Gibson Dunn has formed a Workplace DEI Task Force, bringing to bear the Firm’s experience in employment, appellate and Constitutional law, DEI programs, securities and corporate governance, and government contracts to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).
Fearless Fund Oral Argument:
On January 31, 2024, the Eleventh Circuit heard oral argument in American Alliance for Equal Rights’ (AAER) appeal of the district court’s denial of its motion for preliminary injunction in American Alliance for Equal Rights v. Fearless Fund Management, LLC, No. 23-13138 (11th Cir. 2023). On the panel were Judge Robin S. Rosenbaum, Judge Kevin C. Newsom, and Judge Robert J. Luck.
During the argument, AAER asserted that Fearless Fund’s charitable grant program—which provides $20,000 grants to Black female entrepreneurs—is a racially discriminatory contract subject to Section 1981. But Fearless Fund, represented by Gibson Dunn, asserted that the program is expressive speech protected by the First Amendment, such that the traditional Section 1981 analysis does not apply.
Judge Rosenbaum addressed the First Amendment issue, asking counsel for AAER, Gilbert Dickey of Consovoy McCarthy, “if . . . the entire point of the organization and the donation is to send the message that . . . Black businesswomen are worthy and have been overlooked and left out, then why isn’t that speech?” Mr. Dickey responded that the case law does not permit consideration of an organization’s “previously expressed views to decide whether the actual conduct is expressive.” Pressed further by Judge Newsom to explain the “hydraulic relationship between whether [the program] is subject to Section 1981 and the First Amendment interests at stake,” Mr. Dickey questioned whether a donation in any circumstance could be considered expressive. And in response to Judge Rosenbaum’s hypothetical contest awarded to whoever “does the most to further Black businesswomen,” Mr. Dickey argued that “implications of this case for the First Amendment are pretty minor” because nonprofits would be “free to discriminate based on the message an organization is sending but not on protected characteristics.”
Arguing on behalf of Fearless Fund, Jason Schwartz of Gibson Dunn emphasized that Fearless Fund’s grant program is “core expressive activity” in line with the “proud tradition in this country” of charitable giving by organizations dedicated to specific causes. He called AAER’s suit an “unprecedented effort to use Section 1981 to force a charity to reverse its message or shut down.” Mr. Schwartz argued this inappropriate application of the Reconstruction-era statute would force an untenable result: “give to everyone or no one.”
Mr. Schwartz distinguished “traditional commercial transactions—employment, housing,” from “charitable giving . . . recognized as protected by the First Amendment,” emphasizing that “Americans speak with their money; they magnify their message with their money.” To explore this line between regulatable conduct and First Amendment-protected speech, Judge Luck posed several hypotheticals, including whether, under Fearless Fund’s reasoning, a charity’s contract for the purchase of office supplies would warrant similar protection. When Judge Luck pressed on the claim that “just because it’s a charity it falls outside of 1981 . . . that can’t be right,” Mr. Schwartz agreed, but contended that, here, “the core expressive activity of the Fearless Foundation is to send this message, which, for what it’s worth, is the message of Section 1981.”
Judge Newsom also presented Mr. Schwartz with a hypothetical from AAER’s brief—a “white man only contest”—to which Mr. Schwartz responded, “First of all, no matter how repugnant I might find that, the First Amendment protects all speech,” explaining that a program set up the same way as the Fearless Fund program may be protected, depending on how it is structured.
Mylan Denerstein of Gibson Dunn, also on behalf of the Fearless Fund, argued that AAER had not met the high bar for organizational standing, noting that AAER’s position would require “the court [to] grant a preliminary injunction when we don’t even know who the businesses are.” She emphasized that AAER “fail[ed] to state that they’ve applied for grants or need money or mentorship” and “don’t show the viability of their business,” which further weighed against finding injury sufficient for standing.
The panel did not indicate when it expects to issue a ruling.
Media Coverage:
- AP, “Grant Program for Black Women Comes under Tough Questioning in Key Anti-DEI Lawsuit” (including post-argument press conference video) (January 31)
- Law360, “11th Circ. Weighs Legality of Grant Contest for Black Women” (January 31)
- Law.com, “Appellate Judges Ask if Civil Rights Law Bars Grant Program for Black Business Women” (January 31)
- Courthouse News Service, “Challenge to Grant Program for Black Women Entrepreneurs Lands at 11th Circuit” (January 31)
- CNN, “Fearless Fund Challenges Court Order Blocking a Grant Program Exclusively for Black Women Entrepreneurs” (January 31)
- Atlanta Journal-Constitution, “Fearless Fund Goes to Court Again in Racial Discrimination Lawsuit” (January 31)
- U.S. News & World Report, “Venture Capital Fund Defends Grants for Black Women in U.S. Appeals Court” (January 31)
- Bloomberg Law, “Venture Fund’s Diversity Grant Defense Meets Doubtful Court” (January 31)
- Reuters, “Venture Capital Fund Defends Grants for Black Women in U.S. Appeals Court” (January 31)
- Wall Street Journal, “Minority Business Grants: A New Front in the Legal Battle Over Racial Preferences” (January 31)
Key Developments:
On January 30, 2024, Utah Governor Spencer Cox signed House Bill 261 (“HB 261”) into law. HB 261 prohibits state education institutions and government entities from using DEI statements in hiring and providing trainings promoting differential treatment based on personal identity characteristics. HB 261 also mandates that state education institutions replace DEI offices with general access “student success and support” offices. The bill defines maintaining any of these policies or programs as a “prohibited discriminatory practice.” HB 261 progressed rapidly through the legislature, passing only ten days after its introduction. Alongside it, another anti-DEI bill in Utah, House Bill 111 (“HB 111”), has been voted out of committee to the full House. As introduced, HB 111 would prohibit private employers from requiring training in or compelling beliefs about various DEI-related concepts, although the bill was significantly weakened in committee. We are tracking the progress of this bill and will provide additional updates if it passes.
On January 26, 2024, Students for Fair Admissions (“SFFA”) asked the Supreme Court to grant an emergency injunction in its ongoing battle against West Point, bringing its campaign against race-conscious admissions back to the nation’s highest court. SFFA sued West Point on September 19, 2023, arguing that the military academy’s continued use of race-conscious admissions after SFFA v. Harvard is unconstitutional. After the district court denied its request for a preliminary injunction on January 3, 2024, SFFA filed an emergency appeal to the Second Circuit the next day. Instead of waiting for the Second Circuit to rule, SFFA filed an emergency application for an injunction with the Supreme Court, requesting that the court enjoin West Point from considering applicants’ race after the school’s application window closes on January 31. SFFA argued that West Point should be subject to the same constitutional analysis as other schools, despite language in SFFA v. Harvard suggesting military academies might receive more deference. SFFA claimed West Point applicants will suffer irreparable harm if the Supreme Court does not act before West Point’s application cycle closes on January 31. On January 30, 2024, West Point filed its opposition to SFFA’s requested injunction, arguing that there is no “emergency” supporting the injunction, since West Point has been considering applications since August 2023, will continue to do so through May 2024, and has already issued offers to hundreds of candidates. West Point also noted that SFFA failed to establish irreparable harm because SFFA’s members remain eligible to apply to West Point for at least three additional admissions cycles. West Point asserted that the military’s judgment merits “substantial deference” and that a diverse officer corps is “necessary for an effective fighting force.”
On January 25, 2024, America First Legal (“AFL”) filed a formal judicial conduct complaint with Chief Judge Diane S. Sykes of the United States Court of Appeals for the Seventh Circuit. The complaint accuses three judges on the United States District Court for the Southern District of Illinois—Chief Judge Nancy J. Rosenstengel, Judge Staci M. Yandle, and Judge David W. Dugan—of race and sex discrimination in violation of the Rule for Judicial-Conduct and Judicial-Disability Proceedings 4(a), Judicial Code of Conduct Canon 2(A), and the Fifth Amendment of the United States Constitution. Specifically, the complaint highlights the judges’ policies allowing parties to move for oral argument with the promise that, if the motion is granted, a “newer, female, [or] minority attorney” will argue the motion. AFL’s complaint maintains that these policies intentionally discriminate on the basis of sex and race, amounting to “cognizable judicial misconduct” under the applicable judicial rules. Further, AFL argues that allowing these policies to stand undermines judicial integrity and public trust in the judicial system as it gives some parties additional advocacy opportunities for their clients solely on the basis of an advocate’s race or gender.
On January 17, 2024, AFL filed an administrative complaint with the Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”), seeking investigations into three airlines—American Airlines, United Airlines, and Southwest Airlines—for alleged violations of federal contract law. AFL claimed that the airlines’ race-based and gender-based hiring targets constitute race- and sex-based discrimination in violation of Executive Order 11246, which requires government contracts to contain an Equal Opportunity Clause prohibiting discrimination, and authorizes the Secretary of Labor to sanction government contractors via contract cancellation, ineligibility, and other penalties. AFL’s American Airlines letter mentioned the airline’s stated commitment to DEI and programs available to Black professionals, while the Southwest letter cited the increase in the company’s diverse hires as evidence of unlawful consideration of race and gender in hiring. Finally, the United letter cited DEI targets in the airline’s 2022 Corporate Responsibility Report and DEI initiatives that favor women and minority-owned subcontractors. These letters follow the November 1, 2023 civil rights complaints AFL submitted to the EEOC regarding the same airlines.
On January 17, 2024, AFL sent a FOIA request to the Federal Bureau of Investigation (FBI). AFL requested all records of communications to and from the FBI’s Chief Diversity Officer, Scott McMillion, from April 2021 to April 2023. Citing McMillion’s comments that “diversity, equity, inclusion and accessibility is literally within [the FBI’s] DNA” and an FBI diversity report that showed the agency has increased employee racial, ethnic, and gender diversity, AFL speculated that the FBI’s hiring process violates Title VII and the Equal Protection Clause.
On January 11, 2024, AFL filed a letter with the EEOC calling for the Commission to conduct an investigation of Nike. AFL accused Nike of knowingly and intentionally using race, color, sex, and national origin as motivating factors in numerous employment decisions in violation of Title VII. AFL sent a similar letter to Nike’s board, highlighting the same alleged violations. In the letters, AFL pointed to language on Nike’s website expressing the company’s intent to set “clear and ambitious targets . . . to increase diverse representation at Nike.” AFL claimed that one way Nike realizes this target is through the creation of “Employee Networks,” which are limited to members of eight specific “favored categories.” These categories focus on race, sex, or gender. AFL maintained that Nike’s explicit focus on only those categories demonstrates the company’s discriminatory intent to deprive “whites, males, and heterosexuals” of the opportunity to gain “real benefits” from inclusion in these Employee Networks. Additionally, AFL cited Nike’s self-reported data as evidence of the company’s express intent to discriminate in favor of certain historically underrepresented demographics. For example, AFL cited Nike’s Fiscal Year 2022 report, which states that the company achieved 51% gender diversity and 38.8% racial diversity. AFL claimed that featuring these statistics demonstrates Nike’s efforts to discriminate against other demographics.
Media Coverage and Commentary:
Below is a selection of recent media coverage and commentary on these issues:
- New York Times, “‘America Is Under Attack’: Inside the Anti-D.E.I. Crusade” (January 20): The Times’s Nicholas Confessore reports on thousands of documents newly obtained by the newspaper, providing new details about the recent wave of anti-DEI bills being considered—and in some instances, passed—in state legislatures. Despite polls showing that most Americans support the values underlying DEI, over 20 states considered or passed anti-DEI legislation in 2023. The Times secured documents including emails, grant proposals, and draft reports that the article claims show how conservative activists, centered at California’s Claremont Institute, “formed a loose network of think tanks, political groups and Republican operatives in at least a dozen states” in an effort to “eliminat[e] ‘social justice education’ from American schools.” According to Confessore, the internal documents reveal that (at least in some cases) racist, sexist, and homophobic beliefs were motivating factors. Confessore also suggested that the documents signal the importance of the anti-DEI movement as a Republican fundraising tool and talking point that is anticipated to become even more prominent as the 2024 election nears.
- Forbes, “Diversity In Leadership Increases Chances Of Success By 39%” (January 21): Julie Kratz, founder of DEI training organizations Next Pivot Point and Little Allies, reports on new research by McKinsey & Company describing a growing business case for DEI. The research suggests that there is a “39% increased likelihood of outperformance” for companies in the top quartile of ethnic and gender leadership diversity as compared to those in the bottom quartile. Kratz notes that business justifications for diversity are not new, but several factors—including limited diversity in C-suites and lack of accountability—hinder progress. To overcome these challenges, Kratz recommends that companies set aside the “‘one and done’ approach” to DEI training and focus on “a model of continuous learning.”
- Wall Street Journal, “DEI Is Worth Saving From Its Excesses” (January 22): Roland Fryer, Harvard economist and founder of venture capital firm Equal Opportunity Ventures, writes in an opinion piece that “[o]pponents and supporters of DEI have very different ideas about what it is.” Fryer recognizes the need for companies to evaluate their diversity initiatives and to identify and eliminate illegal practices, but also advocates for maintaining commitment to developing diverse talent. Fryer suggests that employers should focus on eliminating racial bias “not only because discrimination is wrong but because it is a market failure that prevents the right people from being placed in the right positions.” Companies should be aware of these biases, evident in disparate rates of hiring, promotion, and starting compensation. Fryer recommends use of machine learning to help avoid bias in personnel decisions.
- Law360, “EEOC’s Lucas Calls Mark Cuban ‘Dead Wrong’ In DEI Push” (January 29): Law360’s Patrick Hoff reports on a public exchange on the social media platform X between billionaire businessman Mark Cuban and EEOC Commissioner Andrea Lucas. In recent weeks, Cuban has taken to X to defend the business case for DEI. But when he posted on January 28 that, in hiring, “race and gender can be part of the equation,” Commissioner Lucas replied, calling Cuban “dead wrong on black-letter Title VII law.” According to Hoff, in an email to Law360, Cuban clarified that X “is a place to argue” and that he follows the law “in every way.” Although a spokesperson for the EEOC told Law360 that Lucas’s social media posts are her own and not reflective of the agency’s opinions, Lucas told the news outlet that she views public education “in any media” as part of her role. Hoff notes that, in the wake of SFFA, Lucas has stood alone among the EEOC’s commissioners in publicly denouncing race-based corporate DEI policies.
Case Updates:
Below is a list of updates in new and pending cases:
1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:
- Mid-America Milling Company v. U.S. Department of Transportation, No. 3:23-cv-00072-GFVT (E.D. Ky. 2023): Two plaintiff construction companies sued the Department of Transportation, asking the court to enjoin DOT’s Disadvantaged Business Enterprise (DBE) Program, an affirmative action program that awards contracts to minority-owned and women‑owned small businesses in DOT-funded construction projects with the statutory aim of granting 10% of certain DOT-funded contracts to these businesses nationally. Plaintiffs allege that the program constitutes unconstitutional race discrimination in violation of the Fifth Amendment.
- Latest update: On January 16, 2024, DOT filed its motion to dismiss the complaint. DOT argued that the plaintiffs’ allegations that they lost contracts to DBE firms were conclusory and speculative because they failed to allege specific facts about the nature of the contracts, the type of industry, and whether or not those contracts were actually covered by the DBE program. DOT also argued that the plaintiffs failed to allege an injury sufficient for standing because, although they alleged they had bid for DBE contracts, they did not identify the contracts with enough specificity, as not all DOT contracts contain a DBE goal. Finally, DOT argued the plaintiffs failed to join as indispensable parties the state or local agencies who actually implement the DBE goals and channel DOT funds to contractors.
