hiring practices should also be a part of the due diligence process.

Employment Eligibility and Immigration Law Compliance. Due diligence should cover the target’s practices for ensuring immigration compliance, including Form I-9 completion and potential use of E-Verify to confirm a prospective employee’s eligibility to work in the United States, which may be required or restricted under applicable state and federal laws. If the target employs foreign workers and the buyer intends to hire or retain these workers, due diligence should also take into consideration the work status of each of these workers, including the existence or availability of applicable visas or other immigration-related approvals.

Background Checks. Because of the patchwork of state laws governing these subjects, a target’s use of criminal background checks, consumer or credit reports, or social media screening are all cause for additional scrutiny. For example, many states restrict an employer’s ability to inquire into an applicant’s criminal record or limit the employer’s ability to make hiring decisions solely based on an applicant’s criminal record. Additionally, obtaining information about an applicant from a company that compiles background information as a business may require the disclosure of specific information to the applicant in writing.

Medical Exams; Drug Tests. A target’s practices in conducting any pre-employment medical screenings should be closely examined. Under the ADA, job applicants cannot be required to submit to medical or physical examinations or alcohol tests prior to receiving (at least) a conditional job offer. Note, however, that according to EEOC guidance, employers may ask applicants to submit to drug tests before making a conditional job offer.

The following Gibson Dunn lawyers prepared this alert: Sean Feller, Krista Hanvey, Robert Little, Saee Muzumdar, Karl Nelson, Lucy Hong, Chris Celeste Nisttahuz, and Claire Piepenburg.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Mergers & Acquisitions, Private Equity, Executive Compensation & Employee Benefits, or Labor & Employment practice groups, or the following authors and practice leaders:

Executive Compensation and Employee Benefits:
Sean C. Feller – Los Angeles (+1 310.551.8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+ 214.698.3425, khanvey@gibsondunn.com)

Labor and Employment:
Karl G. Nelson – Dallas (+1 214.698.3203, knelson@gibsondunn.com)
Jason C. Schwartz – Washington, D.C. (+1 202.955.8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, ksmith@gibsondunn.com)

Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)

Private Equity:
Richard J. Birns – New York (+1 212.351.4032, rbirns@gibsondunn.com)
Wim De Vlieger – London (+44 20 7071 4279, wdevlieger@gibsondunn.com)
Federico Fruhbeck – London (+44 20 7071 4230, ffruhbeck@gibsondunn.com)
Scott Jalowayski – Hong Kong (+852 2214 3727, sjalowayski@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310.552.8581, alanin@gibsondunn.com)
Michael Piazza – Houston (+1 346.718.6670, mpiazza@gibsondunn.com)
John M. Pollack – New York (+1 212.351.3903, jpollack@gibsondunn.com)

Key Developments:

On January 1, Texas’s ban on DEI offices and programming at public colleges and universities took effect. The new law prohibits public higher education institutions from establishing DEI offices, contracting with third parties to perform the functions of a DEI office, requiring any DEI training as a condition of enrollment, or according any preference based on diversity metrics, in admissions or otherwise. Covered institutions must adopt policies for disciplining employees or contractors who violate the ban, and the institutions’ boards must certify compliance. The law provides for periodic auditing and offers equitable relief to students or employees required to participate in a training in violation of the law. Institutions that fail to cure violations identified by an auditor within 108 days will be ineligible for certain state funding and institutional enhancements.

On January 2, America First Legal (AFL) sent letters to the EEOC and the Office of Federal Contract Compliance Programs (OFCCP) seeking investigations of Sanofi Pasteur for alleged violations of federal law. In its letter to the EEOC, AFL cited a video released to X (formerly Twitter), that appears to record an internal company meeting in which Sanofi Senior Vice President and U.S. Country Lead Carole Huntsman discusses Sanofi’s diversity goals and lists specific ratios of new hires that should be Black and Latinx. AFL also referenced the company’s Diverse Slate Policy, which requires Sanofi’s recruiting team to include “a minimum of one person of color and one female in each slate presented to a hiring leader,” and sets percentage goals for employee representation by race. In its letter to the OFCCP, AFL argued that Sanofi has violated a nondiscrimination clause integrated into every federal contract and subcontract through 41 C.F.R. § 60-1.4(a)(1)–(2), and that it is therefore subject to sanctions by the Secretary of Labor, including cancellation of contracts and a declaration of ineligibility for future government contracts. AFL also referenced the Supplier Diversity program discussed in Sanofi’s Diversity, Equity & Inclusion 2022 Impact Report for North America, which identifies specific goals for contracting with women-owned businesses and for “total diversity spend,” and argued that the program “may signify discriminatory quotas and potential violations of law.”

On January 4, the Foundation Against Intolerance and Racism (“FAIR”) reported that it had sent a letter to the National Institutes of Health (“NIH”) on November 30, 2023, concerning the NIH’s Consortium Underrepresented Student Program (“CUSP”), a summer internship program for individuals from underrepresented groups. FAIR states that, at the time of its letter, the NIH’s application defined underrepresented to include individuals with disabilities, individuals from disadvantaged backgrounds, and individuals from certain ethnic groups. Use of these criteria, according to FAIR, violated the NIH’s own non-discrimination policy, as well as the Equal Protection Clause of the Fourteenth Amendment and Title VI of the Civil Rights Act. FAIR requested that the NIH remove the criteria prior to the CUSP program’s application deadline in mid-January. The NIH has since removed the term underrepresented from the name of the program, the application eligibility criteria, and the application itself. The CUSP program page now encourages individuals of all backgrounds to apply, including those from “populations underrepresented in the clinical and biological sciences, such as underrepresented racial and ethnic groups, individuals with disabilities, individuals from disadvantaged backgrounds, and women.”

On January 5, attorneys general from nineteen states, spearheaded by Kansas, Montana, and Tennessee, wrote a letter to the Department of Commerce to oppose the Department’s proposed Business Diversity Principles, which seek to advance “best practices related to diversity, equity, inclusion, and accessibility (DEIA) in the private sector.” The attorneys general claimed that the Principles violate the Equal Protection Clause and Title VII of the Civil Rights Act, stating that “federal law makes clear that well-intentioned racial discrimination is just as illegal as invidious discrimination.” The attorneys general asserted that any race-based initiatives in the Principles are patently illegal and will garner unnecessary litigation, and referenced several recent lawsuits in which defendant employers and law firms changed their race-based recruitment programs or settled. The letter asserted that it “speaks volumes about [such programs’] lack of legal footing” that “some of the nation’s leading law firms can[not] craft a colorable defense to race-based DEIA efforts.”

On January 11, Arkansas Republican Senator Tom Cotton sent letters to ten different recruiting firms he alleged may be “conspiring with companies to exclude ‘non-diverse’ candidates from the hiring pool.” Recipients included Robert Half, Kelly Services, Randstad North America, Korn Ferry, ManpowerGroup, Egon Zehnder, Spencer Stuart, Heidrick & Struggles, Russell Reynolds Associates, and Diversified Search Group. In his letter, Senator Cotton noted the tension companies face between improving diversity metrics sometimes needed to access investment capital and avoiding the recent wave of legal scrutiny over corporate DEI initiatives, and suggested that companies “are increasingly outsourcing the dirty work of diversity discrimination to recruiting firms.” Noting that these initiatives may violate Title VII, Senator Cotton assured letter recipients that “corporate DEI initiatives that discriminate based on race will soon suffer the same fate as affirmative action in academia.” Citing EEOC Commissioner Andrea Lucas’s June 2023 statement that corporate diversity programs “pose both legal and practical risks for companies,” Senator Cotton urged letter recipients “to refuse any request to racially discriminate in recruiting practices.”

Media Coverage and Commentary:

Below is a selection of recent media coverage and commentary on these issues:

Law360 Pulse, “Law Firm DEI Efforts At Crossroads Amid ’24 Litigation Threat” (January 2): Law360’s Ryan Boysen describes the shifting DEI landscape for law firms following the Supreme Court’s SFFA decision. Although Edward Blum recently expressed that AAER was done suing law firms (following AAER’s now-dismissed suits against Morrison Foerster, Perkins Coie, and Winston & Strawn), Boysen writes that “experts say law firms should remain vigilant in 2024.” Gibson Dunn Partner Jason Schwartz, head of the firm’s DEI Task Force and co-Chair of the firm’s Labor & Employment group, told Boysen that the “litigation around diversity and related topics that we’ve seen in the wake of SFFA is really only the beginning.” Schwartz also flagged that the “key issue heading into 2024 will be how Muldrow[, the Title VII case pending before the Supreme Court,] is decided,” concluding that “[i]f that ruling creates a lower bar for filing Title VII lawsuits, then you will see a lot of diversity programs being challenged in litigation.”
Wall Street Journal, “How the Push for Diversity at Colleges and Companies Came Under Siege” (January 4): WSJ’s Ray A. Smith and Lauren Weber describe the “legal, economic and geopolitical forces” threatening DEI initiatives. Smith and Weber spoke to DEI consultants about the potential long-term effects of the recent increase in opposition to DEI. Paradigm CEO Joelle Emerson said that many Fortune 500 companies are continuing their diversity and inclusion efforts but are planning to be “quieter” about their implementation. Johnny C. Taylor, Jr., CEO of the Society for Human Resources Management, has seen some companies begin moving away from certain DEI efforts, especially those that are “tied to numeral targets for hiring or promotions” or that base executive bonuses on those targets. Rory Lancman, director of corporate initiatives and senior counsel at the Louis D. Brandeis Center for Human Rights Under Law, notes that the DEI landscape is further complicated by diverging opinions on the Israel-Hamas war, which have garnered significant attention on college campuses and have caused tension in some workplaces.
Fortune, “The anti-DEI movement has gone from fringe to mainstream. Here’s what that means for corporate America” (January 4): Paradigm CEO Joelle Emerson discusses how, in her view, conservative activists have “weaponized” DEI, and what proponents of diversity initiatives can do to reframe the discussion. Notwithstanding the recent wave of litigation challenging DEI-related programs, “anti-diversity activists have been working towards this moment for decades,” writes Emerson. But she opines that the recent success of the anti-DEI narrative is due in part to the nature of the pro-DEI narrative—one that, in some cases, has not “always left room for conversations, questions, or nuance” and leads to “drawing a line in the sand, pro-DEI vs. anti-DEI.” The result, says Emerson, is that many corporate leaders who care about increasing representation of diverse voices are nonetheless concerned about being criticized for not going far enough, and worry about the legal ramifications of setting diversity goals. Emerson advocates for a return to fundamentals—“the actual principles of diversity, equity, and inclusion”—with renewed focus on the precise access and experience gaps DEI work is seeking to close.
Washington Post, “Conservative anti-DEI activists claim victory in Harvard leader’s fall” (January 5): The Post’s Julian Mark and Taylor Telford report on conservative activists’ response to the resignation of Harvard University President Claudine Gay. Gay recently came under fire for her Congressional testimony related to on-campus anti-Semitism, and has also faced accusations of plagiarism in her scholarly work. As Mark and Telford note, conservative activists and public figures have characterized Gay’s achievements as the result of her race and not her merit. In a post on X, activist Chris Rufo called Gay’s resignation “the beginning of the end for DEI in America’s institutions”; in his own post on X, hedge fund manager and Harvard alumnus Bill Ackman, who described DEI as “inherently a racist and illegal movement,” called Gay’s resignation “an important step forward for the University.” In an op-ed published in the New York Times, Gay stood by her scholarly work and characterized her resignation as part of a larger attack on DEI, stating that “the campaign against me was about more than one university and one leader.”
Harvard Business Review, “DEI Is Under Attack. Here’s How Companies Can Mitigate the Legal Risks.” (January 5): Kenji Yoshino and David Glasgow, both of the NYU School of Law and the Meltzer Center for Diversity, Inclusion, and Belonging, advocate for businesses to take a proactive approach in adapting to the shifting legal landscape surrounding DEI. Yoshino and Glasgow lay out a framework for identifying risk among DEI programs, noting that high-risk programs: (1) confer “a preference” on some individuals and not others; (2) give that preference to a legally protected group; and (3) confer, as part of that preference, some “palpable benefit” related to work. Applying this framework, Yoshino and Glasgow identify examples of high-risk programs, including enforcing hiring, promotion, or other quotas, using protected criteria as a tiebreaker in making employment decisions, targeting specific programs to specific protected groups, and linking managers’ compensation to meeting DEI targets. To mitigate risk, Yoshino and Glasgow recommend that companies seek to level the playing field for all candidates, focus on commonalities other than membership in protected groups, and identify ways to increase DEI buy-in untethered to any palpable benefits in the workplace.
Corporate Counsel, “Many Companies Doubling Down on DEI Despite Backlash” (January 10): Corporate Counsel’s Trudy Knockless reports on a new study by law firm Littler Mendelson, finding that companies have maintained their DEI commitments even while seeking to minimize legal risk in the wake of SFFA. Surveying over 320 senior corporate executives, the study found that 57% of respondents say their organizations have increased diversity efforts over the last year and 91% say DEI is as much of a priority as it was before the Supreme Court’s decision. Despite this commitment, the study also identified DEI as a challenge to corporations, as executives try to “find a balance” among competing priorities in the shifting legal and political landscape.
The New York Times, “D.E.I. Goes Quiet” (January 13): The New York Times’ Sarah Kessler asks whether the recent decrease in visibility of corporate DEI programs means companies have “pulled back” on DEI, or whether they have simply “changed how they approach and talk about it.” Kessler asked this question of Paradigm CEO Joelle Emerson, who suggested that the pushback against diversity programs has led some companies to rebrand their efforts as a broader attempt to improve workplace culture. Porter Braswell, founder of the professional membership network 2045 Studio, told Kessler that many companies are opening diversity programs to all employees and reframing them as opportunities to increase representation of diverse experiences. Experts have different opinions on this rebranding. Braswell said that what mattered was that the “end goals of these diversity initiatives and programs will not change.” But Misty Gaither, vice president of diversity, inclusion, equity and belonging at Indeed, advocated against walking back the use of the term DEI: “The data says that all of these positive things happen when you have diversity, equity and inclusion. So we’re not going to mask it or call it something different.”

Case Updates:

Below is a list of updates in new and pending cases:

1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:

Am. Alliance for Equal Rights v. Fearless Fund Mgmt., LLC, No. 1:23-cv-03424-TWT (N.D. Ga. 2023), on appeal at No. 23-13138 (11th Cir. 2023): AAER sued a Black women-owned venture capital firm with a charitable grant program that provides $20,000 grants to Black female entrepreneurs; AAER alleged that the program violates Section 1981 and sought a preliminary injunction. Fearless Fund is represented by Gibson Dunn.
- Latest update: On January 3, AAER filed its reply in support of its merits brief before the Eleventh Circuit. AAER reiterated that it had standing despite the use of pseudonymous declarations by members, and also claimed the fact that the members had never applied to the contest was irrelevant because Fearless Fund explicitly excluded non-Black non-female businesses. AAER also challenged Fearless Fund’s characterization of the program as legal affirmative action, arguing that the use of blanket racial categorizations lacked the structured, measurable benchmarks of a valid affirmative action program under 29 U.S.C. § 1608, and was not sufficiently tailored to meet strict scrutiny. AAER also reasserted that Fearless Fund’s program is a contract, and that any changes to the program’s rules made after the litigation began should not exempt Fearless Fund from liability. Finally, AAER argued that Fearless Fund’s program should be considered a contest rather than a charitable donation program, and that, as a result, it lacked the requisite expressive content to constitute protected speech under the First Amendment. Oral argument is scheduled for January 31, 2024.

Roberts & Freedom Truck Dispatch v. Progressive Preferred Ins. Co., et al., No. 23-cv-1597 (N.D. Oh. 2023): On August 16, 2023, plaintiffs represented by AFL sued defendants Progressive Insurance and Hello Alice, alleging that defendants’ grant program that awarded funding specifically to Black entrepreneurs to support their small businesses violated Section 1981.
- Latest update: On December 21, 2023, a coalition of four civil rights organizations filed a motion requesting leave to file an amicus brief on behalf of the defendants, which the court granted on January 2. In their brief, the civil rights groups argued that historical evidence from the 1866 Congress that passed Section 1981 shows that Congress’s overriding intent was to grant Black citizens the tools to be independent and empowered actors in the economy. Thus, they argued, interpreting the statute to impede voluntary private philanthropy like a grant program that supports Black economic mobility would subvert Congress’s intent and misread the statute. On January 3, the plaintiffs amended their complaint, adding new exhibits and pleading additional facts to support its contention that the grant program at issue is a contract and not a charitable donation. The defendants’ motion to dismiss the amended complaint is due February 7, 2024.

Do No Harm v. Vituity, No. 3:23-cv-24746-TKW-HTC (N.D. Fla. 2023): On December 8, 2023, Do No Harm, an advocacy group representing doctors and healthcare professionals, sued a nationwide physician partnership that runs a Bridge to Brilliance Incentive Program—a DEI and recruitment program that advertises a sign-on bonus and benefits specifically to qualified Black physicians. The plaintiff alleged the program violates Section 1981 as well as Section 1557 of the Affordable Care Act, which prohibits discrimination by healthcare providers receiving federal financial assistance. Do No Harm sought a temporary restraining order and preliminary injunction, barring the defendant from closing the application period on December 17, 2023.
- Latest update: On January 3, the parties voluntarily dismissed the case after Vituity ended the challenged incentive program. In a joint stipulation of dismissal, Vituity stipulated to having “already made the decision to end the Black Physician Leadership Incentive.” The company agreed that “moving forward, when applicable, while reviewing applications for incentives, Vituity may only take into consideration how race affected a physician’s life, be it through discrimination, inspiration, or otherwise,” paraphrasing language the Supreme Court used in SFFA v. Harvard to describe a permissible use of race in the school admissions context.

Landscape Consultants of Texas, Inc, v. City of Houston, No. 4:23-cv-3516 (S.D. Tx. 2023): Plaintiff landscaping companies owned by white individuals challenged Houston’s government contracting set-aside program for “minority business enterprises” that are owned by members of racial and ethnic minority groups. The companies claim the program violates the Fourteenth Amendment and Section 1981.
- Latest update: On December 20, the plaintiffs filed their opposition to the City of Houston’s motion to dismiss. As to their alleged injury-in-fact, the plaintiffs argued that they did not need to plead that they lost contracts due to the minority business enterprise policy; rather, they only needed to allege that the policy forced them to compete for contracts on an unequal basis. Further, the plaintiffs argued that Equal Protection claims do not require an allegation of racial animus when challenging a facially-discriminatory government program.

2. Employment discrimination under Title VII and other statutory law:

Farkas v. FirstEnergy Corp. et al., No. cv-23-986280 (Ohio Ct. Common Pleas Cuyahoga Cty.): On September 29, 2023, a white male former corporate counsel at FirstEnergy sued the company under Ohio’s antidiscrimination statute, alleging that he was fired in retaliation for expressing concerns about the company’s DEI programs.
- Latest update: On December 19, 2023, FirstEnergy filed its motion to dismiss the complaint under seal, arguing in the unsealed portions that the plaintiff failed to provide sufficient notice of the claims being asserted, that some of his claims are time-barred, and that he failed to state a claim under Ohio procedural law. The plaintiff filed his opposition, also under seal, on January 8.

Grande v. Hartford Board of Education et al., No. 3:24-cv-00010-JAM (D. Ct. 2024): On January 3, 2024, Plaintiff, a white male physical education teacher in the Hartford school district, filed suit against the Hartford School Board after allegedly being forced to attend mandatory DEI trainings. He claimed that he objected to the content of a mandatory professional development session focused on race and privilege, stating that he felt “white-shamed” after expressing his political disagreement with the training’s purposes and goals, and that he was thereafter subjected to a retaliatory investigation and was wrongfully threatened with termination. He claims the school’s actions constitute retaliation and compelled speech in violation of the First Amendment.
- Latest update: According to the docket, the defendant has not yet been served with the complaint.

3. Educational Institutions and Admissions (Fifth Amendment, Fourteenth Amendment, Title VI, Title IX):

Students for Fair Admissions v. U.S. Military Academy at West Point et al., No. 7:23-cv-08262 (S.D.N.Y. 2023), on appeal at No. 24-40 (2d Cir. 2024): On September 19, 2023, SFFA sued West Point Academy, arguing that affirmative action in its admissions process, including alleged racial “benchmarks” of “desired percentages” of minority representation, violates the Fifth Amendment of the U.S. Constitution by taking applicants’ race into account.
- Latest update: On January 3, 2024, the court denied SFFA’s request for a preliminary injunction. Although the court found that SFFA had standing to sue notwithstanding its reliance on pseudonymous members, it held that the organization failed to satisfy the factors warranting a preliminary injunction. For likelihood of success on the merits, the court emphasized that SFFA had a very high burden to prove a negative (that West Point was not likely to be able to justify its race-conscious admissions with a compelling government interest) with limited and speculative facts at the preliminary injunction stage. The court found that the speculative “patchwork” of putatively non-compelling interests and justifications that SFFA attributed to West Point in its complaint did not actually align with those offered by the government at oral argument, muddling rather than clarifying the legal issues. Further, the court stated that the Supreme Court’s instructions to give “great deference” to military authorities encouraged the court to be apprehensive of rendering a preliminary decision “without a full understanding . . . as to what exactly are the compelling interests asserted [and] to whom those compelling interests belong.” As a result, the court found that SFFA’s request for a preliminary injunction at most “creates questions of fact,” falling short of the “clear showing required for the extraordinary and drastic remedy sought.” On the other factors, the court found that SFFA did not establish irreparable harm because it appeared its pseudonymous members were still eligible for admission to West Point. The court also held that the public interest and the balance of the equities favored West Point because an injunction would disrupt West Point’s ongoing admissions cycle and potentially lead to withdrawn admission offers. On January 4, SFFA filed an emergency appeal to the Second Circuit, requesting immediate review of the district court’s decision.