- Landscape Consultants of Texas, Inc. v. City of Houston, No. 4:23-cv-3516–DH (S.D. Tx. 2023): Plaintiff landscaping companies owned by white individuals challenged Houston’s government contracting set-aside program for “minority business enterprises” that are owned by members of racial and ethnic minority groups. The companies claim the program violates the Fourteenth Amendment and Section 1981.
- Latest update: On January 12, 2024, the district court denied both the City of Houston’s and Midtown Management District’s motions to dismiss, without issuing a written opinion.
- Do No Harm v. Pfizer, No. 1:22-cv-07908–JLR (S.D.N.Y. 2022), on appeal at No. 23-15 (2d Cir. 2023): On September 15, 2022, plaintiff association representing physicians, medical students, and policymakers sued Pfizer, alleging that the company’s Breakthrough Fellowship Program, which provided minority college seniors summer internships, two years of employment post-graduation, and a scholarship, violated Section 1981, Title VII, and New York law. The association alleges that the program illegally excludes white and Asian applicants. The association is represented by Consovoy McCarthy PLLC, the firm that also represents American Alliance for Equal Rights in multiple lawsuits. In December 2022, the court granted Pfizer’s motion to dismiss, finding that the plaintiff did not have associational standing because they did not identify at least one member by name, instead only submitting declarations from anonymous members. The association appealed to the Second Circuit, which heard oral argument on October 3, 2023.
- Latest update: On December 21, 2023, Do No Harm filed a Rule 28(j) notice of supplemental authority to support its claim that it has standing despite its reliance on unnamed members. Pointing to a recent district court decision in SFFA v. U.S. Naval Academy that found standing on the basis of pseudonymous plaintiffs, the association argued that the district court misread Supreme Court precedent. On January 12, 2024, Pfizer responded with its own Rule 28(j) letter, contesting the plaintiff’s characterization of the Naval Academy decision and arguing that even if the use of pseudonymous members was sufficient to create standing, the pseudonymous members in the current case still lacked standing because they had declined to apply for Pfizer’s fellowship program after Pfizer changed the requirements—something Pfizer also argued served to moot the case.
2. Employment discrimination under Title VII and other statutory law:
- Gerber v. Ohio Northern University, No. 2023-1107-CVH (Ohio. Ct. Common Pleas Hardin Cty. 2023): On June 30, 2023, a law professor sued his former employer, Ohio Northern University, for terminating his employment after an internal investigation determined that he bullied and harassed other faculty members. On January 23, 2024, the plaintiff, now represented by America First Legal, filed an amended complaint. The plaintiff claims that his firing was actually in retaliation for his vocal and public opposition to the university’s stated DEI principles and race-conscious hiring, which he believed were illegal. The plaintiff alleged that the investigation and his termination breached his employment contract, violated Ohio civil rights statutes, and constituted various torts, including defamation, false light, conversion, infliction of emotional distress, and wrongful termination in violation of public policy.
- Latest update: The defendant has until February 20, 2024 to respond to the plaintiff’s second amended complaint.
- De Piero v. Pennsylvania State University, No. 2:23-cv-02281-WB (E.D. Pa. 2023): A white male professor sued his employer, Penn State University, claiming that university-mandated DEI trainings, discussions with coworkers and supervisors about race and privilege in the classroom, and comments from coworkers about his “white privilege” constituted a hostile work environment that led him to quit his job. He claimed that after he reported that he felt harassed and published an opinion piece objecting to the impact of DEI concepts in the classroom, the university retaliated against him by investigating him for bullying and aggressive behavior towards his colleagues. The plaintiff alleged harassment, retaliation, and constructive discharge in violation of Title VI, Title VII, Section 1981, Section 1983, the First Amendment, and Pennsylvania civil rights laws.
- Latest update: On January 11, 2024, the district court granted the defendant’s motion to dismiss in part, dismissing all of the plaintiff’s claims except for his hostile work environment claim. On that claim, the judge found that some of his allegations, including that he was required to attend trainings that “discussed racial issues in essentialist and deterministic terms” and “ascrib[ed] negative traits to white people . . . plausibly amount to ‘pervasive’ harassment.” The court made clear that “training on concepts such as ‘white privilege’ . . . can contribute positively . . . in an educational institution,” but that when those discussions occur “with a constant drumbeat of essentialist, deterministic, and negative language, they risk liability under federal law.”
- Haltigan v. Drake, No. 5:23-cv-02437-EJD (N.D. Cal. 2023): A white male psychologist sued the University of California Santa Cruz, arguing that a requirement that prospective faculty candidates submit and be evaluated in part on the basis of statements explaining their views and understanding of DEI principles functioned as a loyalty oath that violated his First Amendment freedoms. The plaintiff claimed that because he is “committed to colorblindness and viewpoint diversity”––which he alleged was contrary to UC Santa Cruz’s position on DEI––he would be compelled to alter his political views to be a viable candidate for the position. The plaintiff sought a declaration that the University’s DEI statement requirement violated the First Amendment and a permanent injunction against the enforcement of the requirement.
- Latest update: On January 12, 2024, the district court granted UC Santa Cruz’s motion to dismiss with leave to amend, finding that the plaintiff lacked standing because he had not actually applied for a professor position. The court rejected the plaintiff’s claim that he had “competitor standing” because he only expressed a general interest in the position, and did not allege that he had undertaken any preparations or concrete steps to apply. The court also rejected the argument that the plaintiff had First Amendment prudential standing, sometimes recognized in license application cases, because he was seeking a job, not a license or a permit. Finally, the court found that the plaintiff had not sufficiently alleged that it would have been futile to apply without a DEI statement because UC Santa Cruz might have accepted his application notwithstanding his lack of a statement.
- Weitzman v. Fred Hutchinson Cancer Center, No. 2:24-cv-00071-TLF (W.D.WA. 2024): On January 16, 2024, a white Jewish female former employee of a medical center sued her former employer, alleging that she was terminated for expressing her discomfort with DEI-related content shared in the workplace by coworkers, objecting to DEI-related training, and expressing her political opposition to DEI-aligned ideologies. She also claimed that her employer failed to act when she was allegedly discriminated against because of her religion and race by other coworkers. The plaintiff alleged her employer’s conduct constituted racial discrimination, a hostile work environment, and retaliation in violation of the Washington Law against Discrimination (WLAD) and Section 1981; discrimination and retaliation on the basis of political ideology in violation of the Seattle Municipal Code; and intentional infliction of emotional distress and wrongful termination in violation of public policy under common law.
- Latest update: The defendant has not yet responded to the complaint.
3. Challenges to agency rules, laws, and regulatory decisions:
- Saadeh v. New Jersey State Bar Association, No. MID-L-006023-21 (N.J. Super. Ct. 2021), on appeal at A-2201-22 (N.J. Super. Ct. App. Div. 2023): On October 15, 2021, a Palestinian and Muslim attorney and bar member sued the New Jersey State Bar Association (NJSBA), alleging that the NJSBA’s practice of reserving certain trustee and committee positions for members of “underrepresented groups” including Black, Hispanic, Asian, women, and LGBTQ attorneys constituted racial discrimination in violation of New Jersey state civil rights laws.
- Latest update: On November 9, 2022, the trial judge ruled that the NJSBA’s practice was racially discriminatory, and ordered it to end the practice and consider all attorneys in good standing eligible for the positions. The court found that the practice was an illegal quota rather than a valid affirmative action program. The court also held that the First Amendment did not protect the NJSBA’s practices. The NJSBA appealed, and on January 18, 2024, the Appellate Division of the New Jersey Superior Court heard oral argument. The NJSBA argued that the trial court applied the incorrect Supreme Court precedent and that under the correct framework, the NJSBA’s practice is a valid, tailored affirmative action plan that redresses the historical underrepresentation of non-white attorneys in the positions at issue. The plaintiff argued that the practice is not legal affirmative action because it does not address the root causes of racial imbalances and is not based on a detailed analysis of the NJSBA’s membership and demographic data.
- Palsgaard v. Christian, et al., No. 1:23-cv-01228-SAB (E.D. Cal. 2023): In August 2023, California community college professors filed suit and moved for a preliminary injunction against the state’s new DEI-related evaluation competencies and corresponding language in their faculty contract, which they allege requires them to endorse the state’s views on DEI concepts. The plaintiffs challenge the DEI rules and contract language as compelled speech in violation of the First and Fourteenth Amendments. On December 15, 2023, the defendants filed their motions to dismiss.
- Latest update: On January 19, 2024, the plaintiffs filed a joint opposition to the defendants’ motions to dismiss. Plaintiffs argued that they had standing to challenge the DEI rules and faculty contract and that they had not waived their First Amendment rights. Plaintiffs also argued that their constitutional claims should not be dismissed because the regulations compel them to espouse the state’s preferred message and that both the rules and faculty contract are overbroad and vague.
- Earls v. North Carolina Judicial Standards Commission, No. 1:23-cv-00734-WO-JEP (M.D.N.C. 2023): On June 20, 2023, North Carolina Supreme Court Justice Anita Earls, the only non-white female justice on the court, made comments in an interview regarding the diversity of the appellate bench and of the attorneys who appear before the N.C. Supreme Court, and her opinion regarding implicit bias in the state judiciary and attempts to diversify the North Carolina courts. In response, on August 15, 2023, the North Carolina Judicial Standards Commission initiated an investigation into whether Justice Earls violated provisions of the judicial code requiring her to act in a manner that promotes “public confidence in the integrity” of the judicial system. On August 29, 2023, Justice Earls filed a lawsuit claiming that the Commission’s investigation was part of an ongoing effort to restrict and chill her free speech rights in violation of the First Amendment. She claimed that as a result of the investigation, she turned down opportunities to speak on matters related to diversity and equity, demonstrating the investigation’s chilling effect. On November 21, 2023, the district court denied Justice Earls’ request for a preliminary injunction on the grounds that the Commission’s actions likely met strict scrutiny because its investigation was justified by the compelling interest of safeguarding public confidence in the integrity and fairness of the judicial system, and the investigation process appeared narrowly tailored.
- Latest update: On January 17, 2024, Justice Earls voluntarily dismissed her case after the Commission dismissed the investigation against her without recommending disciplinary action.
4. Educational Institutions and Admissions (Fifth Amendment, Fourteenth Amendment, Title VI, Title IX):
- Students for Fair Admissions, Inc. v. University of Texas at Austin, 1:20-cv-00763-RP (W.D. Tex. 2020): On July 20, 2020, SFFA sued the University of Texas, alleging that UT Austin’s methods of considering race in undergraduate admissions violated the Equal Protection Clause of the Fourteenth Amendment, Section 1981, Title VII, the Texas Constitution, and Texas state law.
- Latest update: On January 11, 2024, UT Austin replied to SFFA’s opposition to its motion to dismiss, renewing its argument that the case is moot because UT Austin has changed its admissions policies. It further argued that the case was not still live under the “voluntary cessation” doctrine because the policy change was compelled by the Supreme Court’s SFFA v. Harvard decision, and SFFA failed to show UT Austin’s change was not made in good faith. UT Austin also responded to SFFA’s summary judgment motion, asserting that SFFA’s evidence that UT still collects demographic information is not sufficient to show that it discriminates on the basis of race. Also on January 11, civil rights groups acting as intervenors on behalf of UT Austin opposed SFFA’s motion for summary judgment, arguing that SFFA is not entitled to summary judgment because it has not shown that UT’s facially neutral policy is being implemented in a discriminatory manner. They also replied to SFFA’s opposition to the motion to dismiss, arguing that SFFA lacks standing because none of its members have applied to UT Austin under the new policy, and that the case is moot because SFFA is challenging a policy that no longer exists.
The following Gibson Dunn attorneys assisted in preparing this client update: Jason Schwartz, Mylan Denerstein, Blaine Evanson, Molly Senger, Zakiyyah Salim-Williams, Matt Gregory, Zoë Klein, Mollie Reiss, Teddy Rube, Alana Bevan, Marquan Robertson, Elizabeth Penava, Skylar Drefcinski, and Mary Lindsay Krebs.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:
Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)
Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, mdenerstein@gibsondunn.com)
Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, zswilliams@gibsondunn.com)
Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, msenger@gibsondunn.com)
Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, bevanson@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: ISDA and ESMA were particularly active this week, releasing several global reports.
New Developments
- CFTC’s Energy and Environmental Markets Advisory Committee to Meet February 13. On January 30, 2024, CFTC Commissioner Summer K. Mersinger, sponsor of the Energy and Environmental Markets Advisory Committee (EEMAC), announced the EEMAC will hold a public meeting from 9:00 a.m. to 11:30 a.m. (MST) on Tuesday, February 13 at the Colorado School of Mines in Golden, Colorado. The CFTC stated that at this meeting, the EEMAC will explore the role of rare earth minerals in transitional energy and electrification, including the potential development of derivatives products to offer price discovery and hedging opportunities in these markets. Additionally, the meeting will include a presentation and discussion on the federal prudential financial regulators’ proposed rules implementing Basel III and the implications for and impact on the derivatives market. Finally, the two EEMAC subcommittees will offer an update on their continued work related to traditional energy infrastructure and metals markets. [NEW]
- CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s Office of Customer Education and Outreach issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets.
- CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024.
- CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024.
- BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management.
- CFTC Cancels Open Meeting. On January 20, the CFTC cancelled its open meeting scheduled for January 22. According to the CFTC, the following matters will be resolved through the CFTC’s seriatim process:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions.
- CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs.
- CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque de France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20, as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France.
New Developments Outside the U.S.
- ESAs Recommend Steps to Enhance the Monitoring of BigTechs’ Financial Services Activities. On February 1, the European Supervisory Authorities (ESAs) published a Report setting out the results of a stock take of BigTech direct financial services provision in the EU. The Report identifies the types of financial services currently carried out by BigTechs in the EU pursuant to EU licenses and highlights inherent opportunities, risks, regulatory and supervisory challenges. The stock take showed that BigTech subsidiary companies currently licensed to provide financial services pursuant to EU law mainly provide services in the payments, e-money and insurance sectors and, in limited cases, the banking sector. However, the ESAs have yet to observe their presence in the market for securities services. To further strengthen the cross-sectoral mapping of BigTechs’ presence and relevance to the EU’s financial sector, the ESAs propose to set-up a data mapping tool. The ESAs explained that this tool is intended to provide a framework that supervisors from the National Competent Authorities would be able to use to monitor on an ongoing and dynamic basis the BigTech companies’ direct and indirect relevance to the EU financial sector. [NEW]
- ESMA Publishes Risk Monitoring Report. On January 31, the European Securities and Markets Authority (ESMA) published its first risk monitoring report of 2024, where it sets out the key risk drivers currently facing financial markets. Beyond the risk drivers, ESMA’s report provides an update on structural developments and the status of key sectors of financial markets, during the second half of 2023. The report considers structural developments in various areas, including market-based finance, sustainable finance, securities markets, and asset management. [NEW]
- ESMA Consults on Reverse Solicitation and Classification of Crypto Assets as Financial Instruments Under MiCA. On January 29, ESMA published two Consultation Papers on guidelines under Markets in Crypto Assets Regulation (MiCA), one on reverse solicitation and one on the classification of crypto-assets as financial instruments. ESMA is seeking input on proposed guidance relating to the conditions of application of the reverse solicitation exemption and the supervision practices that National Competent Authorities may take to prevent its circumvention. ESMA is also seeking input on establishing clear conditions and criteria for the qualification of crypto-assets as financial instruments. [NEW]
- EC Publishes Amendments to Clearing Obligation Scope in Light of Benchmark Reform. On January 22, the delegated regulation amending the regulatory technical standards (RTS) defining the scope of the clearing obligation (CO) was published in the EU Official Journal, with the amended requirements due to enter into force 20 days after publication. The European Commission (EC) stated that the amendments were introduced in light of the transition to the TONA and SOFR benchmarks referenced in certain over-the-counter derivatives contracts. The amendment to the scope of the CO consists of introducing TONA overnight indexed swaps (OIS) with maturities up to 30 years and extending the SOFR OIS class subject to the CO to maturities up to 50 years. The adoption follows the publication by ESMA, on February 1, 2023, of its final report on changes to the scope of the CO and the derivatives trading obligations (DTO) in light of the benchmark transition, following a consultation last year, to which ISDA responded on September 30, 2022. This ESMA report included two draft amending RTS: one draft RTS amending the scope of the CO and one draft RTS amending the scope of the DTO. The delegated regulation containing the RTS amending the scope of the CO has now been published. The RTS on the DTO has not yet been adopted.
New Industry-Led Developments
- ISDA Response on Anti-Greenwashing Rules. On January 26, ISDA submitted a response to the UK Financial Conduct Authority’s consultation on GC23/3: Guidance on the Anti-Greenwashing Rule. In the response, ISDA highlights that actual or perceived misrepresentation of sustainability features may have a detrimental impact on investor and consumer perceptions of sustainable finance products, and ISDA supports efforts to enhance trust in the market. ISDA considers that sustainability-linked derivatives, environmental, social and governance derivatives and voluntary carbon credits fall within the scope of the rule. [NEW]
- Joint Response to EC on BMR. On January 23, ISDA, the Global Financial Markets Association and the Futures Industry Association (FIA) submitted a joint response to the EC call for feedback on the review of the scope and regime for non-EU benchmarks. The response sets out the associations’ comments on the EC’s proposal, along with potential draft amendments and additional revisions that were considered to support the EC’s aims. In the response, the associations welcome the EC’s recognition of the problems caused by the current drafting of the Benchmark Regulation (BMR). The associations support the aim of establishing a third-country regime that is sustainable in the long term once the current transitional regime expires, and overall consider that the proposal will result in a more proportionate regime for users and administrators of benchmarks. [NEW]
- ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components.
- ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions.
- BCBS-IOSCO Report Sets Out Recommendations for Good Margin Practices in Non-Centrally Cleared Markets. On January 17, the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO) published a report on streamlining VM processes and IM responsiveness of margin models in non-centrally cleared markets, which sets out recommendations for market practices intended to enhance market functioning. The report articulates the policy analyses work carried out by the BCBS-IOSCO in two areas discussed in the September 2022 Review of margining practices: (i) exploring the need to streamline variation margin processes in non-centrally cleared markets and (ii) investigating the responsiveness of initial margin models in non-centrally cleared markets. The consultative report sets out eight recommendations intended to encourage the widespread implementation of good market practices but does not propose any policy changes to the BCBS-IOSCO frameworks. BCBS and IOSCO stated that the first four recommendations aim to address challenges that could inhibit a seamless exchange of variation margin during a period of stress. The other four highlight practices for market participants to implement initiatives in an effort to ensure the calculation of initial margin is consistently adequate for contemporaneous market conditions and propose that supervisors should monitor whether these developments are sufficient to make this model responsive enough to extreme market shocks.
- ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives.
- BCBS, CPMI, and IOSCO Publish Consultative Report on Transparency and Responsiveness of Initial Margin in Centrally Cleared Markets. On January 16, BCBS, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and IOSCO jointly published a consultative report—Transparency and responsiveness of initial margin in centrally cleared markets – review and policy proposals—which interested parties are invited to comment on. BCBS, CPMI, and IOSCO stated that the ten policy proposals in the report aim to increase the resilience of the centrally cleared ecosystem by improving participants’ understanding of central counterparties’ (CCPs) initial margin calculations and potential future margin requirements. The proposals cover CCP simulation tools, CCP disclosures, measurement of initial margin responsiveness, governance frameworks and margin model overrides, and clearing member transparency.
- ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets.
- ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and SIFMA submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus – New York (+1 212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
Among the meaningful changes in the Final Rules, the Commission did not adopt a safe harbor from the “investment company” definition under the Investment Company Act of 1940, as amended (the “Investment Company Act”) for SPACs.
On January 24, 2024, the U.S. Securities and Exchange Commission (the “Commission”), by a three-to-two vote, adopted new rules and amendments (the “Final Rules”) to enhance disclosure and investor protections in initial public offerings (“IPO”) by special purpose acquisition companies (“SPACs”) and in subsequent business combinations between SPACs and private operating companies (“de-SPAC transaction”).[1]
The Final Rules are thematically aligned with the rule proposal issued by the Commission nearly two years ago in March 2020,[2] but with meaningful changes as noted below, including not adopting a safe harbor from the “investment company” definition under the Investment Company Act of 1940, as amended (the “Investment Company Act”) for SPACs.
The adopting release for the Final Rules (the “Adopting Release”) provides a lengthy and comprehensive discussion that builds upon the Commission’s prior statements and actions regarding SPAC IPOs and de-SPAC transactions.[3] As noted by the Commission’s Chair, Gary Gensler, in the accompanying press release, the Final Rules are intended to “help ensure that the rules for SPACs are substantially aligned with those of traditional IPOs.”[4] Chair Gensler further noted that the measures adopted in the Final Rules “will help protect investors by addressing information asymmetries, misleading information, and conflicts of interest in SPAC and de-SPAC transactions.”[5]
The Adopting Release is available here and a Fact Sheet is available here. The Final Rules will become effective 125 days after publication in the Federal Register. Compliance with the structured data requirements, which require tagging of information disclosed pursuant to new subpart 1600 of Regulation S-K in Inline XBRL, will be required 490 days after publication of the rules in the Federal Register.
I. Overview
There are four key components of the Final Rules:
- Disclosure and Investor Protection. The Final Rules impose specific disclosure requirements with respect to, among other things, compensation paid to sponsors, potential conflicts of interest, shareholder dilution, and the fairness of the business combination, for both the SPAC IPOs and de‑SPAC transactions;
- Business Combinations Involving Shell Companies. Under the Final Rules, the Commission will deem a business combination transaction involving a reporting shell company and a private operating company as a “sale” of securities under the Securities Act of 1933, as amended (the “Securities Act”), amend the financial statement requirements applicable to transactions involving shell companies, and amend the current “blank check company” definition to make clear that SPACs cannot rely on the safe harbor provision under the Private Securities Litigation Reform Act of 1995, as amended (the “PSLRA”) when marketing a de-SPAC transaction;
- Projections. The Final Rules amend the Commission’s guidance on the presentation of projections in any filings with the Commission (not only on de-SPAC transactions, but affecting all projections filed with the Commission) and add new guidance only for de-SPAC transactions, in both instances to address the reliability of such projections; and
- Status of SPACs under the Investment Company Act of 1940. The Proposed Rules included a safe harbor that qualifying SPACs could have used to avoid registering as investment companies under the Investment Company Act. The Final Rules do not include a safe harbor, and instead, the Commission takes the position that SPACs should consider investment company status in light of the facts and circumstances and provides further guidance on what actions might cause a SPAC to fall into the investment company definition.
We provide below our key takeaways, a summary of the Final Rules and links to Commissioner statements regarding the Final Rules.
II. Key Takeaways
Below are the key takeaways from the Final Rules:
- Timing. Although the Final Rules will not be in effect for about 4 months, existing SPACs and their targets should expect to receive comments from the Commission staff along the broader lines of the Final Rules. SPACs and their targets also should consider the extent to which they will want to comply voluntarily with certain of the Final Rules, especially those focused on financial statement requirements and enhanced disclosures.
- Conforming SPACs to Traditional IPOs. The Final Rules go to great lengths to contrast the current SPAC regulatory regime against the one applicable to traditional IPOs and to “level” the playing field between the two. Closer alignment of the two regimes may reduce some potential benefits of a de-SPAC transaction (e.g., availability of alternative financing sources and expedited path to becoming a public company) while also exposing the SPAC, its target and their advisors to additional liability.
- No PSLRA Protection. The PSLRA safe harbor against a private right of action for forward-looking statements is not available in, among other transactions, an offering by a blank check company or a “penny stock” issuer, or in an initial public offering. Some market participants believed the PSLRA safe harbor was otherwise available in de-SPAC transactions when a SPAC is not a blank check company under Rule 419. Under the Final Rules, the Commission adopts a new definition of “blank check company” for purposes of the PSLRA making clear that SPACs may no longer rely on the safe harbor provision under the PSLRA as it relates to the use of projections and other forward-looking statements when marketing a de-SPAC transaction. The lack of the PSLRA safe harbor, especially coupled with enhanced disclosure requirements relating to projections under the Final Rules, may lead to changes in the presentation of projections and assumptions, or the abandonment of projections in a SPAC board’s evaluation of a potential de-SPAC target, which will further undermine the viability of the de-SPAC transaction as an alternative to traditional IPOs for target companies that do not have a lengthy operating history.
- Co-Registrant Liability. The Final Rules impose Section 11 liability on target companies and their officers and directors as co-registrants under Form S-4 and Form F-4. Liability will now extend to both SPAC and target company disclosures contained in such filings. Target companies assessing a de-SPAC transaction should now consider whether their current director and officer liability insurance is sufficient prior to the filing of an initial Form S-4 or Form F-4 for their de-SPAC transaction given the potential for increased liability related to the target’s disclosures.
- Extension of Current Disclosure Guidance (Projections, Dilution, Sponsor, Conflicts). The Final Rules codify current guidance and practice by the Commission, and require additional information and specificity (in some cases, beyond current rules and guidance). Nonetheless, some of the prescriptive rulemakings around enhanced disclosures—including required financial statements, disclosure of sources of dilution, sponsor control and relationships, and potential conflicts of interest—should not be particularly novel for practitioners as many of these requirements are based on existing rules and guidance.
- Board Determination. If required by the law of the jurisdiction of a SPAC’s organization, a SPAC must disclose its board’s determination whether the de-SPAC transaction is advisable and in the best interests of the SPAC and its shareholders and discuss the material factors considered in making the determination. The Final Rules specify that such factors must include, without limitation and to the extent considered, the valuation of the target company, financial projections relied upon by the board of directors, the terms of any financing materially related to the de-SPAC transaction, the dilutive impact of the transaction, and any fairness opinion. While the Proposed Rules would have required disclosure of the SPAC board’s reasonable belief as to the fairness of a de-SPAC transaction and related financings to the SPAC’s shareholders when approving a de-SPAC transaction, that requirement is not included in the Final Rules. Coupled with the enhanced disclosure requirements related to any projections used in a de-SPAC transaction, the Final Rules may result in SPACs not using a target company’s projections to assess a transaction or for marketing purposes, and SPACs may decide against obtaining fairness opinions in connection with de-SPAC transactions.
- Underwriter Liability. The Commission did not adopt its proposal of extending underwriter status (and resulting potential liability) in the de-SPAC transaction to those underwriters to SPAC IPOs involved, directly or indirectly, in the de-SPAC transaction (e.g., advisory services, placement agent services, and other activities related to the de-SPAC transaction would all be considered direct and indirect activities). Rather, the Commission noted in the Final Rules that it will apply the terms “distribution” and “underwriter” “broadly and flexibly” in light of the facts and circumstances of a particular transaction, including a de-SPAC transaction. The introduction of proposed underwriter liability in the Proposed Rules and pivot back to statutory interpretation creates further ambiguity and uncertainty on a going-forward basis. 2022 and 2023 saw a dramatic pullback by financial advisors in their participation in the SPAC market, and we anticipate that certain financial advisors will choose not to participate in SPAC IPOs and de-SPAC transactions as a result of the ambiguity under the Final Rules.
- Investment Company Act Safe Harbor. The Commission did not adopt its proposed new safe harbor for SPACs under the Investment Company Act, which would have exempted SPACs from being treated as an “investment company” if the SPAC met certain subjective criteria, related to, among other things, the nature and management of the assets held by the SPAC and the SPAC’s general purpose. Similar to its approach with respect to SPAC IPO underwriter liability, the Final Rules opt to provide general guidance regarding activities that could cause a SPAC to be an “investment company.” As a result, SPACs should carefully assess and monitor their activities, and consider changing their operations if necessary to bring them into compliance with the Investment Company Act.
III. Summary of Final Rules
1. New Subpart 1600 of Regulation S-K
The Final Rules create a new Subpart 1600 of Regulation S-K solely related to SPAC IPOs and de-SPAC transactions. Among other things, this new Subpart 1600 prescribes specific disclosure requirements with respect to the sponsor, potential conflicts of interest, potential shareholder dilution, and fairness to shareholders.
Sponsor, Affiliates, and Promoters
To provide investors with a more complete understanding of the role of SPAC sponsors, affiliates, and promoters,[6] the Commission has adopted Item 1603(a) of Regulation S-K, to require:
- Experience. Description of the experience, material roles, and responsibilities of sponsors, affiliates, and promoters.
- Arrangements. Discussion of any agreement, arrangement, or understanding (i) between the sponsor and the SPAC, its officers, directors, or affiliates, in determining whether to proceed with a de-SPAC transaction and (ii) regarding the redemption of outstanding securities.
- Sponsor Control. Discussion of the controlling persons of the sponsor and any persons who have direct or indirect material interests in the sponsor. The Commission declined to adopt the proposed requirement that SPACs also provide an organizational chart that shows the relationship between the SPAC, the sponsor, and the sponsor’s affiliates.
- Lock-Ups. A table describing the material terms of any lock-up agreements with the sponsor and its affiliates.
- Compensation. Discussion of the nature and amounts of all compensation (including securities issued by the SPAC) that has been or will be awarded to, earned by, or paid to the sponsor, its affiliates, and any promoters for all services rendered in all capacities to the SPAC and its affiliates, as well as the nature and amounts of any reimbursements to be paid to the sponsor, its affiliates, and any promoters upon the completion of a de-SPAC transaction.
Potential Conflicts of Interest
To provide investors with a more complete understanding of the potential conflicts of interest between (i) any SPAC sponsor or affiliate, target company officers and directors, or the SPAC’s officers, directors, or promoters, and (ii) unaffiliated security holders of the SPAC, the Commission adopted a new Item 1603(b) of Regulation S-K. This new Item includes a discussion of conflicts arising as a result of a determination to proceed with a de-SPAC transaction and from the manner in which a SPAC compensates the sponsor or the SPAC’s executive officers and directors, or the manner in which the sponsor compensates its own executive officers and directors.
Relatedly, Item 1603(c) of Regulation S-K will require disclosure of the fiduciary duties that each officer and director of a SPAC owes to other companies.
Sources of Dilution
In an effort to conform and enhance disclosure relating to dilution in SPAC IPOs and de-SPAC transactions, the Commission has adopted Items 1602 and 1604 of Regulation S-K, respectively.
- IPO Dilution Disclosure. In providing disclosure pursuant to Item 506, SPAC disclosure previously estimated dilution as a function of the difference between the initial public offering price and the pro forma net tangible book value per share after the offering, often including an assumption of the maximum number of shares eligible for redemption in a de-SPAC transaction. The Final Rules will now require additional granularity on the prospectus cover page, requiring SPACs to present redemption scenarios in quartiles up to the maximum redemption scenario. In addition to changes to the cover page, the Final Rules also supplement Item 506 disclosure by requiring a description of material potential sources of future dilution following a SPAC’s initial public offering, as well as tabular disclosure of the amount of potential future dilution from the public offering price that will be absorbed by non-redeeming SPAC shareholders, to the extent quantifiable.