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, mdenerstein@gibsondunn.com)

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, zswilliams@gibsondunn.com)

Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, msenger@gibsondunn.com)

Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, bevanson@gibsondunn.com)

Data analytics technology has now matured to a point where companies should consider how to harness it for enhancing compliance around their corporate financial and sustainability disclosures.

I. INTRODUCTION AND SCOPE

As computing technology develops at a mind-boggling pace, companies are thinking more creatively about how to leverage data science and analytics, including through the use of artificial intelligence (AI) (collectively, data analytics technology) across their operations. This alert provides guidance and recommendations regarding one specific area where clients should consider this technology: managing and mitigating compliance risks associated with the company’s public financial and sustainability disclosures.

We first provide some background on data analytics and artificial intelligence. Second, we provide a brief overview of the extent to which large market capitalization (large-cap) companies are using data analytics technology. We also discuss how companies are leveraging AI for specific objectives and how regulators are thinking about and employing data analytics technology. Third, we highlight specific risks associated with public disclosures, filings, and other statements, and present some ideas for how companies can use data analytics technology to mitigate those risks. We also discuss the risks companies may face through activism and litigation because of how third parties are using these technologies.

We provide four recommendations for companies to consider—or consider further—as they seek to better manage disclosure risks by using data analytics technology. These recommendations include ways in which companies may leverage both traditional data analytics tools[1]—which often require data scientists manually to compile and examine reports—and tools incorporating machine learning and AI capabilities[2] such that portions of the analysis may be automated.[3] Broadly, these recommendations are centered around using data analytics technology to more proactively:

assess regulatory filings, investor disclosures, and public statements for areas of regulatory risk;
understand, prepare for, and respond to activism and litigation relating to public disclosures;
address fraud and non-compliance with corporate policies and procedures; and
identify and combat misinformation in news and media coverage about the company and its business.

These recommendations are intended at a high level and many of them may be implemented using either traditional data analytics tools or AI capabilities. Moreover, AI and the legal frameworks governing its development and use are rapidly evolving, and, while the information in this alert is accurate as of the date of its writing, we are confident that subsequent developments will warrant continued evaluation of the relevant factual, technological, and legal landscape. Ultimately, the purpose of the discussion and recommendations below is to assist companies as they consider how to use these tools to enhance compliance around the company’s public financial and sustainability disclosures.

II. RELEVANT TECHNOLOGY AND RELATED CONSIDERATIONS

Data Analytics

Data analytics (sometimes referred to as “data science” in the technology and academic sectors) involves the collection, transformation, and organization of data in order to draw conclusions, develop predictions, and support informed decision-making. Data analytics relies on data mining, data cleansing, data transformation, and data modeling to describe, predict, and improve performance. In the business context, data analytics has become an increasingly important tool for analyzing and shaping business processes, improving decision-making, and driving business results.

Broadly speaking, data analytics is commonly used in several ways:

Descriptive analytics identifies trends and patterns in current or historical data to describe the state of affairs in a specified time period.[4] In the business context, data analytics is used to analyze business information and develop insights to inform business decisions.
Diagnostic analytics uses data to identify, understand, and explain the reasons for past performance.[5]
Predictive analytics uses statistical modeling, forecasting, and machine learning to analyze data produced by descriptive or diagnostic analytics and to make predictions about the future based on that analysis.[6]
Prescriptive analytics uses machine learning and complex algorithms to build and test specific solutions to complex problems that can be implemented to solve business problems and drive improved results.[7]

Data analytics can be manual or automated, with automated processes relying on computers to generate results more efficiently, cost-effectively, and with minimal need for human intervention.

A recent example of non-AI data analytics tools that impact public companies is the Securities and Exchange Commission’s (SEC’s) Earnings Per Share Initiative, which uses “risk-based data analytics to uncover potential accounting and disclosure violations caused by, among other things, earnings management practices.”[8] Unlike other initiatives that focus on re-running financial data, the EPS initiative is using data analytics and other tools to uncover evidence of manipulation in reporting.[9] Although relatively simple compared to generative artificial intelligence (GAI), these data-based approaches can reveal large-scale manipulation due to human error (e.g., investigators review data to ensure that the proper ratio of the numeral “4” appears in data, as human manipulation tends to leave out the number 4, due to a tendency to round up or down).[10] Academic research on earnings management and accounting fraud has applied such methods or concepts to detect fraud by, for example, drawing correlations between CEO/CFO driving records and propensity for ostentatious lifestyles.[11] Regulators and analysts are using the methods developed in these papers to detect accounting fraud earlier and, according to the SEC’s latest budget request, it plans to put even more effort into developing its AI capabilities.[12]

Artificial Intelligence

AI is a technology through which various computing and analytics tasks can be automated. “An AI system is a machine-based system that is capable of influencing the environment by producing an output (predictions, recommendations or decisions) for a given set of objectives. It uses machine and/or human-based data and inputs to (i) perceive real and/or virtual environments; (ii) abstract these perceptions into models through analysis in an automated manner (e.g., with machine learning), or manually; and (iii) use model inference to formulate options for outcomes. AI systems are designed to operate with varying levels of autonomy.”[13] For example, AI systems can be used to automate any of the four types of data analytics described above. AI systems can be designed to automatically analyze data, identify issues, propose solutions, and predict how a solution will work. With that information in hand, human decision-makers can decide whether or not to take a proposed course of action. AI systems can also be designed to be fully automated. That is, once an AI system has identified a problem and proposed and tested a solution, it can decide whether to implement the solution without human intervention.

To be able to propose and test solutions to complex problems—and even take independent action—an AI system relies on training models that consume and process vast amounts of data. The lifecycle of an AI system involves several phases: “i) ‘design, data and models’; which is a context-dependent sequence encompassing planning and design, data collection and processing, as well as model building; ii) ‘verification and validation’; iii) ‘deployment’; and iv) ‘operation and monitoring’. These phases often take place in an iterative manner and are not necessarily sequential.”[14]

III. GENERAL USE CASES FOR ANALYTICS IN THE COMPLIANCE SPACE

Current State of the Use of Data Analytics Technology

Although companies are rapidly adopting data analytics technology, its use for managing risk and compliance has lagged somewhat. Deloitte conducted a recent study of large-cap companies by surveying members of the Society for Corporate Governance.[15] The study found that nearly half of all respondents reported that the use of AI tools was neither expressly permitted nor prohibited within their company. However, among large-cap respondents, only 25% reported that the use of AI tools is simply not addressed by company policies, with 36% of large-cap respondents reporting that they allow for AI use for specific purposes, and 14% of large-cap respondents permitting use for any purpose.[16]

Among large-cap respondents, 17% reported that they do not currently have any AI use framework, AI policy, or AI code of conduct in place, while 47% are “currently considering” implementing such policies and frameworks.[17] Notably, among all respondents (including mid- and large-cap), only 13% have specific AI-related policies or frameworks in place.[18] However, 57% of large-cap respondents are currently considering revising corporate policies (including privacy, cyber, risk management, etc.) to address the use of AI.[19]

Although AI use cases span many industries, the current focus of AI-related attention (including usage, strategy, impact, disruption, competitive advantage, and risk) for large-cap respondents was focused primarily on sales/marketing (55%), product development (48%), legal (42%), human resources (36%), risk (30%), and finance/accounting (21%).[20]

With respect to internal company management of AI, responsibility is primarily delegated to IT/tech (56% of large-cap respondents), a cross-functional working group (47% of respondents), and legal (34% of respondents). At the board level, 25% of large-cap respondents reported not expressly delegating authority for primary oversight of AI, 19% reporting that the topic has not yet been addressed at the board level, 19% placing responsibility with the audit committee (or similar), 13% of respondents place responsibility with the technology committee, another 13% placing authority with the full board, and notably only 3% placing responsibility with the risk committee.[21]

There is a risk that at least some employees are using AI in a way that is not on the companies’ radar. A recent survey by the Conference Board found that “56% of workers are using generative AI at work but only 26% of those respondents said their organization has a policy related to its use.”[22] This use of AI presents risks, but it also shows the promise that AI presents across a wide variety of corporate functions.

Risks and Opportunities in the Use of Environmental Data Analytics Technology

Despite a relatively low rate of adoption of data analytics technology by large companies, smaller companies and organizations are already building such tools, especially to push for additional environmental and sustainability measures. These tools are not just novelties. They pose potential risks to companies because governments across the world are requiring the disclosure of increasingly large amounts of environmental and sustainability data. Environmental activists and large, especially European, investors are likewise demanding the disclosure of sustainability data, including human rights, supply chain, and human capital information. This disclosure of ever-larger amounts of data combined with increasingly powerful computing technology creates an ever-more-risky disclosure environment for public companies.[23]

Some examples of tools that are publicly known include Climate TRACE, which tracks and inventories companies’ emissions in real-time;[24] GreenWatch, which compares companies’ green claims to emissions performance;[25] Datamaran, which reviews and analyzes corporate governance data to assess a company’s ESG performance and identify areas for improvement;[26] Manifest Climate, which compares companies’ data to reporting frameworks, regulations, and peers;[27] and JUST Capital, which uses AI to rank companies on the basis of “just” business behavior, emphasizing ESG factors.[28] BreezoMeter offers real-time air quality data, promoting environmental transparency and awareness.[29] ClarityAI provides sustainability data to allow users to invest, shop, and benchmark based on that data.[30] These tools create risks but also present opportunities.

Of course, companies could consider using some of these tools, such as Datamaran or Manifest Climate, to their own advantage, especially to evaluate their compliance with complex regulations and ESG rules, and to compare their disclosures and metrics to other peers. Additionally, companies could consider using tools such as SustainLab, which provides a comprehensive platform for sustainability data management and reporting;[31] Ecogain, which uses AI to assist companies in setting and achieving sustainability goals;[32] and Turntide Technologies, which uses AI to optimize energy consumption in buildings.[33] Such tools could, for example, help companies ensure they comply with their state and federal reporting requirements.