- De-SPAC Dilution Disclosure. In addition to disclosure at the IPO stage of a SPAC’s lifecycle, the Final Rules require additional disclosure regarding material potential sources of dilution as a result of the de-SPAC transaction. As seen in comment letters issued by the Commission following the release of the Proposed Rules, the Commission has requested additional granularity with respect to post-closing pro forma ownership disclosure, often requiring the disclosure of various redemption thresholds and the effects of potential sources of dilution. The Final Rules now codify this practice by requiring disclosure in a tabular format that includes intervals representing selected potential redemption levels that may occur across a reasonably likely range of outcomes. The Final Rules do not prescribe specific redemption levels for which dilution information must be provided, but looking at the SPAC IPO dilution requirements (as discussed above), quartile disclosure up to the maximum redemption scenario may be acceptable.
Board Determination Regarding De-SPAC Transaction
Under Item 1606, if the law of the jurisdiction of the SPAC’s organization requires the SPAC’s board of directors to determine whether the de-SPAC transaction is advisable and in the best interests of the SPAC and its shareholders, then the SPAC will be required to disclose that determination. Item 1606 of Regulation S-K will also require a discussion of the material factors considered in making that determination. This is one of the few areas of the Final Rule where the Commission declined to adopt a more stringent standard, with the initial proposed rule creating a potential “backdoor” opinion requirement by asking that a board of directors affirmatively state whether it reasonably believes a de-SPAC transaction, including any related financing, was fair to the unaffiliated securityholders of the SPAC.
Relatedly, if any director voted against, or abstained from voting on, approval of the de-SPAC transaction or any related financing transaction, SPACs would be required to identify the director, and indicate, if known, after making reasonable inquiry, the reasons for the vote against the transaction or abstention.
2. Aligning De-SPAC Transactions with IPOs
Target Company as Co-Registrant
Under the current rules, only the SPAC and its officers and directors are required to sign the registration statement and are liable for material misstatements or omissions. The Final Rules require the target company to be treated as a co-registrant with the SPAC when a Form S-4 or Form F-4 registration statement is filed by the SPAC in connection with a de-SPAC transaction.[7] Registrant status for a target company and its officers and directors will result in such parties being liable for material misstatements or omissions pursuant to Section 11 of the Securities Act. Under the Final Rules, target companies and their officers and directors will be liable with respect to their own material misstatements or omissions, as well as any material misstatements or omissions made by the SPAC or its officers and directors. As a result, the Final Rules seek to further incentivize target companies and SPACs to be diligent in monitoring each other’s disclosure.
Smaller Reporting Company Status
Currently, de-SPAC companies are able to avail themselves – as almost all SPACs have done since 2016[8] – of the smaller reporting company rules for at least one year following the de-SPAC transaction (and most SPACs would still retain this status at the time of the de-SPAC transaction when the SPAC is the legal acquirer of the target company). The “smaller reporting company” status benefits the combined company after the de-SPAC transaction by availing it of scaled disclosure and other accommodations as it adjusts to being a public company.
Citing the disparate treatment between traditional IPO companies and de-SPAC companies (the former having to determine smaller reporting company status at the time it files its initial registration statement and the latter retaining the SPAC’s smaller reporting company status until the next annual determination date), the Final Rules require de-SPAC companies to determine compliance with the public float threshold (i.e., public float of (i) less than $250 million, or (ii) in addition to annual revenues less than $100 million, less than $700 million or no public float)[9] prior to the time it makes its first filing with the Commission (other than the Form 8-K filed with Form 10 information).
The public float must be measured as of a date within four business days after the consummation of the de-SPAC transaction. The revenue threshold must be determined by using the annual revenues of the target company as of the most recently completed fiscal year for which audited financial statements are available. The de-SPAC company must reflect its re-determination in its first periodic report due after a 45-day period following the consummation of the de-SPAC transaction.
Target companies will need to consider the burdens of additional reporting requirements in light of the potential of not being able to qualify as a smaller reporting company following their de-SPAC transactions.
PSLRA Safe Harbor
The PSLRA provides a safe harbor for forward-looking statements under the Securities Act and the Securities Exchange Act of 1934, as amended (the “Exchange Act”), under which a company is protected from liability for forward-looking statements in any private right of action under the Securities Act or Exchange Act when, among other things, the forward-looking statement is identified as such and is accompanied by meaningful cautionary statements.
The safe harbor, however, is not available when the forward-looking statement is made in connection with an offering by a “blank check company,” a company that (i) is a development stage company with no specific business plan or purpose or has indicated that its business plan is to engage in a merger or acquisition with an unidentified company or companies, or other entity or person, and (ii) is issuing “penny stock.”[10]
Because of the penny stock requirement, many practitioners have considered SPACs to be afforded protection under the PSLRA safe harbor as they do not otherwise meet the second prong of the definition of blank check company for purposes of the PSLRA safe harbor. The Final Rules will adopt a new definition of “blank check company” for purposes of the PSLRA to remove the penny stock requirement, thus effectively removing a SPAC’s ability to qualify for the PSLRA safe harbor provision for the de-SPAC transaction.
This inability to rely on the PSLRA is coupled with the Final Rules’ addition of new and modified projections disclosure requirements (as further discussed below). It remains unclear whether the application of the Final Rules will lead to changes in the use of projections and assumptions (especially considering the current environment where market participants, investors, and financiers have come to expect detailed projections disclosure, similar to what is used in public merger and acquisitions (“M&A”) transactions), or the abandonment of projections in assessing and marketing a de-SPAC transaction.
Underwriter Status and Liability
Historically, Section 11 and Section 12(a)(2) of the Securities Act[11] have imposed underwriter liability on underwriters of a SPAC’s IPO. The Commission declined to adopt its proposal to establish that a de-SPAC transaction would constitute a “distribution” under applicable underwriter regulations, which would have automatically extended underwriter liability to the SPAC IPO underwriter if it engaged in certain de-SPAC activities or compensation arrangements.
Instead, the Final Rules provide general guidance regarding statutory underwriter status, following its “longstanding practice of applying the statutory terms ‘distribution’ and ‘underwriter’ broadly and flexibly, as the facts and circumstances of any transaction may warrant.”[12] The Commission may find a “statutory underwriter” where someone is selling for the issuer or participating in the distribution of securities in the combined company to the SPAC’s investors and the broader public, even though it may not be named as an underwriter in any given offering or may not be engaged in activities typical of a named underwriter in traditional capital raising.[13]
The Commission’s extensive broad interpretation of the concept of “statutory underwriter,” coupled with the traditional “due diligence” defenses of underwriters,[14] suggests that SPACs and target companies should expect extensive diligence requests from financial institutions, advisors, and their counsel in connection with a de-SPAC transaction, requests from investment banks that advisors to a SPAC and its target provide negative assurance and comfort letters in connection with the de-SPAC transaction, and other related changes to the de-SPAC transaction process that add complexity, time, and cost.
3. Business Combinations Involving Shell Companies
The Commission’s concern related to private companies becoming U.S. public companies via de-SPAC transactions is substantially related to the perceived opportunity for such private companies to avoid “Securities Act registration and the related disclosures which are intended to protect investors.”[15]
Rule 145a
Based on the structure of certain de-SPAC transactions, the Commission expressed concern that, unlike investors in transaction structures in which the Securities Act applies (and a registration statement would be filed, absent an exemption), investors in reporting shell companies may not always receive the disclosures and other protection afforded by the Securities Act at the time the change in the nature of their investment occurs, due to the business combination involving another entity that is not a shell company.
Rule 145a intends to address the issue by deeming any direct or indirect business combination of a reporting shell company (other than a business combination related shell company) involving another entity that is not a shell company to constitute “a sale of securities to the reporting shell company’s shareholders.”[16] By deeming such transaction to be a “sale” of securities for the purposes of the Securities Act, the Final Rule is intended to address potential disparities in the disclosure and liability protections available to shareholders of reporting shell companies, depending on the transaction structure deployed.
Rule 145a defines a reporting shell company as a company (other than an asset-backed issuer as defined in Item 1101(b) of Regulation AB) that has:
- no or nominal operations;
- either:
  - no or nominal assets;
  - assets consisting solely of cash and cash equivalents; or
  - assets consisting of any amount of cash and cash equivalents and nominal other assets; and
- an obligation to file reports under Section 13 or Section 15(d) of the Exchange Act.
The Final Rule notes that the sales covered by Rule 145a will not be covered by the exemption provided under Section 3(a)(9) of the Securities Act, because the exchange of securities would not be exclusively with the reporting shell company’s existing security holders, but also would include the target company’s existing security holders.
We would also note that this provision has broader market implications as it would apply to all reporting shell companies (other than a “business combination related shell company,” as defined in Rule 405 under the Securities Act and Rule 12b-2 under the Exchange Act), and not just SPAC transactions.
Financial Statement Requirements in Business Combination Transactions Involving Shell Companies
The Final Rule amends the financial statements required to be provided in a business combination with an intention to bridge the gap between such financial statements and the financial statements required to be provided in an IPO. The Commission views such Final Rule as simply codifying “current staff guidance for transactions involving shell companies.”[17] While the below information is presented in the context of a de-SPAC transaction, we would note that these requirements will apply to all shell companies (other than a “business combination related shell company,” as defined in Rule 405 under the Securities Act and Rule 12b-2 under the Exchange Act), and not just SPAC transactions.
Number of Years of Financial Statements
Rule 15-01(b) will require a registration statement for a de-SPAC transaction where a business is combining with a shell company registrant to include the same financial statements for that business as would be required in a Securities Act registration statement for an IPO of that business.
Audit Requirements
Rule 15-01(a) will require the examination of the financial statements of a business that is or will be a predecessor to a shell company to be audited by an independent accountant in accordance with the standards of the Public Company Accounting Oversight Board (“PCAOB”) for the purpose of expressing an opinion, to the same extent as a registrant would be audited for an IPO, effectively codifying the staff’s existing guidance.[18]
Age of Financial Statements
Rule 15-01(c) will provide for the age of the financial statements of a business involved in a business combination with a shell company to be based on whether such private company would qualify as a smaller reporting company in a traditional IPO process, ultimately aligning with the financial statement requirements in a traditional IPO.
Acquisitions of a Business or Real Estate Operation by a Predecessor
The Commission is implementing a series of rules intended to clarify when companies should disclose financial statements of businesses acquired by SPAC targets or where such businesses are probable of being acquired by SPAC targets. Rule 15-01(d) will address situations where financial statements of other businesses (other than the predecessor) that have been acquired or are probable to be acquired should be included in a registration statement or proxy/information statement for a de-SPAC transaction. The Final Rule will require application of Rule 3-05 and Rule 8-04 (or Rule 3-14 and Rule 8-06 with respect to real estate operations) of Regulation S-X to acquisitions by a predecessor to the shell company, which the staff views as codifying its existing guidance.
Amendments to the significance tests in Rule 1-02(w) of Regulation S-X will require the significance of the acquisition target of the private target in a de-SPAC transaction to be calculated using the SPAC’s target’s financial information, rather than the SPAC’s financial information.
In addition, Rule 15-01(d)(2) will require the de-SPAC company to file the financial statements of a recently acquired business, that is not or will not be its predecessor pursuant to Rule 3-05(b)(4)(i) in an Item 2.01(f) of Form 8-K filed in connection with the closing of the de-SPAC transaction where such financial statements were omitted from the registration statement for the de-SPAC transaction, to the extent the significance of the acquisition is greater than 20% but less than 50%.
Financial Statements of a Shell Company Registrant after the Combination with Predecessor
Rule 15-01(e) allows a registrant to exclude the financial statements of a SPAC for the period prior to the de-SPAC transaction if (i) all financial statements of the SPAC have been filed for all required periods through the de-SPAC transaction, and (ii) the financial statements of the registrant include the period in which the de-SPAC transaction was consummated. The Final Rule eliminates any distinction between a de-SPAC structured as a forward acquisition or a reverse recapitalization.
Other Amendments
In addition, the Final Rules make the following related amendments:
- amendment of Item 2.01(f) of Form 8-K to (i) refer to “predecessor,” rather than “registrant,” to clarify that the information required to be provided “relates to the acquired business and for periods prior to consummation of the acquisition”[19] and (ii) establish that registrant need not present audited financial statements for predecessor for any period prior to the earliest audited period if, at the time of filing, the predecessor meets the conditions of an “emerging growth company”; and
- amendment of Rules 3-01, 8-02, and 10-01(a)(1) of Regulation S-X to expressly refer to the balance sheet of the predecessors, consistent with the provision regarding income statements.
4. Enhanced Projections Disclosure
Disclosure of financial projections is not expressly required by the U.S. federal securities laws; however, it has been common practice for SPACs to use projections of the target company and post-de-SPAC company in its assessment of a proposed de-SPAC transaction, its investor presentations, and soliciting material once a definitive agreement is executed.
The Final Rules amend existing Commission guidance under Item 10(b) of Regulation S-K with respect to the use of any projections of future economic performance for any registrant and persons other than the registrant for any filings subject to Regulation S-K, as well as to add new, supplemental disclosure requirements applying only to de-SPAC transactions, under the new Item 1609 of Regulation S‑K.
Amended Item 10(b) of Regulation S-K
Under Item 10(b) of Regulation S-K, management may present projections regarding a registrant’s future performance, provided that (i) there is a reasonable and good faith basis for such projections, and (ii) they include disclosure of the assumptions underlying the projections and the limitations of such projections, and the presentation and format of such projections. Citing concerns of instances where target companies have disclosed projections that lack a reasonable basis,[20] the Final Rules amend Item 10(b) of Regulation S-K as follows:[21]
- Clarification of Applicability to Target Company. Item 10(b) of Regulation S-K currently refers to projections regarding the “registrant.” The Final Rule will modify the language to clarify that the guidance therein applies to any projections of future economic performance of both the registrant and persons other than the registrant (which would include a target company in a de-SPAC transaction), that are included in the registrant’s Commission filings.
- Historical Results. Disclosure of projected measures that are not based on historical financial results or operational history should be clearly distinguished from projected measures that are based on historical financial results or operational history.
- Prominence of Historical Results. Similar to non-GAAP presentation, the Commission will consider it misleading to present projections that are based on historical financial results or operational history without presenting such historical measure or operational history with equal or greater prominence.
- Non-GAAP Measures. Presentation of projections that include a non-GAAP financial measure should include a clear definition or explanation of the measure, a description of the GAAP financial measure to which it is most closely related, and an explanation why the non-GAAP financial measure was used instead of a GAAP measure. The Final Rule notes that the reference to the nearest GAAP measure called for by amended Item 10(b) will not require a reconciliation to that GAAP measure; however, the need to provide a GAAP reconciliation for any non-GAAP financial measures will continue to be governed by Regulation G and Item 10(e) of Regulation S-K.
It is important to note that the guidance in the amended Item 10(b) applies to all projections of future economic performance of any registrant and persons other than the registrant that are included in the registrant’s filings with the Commission (not only to de-SPAC transactions).