SEC Recognition of Opportunities for the Use of AI

As companies have increasingly begun to deploy AI, the SEC has begun to consider how AI can be used to enhance its compliance and enforcement efforts. The agency describes several uses of AI in its most recent budget request to Congress, which describes the SEC’s “broader undertaking to initialize and integrate machine-learning and artificial intelligence-supporting technology, with the ultimate goal to innovate and develop usable tools for the staff that deploy predictive and information visualization models to create data analytics efficiencies, particularly in the rulemaking context, where the staff routinely receives significant and diffuse feedback from market participants during open comment periods.”[34]

In a September 10, 2023 speech to the annual meeting of the North American Securities Administrators Association (NASAA), SEC Commissioner Mark T. Uyeda discussed some of the potential benefits of AI use, including decreased operational costs for companies and expanded access to investors.[35] Importantly, Commissioner Uyeda also discussed how AI can be used to improve compliance efforts by both companies and regulators. For companies, Commissioner Uyeda noted that they will be able to use AI to detect fraud, monitor data, flag risk indicators, and identify patterns in data much faster.[36] Such uses might reduce costs for companies, result in more accurate determinations of compliance violations, and inform decisions about whether findings need to be escalated, including to regulators and law enforcement.[37] For regulators, AI can help sift through the large volumes of data included in Exchange Act filings, for example. Regulators can use AI to evaluate those filings and identify areas of potential risk.

IV. RISK MANAGEMENT STRATEGIES AND RECOMMENDATIONS

The growing use of data analytics technology by activist organizations and regulators to challenge companies’ business practices and regulatory disclosures puts pressure on companies to consider what actions they might take to implement tools of their own to respond to and preempt such efforts. We discuss four risk areas below: public disclosures and statements, activism and litigation, fraud and non-compliance with corporate policies, and misinformation about the company in news and media coverage. These risk areas intersect and impact one another. Accordingly, companies should consider how to leverage the tools discussed below across risk areas where appropriate.

However, it is important to take all the recommendations below as intended: Not as a promotion of any particular method or product but as an encouragement to consider how data analytics technology can help a company mitigate the risks created by the increasingly data-driven scrutiny of corporate financial and sustainability disclosures.

Leverage Data Analytics Technology to Assess Regulatory Filings, Investor Disclosures, and Public Statements for Areas of Regulatory Risk

Public companies are required and urged to disclose large amounts of information, and those disclosures must comply with an increasingly complex array of regulatory and third-party oversight. These disclosures create the potential for hundreds of opportunities for simple human error and intentional or reckless misstatements or omissions that are always judged in hindsight. Ensuring compliance with these requirements can be challenging, even under established, longstanding regulatory regimes.

Existing disclosure requirements present sufficient compliance risks because as noted above, the SEC has already begun proactively using data analytics technology to identify non-compliance.[38] Compliance is even more challenging when regulators adopt new disclosure requirements, which has been happening at a torrid pace. Without a clear interpretation, an enforcement track record, or guidance from courts, new disclosure rules can create significant regulatory uncertainty, increasing risk for companies required to file under the new rules. For example, the SEC’s new rules on cybersecurity disclosures for public companies significantly changed the status quo—imposing a substantial burden and introducing complexity to incident response for all public companies.[39]

Additionally, in the coming months, the SEC is expected to finalize new rules that would require public companies to disclose in their 10-Ks a potentially expansive amount of data relating to environmental and climate risks.[40] Not to be outdone, the California Legislature recently passed two bills that will impose significant and mandatory climate-related reporting requirements for large public and private companies doing business in California.[41] The bills require annual disclosure of audited Scope 1, 2, and 3 greenhouse gas emissions and biennial disclosure of certain climate risks.[42] The European Union is also implementing several directives over the coming years that will require multinational companies to disclose environmental, social, and governance data[43] and extensive human rights impacts across their value chains.[44] These directives and rules collectively will result in significantly more disclosures and could—indeed, are intended to—heighten the compliance, investigation, and litigation risks for companies.

There are several ways companies could use data analytics technology to assess and mitigate the risks posed by current and coming disclosure requirements. As an initial matter, companies could use some of the third-party tools described above to test their data and disclosures.[45] Companies could use existing data sets of SEC comment letters and enforcement actions to develop their own lists of SEC hot topics and trends. Companies could use data analytics technology to compare the disclosures of peer companies and compare those disclosures against their own. This type of analysis could help companies identify whether peers are handling their disclosures differently and inform changes to their disclosures if the analysis identifies gaps. Especially in uncertain or new regulatory environments, such as the SEC’s new cybersecurity reporting rules and its proposed emissions reporting rules, evaluating and learning from the disclosures of peer firms is an important way to mitigate risk. Data analytics technology can make that process more efficient and dynamic.

Companies could also employ data analytics technology to learn from the mistakes peer companies have made with their disclosures. For example, companies could analyze SEC or Environmental Protection Agency (EPA) enforcement actions and identify the issues that triggered regulatory scrutiny. Data analytics technology could enable analysis of a vast number of relevant enforcement actions to discern key compliance errors or patterns of enforcement. Companies could also cross reference the disclosures of peer companies against SEC or EPA enforcement actions to identify which disclosures triggered investigation and enforcement.

Looking inward to the company’s own data, data analytics technology could be used to evaluate internal controls and monitor and analyze hotline or whistleblower complaints. Similarly, companies could employ data analytics technology to analyze their own historical disclosures and compare them against current enforcement priorities and new regulations to determine what the potential risks are and what, if any, sections of the disclosures need to be updated or modified.

Companies also can learn from financial analysts and academics, who have devised ways to identify fraudulent activity in financial statements. None of these methods are proven, but combined, analytical methods like pattern recognition, Benford’s Law,[46] textual analysis of disclosures,[47] and ratio analysis can be proactively employed to test the company’s own information. The requirement by the SEC that companies disclose much of their data using XBRL (eXtensible Business Reporting Language) format means that much of the companies’ key data is reported in machine-readable, structured data format. This makes it easier for investors and third parties to analyze,[48] but also for companies to perform their own analyses.

Caution is warranted as companies begin to incorporate the use of these tools. Recent reporting has highlighted the shortcomings of AI when it comes to analyzing disclosures such as SEC filings.[49] Indeed, researchers have found that as of this writing, AI models are only able to answer relevant questions about an SEC filing with 79% accuracy.[50] However, the use of AI for discrete tasks that have been shown to produce accurate results and the use of non-AI data analytics on larger tasks, like the methods described above, may be valuable ways to improve a company’s disclosure review process. Moreover, it will be important to continue to monitor AI’s capabilities as the technology in this space is developing quickly.

Leverage Data Analytics Technology to Understand, Prepare for, and Respond to Activism and Litigation Relating to Public Disclosures

Companies may also be able to use data analytics technology to mitigate activism and litigation risk. Increasingly, activists and other organizations are using data analytics technology to evaluate companies’ advertisements, press releases, and disclosure documents and to compare them against actual performance, regulatory frameworks, and desired policy goals. This analysis can often result in shareholder activism, litigation or regulatory scrutiny, and reputational damage to the company.

Climate activist organizations have taken a particular interest in this approach, leveraging a growing number of data analytics technology tools to evaluate and report on companies’ climate change and environmental activities. For example, Datamaran reviews and analyzes corporate governance data, including ESG risks and opportunities, to assess a company’s ESG performance and identify areas for improvement.[51] Climate TRACE independently tracks companies’ emissions in real time, and has been described as the “world’s first global emissions inventory.”[52] GreenWatch contrasts companies’ green or sustainability claims against their actual emissions performance, and has been advertised as AI to detect “greenwashing.”[53]

Another existing tool is provided by Manifest Climate, which compares company data to reporting frameworks and regulations, as well as to peers. Using a dashboard format, Manifest Climate promises to employ AI to help companies with sustainability compliance and strategy. Specifically, the tool is designed to help companies “identify their climate-related risks and opportunities, track peer action and market trends, and provide better disclosures aligned with global reporting standards and frameworks including TCFD, SEC, CSA, ISSB and more.”[54] It promises to allow companies to compare themselves to peers, identify sustainability actions the company is taking that it is not disclosing, and serve as a climate risk management solution. These offerings are examples of ways companies may benefit from AI applied to sustainability reporting. The tool, and the others discussed throughout this memo, show some of the early capabilities that third parties are likely to apply against companies’ data.

Companies can likewise use AI to evaluate activists’ claims, employing their own analytics to evaluate and respond to allegations regarding inaccurate or misleading statements in their marketing materials, on their websites, and in their public filings and statements. This is a useful defensive tool, not just to respond to claims made in activist campaigns or shareholder engagements, but also to claims made in the media that may affect corporate reputation, trigger shareholder proposals or proxy fights, or draw regulatory scrutiny.

Data analytics technology can also play a role in mitigating risk in specific litigation. For example, in support of claims based on misleading statements and or deceptive marketing, plaintiffs often pull statements from particular documents at particular times and use them out of context. Companies facing such a lawsuit could consider using data analytics technology to analyze those statements, support responsive filings, and build a more complete and accurate narrative. But it is critical that companies comply with court orders and any other applicable rules and requirements, including rules of professional conduct, when using AI in the litigation context and strictly avoid relying on AI-generated content for filings or strategy.[55]

That said, the proactive use of data analytics technology is becoming more important in light of the increasing government focus on sustainability disclosures. In addition to the SEC’s efforts discussed above, the Federal Trade Commission (FTC) provides another example of increasing government scrutiny that creates risk. Under section 5 of the Federal Trade Commission Act, the FTC has the authority to “prevent persons, partnerships, or corporations” from using “unfair or deceptive acts or practices in or affecting commerce.”[56] There is a risk that a company’s public sustainability statements may come under scrutiny for being allegedly unfair or deceptive.

For example, activists are placing particular emphasis on so-called “greenwashing” statements and are pressuring the FTC to step in. In fact, the FTC has taken some action in this area, requesting public comment on its Guides for the Use of Environmental Marketing Claims (Green Guides).[57] First issued in 1992 and most recently revised in 2012, the Commission’s Green Guides, 16 C.F.R. part 260, address the applicability of section 5 of the FTC Act to environmental advertising and labeling claims.[58] The Green Guides outline general principles applicable to all environmental marketing claims, and provide specific guidance regarding many common environmental benefit claims.[59]

The EU proposed Green Claims Directive likewise will expand the regulatory scrutiny over sustainability claims. The directive lists actions “which are to be considered misleading if they cause or are likely to cause the average consumers to take a transactional decision that they would not have otherwise taken” and expands the lists of “commercial practices which are considered unfair in all circumstances . . . to four practices associated with greenwashing.”[60] It also imposes detailed substantiation requirements on sustainability claims.

With respect to FTC requests for comments about rulemaking, companies could employ AI to mine the comment submissions for keywords or themes. AI may help identify instances where the company’s interests are specifically mentioned and in what context. It could also recognize patterns in the comment submissions that hone in on the issues most addressed by commenters to help focus the company’s responses on the key issues. Moreover, companies could use this approach with respect to analyzing any large agency docket or action in which they are interested, understanding the critical issues, and formulating a responsive strategy. Regardless, companies should monitor the market because these types of tools are improving in quality and sophistication.

As a more general matter, companies can use data analytics technology both proactively and defensively to ensure that their public statements do not run afoul of these developing rules and standards. As described above, companies could employ data analytics technology to analyze and learn from the public statements of other companies, especially those of competitors. Companies could use the results to evaluate whether their public statements conform to standard practice and whether any similar statements have drawn regulatory scrutiny. More defensively, in an environment where third parties are using AI tools to analyze a company’s public statements, companies can use AI tools to run their own internal analyses of public statements prior to publication to identify and remediate any potential issues likely to be seized on by regulators, plaintiffs, or activists.