Proposed Item 1609 of Regulation S-K
In light of the traditional SPAC sponsor compensation structure (i.e., compensation in the form of post-closing equity) and the potential incentives and overall dynamics of a de-SPAC transaction, the Commission has adopted a new rule specific to de-SPAC transactions that will supplement the amendments to Item 10(b) of Regulation S-K (as discussed above). Specifically, the new Item 1609 of Regulation S-K will require SPACs to provide the following disclosures to accompany financial projections:
- Purpose of Projections. Any projection disclosed by the registrant in the filing (or any exhibit thereto) must include disclosure regarding (i) the purpose for which the projection was prepared, and (ii) the party that prepared the projection.
- Bases and Assumptions. Disclosure will include all material bases of the disclosed projections and all material assumptions underlying the projections, and any material factors that may materially affect such assumptions. This would include a discussion of any factors that may cause the assumptions to be no longer reasonable, material growth or reduction rates or discount rates used in preparing the projections, and the reasons for selecting such growth or reduction rates or discount rates[22].
- Views of Management and the Board. Disclosure must discuss whether or not the projections disclosed continue to reflect the views of the board of directors (or similar governing body) and/or management of the SPAC or target company, as applicable, as of the most recent practicable date prior to the date of the disclosure document required to be disseminated to security holders. If the projections do not continue to reflect the views of the board of directors (or similar governing body) and/or management, the SPAC should include a discussion of the purpose of disclosing the projections and the reasons for any continued reliance by the management or board on the projections.
Similar to the amendments to Item 10(b), the first two requirements summarized above should not come as a particular surprise to existing SPACs and their counsel as projections disclosure has been a significant area of scrutiny by the Commission in the registration statement and proxy statement review process.
We note, however, that the requirement under Item 1609 to add disclosure as to management’s and/or the board’s current views likely will require additional disclosure beyond what has been typical market practice. In particular, projections disclosure in a registration statement or proxy statement is often made in the context of a historical lookback to the projections in place at the time the board of directors of the SPAC assessed whether to enter into a de-SPAC transaction with the target company. These projections typically are not updated with newer data during the pendency of the transaction since the purpose of such disclosure is to inform investors of the board’s rationale for approving the transaction. Item 1609 does not explicitly require the updating of projections, but it does require the parties to disclose whether the included projections reflect the view of the SPAC and the target company as of the date of filing. Moreover, the potential to provide revised projections, coupled with obligations to disclose management’s and board’s continuing views, may prove challenging disclosure to be made between the signing of a business combination agreement and the filing of a registration statement or proxy statement and during the review period for such registration statement or proxy statement.
5. Status of SPACs under the Investment Company Act of 1940
Because pre-transaction SPACs are not engaged in any meaningful business other than investing their IPO proceeds, there has been uncertainty regarding whether they are “investment companies” under the Investment Company Act of 1940.[23] The Proposed Rules included a safe harbor that would have excluded certain SPACs from being defined as investment companies; however, the Commission instead set forth in the Final Rules facts and circumstances guidance relevant to investment-company classification using the five Tonopah factors employed in the standard analysis.[24]
- Nature of SPAC Assets and Income. If a SPAC were to invest in investment securities like corporate bonds—especially if those investments exceeded 40% of the SPAC’s assets—it would likely be an investment company. (Assets commonly held by SPACs today, such as U.S. government securities, money market funds, and cash, likely would not count heavily toward investment-company status.) Similarly, if a SPAC were to derive most of its income from investment securities, it would likely be an investment company.
- Management Activities. If a SPAC were to hold investment securities while its managers did not actively seek a de-SPAC transaction, or while its managers actively managed those securities to achieve investment returns, the SPAC would more likely be an investment company. Relatedly, SPAC sponsors should be aware that they may be classified as “investment advisers” under the Investment Advisers Act of 1940.[25]
- Duration. The longer a SPAC takes to achieve a de-SPAC transaction, the more likely its investment-company-like characteristics qualify it as an investment company. The Commission identifies two timelines as relevant for this analysis. Rule 3a-2 under the Investment Company Act provides a one-year safe harbor for “transient investment companies.” And blank-check companies under Investment Company Act Rule 419 are not investment companies because their duration is limited to 18 months. Because these timelines reflect the Commission’s thinking in similar circumstances, though outside of the SPAC context, SPACs operating beyond 12 or 18 months should assess whether they otherwise qualify as investment companies.
- Holding Out. A SPAC that markets itself like an investment company is likely to be considered to be an investment company. For example, a SPAC that advertises itself as an alternative to mutual funds is holding itself out as an investment company.
- Merging with an Investment Company. A SPAC that proposes to engage in a de-SPAC transaction with an investment company is likely to itself be an investment company.
SPACs should carefully assess all the facts and circumstances to determine whether they must register as investment companies. In particular, they should pay attention to the 12- and 18-month thresholds and whether investment securities account for most of their assets, income, or efforts.
IV. Conclusions
These Final Rules come as no surprise to SPAC market participants. Indeed, a comparison of existing de-SPAC transaction disclosure practices with many of the Final Rules merely evidences a codification of what the market has already adopted and anticipated over the nearly twenty-two month period since the Proposed Rules were first released. While the market appears to have already anticipated some of these changes, it remains to be seen whether the Final Rules will have any meaningful effect on current market conditions, as evidenced by the substantial retraction in the SPAC market over the last year, or if the SPAC market itself has naturally run its course in light of broader macro-economic trends.
Although we may view many of the Final Rules as reiterating the status quo, the Commission’s efforts here are noteworthy in that the Final Rules also touch upon broader market considerations. For example, the Final Rules’ facts and circumstances guidance with respect to the applicability of “underwriter” or “investment company” status, and the changes to Item 10(b) related to projections disclosure, are not limited solely to SPACs and should be considered relevant to other public market participants and advisors in similar and adjacent circumstances. As a result, we encourage our clients and public market participants to reach out to us to see how this rulemaking may affect their going-forward operations and business plans.
V. Commissioner Statements
For the published statements of the Commissioners, please see the following links:
Commissioner Caroline A. Crenshaw
Commissioner Mark T. Uyeda (Dissenting)
Commissioner Hester M. Peirce (Dissenting)
[1] U.S. Securities and Exchange Commission, Special Purpose Acquisition Companies, Shell Companies, and Projections, Exchange Act Release No. 99418 (January 24, 2024) (“Final Rules”), available at https://www.sec.gov/files/rules/final/2024/33-11265.pdf.
[2] For our discussion of the proposed rules, see Gibson, Dunn & Crutcher LLP, SEC Proposes Rules to Align SPACs More Closely with IPOs (April 6, 2022), available at https://www.gibsondunn.com/sec-proposes-rules-to-align-spacs-more-closely-with-ipos/.
[3] See Gibson, Dunn & Crutcher LLP, SEC Staff Issues Cautionary Guidance Related to Business Combinations with SPACs (April 6, 2021), link here (addressing certain accounting, financial reporting and governance issues related to SPACs and the combined company following a SPAC business combination), see also Gibson, Dunn & Crutcher LLP, SEC Division of Corporation Finance Issues Interpretations Addressed to SPACs’ Business Combinations (March 24, 2022), link here (discussing new Compliance and Disclosure Interpretations that addressed certain issues related to the business combination process of de-SPAC transactions), and Gibson, Dunn & Crutcher LLP, SEC Publishes C&DIs Addressing Tender Offer Issues (March 17, 2023), link here (discussing new Compliance and Disclosure Interpretations that addressed various tender offer issues in connection with de-SPAC transactions).
[4] U.S. Securities and Exchange Commission, Press Release (2024-8), SEC Adopts Rules to Enhance Investor Protections Relating to SPACs, Shell Companies, and Projections (January 24, 2024), available at https://www.sec.gov/news/press-release/2024-8.
[6] The term “promoter” is defined in Securities Act Rule 405 and Exchange Act Rule 12b-2.
[7] Under Section 6(a) of the Securities Act, each “issuer” must sign a Securities Act registration statement. The Securities Act broadly defines the term “issuer” to include every person who issues or proposes to issue any securities.
[10] The term “penny stock” is defined in 17 CFR 240.3a51-1.
[11] Section 11 of the Securities Act imposes on underwriters, among other parties identified in Section 11(a), civil liability for any part of the registration statement, at effectiveness, which contained an untrue statement of a material fact or omitted to state a material fact required to be stated therein or necessary to make the statements therein not misleading, to any person acquiring such security. Further, Section 12(a)(2) imposes liability upon anyone, including underwriters, who offers or sells a security, by means of a prospectus or oral communication, which includes an untrue statement of a material fact or omits to state a material fact necessary in order to make the statements, in the light of the circumstances under which they were made, not misleading, to any person purchasing such security from them.
[14] Although the Securities Act does not expressly require an underwriter to conduct a due diligence investigation, the Final Rules reiterate the Commission’s long-standing view that underwriters nonetheless have an affirmative obligation to conduct reasonable due diligence. Final Rules, p. 288. This was also mentioned by the Commission in fn. 184 of the Proposed Rule (citing In re Charles E. Bailey & Co., 35 S.E.C. 33, at 41 (Mar. 25, 1953) (“[An underwriter] owe[s] a duty to the investing public to exercise a degree of care reasonable under the circumstances of th[e] offering to assure the substantial accuracy of representations made in the prospectus and other sales literature.”); In re Brown, Barton & Engel, 41 SEC 59, at 64 (June 8, 1962) (“[I]n undertaking a distribution . . . [the underwriter] had a responsibility to make a reasonable investigation to assure [itself] that there was a basis for the representations they made and that a fair picture, including adverse as well as favorable factors, was presented to investors.”); In the Matter of the Richmond Corp., infra note 185 (“It is a well-established practice, and a standard of the business, for underwriters to exercise diligence and care in examining into an issuer’s business and the accuracy and adequacy of the information contained in the registration statement . . . The underwriter who does not make a reasonable investigation is derelict in his responsibilities to deal fairly with the investing public.”)).
[17] Id., p. 112 (citing the staff guidance under the Division of Corporation Finance’s Financial Reporting Manual).
[18] Id., p. 112 (citing the staff guidance under the Division of Corporation Finance’s Financial Reporting Manual at Section 4110.5).
[20] For example, the Commission cites to recent enforcement actions against SPACs, alleging the use of baseless or unsupported projections about future revenues and the use of materially misleading underlying financial projections. See, e.g., In the Matter of Momentus, Inc., et al., Exch. Act Rel. No. 34-92391 (July 13, 2021); SEC vs. Hurgin, et al., Case No. 1:19-cv05705 (S.D.N.Y., filed June 18, 2019); In the Matter of Benjamin H. Gordon, Exch. Act Rel. No. 34-86164 (June 20, 2019); and SEC vs. Milton, Case No. 1:21-cv-6445 (S.D.N.Y., filed July 29, 2021).
[21] The Final Rules made three technical revisions to Item 10(b). The first two changes are to enhance clarity and avoid potential ambiguity. The third revision is to create consistency with the terms used in existing Item 10(e)(1)(i)(A) of Regulation S-K. In Item 10(b)(2)(i), they replaced the term “foregoing measures of income” with the term “foregoing measures of income (loss).” In Item 10(b)(2)(iii), they replaced the term “historical financial measure” with the term “historical financial results.” In Item 10(b)(2)(iv), they revised the item to require a description of the GAAP financial measure “most directly comparable” to the non-GAAP measure, rather than “most closely related.”
[22] Two examples of “discount rates” are: (1) the weighted average cost of capital used to discount to present value the future cash flows over the period of years projected in a discounted cash flow analysis and (2) the rate applied to the terminal value in a discounted cash flow analysis to calculate its present value.
[23] See 15 U.S.C. §§ 80a-3(a)(1)(A), (a)(1)(C).
[24] See In the Matter of Tonopah Mining Co., 26 S.E.C. 426 (July 21, 1947).
[25] See 15 U.S.C. § 80b-2(a)(11).
__________
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Capital Markets, Mergers and Acquisitions, Securities Enforcement, or Securities Regulation and Corporate Governance practice groups, or the following practice leaders and authors:
Evan M. D’Amico – Washington, D.C. (+1 202.887.3613, edamico@gibsondunn.com)
Gerry Spedale – Houston (+1 346.718.6888, gspedale@gibsondunn.com)
James O. Springer – Washington, D.C. (+1 202.887.3516, jspringer@gibsondunn.com)
Rodrigo Surcan – New York (+1 212.351.5329, rsurcan@gibsondunn.com)
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)
Capital Markets:
Andrew L. Fabens – New York (+1 212.351.4034, afabens@gibsondunn.com)
Hillary H. Holmes – Houston (+1 346.718.6602, hholmes@gibsondunn.com)
Stewart L. McDowell – San Francisco (+1 415.393.8322, smcdowell@gibsondunn.com)
Peter W. Wardle – Los Angeles (+1 213.229.7242, pwardle@gibsondunn.com)
Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
James J. Moloney – Orange County (+1 949.451.4343, jmoloney@gibsondunn.com)
Lori Zyskowski – New York (+1 212.351.2309, lzyskowski@gibsondunn.com)
Brian J. Lane – Washington, D.C. (+1 202.887.3646, blane@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, rmueller@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, tkim@gibsondunn.com)
Mike Titera – Orange County (+1 949.451.4365, mtitera@gibsondunn.com)
Aaron Briggs – San Francisco (+1 415.393.8297, abriggs@gibsondunn.com)
Julia Lapitskaya – New York (+1 212.351.2354, jlapitskaya@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
An analysis of important trends and developments in AML regulation and enforcement, including key priorities emphasized by enforcers, notable enforcement actions and prosecutions, significant judicial opinions, and an important legislative development.
U.S. enforcers increasingly rely on the anti-money laundering (“AML”) statutes to police a wide variety of conduct. Broadly speaking, there are two types of AML statutes: (1) statutes that prohibit certain conduct (for example, knowingly engaging in a financial transaction with the intent to conceal unlawful activity), and (2) statutes that impose affirmative obligations on certain types of businesses to engage in identification and reporting of suspicious financial activity (for example, the Bank Secrecy Act (“BSA”)).
In this alert, we analyze the most important trends and developments in AML regulation and enforcement by recapping significant developments during the preceding year. In this inaugural edition, we recap 12 of the most important developments of 2023, including key priorities emphasized by enforcers, notable enforcement actions and prosecutions, significant judicial opinions, and an important legislative development.
Agency Priorities
We begin with a look at some of the U.S. government’s most significant priorities in the AML space: national security and the Corporate Transparency Act.