Increase the Use of Data Analytics Technology to Address Fraud and Non-Compliance with Corporate Policies and Procedures

Fraud and non-compliance with corporate policies and procedures are not new risks for companies, but as regulators increasingly employ new tools to detect fraud—as noted above—it is imperative that companies leverage data analytics technology internally to mitigate risk. Using basic structured query (“SQL”) language tools, for instance, companies are already using data analytics technology to continuously monitor and audit vast and complex data streams, looking for anomalies or behavioral patterns that may indicate fraud. SQL queries can compare data across tables and use statistical functions to identify discrepancies or outliers in data. SQL can be used to generate summary reports, which can be used to identify trends and patterns in data. Queries can also be used to analyze trends in data over time by comparing data across audits performed in different time periods.[61] Major banks already use data analytics technology to identify credit card and banking fraud and to maintain compliance with anti-money laundering and other rules, so this is an area that is relatively advanced in terms of the availability of off-the-shelf tools.[62] Some companies have been using data analytics technology to identify employee fraud and monitor for anti-corruption compliance.[63] The results can be used to guide internal investigations and to inform recommendations on how to improve internal policies and controls.

Use Data Analytics Technology to Help Identify and Combat Misinformation in News and Media Coverage About the Company and Its Business

News media reports about a company’s substantive business and compliance efforts may pose significant potential risks. News reports can serve as a trigger for government investigations, regulatory action, and lawsuits, and regulators and plaintiffs’ attorneys have been known to leverage information contained in such reports. They can also significantly impact corporate reputation and stock prices. Data analytics technology offers an efficient and automated method to comb the internet for relevant reports, articles, or statements, identify any misstatements or inaccuracies, and flag issues for decision. Such information could enable a company to quickly correct the record on inaccurate news pieces, publish responses, or address misleading statements through its public disclosures.[64]

V. CONCLUSION

Data analytics technology has now matured to a point where companies should consider how to harness it for enhancing compliance around their corporate financial and sustainability disclosures. There is far more growth to come, but there are opportunities for assessing regulatory filings and public disclosures; understanding and responding to activism and litigation; addressing fraud and non-compliance with corporate policies and procedures; and identifying and combating misinformation in news and media coverage about the company and its business. As regulators, activists, and others ramp up their data-driven scrutiny of corporate financial and sustainability disclosures, companies may want to stay ahead of those efforts.

__________

[1] As generally understood in the technology sector, data analytics (also known as data science) is a technology-agnostic discipline in which the data collected, generated, and maintained by an organization is subjected to statistical analysis for the purposes of providing the organization with insights relevant to its operations and objectives such that it can guide decision-making and help solve other organizational problems. Data analytics can be used, for example, in product development, supply chain management, and financial modeling. Data analytics also may help to identify and mitigate legal and compliance risks, which are the focus of this memorandum. For more information, see generally, e.g., Thor Olavsrud, What is data analytics? Analyzing and managing data for decisions, CIO (June 7, 2022), https://www.cio.com/article/191313/what-is-data-analytics-analyzing-and-managing-data-for-decisions.html.

[2] In the context of this alert, we discuss the capabilities of AI only as related to the analysis and mitigation of compliance risks, such that companies may consider that AI is not entirely distinct from data analytics.

[3] “An AI system is a machine-based system that is capable of influencing the environment by producing an output (predictions, recommendations or decisions) for a given set of objectives.” OECD.AI Policy Observatory, OECD AI Principles overview, https://oecd.ai/en/ai-principles (last visited Oct. 2, 2023).

[4] See Olavsrud, supra note 1.

[5] Id.

[6] Id.

[7] Id.

[8] Securities and Exchange Commission, SEC Charges Gentex and Chief Financial Officer in Connection with EPS Initiative (Feb. 7, 2023), https://www.sec.gov/enforce/34-96819-s.

[9] See here. Silver Law Group, What To Know About The SEC’s “EPS Initiative” (June 16, 2023), here.

[10] See Dave Michaels, SEC Probes Whether Companies Rounded Up Earnings Per Share, Wall St. J. (June 22, 2018), https://www.wsj.com/articles/sec-probes-whether-companies-rounded-up-earnings-1529699702?mod=article_inline.

[11] David Woodcock, Accounting Fraud: Down, But Not Out, Law360 (Sept. 11, 2015, 10:38 AM EDT), https://www.law360.com/articles/700727. (“There are now thousands of academic research papers on earnings management and accounting fraud, on the motivations, financial impacts and detection methods, among other things. They apply methods or concepts like Benford’s Law, quadrophobia, Beneish M-Scores, F-Scores, and cash flow variances, and they draw correlations between CEO/CFO driving records and propensity for ostentatious lifestyles. Their work is being used by regulators and analysts to detect accounting fraud earlier.”). The point here is that the SEC’s use of these tools is not new, but it is increasing as the agency seeks to harness data analytics technology for use in its review of public company disclosures and accounting.

[12] Securities and Exchange Commission, SEC Fiscal Year 2024 Congressional Budget Justification Annual Performance Plan (SEC 2024 Budget), 26, at https://www.sec.gov/files/fy-2024-congressional-budget-justification_final-3-10.pdf (“In addition, the SEC intends to invest in artificial intelligence/machine learning (AI/ML) and other capabilities to address the growing volume of data it receives, processes, analyzes, and makes available to the investing public.”).

[13] OECD.AI Policy Observatory, supra note 3.

[14] Id.

[15] Natalie Cooper, Bob Lamm, & Randi Val Morrison, Board Practices: Artificial intelligence, Harvard Law School Forum on Corporate Governance (Sept. 2, 2023), https://corpgov.law.harvard.edu/2023/09/02/board-practices-artificial-intelligence/#more-158903

[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] Id.

[21] Id.

[22] Frederic Lee, Employee AI Use Outpacing Workplace Policies, Agenda Week (Sept 29, 2023), here.

[23] David Woodcock, ESG and The Board: Avoiding Risky Business, The Corporate Board (Sept./Oct. 2023) (“[S]ustainability and ESG reports highlighting corporate disclosures and commitments have grown considerably in length over the past few years. According to one study, these have grown from an average length of 102 pages in 2019 to 165 pages in 2022. Almost every large company produces one.”),

[24] Climate TRACE, https://climatetrace.org/ (last viewed Oct. 2, 2023).

[25] GreenWatch, http://greenwatch.ai/ (last viewed Oct. 2, 2023).

[26] Datamaran, https://www.datamaran.com/ (last viewed Oct. 2, 2023).

[27] Manifest Climate, https://www.manifestclimate.com/ (last viewed Oct. 2, 2023).

[28] JUST Capital, https://justcapital.com/ (last viewed Oct. 2, 2023).

[29] BreezoMeter, https://www.breezometer.com/air-quality-map/ (last viewed Oct. 2, 2023).

[30] ClarityAI, https://clarity.ai/ (last viewed Oct. 2, 2023).

[31] SustainLab, https://sustainlab.co/ (last viewed Oct. 2, 2023).

[32] Ecogain, https://en.ecogain.se/ (last viewed Oct. 2, 2023).

[33] Turntide Technologies, https://turntide.com/ (last viewed Oct. 2, 2023).

[34] SEC 2024 Budget, supra note 12, at 25 (noting the importance of two requested data analyst positions: “The positions are critical to the division’s effort to support the agency’s broader undertaking to initialize and integrate machine-learning and artificial intelligence-supporting technology, with the ultimate goal to innovate and develop usable tools for the staff that deploy predictive and information visualization models to create data analytics efficiencies, particularly in the rulemaking context, where the staff routinely receives significant and diffuse feedback from market participants during open comment periods.”); 26 (“In FY 2024, the SEC Cloud Center of Excellence will continue to help drive modernization efforts within the Commission. The cornerstone of this program is a cloud platform that will allow the SEC to increase mission capabilities and agility through the use of modern software tools to enable data visualization, artificial intelligence, and machine learning.”).

[35] Mark T. Uyeda, Remarks to the 2023 NASAA Fall Annual Meeting—Modernizing Investor Protection for the Digital Age, Securities and Exchange Commission (Sept. 10, 2023), https://www.sec.gov/news/speech/uyeda-remarks-nasaa-091023.

[36] Id.

[37] Id.

[38] See supra note 8 (discussing SEC’s EPS initiative).

[39] Client Alert, SEC Adopts New Rules on Cybersecurity Disclosure for Public Companies, Gibson, Dunn & Crutcher LLP (July 31, 2023), https://www.gibsondunn.com/sec-adopts-new-rules-on-cybersecurity-disclosure-for-public-companies/.

[40] SEC Proposes Rules to Enhance and Standardize Climate-Related Disclosures for Investors, U.S. Sec. & Exch. Comm’n (Mar. 21, 2022), https://www.sec.gov/news/press-release/2022-46.

[41] Client Alert, California Passes Climate Disclosure Legislation, Gibson, Dunn & Crutcher LLP (Sept. 27, 2023), https://www.gibsondunn.com/california-passes-climate-disclosure-legislation/.

[42] Id.

[43] Client Alert, European Corporate Sustainability Reporting Directive (CSRD): Key Takeaways from Adoption of the European Sustainability Reporting Standards, Gibson, Dunn & Crutcher LLP (Aug. 23, 2023), at https://www.gibsondunn.com/european-corporate-sustainability-reporting-directive-key-takeaways-from-adoption-of-european-sustainability-reporting-standards/.

[44] Client Alert, European Commission Proposes Far-Reaching Human Rights and Environmental Due Diligence Obligations, Gibson, Dunn & Crutcher LLP (Mar. 11, 2022), at https://www.gibsondunn.com/european-commission-proposes-far-reaching-human-rights-and-environmental-due-diligence-obligations/.

[45] Note the guidance in the concluding section on certain risks to consider when doing this, including confidentiality of sensitive company data.

[46] Benford’s Law as a Quality of Reporting Indicator, Ideagen Audit Analytics, https://blog.auditanalytics.com/benfords-law-as-a-quality-of-reporting-indicator/ (last visited Jan. 1, 2024).

[47] Loughran, Tim and McDonald, Bill, Textual Analysis in Finance (June 17, 2020), available at https://ssrn.com/abstract=3470272.

[48] Audit Analytics, https://www.auditanalytics.com/ (last visited Oct. 2, 2023).

[49] AI Models Only 79% Accurate When Asked About SEC Filings, PYMNTS (Dec. 19, 2023), https://www.pymnts.com/artificial-intelligence-2/2023/ai-models-only-79-accurate-when-asked-about-sec-filings/ (last visited Jan. 10, 2024).

[50] Id.

[51] Datamaran, supra note 26.