- The Biden Administration Continues to Focus on National Security and AML
In 2023, the Biden administration prioritized investigations and prosecutions in the national security arena, particularly those implicating AML and sanctions. Department of Justice (“DOJ”) officials have repeatedly described sanctions as “the new FCPA”—relevant to an expanding number of industries, the focus of an increasingly multilateral enforcement regime, and subject to voluntary self-disclosure incentives.[1] Even businesses far removed from the defense sector, such as tobacco, cement, and shipping, faced enforcement actions for allegedly paying insufficient attention to the national security risks posed by certain actors, regions, and activities.[2] Further, money laundering-related cases now routinely intersect with international sanctions and export control violations.[3]
The U.S. government has backed its enforcement priorities with substantial resourcing. DOJ’s National Security Division designated its first Chief Counsel for Corporate Enforcement, Ian Richardson, and announced the hiring of 25 new prosecutors to investigate national security-related economic crimes.[4] Moreover, the Criminal Division’s Bank Integrity Unit likewise added six prosecutors—a 40 percent increase—to target national security-related financial misconduct.[5]
DOJ, along with the Departments of Treasury and Commerce, has embraced a “whole of government” approach to national security and illicit finance. One example is its growing use of inter-agency task forces. In 2023, DOJ’s Task Force KleptoCapture hit its stride with asset seizures (using, inter alia, money-laundering seizure theories) totaling more than $500 million of criminal assets with ties to the Russian regime.[6] Building on the success of KleptoCapture, the Departments of Justice and Commerce also launched the Disruptive Technology Strike Force,[7] a multi-agency task force that works to prevent U.S. adversaries from illicitly acquiring sensitive U.S. technology. The Disruptive Technology Strike Force already has brought money laundering prosecutions against those who allegedly evaded U.S. trade restrictions.[8] DOJ and Treasury—along with U.S. allies—have likewise continued to convene the Russian Elites, Proxies, and Oligarchs (REPO) Task Force.[9] This task force works to investigate and counter Russian sanctions evasion, including cryptocurrency and money laundering, and has blocked or frozen more than $58 billion of sanctioned Russian assets.[10]
U.S. enforcers have also released a number of alerts emphasizing the interplay between money laundering and national security issues. Treasury’s Financial Crimes Enforcement Network (“FinCEN”) is the U.S. government’s leading anti-money laundering regulator. In 2023, FinCEN issued three AML alerts to help detect potentially suspicious activity relating to Hamas’s financing and Russian export control violations.[11] FinCEN also issued supplemental AML alerts with Commerce’s Bureau of Industry and Security (“BIS”) that highlighted export evasion typologies.[12] In a similar vein, DOJ’s National Security Division began issuing joint advisories with Commerce and Treasury that provide the private sector with information about enforcement actions against those who use money laundering to support violations of U.S. sanctions and export controls.[13]
- The Corporate Transparency Act’s Reporting Requirements to Assist AML Investigations
In January of 2021, the Anti-Money Laundering Act of 2020 became law.[14] One of the provisions in the bill was the Corporate Transparency Act (“CTA”), which established a new regime in the United States requiring many corporate entities to file a form with FinCEN disclosing their beneficial owners.[15]
To implement the CTA, FinCEN has currently issued two rules (with a third in progress). The first rule, the “Reporting Rule,” sets forth which entities need to disclose their beneficial ownership information (“BOI”) to FinCEN and by when. Entities subject to these reporting requirements include both “domestic reporting companies” and “foreign reporting companies.” Domestic reporting companies are defined as corporations, limited liability companies, or any other entity created by the filing of a document with a secretary of state or tribal nation.[16] Foreign reporting companies are corporations, LLCs, or other entities formed under the laws of a foreign country and registered to do business within any U.S. state.[17]
Domestic and foreign reporting companies must file BOI data with FinCEN unless an exemption applies. The CTA affords 23 exemptions for various entities—including public companies, money services businesses, select banks and credit unions, and large operating companies, defined as having more than 20 full-time employees, an office space, and $5 million in gross receipts or sales in the United States the prior tax year.[18] There is also an exemption for investment advisers and investment funds, as detailed further in a prior Gibson Dunn client alert.[19] Additionally, subsidiaries of certain exempt entities need not report BOI in particular circumstances.[20] However, pursuant to recent guidance from FinCEN, that exception only applies to subsidiaries that are “fully, 100 percent owned or controlled by an exempt entity.”[21]
If no exemption applies, then select domestic and foreign entities must disclose the relevant BOI. In general, these BOI reports must identify two categories of individuals: (1) the beneficial owners of the entity (defined as those natural persons who own at least 25% of the entity or who exercise “substantial control” over it); and (2) the company applicants of the entity (meaning those directly involved in or responsible for the filing that creates the company).[22] Companies formed before January 1, 2024, however, need only submit the names of their beneficial owners and not the identities of company applicants.[23] FinCEN’s Reporting Rule became operative as of January 1, 2024, with the regulation specifying varying deadlines for submission of BOI data.[24]
The effects of the CTA will continue to unfold in the coming months and years, but it has created significant work for companies as they sort through which of their corporate entities have any reporting obligations.
Notable Corporate AML Resolutions
2023 saw a number of notable AML resolutions. Below, we discuss those that broke new ground.
- MindGeek: A Novel Application of The Spending Statute, 18 U.S.C. § 1957
In a prototypical case, U.S. prosecutors must prove three things to establish a violation of the general money laundering statute (18 U.S.C. § 1956): (1) the commission of an underlying felony (a “Specified Unlawful Activity” or “SUA”); (2) knowingly engaging in a financial transaction; and (3) specific intent to conceal or further the SUA through the financial transaction.[25] U.S. enforcers, however, have a second powerful tool at their disposal—the money laundering “spending statute” (18 U.S.C. § 1957). In a case involving the spending statute, prosecutors are relieved of the burden to prove specific intent to conceal or commit a further crime. Rather, the spending statute requires only (1) the commission of an SUA; and (2) knowingly engaging in a financial transaction involving $10,000 or more of proceeds from the SUA.[26]
On December 21, 2023, DOJ entered into a Deferred Prosecution Agreement with Aylo Holdings S.A.R.L. and its subsidiaries (collectively known as “MindGeek”) involving a novel and aggressive theory using the money laundering spending statute. MindGeek is the parent company of Pornhub and similar websites.[27] DOJ charged MindGeek with violating the spending statute for knowingly engaging in monetary transactions related to sex trafficking activity. DOJ’s theory centered on MindGeek’s relationship with two of its content partners, GirlsDoPorn.com (“GDP”) and GirlsDoToys.com (“GDT”) and the operators of those sites (referred to in the DPA as “the GDP Operators”).[28] According to the resolution documents, both GDP and GDT had specialized channels on MindGeek’s platforms, including Pornhub. Between mid-2017 and mid-2019, MindGeek allegedly received over $100,000 in payments from the GDP Operators.[29] DOJ also alleged that MindGeek “received payments from advertisers attributable to GDP and GDT content” totaling approximately $763,000.[30]
To purportedly establish that MindGeek knew the proceeds had illicit origins, DOJ relied on a mosaic of sources, including civil and criminal legal filings, news stories about these cases, takedown requests, and a business records subpoena.[31] Specifically, DOJ alleged that MindGeek’s knowledge derived from:
- MindGeek’s receipt of a subpoena for production of business records from plaintiffs’ counsel in a lawsuit filed against GDP in 2016. The complaint in that lawsuit alleged that the GDP Operators had tricked the plaintiffs into appearing in pornographic videos posted to GDP by promising them that their videos would not be posted online;[32]
- MindGeek’s receipt of content removal requests from plaintiffs in the lawsuit,[33] plaintiffs’ counsel, and other individuals;[34]
- Publicly available criminal filings announcing the sex trafficking charges against GDP operators;[35] and
- MindGeek executives’ receipt and internal discussion of news articles about the stages of the civil and criminal proceedings against GDP operators.[36]
On the basis of these allegations, MindGeek entered into a DPA asserting a violation of 18 U.S.C. § 1957.[37] MindGeek agreed to submit to a monitorship for three years[38] and pay a total fine of $974,692.06.[39] Notably, MindGeek agreed to compensate victims in the “full amount of [their] losses” caused by publication of their images on MindGeek’s websites, not including losses for pain and suffering, including a minimum of $3,000 per victim who can demonstrate harm.[40] Also, the DPA contained a stipulation that MindGeek “did not commit, conspire to commit, or aid and abet the commission of sex trafficking.”[41]
This is a novel and aggressive use of § 1957 because DOJ relied on sources such as the public allegations of wrongdoing and a business records subpoena to establish knowledge. Although the resolution may be explained in part by the nature of the industry involved, the resolution nevertheless suggests that public allegations of wrongdoing, the receipt of a business records subpoena, takedown requests, and receipt and discussion of news articles about allegations can serve as ways that DOJ may try to establish knowledge under § 1957 against companies.
- U.S. Enforcers Extend Reach of BSA and Sanctions to Non-U.S. Crypto Company
Binance, an overseas, non-U.S. company, is the world’s largest cryptocurrency exchange by trading volume. On November 21, 2023, Binance reached a settlement to resolve a multi-year investigation with DOJ, the Commodity Futures Trading Commission (“CFTC”), the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and FinCEN.[42] Gibson Dunn represented Binance in this resolution.
Although Binance is a non-U.S. company, the enforcers alleged that it historically had U.S. users on its platform. As a result, the enforcers alleged that Binance needed to register as a foreign-located money services business and maintain an adequate AML program under U.S. law because it did business “wholly or in substantial part” within the United States.[43]
Prior to the Binance resolution, sanctions resolutions with cryptocurrency exchanges generally involved U.S. exchanges, which are prohibited from providing financial services to persons in jurisdictions subject to sanctions regulated by OFAC.[44] As a non-U.S. person, Binance could do business in sanctioned jurisdictions.[45] However, because Binance’s platform historically had both U.S. users and users from sanctioned jurisdictions, enforcers alleged that Binance used a “matching engine [. . .] that matched customer bids and offers to execute cryptocurrency trades.”[46] The failure to have sufficient controls on the matching engine, which operated randomly in matching users for trades, meant that it would “necessarily cause” transactions between U.S. users and users targeted by U.S. sanctions.[47] Enforcers took the position that these transactions violated U.S. civil and criminal sanctions law because the International Emergency Economic Powers Act (“IEEPA”) prohibits, among other things, “causing” a violation of sanctions by another party.[48] In other words, by randomly pairing trades between a historical U.S. user and a person from a sanctioned jurisdiction, Binance was causing the U.S. person to violate their sanctions obligations. This resolution illustrates the breadth of U.S. jurisdiction to police sanctions offenses, even against non-U.S. companies.
Criminally, Binance pled guilty to (1) conspiracy to conduct an unlicensed money transmitting business, in violation of 18 U.S.C. § 1960 and 31 U.S.C. § 5330 for failure to register,[49] (2) failure to maintain an effective anti-money laundering program, in violation of 31 U.S.C. §§ 5318(h), 5322,[50] and (3) violating IEEPA, 50 U.S.C. § 1701 et seq.[51] Binance also entered into parallel civil settlements with FinCEN (failure to register, AML program) and OFAC (sanctions).[52] Further, Binance entered into a settlement with the CFTC for violating various sections of the Commodity Exchange Act and related provisions.[53]
As part of the resolution, Binance agreed to pay $4.3 billion to the U.S. government over an approximately 18-month period.[54] Binance also agreed to continue with certain compliance enhancements and agreed to a three-year DOJ monitorship.[55]
- FinCEN Designates Bitzlato as a “Primary Money-Laundering Concern” Pursuant to New Powers Designed to Target Russian Money Laundering
On January 18, 2023, FinCEN issued an order identifying Bitzlato Limited, a Hong Kong-based cryptocurrency exchange, as a “primary money laundering concern.”[56] It issued this designation because Bitzlato was allegedly “repeatedly facilitating transactions for Russian-affiliated ransomware groups, including Conti, a Ransomware-as-a-Service group that has links to the Russian government and to Russian-connected darknet markets.”[57] The Bitzlato order is the first order issued pursuant to FinCEN’s powers under the Combatting Russian Money Laundering Act.[58]
In 2021, Congress passed the Combatting Russian Money Laundering Act (“Section 9714(a)”), which expanded the actions that FinCEN can take whenever it designates an entity as a “primary money laundering concern.”[59] Previously, whenever the Treasury Secretary had “reasonable grounds” for concluding that an entity is of “primary money laundering concern,”[60] then the Treasury Secretary could impose special measures that would limit the entity’s access to the global financial system.[61] Section 9714(a) provides additional powers to FinCEN to “prohibit, or impose conditions upon, certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency.”
Under the terms of the Bitzlato order, FinCEN prohibits financial institutions (as defined in 31 C.F.R. § 1010.100(t)) from engaging in the transmittal of funds from or to Bitzlato. In remarks addressing the order, Deputy Secretary Adeyemo said that designating Bitzlato as a primary money laundering concern was a “unique step” that has only been taken a handful of times.[62]
DOJ also brought a parallel criminal proceeding against Bitzlato co-founder and Russian national Anatoly Legkodymov, who pleaded guilty to operating an unlicensed money transmitter and agreed to dissolve Bitzlato.[63]
Looking ahead, FinCEN will likely continue to be aggressive in using its authorities in the digital assets space. On October 19, 2023, for instance, FinCEN issued a Notice of Proposed Rulemaking which proposed to designate cryptocurrency mixers as a primary money laundering concern under Section 311 of the Patriot Act.[64] This is FinCEN’s first proposed Section 311 action involving a class of transactions.
- FinCEN Imposes Civil Penalty on Shinhan, Reflecting Increased Scrutiny of Customer Due Diligence and Transaction Monitoring Systems
On September 29, 2023, FinCEN imposed a $15 million civil penalty on Shinhan Bank America for willful violation of the BSA.[65] The Consent Order reflects FinCEN’s growing scrutiny of—and increasingly granular expectations for—customer due diligence and transaction monitoring systems.
Notably, FinCEN criticized Shinhan’s overly “rigid” methodology for calculating customer risk rating scores and emphasized that banks should maintain formal customer risk rating procedures.[66] Risk ratings should not be solely based on customer type (e.g., individual vs. corporate entity) or the type of product (e.g., home mortgage vs. letter of credit). Rather, they should be individually assessed—both at onboarding and throughout the customer relationship—and be based on the customer’s activity and any new information learned about the customer.[67]
The Shinhan Order also makes clear that customers’ risk ratings should inform financial institutions’ monitoring of transactions. The Order notes that Shinhan’s transaction monitoring system did not cluster accounts belonging to the same customer relationship or aggregate transaction activity across different transaction types, undermining its ability to identify suspicious activity. It also includes examples of scenarios that banks should consider incorporating into their transaction monitoring systems, including:
- wire transfers sent to several beneficiaries from a single originator, or sent from several originators to a single beneficiary;
- transactions passing through a large number of jurisdictions; and
- transactions conducted using Remote Deposit Capture.
Moreover, the Order states that these systems should be regularly and comprehensively tested to ensure all scenarios alert as intended, all relevant data properly feeds into the system, scenarios are sufficient and tailored for each product, and scenarios are appropriately applied to ingested data.[68]
- FinCEN Issues First Action Against Trust Company
On April 26, 2023, FinCEN assessed a $1.5 million civil penalty against South Dakota-chartered Kingdom Trust Company for willful violation of the BSA.[69] This was FinCEN’s first action against a trust company.
FinCEN assessed a penalty against Kingdom Trust after the company opened accounts and provided services for Latin America-based trading companies and financial institutions with virtually no controls to identify or assess suspicious transactions.[70] A consultant referred clients based in Uruguay, Argentina, Panama, and other locations to the Trust.[71] Kingdom Trust then held cash and securities for these customers and initiated a high volume of suspicious transactions worth approximately $4 billion that went unchecked and unreported.[72] Despite providing services to customers who were the subject of prior media reports related to money laundering and securities fraud, the Trust’s AML compliance program consisted of a single individual responsible for manually reviewing daily transactions.[73]
FinCEN’s action against Kingdom Trust reflects the agency’s growing focus on entities beyond traditional financial institutions, including those not historically subject to the BSA, such as real estate businesses and investment advisors.[74] It also reflects the agency’s unwillingness to “tolerate trust companies with weak compliance programs that fail to identify and report suspicious activities, particularly with respect to high-risk customers whose businesses pose an elevated risk of money laundering.”[75]
- FinCEN Issues First Action Under Gap Rule Against Bancrédito for Failing to Report Suspicious Transactions
On September 15, 2023, FinCEN levied a $15 million civil monetary penalty against Bancrédito International Bank and Trust Corporation (Bancrédito).[76] Bancrédito (which held U.S. dollar-denominated accounts on behalf of numerous Central American and Caribbean financial institutions) allegedly failed to report suspicious transactions (“SARs”) involving movement of U.S. dollars and never established or maintained an AML program, as required by the recently enacted “Gap Rule” (31 C.F.R. § 1020.210).[77]
The enforcement action against Bancrédito is notable in multiple respects. It is the first time that FinCEN took action against a Puerto Rican International Banking Entity (“IBE”). The U.S. Department of the Treasury’s 2022 National Money Laundering Risk Assessment alleged that IBEs pose an elevated risk of money laundering.[78] It is also the first enforcement action under FinCEN’s recently enacted “Gap Rule.” Previously, banks lacking federal functional regulators (such as private banks, non-federally insured credit unions, and certain trust companies) were exempt from select AML program obligations, namely (1) the development of internal policies, procedures, and controls; (2) the designation of a compliance officer; (3) facilitating an ongoing employee training program; and (4) requiring an independent audit function to test programs.[79] However, the “Gap Rule,” effective beginning in 2021, functionally filled that “gap” by requiring the newly covered entities to meet those specific AML requirements (along with also complying with pre-existing BSA obligations such as reporting SARs).[80]
Individual Prosecutions
2023 also featured a number of notable prosecutions of individuals under U.S. money laundering statutes, including in connection with sanctions evasion and in the digital assets industry.
- Money Laundering and Sanctions Evasion
In 2023, federal prosecutors on DOJ’s Task Force KleptoCapture brought several prosecutions against the associates of sanctioned oligarch Viktor Vekselberg. OFAC designated Vekselberg as a Specially Designated National (“SDN”) in March 2018.[81] In 2023, DOJ brought a number of prosecutions which reflect the growing intersection between money laundering and sanctions evasion.[82]
On January 20, 2023, DOJ announced the indictment of Vladislav Osipov and Richard Masters for facilitating a sanctions evasion and money laundering scheme related to a 255-foot luxury yacht owned by Vekselberg.[83] Osipov and Masters used U.S. companies to manage the operation of the vessel and to obfuscate Vekselberg’s involvement, including using payments through third parties and non-U.S. currencies to do business with U.S. companies.[84]
DOJ also targeted Vekselberg’s property portfolio in the United States and those who helped him manage it. On February 7, 2023, federal prosecutors announced the indictment of Vladimir Voronchenko, an associate of Vekselberg’s, for making more than $4 million in payments to maintain four U.S. properties owned by Vekselberg and for his attempt to sell two of those properties.[85] A few weeks later, on February 24, prosecutors brought a civil forfeiture complaint against six of Vekselberg’s properties in New York City, Southampton, New York, and Fisher Island, Florida, alleging that they were the proceeds of sanctions violations and involved in international money laundering.[86]
Vekselberg’s U.S. associates also faced prosecution for their role in money laundering and evading U.S. sanctions. On April 25, 2023, New York attorney Robert Wise pled guilty to conspiracy to commit international money laundering for unlawfully transferring Russian funds into the United States in violation of U.S. sanctions.[87] Voronchenko had retained Wise to assist him in managing Vekselberg’s U.S. properties.[88] Immediately after Vekselberg’s designation as an SDN, Wise’s IOLTA Account began to receive wires from new sources, a Russian bank account, and a bank account in the Bahamas held in the name of a shell company controlled by Voronchenko.[89] Despite being aware of Vekselberg’s designation as an SDN, Wise received 25 wire transfers totaling nearly $3.8 million in his IOLTA account between June 2018 and March 2022 and used these funds to maintain and service Vekselberg’s properties in defiance of U.S. sanctions.[90]
Collectively, these actions demonstrate the increasing interplay between violations of U.S. sanctions and money laundering laws.
- Money Laundering Prosecutions of Cryptocurrency Executives for Fraud
2023 also included a number of money laundering prosecutions against executives in the digital assets industry. The most significant of 2023’s individual prosecutions sounded in fraud and subsequent laundering of the fraud proceeds.
On November 2, 2023, a New York jury convicted FTX founder Sam Bankman-Fried of stealing billions of dollars’ worth of FTX customer deposits, capping one of the highest-profile criminal fraud trials in recent history.[91] One of the charges against Bankman-Fried was violating 18 U.S.C. § 1956(a)(1)(B)(i), on the basis that he knowingly engaged in a transaction involving proceeds of illegal activity in order to hide the illegal origins of the funds; and Section 1957(a), on the basis that he engaged in a transaction involving criminally derived property exceeding $10,000.[92] These charges related to the transfer of customer funds from Bankman-Fried’s centralized exchange, FTX, to FTX’s sister organization, the hedge fund Alameda Research.[93] Bankman-Fried was convicted on all seven counts, including the money laundering charges.[94] Bankman-Fried’s sentencing hearing is scheduled for March 2024.[95]
Earlier in 2023, Nate Chastain, the former Head of Product at NFT Trading Platform OpenSea, was convicted by a jury of wire fraud and money laundering in what is considered the first insider-trading case involving digital assets. Chastain was accused of purchasing NFTs before they were featured on OpenSea’s homepage, where they subsequently rose in price. Perhaps because the question of whether NFTs are subject to securities laws remains open,[96] DOJ prosecuted Chastain under wire fraud and money laundering statutes.[97] DOJ alleged money laundering because, by engaging in insider trading of NFTs, Chastain knowingly conducted a financial transaction involving the proceeds of an unlawful activity (i.e., wire fraud), in violation of 18 U.S.C. § 1956(a)(1)(B)(i).[98]
Another notable fraud-based cryptocurrency executive prosecution of 2023 involved the former SafeMoon executives, who were accused of making a series of fraudulent misrepresentations about the cryptocurrency that they managed and marketed.[99] DOJ charged a violation of 18 U.S.C. § 1956(a)(1)(B)(i) on the theory that the executives knowingly engaged in and covered up transactions involving the proceeds of securities fraud and wire fraud.[100]
Judicial Opinions
- The Implications of Narrowing the Honest Services Wire Fraud Statute
Two judicial decisions in 2023 could affect how prosecutors pursue future money laundering prosecutions. These opinions involve the now highly-publicized FIFA corruption and Varsity Blues scandals—occasions where individuals allegedly made illicit payments to secure lucrative FIFA contracts and favorable college admission decisions, respectively. In both United States v. Full Play Grp., S.A., 2023 WL 5672268 (E.D.N.Y. Sept. 1, 2023) (involving the FIFA corruption matter) and United States v. Abdelaziz, 68 F.4th 1 (1st Cir. 2023) (a decision relating to Varsity Blues), federal courts held that certain transactions failed to qualify as unlawful instances of honest services wire fraud—a predicate offense that prosecutors frequently rely on when charging money laundering.[101]
In Full Play, several individuals and companies in the entertainment industry sought to earn media and other related contracts with various sports organizations (including soccer’s FIFA).[102] In an effort to secure these contracts, the media representatives were alleged to have paid FIFA officials significant sums in side payments.[103] Though various individuals were charged with honest services wire fraud for their actions, the district court found that such payments (i.e., those made to private employees of a foreign corporation and labeled as foreign commercial bribery) did not qualify as actionable instances of honest services fraud under 18 U.S.C. §§ 1343 and 1346.[104] In reaching that conclusion, the district court applied two Supreme Court opinions issued last term: Percoco v. United States, 598 U.S. 319 (2023) and Ciminelli v. United States, 598 U.S. 306 (2023). Citing specifically to the Percoco decision, the district court found that honest services fraud “must be defined with the clarity typical of criminal statutes and should not be held to reach an ill-defined category of circumstances simply because of a smattering” of earlier precedents.[105] Applying that standard, the district court vacated the convictions because no applicable precedents precisely addressed (and thus criminalized) comparable instances of foreign commercial bribery.[106] Full Play is currently the subject of an appeal in the Second Circuit.[107]
Similarly, albeit before Percoco and Ciminelli were decided, the Abdelaziz court removed another type of transaction from the range of prosecutable offenses under the honest services fraud provision. In that case, a parent was convicted of making illicit side payments to college admissions personnel—intending that the payments would secure preferential admissions decisions for his child.[108] On appeal, the Abdelaziz court overturned the conviction—finding that such conduct did not amount to honest services wire fraud. In reaching that result, the court specified that the transaction at issue—one where the alleged briber (the convicted parent) actually compensated the alleged victim (the university)—did not fit the conventional understanding of “bribe” or “kickback” under 18 U.S.C. §§ 1343 and 1346.[109] Because no prior decision had specifically barred payments that so clearly benefitted an alleged victim, it could not be considered a criminal deprivation of honest services.
As the courts continue to narrow the scope of the honest services wire fraud statute, prosecutors will be forced to craft different theories of honest services wire fraud and/or rely on different predicate offenses when identifying an SUA required for charging money laundering.
Legislation
2023 also saw an important legislative change in the bribery space, which will also impact money laundering prosecutions.
- The Impact of FEPA for Money Laundering Prosecutions
On December 22, 2023, federal lawmakers passed the Foreign Extortion Prevention Act (“FEPA”). FEPA criminalizes what is colloquially referred to as “demand side” bribery—instances in which foreign officials demand, solicit, seek, or receive bribes from a domestic person or U.S.-located company.[110] Before FEPA’s passage, no particular provision under federal law penalized this particular scheme—with the Foreign Corrupt Practices Act (“FCPA”) focusing instead on the supply side of offering or paying bribes to foreign persons.[111] FEPA arms prosecutors with a new tool to root out alleged instances of foreign bribery or extortion that is focused on foreign public officials.
More than just an anti-corruption mechanism, FEPA will also equip prosecutors with an additional tool to pursue money laundering prosecutions. By its terms, any contemplated or actual violation of FEPA would qualify as an SUA under the money laundering statutes.[112] Passage of this law will allow prosecutors to rely on U.S. law (i.e., FEPA) when charging foreign officials with money laundering, as opposed to having to allege that the conduct constituted bribery under the foreign laws of another country, which is also an SUA.
Conclusion
2023 was a notable year in the AML enforcement space. We anticipate that 2024 will also be active, as the impacts of FinCEN’s AML whistleblower program begin to be felt, and the additional prosecutors come online in the Criminal Division’s Bank Integrity Unit and the National Security Division’s Counterintelligence and Export Control Section. Moreover, there are yet-to-be issued rules expected both for regulation of the real estate industry and for registered investment advisors.
__________
[1] See, e.g., Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global (“It is for all of these reasons that the DAG [Deputy Attorney General] has warned that from a compliance standpoint ‘sanctions are the new FCPA.’”).
[2] See Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global (“Even business operations and lines far removed from the defense sector – like cigarettes, cement, and shipping – can pose dire national security risks if companies are not highly sensitive to high-risk actors, high-risk regions, and high-risk activities.”).
[3] Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Ethics and Compliance Initiative IMPACT Conference (May 3, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-ethics-and (“From money laundering and cyber- and crypto-enabled crime to sanctions and export control evasion and even funneled payments to terrorist groups, corporate crime increasingly — now almost routinely — intersects with national security concerns.”).
[4] Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global.
[5] Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime (Mar. 2, 2023), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-american-bar-association-national; Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global.
[6] Deputy Assistant Attorney General Eun Young Choi Delivers Keynote Remarks at GIR Live: Sanctions & Anti-Money Laundering Meeting (Nov. 16, 2023), https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-eun-young-choi-delivers-keynote-remarks-gir-.live.
[7] Press Release, U.S. Dep’t of Just., Justice and Commerce Departments Announce Creation of Disruptive Technology Strike Force (May 16, 2023), https://www.justice.gov/opa/pr/justice-and-commerce-departments-announce-creation-disruptive-technology-strike-force; see also Press Release, U.S. Dep’t of Just., Justice Department Announces Five Cases as Part of Recently Launched Disruptive Technology Strike Force (May 16, 2023), https://www.justice.gov/opa/pr/justice-department-announces-five-cases-part-recently-launched-disruptive-technology-strike.
[8] Id.
[9] Press Release, U.S. Dep’t of Just., Russian Elites, Proxies, and Oligarchs Task Force Ministerial Joint Statement (Mar. 17, 2022), https://www.justice.gov/opa/pr/russian-elites-proxies-and-oligarchs-task-force-ministerial-joint-statement.
[10] Press Release, U.S. Dep’t of Just., Russian Elites, Proxies, and Oligarchs Task Force Ministerial Joint Statement (Mar. 17, 2023), https://www.justice.gov/opa/pr/russian-elites-proxies-and-oligarchs-task-force-ministerial-joint-statement; Statement, U.S. Dep’t of Just., Joint Statement from the REPO Task Force (Mar. 9, 2023), https://home.treasury.gov/news/press-releases/jy1329.
[11] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Alert to Financial Institutions to Counter Financing to Hamas and its Terrorist Activities (Oct. 20, 2023), https://www.fincen.gov/sites/default/files/2023-10/FinCEN_Alert_Terrorist_Financing_FINAL508.pdf; Supplemental Alert: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts (May 19, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN%20and%20BIS%20Joint%20Alert%20_FINAL_508C.pdf; FinCEN Alert on Potential U.S. Commercial Real Estate Investments by Sanctioned Russian Elites, Oligarchs, and Their Proxies (Jan. 25, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN%20Alert%20Real%20Estate%20FINAL%20508_1-25-23%20FINAL%20FINAL.pdf.
[12] Supplemental Alert: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts (May 19, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN%20and%20BIS%20Joint%20Alert%20_FINAL_508C.pdf; FinCEN & BIS Joint Notice: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Announce New Reporting Key Term and Highlight Red Flags Relating to Global Evasion of U.S. Export Controls (Nov. 6, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN_Joint_Notice_US_Export_Controls_FINAL508.pdf.
[13] See U.S. Dep’t of Com., U.S. Dep’t of the Treasury, and U.S. Dep’t of Just., Tri-Seal Compliance Note: Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls (Mar. 2, 2023), https://www.justice.gov/nsd/file/1277536/dl?inline. See also Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime (Mar. 2, 2023), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-american-bar-association-national.
[14] See William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283, Div. F.
[15] Id., § 6403 (adding 31 U.S.C. § 5336).
[16] 31 C.F.R. § 1010.380(c)(1)(i).
[17] 31 C.F.R. § 1010.380(c)(1)(ii).
[18] 31 C.F.R. § 1010.380(c)(2)(i)-(xxiii).
[19] 31 C.F.R. § 1010.380(c)(2)(x)-(xi); Gibson Dunn, The Impact of FinCEN’s Beneficial Ownership Regulation on Investment Funds (Aug. 10, 2023), https://www.gibsondunn.com/the-impact-of-fincens-beneficial-ownership-regulation-on-investment-funds/.
[20] 31 C.F.R. § 1010.380(c)(2)(xxii).
[21] FinCEN: Beneficial Ownership Information Reporting, Frequently Asked Questions (Jan. 12, 2024), https://www.fincen.gov/boi-faqs.
[22] 31 C.F.R. § 1010.380(b)-(e).
[23] 31 C.F.R. § 1010.380(b)(2)(iv).
[24] 31 C.F.R. § 1010.380(a)(1)(i)(B).
[25] See United States v. Huezo, 546 F.3d 174, 178 (2d Cir. 2008) (“The substantive offense of ‘transaction money laundering’ requires proof of both knowledge and specific intent.”) (citing Cuellar v. United States, 128 S. Ct. 1994 (2008)).