[52] Climate TRACE, supra note 24.

[53] GreenWatch, supra note 25.

[54] Manifest Climate, supra note 27.

[55] Peter Hayes, Attorneys Must Certify AI Policy Compliance, Judge Orders, Bloomberg Law (May 31, 2023) (discussing Judge Brantley Starr’s standing order on the use of AI), available at https://news.bloomberglaw.com/litigation/attorneys-must-certify-ai-policy-compliance-judge-orders.

[56] 15 U.S.C. § 45.

[57] Federal Trade Commission, Request for Public Comment, Guides for the Use of Environmental Marketing Claims, 87 Fed. Reg. 77766 (Dec. 20, 2022), https://www.regulations.gov/document/FTC-2022-0077-0001.

[58] Id.

[59] Id.

[60] European Commission, Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on substantiation and communication of explicit environmental claims (Proposed Green Claims Directive) (Mar. 22, 2023), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52023PC0166&from=EN. This proposed directive is intended to work together with an earlier directive. See European Commission, Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL empowering consumers for the green transition through better protection against unfair practices and better information (Proposed Greenwashing Directive) (Mar. 30, 2022), https://eur-lex.europa.eu/resource.html?uri=cellar:ccf4e0b8-b0cc-11ec-83e1-01aa75ed71a1.0012.02/DOC_1&format=PDF.

[61] Muhammad Musa Mazhar, Audit Analytics: When writing few lines of SQL can help detect billion dollar fraud, LinkedIn (Dec. 22, 2022), https://www.linkedin.com/pulse/audit-analytics-when-writing-few-lines-sql-can-help-detect-mazhar/.

[62] See, e.g., J.P. Pressley, Why Banks Are Using Advanced Analytics for Faster Fraud Detection, BizTech (July 25, 2023), https://biztechmagazine.com/article/2023/07/why-banks-are-using-advanced-analytics-faster-fraud-detection#:~:text; Denis Francis, Imke Jacob, and Fadi Zoghby, The Data and Analytics Edge in Corporate and Commercial Banking, McKinsey Report (Mar. 23, 2023), https://www.mckinsey.com/industries/financial-services/our-insights/the-data-and-analytics-edge-in-corporate-and-commercial-banking; Jamie Dimon, Chairman and CEO Letter to Shareholders, JP Morgan Chase & Co. Annual Report 2022, https://reports.jpmorganchase.com/investor-relations/2022/ar-ceo-letters.htm (“We already have more than 300 AI use cases in production today for risk, prospecting, marketing, customer experience and fraud prevention, and AI runs throughout our payments processing and money movement systems across the globe. AI has already added significant value to our company. For example, in the last few years, AI has helped us to significantly decrease risk in our retail business (by reducing fraud and illicit activity) and improve trading optimization and portfolio construction (by providing optimal execution strategies, automating forecasting and analytics, and improving client intelligence).”).

[63] See, e.g., Angie Sullivan & Mathias Ward, Four ways to use data analytics to identify corruption red flags, Tableau, https://www.tableau.com/blog/identify-corruption-red-flags-using-data-analytics (describing four steps to using data analytics: (1) Identify corruption risk factors; (2) Design analytics to identify corruption red flags; (3) Risk rank transactions and perform testing; (4) Use analytics to provide proactive alerting of high-risk transactions).

[64] Even where companies already engage in proactive monitoring of the Internet for relevant material, AI could be used to perform or improve some of those functions.

The following Gibson Dunn attorneys assisted in preparing this update: Vivek Mohan, David Woodcock, Frances Waldmann, Hugh Danilack, and Samantha Yi*.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any of the leaders and members of the firm’s Artificial Intelligence, Securities Enforcement, or Securities Regulation and Corporate Governance practice groups, or the following authors:

Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
David Woodcock – Dallas (+1 214.698.3211, dwoodcock@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, hdanilack@gibsondunn.com)

Artificial Intelligence:
Cassandra L. Gaedt-Sheckter – Co-Chair, Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Vivek Mohan – Co-Chair, Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Robert Spano – Co-Chair, London/Paris (+44 20 7071 4902, rspano@gibsondunn.com)
Eric D. Vandevelde – Co-Chair, Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)

Securities Enforcement:
Richard W. Grime – Co-Chair, Washington, D.C. (+1 202.955.8219, rgrime@gibsondunn.com)
Mark K. Schonfeld – Co-Chair, New York (+1 212.351.2433, mschonfeld@gibsondunn.com)
David Woodcock – Co-Chair, Dallas (+1 214.698.3211, dwoodcock@gibsondunn.com)

Securities Regulation and Corporate Governance:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
James J. Moloney – Co-Chair, Orange County (+1 949.451.4343, jmoloney@gibsondunn.com)
Lori Zyskowski – Co-Chair, New York (+1 212.351.2309, lzyskowski@gibsondunn.com)

*Samantha Yi is an associate working in the firm’s Washington, D.C. office who currently is admitted to practice only in Maryland.

Key practitioners from our Los Angeles, Orange County, San Francisco, Washington, D.C. and Palo Alto offices hosted Gibson Dunn’s annual complimentary MCLE briefing which provides 8.0 hours of CLE credit, including specialty subjects such as Ethics, Elimination of Bias, and Competence Issues.

The 3-day program included the latest developments at the United States Supreme Court and SEC, Antitrust Hot Topics, State Bar New Reporting Requirements, and AI amongst other timely topics.

If you have any questions about the program or indeed future programs, please contact LAEvents@gibsondunn.com.

Leading Teams with Empathy

PANELISTS:

Tiaunia Henry
Abbey Hudson
Jarrett Green

AI Regulation + Governance: Recapping the Year Behind, Previewing the Year Ahead

PANELISTS:

Vivek Mohan
Eric Vandevelde
Cassandra L. Gaedt-Sheckter
Frances Waldmann

Impact of Recent Supreme Court Decisions on Corporate DEI Programs

PANELISTS:

Cynthia Chen McTernan
Katherine Smith

Jones v. City of Los Angeles: Gibson Dunn Achieves Historic Civil Rights Victory

PANELISTS:

Katie Marquart
Courtney Johnson
Lauren Blas

We’re All Snitches Now: The New State Bar Reporting Rule

PANELISTS:

Joe Rose
Poonam Kumar

Antitrust Hot Topics: Increased Enforcement Activity in Recent Years

PANELISTS:

Chris Whittaker
Caeli A. Higney
Chris Wilson
Amy Feagles

Supreme Court Roundup

PANELISTS:

Samuel Eckman
Elizabeth Dooley

SEC Rulemaking and Related Developments

PANELISTS:

Kevin Bettsteller
Mike Titera
Aaron Briggs

MCLE CREDIT INFORMATION:

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 8.0 credit hours, of which 1.0 credit hour may be applied toward the Elimination of Bias requirement, 1.0 credit hour may be applied toward the Competence Issues requirement, 1.0 credit hours may be applied toward the Ethics requirement and 5.0 credit hours may be applied toward the General Practice requirement.

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 8.0 credit hours, of which 2.5 credit hours may be applied toward the areas of Ethics and Professionalism; 1.0 credit hour may be applied toward the areas of Diversity, Inclusion and Elimination of Bias and 4.5 credit hours may be applied toward the areas of Professional Practice. These courses are approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 8.0 hours. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 8.0 hours toward your annual CLE requirement in Connecticut, including 2.5 hours of ethics/professionalism.

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

From the Derivatives Practice Group: U.S. derivatives news has been slow during the last two weeks, but a few international developments may pique your interest.

New Developments

SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping. [NEW]
CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
CFTC Chairman Announces Division of Data Appointments to Continue the CFTC’s Focus on Mission Critical Data. On December 21, CFTC Chairman Rostin Behnam announced two appointments in the Division of Data (DOD) intended to enhance the CFTC’s analytic capabilities as the agency aims to increase innovation in its data-driven culture. Ted Kaouk has been named Chief Data Officer and Director of DOD. Dr. Kaouk will spearhead data integration initiatives and collaborate with the CFTC’s offices and divisions in an attempt to help the agency make informed policy decisions. John Coughlan will serve as the agency’s first Chief Data Scientist. He will work to advance DOD’s data science expertise and expand the agency’s use of artificial intelligence to more effectively oversee the derivatives markets and meet its own regulatory requirements.

New Developments Outside the U.S.

RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II. [NEW]
Hong Kong Consults on Regulatory Regime for Stablecoins. On December 27, the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (HKMA) jointly issued a public consultation paper on the legislative proposal for implementing the regulatory regime for stablecoin issuers in Hong Kong. Under the proposed regime, an issuer would be required to obtain a license from the HKMA if it issues a stablecoin that references the value of one or more fiat currencies in Hong Kong. The licensed issuer will have to fulfil certain financial resources requirements, and will be required to put in place an effective stabilization mechanism, such as maintaining a pool of high-quality and highly-liquid reserve assets with proper custody arrangement. The proposed regime further imposes governance, risk management and AML/CFT measures on licensees. Interested parties are encouraged to submit written comments on or before February 29, 2024. [NEW]
ESAs Propose to Extend Equity Option Margin Exemption by Two Years. On December 21, the European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority and the European Insurance and Occupational Pensions Authority – published draft regulatory technical standards (RTS) proposing a two-year extension (until January 4, 2026) to the exemption for equity options from bilateral margining under the European Market Infrastructure Regulation (EMIR). These RTS have to be endorsed by the European Commission and are subject to non-objection by the Council of the EU and the European Parliament before they enter into force. The draft RTS are accompanied by a statement from the ESAs that competent authorities “should not priorityse any supervisory or enforcement action” relating to bilateral margining for equity options until the entry into force of these amended RTS or the adoption of a long-term solution under EMIR 3, whichever occurs first.” [NEW]

New Industry-Led Developments

ISDA Updates OTC Derivatives Compliance Calendar. On January 3, 2024, ISDA updated its global calendar of compliance deadlines and regulatory dates for the over-the-counter (OTC) derivatives space. The updated calendar can be found on the ISDA website.
ISDA Submits Response to HMT, FCA and PRA on UK EMIR. On December 20, ISDA and UK Finance submitted a joint response to His Majesty’s Treasury (HMT), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) on the reform of the UK EMIR. ISDA stated that ISDA and UK Finance submitted the response in an attempt to inform the next stage of the UK’s smarter regulatory framework reform package. In the response, the associations recommend a small number of clearly defined changes, seek certainty and permanence on current temporary exemptions and request an end to the current dependency on equivalence decisions for certain provisions (for instance, the intragroup exemption). [NEW]

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)

Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)

Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)

Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)

Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)

Adam Lapidus, – New York (+1 212.351.3869, alapidus@gibsondunn.com)

Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)

Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)

William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)

David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)

Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)

Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)

Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)

Key provisions of this Act came into force on 26 December 2023 and could affect businesses around the world. It is therefore essential to have a clear understanding of the new laws and what they could mean for your organisation.

Following intensive debate, King Charles III gave royal assent to the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) on 26 October 2023. As we set out in our client alert of 18 September 2023,[1] and in an article for Börsen-Zeitung of 25 November 2023,[2] the UK Government has described the corresponding bill as the most significant reform of the “identification doctrine”, which governed the attribution of criminal liability to corporate entities for more than 50 years.

Key Takeaways

The new laws governing how criminal liability can be attributed to a corporate entity for economic crimes apply to offences from 26 December 2023 onwards.
The ECCTA states that the actions of senior managers can be attributed to the corporate entity. The definition of senior managers is broad.
The new offence of failure to prevent fraud, which only applies to large organisations, cannot come into force until guidance is published. It is anticipated guidance will be published in the course of 2024.
The new laws governing attribution and the new offence of failure to prevent fraud can apply to non-UK corporate entities and to conduct outside the UK.
UK law enforcement agencies may use these laws to cooperate closely with foreign agencies. The principle of double jeopardy may not necessarily prevent prosecutions in multiple jurisdictions.
International companies should consider the practical steps outlined in this client alert, including identifying which officers and employees might fall within the definition of senior managers, assessing the extent to which they are exposed to risk of fraud, considering existing fraud prevention procedures and ensuring clear records of training and policies are retained.

New Rules of Attributing Criminal Liability to Corporate Entities

The ECCTA introduces the concept of a “senior manager” which defines whose actions can be attributed to a corporate entity. It is anticipated that this will allow prosecutors to fix companies with criminal liability more easily, as they no longer have to rely on the vague and narrowly applied “identification doctrine” which relies on identifying “the directing mind and will of the corporation”.[3] The concept of “senior manager” will include any individual who plays a significant role in:

the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or
the actual managing or organising of the whole or a substantial part of those activities.[4]

At present, the new attribution rules only apply to offences specified in schedule 12 of the ECCTA which are called “listed offences”[5] and include various economic crime offences such as cheating the public revenue, false accounting, money laundering, bribery or fraud. However, this list is apt to be extended to other offences in the future. Indeed, on 14 November 2023, the UK Government introduced the Criminal Justice Bill 2023 which seeks to extend the new attribution laws to all types of crime for which corporate liability may be appropriate.[6] This bill is being considered by the House of Commons and it is currently unclear if and when it may be passed.

Extraterritorial Effect

A key feature of the new attribution laws is their wide extraterritorial effect. Corporate entities may be held criminally liable for an offence, even if the offending took place outside the UK as long as the offending would constitute a criminal offence in the location where it took place (see section 196(3) ECCTA).[7] Consider the following example:

A pharmaceutical company has a UK headquarters and a subsidiary in Germany, which has been underperforming. The Head of Accounting is based in Munich and is also a member of the management board of the German entity. She overstates the revenue of the German subsidiary when submitting the annual accounts in order to “smooth things over” until business improves. Therefore, the accounts of the Group were significantly inflated.

In Germany, this could constitute the offence of false accounting under section 331 of the Commercial Code (Handelsgesetzbuch). In the UK, this conduct could constitute false accounting under the Theft Act 1968 which is an offence listed in schedule 12 of the ECCTA. This means that both the German entity and the UK headquarters could potentially face prosecution in the UK.

Because the ECCTA does not require the corporate entity or partnership to be incorporated or formed in the UK, on its face, the ECCTA does not expressly require any particular tie to the UK. However, when introducing section 196(3), Parliament pointed out that a UK connection is required: “…criminal liability will not attach to an organisation based and operating overseas for conduct carried out wholly overseas simply because the senior manager concerned was subject to the UK’s extraterritorial jurisdiction; for instance, because that manager is a British citizen. Domestic law does not generally apply to conduct carried out wholly overseas unless the offence has some connection with the UK. This is an important matter of international legal comity.”[8]

The extraterritorial ambit of the underlying offence will be relevant. As Parliament also noted, some offences, wherever they are committed, can be prosecuted against individuals or organisations who have certain close connections to the UK. Consider this example:

A telecommunications company has a UK headquarters and a subsidiary in Germany. The German subsidiary recently pitched for a large contract in India which, if successful, would boost its business and benefit the whole group. The German Head of Sales thought the pitch went well, but in order to be sure, he offers his contact in India an all-expenses paid holiday at a five star resort in Spain, on the understanding that the German subsidiary will be awarded the contract.

In Germany, this could constitute the offence of giving bribes in commercial practice (sec. 299 of the German Criminal Code). In the UK, this conduct could constitute the offence of bribing another person under the UK Bribery Act 2010 (“UKBA”) which is an offence listed in schedule 12 of the ECCTA. Both corporate entities, i.e. the German subsidiary and the UK headquarters, could potentially face prosecution in the UK. Prior to the ECCTA, it would have been difficult to prove that a Head of Sales was a directing mind and will of the company and prosecutors would arguably only have been able to bring charges for failure to prevent bribery.[9] However, it is likely that the Head of Sales would fall under the definition of senior manager and therefore allow the corporate entities to be prosecuted for the principal bribery offence,[10] despite their being no involvement by a board member.

It is also noteworthy that the new rules of attribution also apply to attempts or conspiracy to commit offences listed in schedule 12 as well as aiding, abetting, counselling or procuring the commission of those offences.[11] A senior manager may be based outside the UK but act as an accomplice to a UK offence. For example, a banker working for a Frankfurt bank could put the German bank at risk if he encouraged a London-based employee of its UK subsidiary to act in violation of the Financial Services and Markets Act 2000.

The new rules of attribution follow an international trend to hold legal entities more comprehensively accountable for criminal conduct committed by employees and other representatives. For instance, although German law does not recognise criminal liability of corporate bodies as such, the German Administrative Offences Act (Ordnungswidrigkeitengesetz, “OWiG”) allows a legal entity to be fined if certain “leading individuals” (Leitungspersonen) commit a criminal or an administrative offence. While some clarifications by the competent courts will be needed, the standard of a “leading individual” is arguably comparable with the notion of a “senior manager” now adopted under UK law.

The Offence of Failure to Prevent Fraud

The ECCTA introduces a new corporate offence of “failure to prevent fraud”[12] which, following a controversial debate between the House of Commons and the House of Lords, only applies to “large organisations”.[13] Before this offence comes into force, guidance must be published[14] and it is anticipated that this will happen in 2024.

Under the new offence, an organisation will be liable where a specified fraud offence is committed by an “associate” for the organisation’s benefit (an employee, subsidiary or agent, or a person who otherwise performs services for or on behalf of the organisation), and the organisation did not have reasonable fraud prevention procedures in place. Importantly, it does not need to be demonstrated that senior personnel ordered or knew about the fraud.

The new offence will apply to bodies corporate and partnerships wherever incorporated or formed.[15] However, the Government Factsheet envisages there being a UK nexus: “If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.”[16] The offence is clearly intended to have a broad application and could, for example, apply to any organisation offering goods and services through a website or providing an internet marketplace accessible to consumers based in the UK.

In order for an organisation to be guilty of the offence of failure to prevent fraud, an offence listed in schedule 13 ECCTA has to be committed. The listed offences include, for example, the statutory offences of fraud, false accounting, false statements by company directors, fraudulent trading or the common law offence of cheating the public revenue.[17] This includes aiding, abetting, counselling or procuring the commission of a listed offence, but – in contrast to section 196(2) – does not extend to conspiracies.[18]

In order to understand the extraterritorial reach of the offence of failure to prevent fraud, the jurisdictional ambit of the underlying offences in schedule 13 should be considered. On the basis of the Criminal Justice Act 1993 and the common law principles, the courts of England and Wales can: “apply the English criminal law where a substantial measure of the activities constituting a crime take place in England, and restrict its application in such circumstances solely in cases where it can seriously be argued on a reasonable view that these activities should, on the basis of international comity, be dealt with by another country.” (see R v Smith (Wallace Duncan) (No. 4))[19]. Consider the following example:

An international construction firm incorporated in France planned to build and sell a number of holiday cottages across France. The holiday cottages were specifically marketed to and attracted a number of UK investors. The construction firm ran out of money making it highly unlikely that the cottages would be built. However, the managers directed their sales team to continue selling the cottages anyway. They also discussed the issue with the construction firm’s auditors which led to the auditors signing off accounts, knowing they did not reflect the true financial position of the construction company. The result was that many individuals in the UK who had invested in the properties lost considerable amounts of money.

In the example above, both the construction firm and the auditing company in France may be exposed to prosecution for the offence of failure to prevent fraud on the basis that UK victims were targeted. Given the changes to the “identification doctrine” set out above, there might also be an argument to prosecute both companies for the underlying offence of fraud by false representation,[20] given in the impact on UK victims.

The above example also raises the question of whether corporate entities will be prosecuted for both the underlying offence e.g. fraud by false representation, and the offence of failure to prevent fraud for the same conduct. The Crown Prosecution Service guidance indicates that this is possible in relation to offences under the UKBA[21] but it does not appear to have happened in practice.

The underlying legal concept of the new offence and of similarly structured offences under English law,[22] is comparable with certain provisions under civil law systems (e.g. section 130 of the German OWiG)[23] which aim to sanction improper supervision.

Cooperation between Law Enforcement Agencies

The current trend of national enforcement authorities working together in cross-border cases is likely to continue and may expand to use the new legal tools under the ECCTA. In the examples set out above, it is conceivable that at least the individuals and the subsidiaries in Germany may find themselves prosecuted by German criminal law enforcers – in addition to prosecution by UK authorities.

In particular, the EU-UK Trade and Cooperation Agreement (“EU-UK Agreement”) governs the relationship between the EU and the UK post Brexit. It contains provisions about cooperation in criminal matters between the UK and EU Member States,[24] including mutual judicial assistance, surrender, exchange of criminal record information, and confiscation. Furthermore, the EU-UK Agreement strives to ensure that special EU enforcement agencies like Europol and Eurojust cooperate with UK authorities. In addition to cooperation between the UK and EU Member States, the UK is also party of numerous other bilateral treaties on mutual legal assistance in criminal matters.[25]

In its Annual Report for 2022, Eurojust stated that the United Kingdom participated in 29 Joint Investigation Teams and 79 coordination meetings.[26] While many investigations of Eurojust concern crimes like human trafficking and smuggling, these figures suggest that UK law enforcement may also seek cooperation in cases relating to offences under the ECCTA.

The new Director of the SFO, Nick Ephgrave QPM has now been in place for just over three months, and it remains to be seen how he will guide the agency and use the new legal tools at his disposal and whether he continues the moves towards greater international cooperation. In the past, there have been several examples of successful cooperation between different enforcement agencies such as the settlement that Airbus SE reached with the UK, the United States and French authorities in 2020. All three settlement agreements were approved by the courts in each jurisdiction on the same day, indicating strong cooperation efforts between the three states involved.[27] In its judgment approving the DPA, the UK High Court stressed that international cooperation is crucial in cases of corporate wrongdoings across jurisdictions for many reasons, including to avoid forum shopping for settlements.[28]

The risk of an organisation being prosecuted in both the UK and other states for the same criminal conduct also depends on whether each jurisdiction applies the principle of double jeopardy. Generally, a defendant in the UK may argue that he should not be tried for the same offence in law and fact for which he was previously convicted or acquitted (autrefois acquit or autrefois convict). A UK conviction may not automatically prevent EU Member States from double prosecution, but only influence the sentencing in that other jurisdiction. International double jeopardy, however, is not uniformly accepted. Therefore, whether a jurisdiction will prohibit the prosecution of misconduct that was already resolved by a foreign court, must be determined on a case-by case basis, depending on which states are involved.[29]

Practical Steps

Following the new attribution laws in force since 26 December 2023 and in anticipation of the new offence of failure to prevent fraud likely coming into force later this year, we have set out some practical steps to be considered by corporate entities both inside and outside the UK.

Risk Analysis: companies should determine the business units most likely to be affected by the new regulations and the audience which may need particular training and supervision. This analysis may cover a variety of aspects such as:

the extent to which UK customers may be impacted by the business activities, predominantly with respect to selling goods or services to UK customers;
any other connection the entity has to the UK. This could include a subsidiary entity, a branch, employees working remotely or on secondment in the UK, as well as suppliers or other business partners in the UK;
identification of individuals who fall within the ECCTA definition of a “senior manager” whether they are based inside or outside the UK. Check whether the titles of individuals accurately reflect their roles, and whether the responsibilities of their managers are clearly defined and documented;

considering any parts of the business which are potentially vulnerable to the offences listed in schedules 12 and 13 of the ECCTA (e.g. offences under Financial Services and Markets Act 2000 may be particularly relevant for organisations offering financial services).

Recordkeeping: corporate entities should keep a clear record of policies, including previously applicable versions, and of conducted training. If needed, this might assist organisations in the future to show that reasonable prevention procedures were in place. These training materials and policies should reflect the outcome of the risk analysis mentioned above and address the practical realities of the relevant business units.

Culture: senior leadership teams may wish to consider whether any changes can be made to promote an open “anti-fraud” culture.

Whistleblowing: consider revising whistleblowing procedures to enable reporting of potential violations of foreign laws. This should assist with early identification of potential risks. Many enterprises in the EU are currently reviewing their procedures on whistleblowing in light of the EU whistleblowing directive and the respective implementation laws.[30]

Monitoring: the status and effectiveness of the compliance framework will need to be checked, regularly reviewed and continuously developed with regard to the risks arising from the ECCTA. This should include a regular testing of the threshold values for determining a “large organisation” as well as monitoring the catalogue of offences in schedules 12 and 13 of the ECCTA and associated legal risks. This will enable corporate entities to have a good overview of their current status and allow them to quickly assess whether they meet the requirements of the guidance once it is published. Obviously, a comprehensive review should take place once the UK Government has published its guidance on reasonable preventive measures, which we expect to happen in the course of 2024.

__________

[1] Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud.

[2] London verschärft das Unternehmensstrafrecht.

[3] See our previous client alert, Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud for further detail.

[4] Economic Crime and Corporate Transparency Act 2023, s 196(4).

[5] Economic Crime and Corporate Transparency Act 2023 schedule 12.

[6] Criminal Justice Bill, Committee debates: compilation pdf of sittings so far, page 68.

[7] Economic Crime and Corporate Transparency Act 2023 s 196(3).

[8] https://hansard.parliament.uk/Lords/2023-06-27/debates/EF8264AF-6478-470E-8B37-018C4B278F6E/EconomicCrimeAndCorp rateTransparencyBill.

[9] UKBA, s 7.

[10] UKBA, ss 1, 2, 6.

[11] Economic Crime and Corporate Transparency Act 2023, s 196(2).

[12] Economic Crime and Corporate Transparency Act 2023, s 199.

[13] As defined in Economic Crime and Corporate Transparency Act 2023, ss 201, 202. For further discussion see our previous client alert, Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud.

[14] Economic Crime and Corporate Transparency Act 2023, s 219(8).

[15] Economic Crime and Corporate Transparency Act 2023, s 199(13).

[16] Factsheet: failure to prevent fraud offence of 26 October 2023.

[17] Schedule 13 ECCTA.

[18] Economic Crime and Corporate Transparency Act 2023, s 199(6).

[19] [2004] EWCA Crim 631.

[20] Section 2 Fraud Act 2006.

[21] Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions.

[22] See, e.g. failure to prevent bribery under the UKBA or failure to prevent facilitation of UK tax or foreign evasion offences under the Criminal Finances Act 2007.

[23] Although OWiG, s 130 and the new UK offence sanctioning failure to prevent fraud have some similarities, there are also notable differences. Unlike ECCTA, s 199, the provision under German law is not limited to fraud offences and does not require that the person is acting with the intend to benefit anybody. Furthermore, unlike OWiG, s 130, the ECCTA establishes a direct criminal liability of the corporation itself. It is the responsibility of the corporation itself to prove that it had the necessary preventive procedures in place at the time the fraud offence was committed to avoid criminal liability. Under OWiG, s 130, the prosecution will take into account the preventive measures of the individual person obliged to exercise proper supervision.

[24] Pursuant to Article 633 (1) EU-UK Trade and Cooperation Agreement, the provisions on mutual assistance (Title VIII) are meant to supplement and facilitate the provisions of the European Convention on Mutual Assistance in Criminal Matters, done at Strasbourg on 20 April 1959 and its additional protocols.

[25] For a full list of all bilateral treaties, see https://www.gov.uk/government/publications/bilateral-treaties-on-mutual-legal-assistance-in-criminal-matters.

[26] European Union Agency for Criminal Justice Cooperation, Annual Report 2022 – Eurojust Activity Map, United Kingdom.

[27] See the respective press releases on 31 January 2020: U.S. Department of Justice; Serious Fraud Office, and the Parquet National Financier.

[28] SFO v Airbus SE, Case No: U20200108, 31 January 2020, para. 92.

[29] For an overview of national and international double jeopardy in various jurisdictions, see OECD, Resolving Foreign Bribery Cases with Non-Trial Resolutions, OECD Data Collection Questionnaire Results (2019) pp. 231 et seq.

[30] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. National implementation laws do not necessarily require that violations for foreign law can be reported, see e.g. section 2(1) no. 1 of the German Whistleblower Protection Act (Hinweisgeberschutzgesetz).

The following Gibson Dunn lawyers prepared this client alert: Matthew Nunan, Allan Neil, Patrick Doris, Benno Schwarz, Katharina Humphrey, Amy Cooke, Andreas Dürr, Rebecca Barry, Sam Firmin*, Vanessa Ludwig, and Julian Reichert.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s White Collar Defense and Investigations and Anti-Corruption and FCPA practice groups, or the following authors in Frankfurt, London and Munich.

London:
Matthew Nunan (+44 20 7071 4201, mnunan@gibsondunn.com)
Allan Neil (+44 20 7071 4296, aneil@gibsondunn.com)
Patrick Doris (+44 20 7071 4276, pdoris@gibsondunn.com)
Amy Cooke (+44 20 7071 4041, acooke@gibsondunn.com)
Rebecca Barry (+44 20 7071 4086, rbarry@gibsondunn.com)
Sam Firmin* (+44 20 7071 4051, sfirmin@gibsondunn.com)

Munich / Frankfurt:
Benno Schwarz (+49 89 189 33-110, bschwarz@gibsondunn.com)
Katharina Humphrey (+49 89 189 33-155, khumphrey@gibsondunn.com)
Andreas Dürr (+49 89 189 33-219, aduerr@gibsondunn.com)
Julian Reichert (+49 89 189 33-229, jreichert@gibsondunn.com)
Vanessa Ludwig (+49 69 247 411-531, vludwig@gibsondunn.com)

*Sam Firmin is a staff attorney working in the firm’s London office.

Law	Annual Gross Revenue	Annual Processing of Consumers’ Data	Other Thresholds
CCPA/CPRA (California)	$25 million or more.	Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices.	Derives 50% or more of their annual revenue from selling California residents’ personal information.
VCDPA (Virginia)	N/A	Controls or processes the personal data of at least 100,000 Virginia consumers.	Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
CPA (Colorado)	N/A	Processes the personal data of more than 100,000 Colorado individuals.	Derives revenue or receives discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
CTDPA (Connecticut)	N/A	Controls or processes the personal data of at least 100,000 Connecticut consumers.	Controls or processes the personal data of at least 25,000 consumers and derives over 25% of gross revenue from the sale of personal information.
UCPA (Utah)	$25 million or more.	Controls or processes the personal data of 100,000 or more Utah consumers.	Controls or processes the personal data of 25,000 or more Utah consumers and derives 50% or more of gross annual revenue from sale of personal data.
FDBR (Florida)	$1 billion or more.	N/A	(i) Derives 50% or more of its global annual revenues from targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation; or (iii) operates an app store that offers at least 250,000 software applications for consumers to download.
TDPSA (Texas)	N/A	N/A	(i) Conducts business in Texas or produces products/provides services consumed by residents of Texas; (ii) processes or engages in the sale of personal data; and (iii) does not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions).
OCPA (Oregon)	N/A	Controls or processes the personal data of 100,000 or more Oregon consumers, other than for completing a payment transaction.	Controls or processes the personal data of 25,000 or more Oregon consumers and derives 25% or more of gross revenue from sale of personal data.
MTCDPA (Montana)	N/A	Controls or processes the personal data of 50,000 or more Montana consumers, excluding for the purpose of completing payment transactions.	Controls or processes the personal data of 25,000 or more Montana consumers and derives more than 25% of gross revenue from sale of personal data.
ICDPA (Iowa)	N/A	Controls or processes the personal data of 100,000 or more Iowa consumers.	Controls or processes the personal data of 25,000 or more Iowa consumers and derives more than 50% of gross revenue from the sale of personal data.
DPDPA (Delaware)	N/A	Controls or processes the personal data of at least 35,000 Delaware residents, excluding for the purpose of completing payment transactions.	Controls or processes the personal data of at least 10,000 Delaware residents and derives more than 20% of its gross revenue from the sale of personal data.
NJDPA (New Jersey)	N/A	Controls or processes the personal data of at least 100,000 New Jersey consumers.	Controls or processes the data of at least 25,000 New Jersey consumers and derives revenue or receives a financial benefit from the sale of the data.
TIPA (Tennessee)	$25 million or more.	Controls or processes the personal data of 170,000 or more Tennessee consumers.	Controls or processes the personal data of 25,000 or more Tennessee consumers and derives more than 50% of gross revenue from sale of personal information.
INCDPA (Indiana)	N/A	Controls or processes the personal data of 100,000 or more Indiana residents.	Controls or processes the personal data of 25,000 or more Indiana consumers who are residents and derives more than 50% of gross revenue from the sale of personal data.