[26] See United States v. Wright, 341 F. App’x 709, 713 (2d Cir. 2009) (“To demonstrate a § 1957 violation, the government must prove, inter alia, that the money Wright used to lease the car exceeded $10,000 and was ‘derived from specified unlawful activity.’”).
[27] Deferred Prosecution Agreement at 1, United States v. Aylo Holdings S.A.R.L., No. 1:23-cr-00463 (E.D.N.Y. Dec. 21, 2023), https://www.justice.gov/d9/2023-12/2023.12.21_dpa_final_court_exhibit_version_0.pdf (hereinafter “DPA”).
[28] Attachment B to Deferred Prosecution Agreement, United States v. Aylo Holdings S.A.R.L., No. 1:23-cr-00463 (E.D.N.Y. Dec. 21, 2023) (hereinafter “MindGeek Information”), https://www.justice.gov/d9/2023-12/2023.12.21_dpa_final_court_exhibit_version_0.pdf, ¶ 8.
[29] Id. ¶ 10.
[30] Id.
[31] Id.
[32] Id. ¶ 16.
[33] Id. ¶ 17.
[34] Id. ¶¶ 20, 27.
[35] Id. ¶ 23.
[36] Id. ¶¶ 18, 22, 29, 30.
[37] See DPA at 1.
[38] Id. at 2.
[39] Id. at 2–3.
[40] Id. at 9–10.
[41] Id. at 5.
[42] See Binance Blog, Binance Announcement: Reaching Resolution with U.S. Regulators (Nov. 21, 2023), https://www.binance.com/en/blog/leadership/binance-announcement-reaching-resolution-with-us-regulators-2904832835382364558.
[43] 31 C.F.R. § 1010.100(ff).
[44] See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Announces Two Enforcement Actions for Over $24M and $29M Against Virtual Currency Exchange Bittrex, Inc. (Oct. 11, 2022), https://home.treasury.gov/news/press-releases/jy1006 (announcing an enforcement action against Bittrex, Inc., a virtual currency exchange that was based in Washington state).
[45] See International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1701(a)(1)(A) (empowering the President to prohibit transactions by “any person, or with respect to any property, subject to the jurisdiction of the United States.”); see also Office of Foreign Assets Control, Frequently Asked Questions: 11. Who Must Comply with OFAC Regulations?, https://ofac.treasury.gov/faqs/11 (“U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the cases of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S.-origin goods to comply.”).
[46] Attachment A, “Statement of Facts,” to the Plea Agreement in United States v. Binance Holdings Ltd., No. 23-178RAJ (Nov. 21, 2023), https://www.justice.gov/opa/media/1326901/dl?inline (hereinafter “Binance SOF”) at 7, ¶ 22.
[47] Id.
[48] 50 U.S.C. § 1705(a) (“It shall be unlawful for a person to violate, attempt to violate, conspire to violate or cause a violation of any license, order, regulation, or prohibition issued [pursuant to IEEPA].”).
[49] Plea Agreement in United States v. Binance Holdings Ltd., No. 23-178RAJ (Nov. 21, 2023), https://www.justice.gov/opa/media/1326901/dl?inline (hereinafter “Binance Plea Agreement”), at ¶ 2.
[50] Id.
[51] Id.
[52] See Nikhilesh De, Binance to Make ‘Complete Exit’ From U.S., Pay Billions to FinCEN, OFAC on Top of DOJ Settlement, CoinDesk (Nov. 21, 2023), https://www.coindesk.com/policy/2023/11/21/binance-to-make-complete-exit-from-us-pay-billions-to-fincen-ofac-on-top-of-doj-settlement/.
[53] Id.
[54] Binance Plea Agreement ¶ 24.
[55] Id. at ¶ 32.
[56] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Identifies Virtual Currency Exchange Bitzlato as a ‘Primary Money Laundering Concern’ in Connection with Russian Illicit Finance (Jan. 18, 2023), https://www.fincen.gov/news/news-releases/fincen-identifies-virtual-currency-exchange-bitzlato-primary-money-laundering.
[57] Press Release, U.S. Dep’t of the Treasury, Remarks by Wally Adeyemo on Action Against Russian Illicit Finance (Jan. 18, 2023), https://home.treasury.gov/news/press-releases/jy1193.
[58] Public Law 116-283, § 9714(a) (Jan. 1, 2021).
[59] See 88 Fed. Reg. 3919, 3920 (Feb. 1, 2023), https://www.federalregister.gov/documents/2023/01/23/2023-01189/imposition-of-special-measure-prohibiting-the-transmittal-of-funds-involving-bitzlato (explaining passage of the Combatting Russian Money Laundering Act).
[60] 31 U.S.C. § 5381A(a)(1).
[61] 31 U.S.C. § 5381A(b) (commonly known as Section 311 of the Patriot Act).
[62] Press Release, U.S. Dep’t of the Treasury, Remarks by Wally Adeyemo on Action Against Russian Illicit Finance (Jan. 18, 2023), https://home.treasury.gov/news/press-releases/jy1193.
[63] Press Release, U.S. Dep’t of Just., Founder and Majority Owner of Bitzlato, a Cryptocurrency Exchange Charged with Unlicensed Money Transmitting (Jan. 18, 2023), https://www.justice.gov/usao-edny/pr/founder-and-majority-owner-bitzlato-cryptocurrency-exchange-charged-unlicensed-money.
[64] 88 Fed. Reg. 72701, 72704 (Oct. 23, 2023), https://www.federalregister.gov/documents/2023/10/23/2023-23449/proposal-of-special-measure-regarding-convertible-virtual-currency-mixing-as-a-class-of-transactions.
[65] In The Matter Of: Shinhan Bank America, No. 2023-03 (Sept. 29, 2023), https://www.fincen.gov/sites/default/files/enforcement_action/2023-09-29/SHBA_9-28_FINAL_508.pdf.
[66] Id.
[67] Id.
[68] Id.
[69] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Assesses $1.5 Million Civil Money Penalty against Kingdom Trust Company for Violations of the Bank Secrecy Act (Apr. 26, 2023), https://www.fincen.gov/news/news-releases/fincen-assesses-15-million-civil-money-penalty-against-kingdom-trust-company.
[70] Id.
[71] Id.
[72] Id.
[73] Id.
[74] See generally Statement of Himamauli Das, Acting Dir., Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, Before the Comm. on Fin. Servs., U.S. House of Representatives (Apr. 27, 2023), https://www.fincen.gov/sites/default/files/2023-04/HHRG-118-HFSC-DasH-20230427.pdf; Remarks by Brian Nelson, Under Sec. for Terrorism and Fin. Intel., U.S. Dep’t of the Treasury, at SIFMA’s Anti-Money Laundering and Financial Crimes Conference (May 25, 2022), https://home.treasury.gov/news/press-releases/jy0800.
[75] Id.
[76] In The Matter Of: Bancrédito International Bank and Trust Corporation, No. 2023-02 (Sept. 15, 2023), https://www.fincen.gov/sites/default/files/enforcement_action/2023-09-15/Bancredito_Consent_FINAL_091523_508C.pdf.
[77] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Announces $15 Million Civil Money Penalty against Bancrédito International Bank and Trust Corporation for Violations of the Bank Secrecy Act (Sept. 15, 2023), https://www.fincen.gov/news/news-releases/fincen-announces-15-million-civil-money-penalty-against-bancredito-international.
[78] National Money Laundering Risk Assessment (Feb. 2022), https://home.treasury.gov/system/files/136/2022-National-Money-Laundering-Risk-Assessment.pdf.
[79] Id.; see also 31 U.S.C. § 5318(h).
[80] See generally 31 C.F.R. § 1020.210; see also 85 Fed. Reg. 57129 (Nov. 16, 2020), https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs.
[81] Press Release, U.S. Dep’t of Just., Associate of Sanctioned Oligarch Indicted for Sanctions Evasion and Money Laundering (Feb. 7, 2023), https://www.justice.gov/opa/pr/associate-sanctioned-oligarch-indicted-sanctions-evasion-and-money-laundering.
[82] Press Release, U.S. Dep’t of Just., New York Attorney Pleads Guilty to Conspiring to Commit Money Laundering to Promote Sanctions Violations by Associate of Sanctioned Russian Oligarch (Apr. 25, 2023), https://www.justice.gov/opa/pr/new-york-attorney-pleads-guilty-conspiring-commit-money-laundering-promote-sanctions.
[83] Press Release, U.S. Dep’t of Just., Arrest and Criminal Charges Against British and Russian Businessmen for Facilitating Sanctions Evasion of Russian Oligarch’s $90 Million Yacht (Jan. 20, 2023), https://www.justice.gov/usao-dc/pr/arrest-and-criminal-charges-against-british-and-russian-businessmen-facilitating.
[84] Id.
[85] Press Release, U.S. Dep’t of Just., Associate of Sanctioned Oligarch Indicted for Sanctions Evasion and Money Laundering (Feb. 7, 2023), https://www.justice.gov/opa/pr/associate-sanctioned-oligarch-indicted-sanctions-evasion-and-money-laundering.
[86] Press Release, U.S. Dep’t of Just., Civil Forfeiture Complaint Filed Against Six Luxury Real Estate Properties Involved In Sanctions Evasion And Money Laundering (Feb. 24, 2023), https://www.justice.gov/usao-sdny/pr/civil-forfeiture-complaint-filed-against-six-luxury-real-estate-properties-involved?utm_medium=email&utm_source=govdelivery.
[87] See Superseding Information, United States v. Wise, No. 1:23-cr-00073, Dkt. 4 (S.D.N.Y. 2023).
[88] Id.
[89] Id.
[90] Press Release, U.S. Dep’t of Just., New York Attorney Pleads Guilty to Conspiring to Commit Money Laundering to Promote Sanctions Violations by Associate of Sanctioned Russian Oligarch (Apr. 25, 2023), https://www.justice.gov/opa/pr/new-york-attorney-pleads-guilty-conspiring-commit-money-laundering-promote-sanctions.
[91] See Gibson Dunn, Gibson Dunn Digital Assets Recent Updates – November 2023 (Nov. 6, 2023), https://www.gibsondunn.com/gibson-dunn-digital-assets-recent-updates-november-2023/.
[92] See Superseding Indictment, United States v. Bankman-Fried, No. 1:22-cr-00673, Dkt. 115 (S.D.N.Y. March 28, 2023), https://www.justice.gov/criminal-fraud/file/1593626/dl at ¶¶ 92–95.
[93] Press Release, U.S. Dep’t of Just., United States Attorney Announces Charges Against FTX Founder Sam Bankman-Fried (Dec. 13, 2022), https://www.justice.gov/usao-sdny/pr/united-states-attorney-announces-charges-against-ftx-founder-samuel-bankman-fried.
[94] James Fanelli and Corinne Ramey, Sam Bankman-Fried Is Convicted of Fraud in FTX Collapse, Wall St. J. (Nov. 2, 2023), https://www.wsj.com/finance/currencies/verdict-sam-bankman-fried-trial-ftx-guilty-4a54dbfe.
[95] Id.
[96] Id.
[97] See Chris Dolmestch and Bob Van Voris, First NFT Insider-Trading Trial Leads to Criminal Conviction, Wall St. J. (May 3, 2023), https://www.bloomberg.com/news/articles/2023-05-03/first-nft-insider-trading-trial-leads-to-criminal-conviction.
[98] See Jody Godoy, Ex-OpenSea manager sentenced to 3 months in prison for NFT insider trading (Aug. 22, 2023), https://www.reuters.com/legal/ex-opensea-manager-sentenced-3-months-prison-nft-insider-trading-2023-08-22/.
[99] Press Release, U.S. Dep’t of Just., Founders and Executives of Digital-Asset Company Charged in Multi-Million Dollar International Fraud Scheme (Nov. 1, 2023), https://www.justice.gov/usao-edny/pr/founders-and-executives-digital-asset-company-charged-multi-million-dollar.
[100] United States v. Karony, No. CR-23-433 (E.D.N.Y. Oct. 31, 2023), https://www.justice.gov/media/1334306/dl.
[101] See 18 U.S.C. § 1956(c)(7).
[102] United States v. Full Play Grp., S.A., No. 15-CR-252S3PKC, 2023 WL 5672268, at *1-9 (E.D.N.Y. Sept. 1, 2023).
[103] Id.
[104] Id. at *23.
[105] Id. at *20 (internal quotation omitted).
[106] Id. at *23 n.26.
[107] U.S. v. Webb, No. 23-7183 (2d Cir. 2024).
[108] Abdelaziz, 68 F.4th at 13.
[109] Id. at 29.
[110] National Defense Authorization Act for Fiscal Year 2024, S. 2226, 118th Cong. § 5101(2), codified at 18 U.S.C. § 201(f).
[111] See generally 15 U.S.C. § 78dd-1.
[112] Defining specified unlawful activities to include violations of 18 U.S.C. § 201—the subsection of the federal code wherein FEPA will be codified.
Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, other AML and sanctions laws and regulations, and the defense of financial institutions more broadly. For assistance navigating white collar or regulatory enforcement issues involving financial institutions, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Anti-Money Laundering / Financial Institutions, White Collar Defense & Investigations, or International Trade practice groups, the authors, or any of the following practice group leaders:
Anti-Money Laundering / Financial Institutions:
Stephanie Brooker – Washington, D.C.(+1 202.887.3502, sbrooker@gibsondunn.com)
M. Kendall Day – Washington, D.C. (+1 202.955.8220, kday@gibsondunn.com)
White Collar Defense and Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, sbrooker@gibsondunn.com)
Winston Y. Chan – San Francisco (+1 415.393.8362, wchan@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, fwarin@gibsondunn.com)
Global Fintech and Digital Assets:
M. Kendall Day – Washington, D.C. (+1 202.955.8220, kday@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, jsteiner@gibsondunn.com)
Sara K. Weed – Washington, D.C. (+1 202.955.8507, sweed@gibsondunn.com)
Global Financial Regulatory:
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Michelle M. Kirschner – London (+44 20 7071 4212, mkirschner@gibsondunn.com)
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, jsteiner@gibsondunn.com)
International Trade:
Ronald Kirk – Dallas (+1 214.698.3295, rkirk@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202.887.3547, asmith@gibsondunn.com)
*Maura Carey and Justin duRivage are associates practicing in the firm’s Palo Alto office who are not yet admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
This briefing examines in depth the circulars and consultation paper issued by the SFC and HKMA in December 2023.
Throughout the course of 2023, the Hong Kong Securities and Futures Commission (“SFC”) and the Hong Kong Monetary Authority (“HKMA”) showed clear indications of their increased openness to virtual assets (“VA”), including through the implementation of the SFC’s Hong Kong virtual asset trading platform (“VATP”) regime,[1] and the release of multiple circulars liberalising the regulatory approach to this area.[2] This trend continued through until the very end of 2023, with the SFC and HKMA being very active in this space in late December. In particular, the SFC on December 22, 2023 issued a circular significantly relaxing the approach to virtual asset exchange traded funds (“VA ETFs”) and other funds with exposure to VA, followed by a joint SFC-HKMA circular in relation to intermediaries’ virtual asset-related activities and an HKMA consultation paper setting out a proposed legislative regime for the issuance of stablecoins. This client briefing examines the two circulars and consultation paper in further depth.
I. SFC Circular on SFC-Authorised Funds With Exposure to Virtual Assets
On December 22, 2023, the SFC published a circular on SFC-authorised funds with exposure to virtual assets (“SFC Circular”), which sets out the requirements under which the SFC will consider authorising funds with exposure to VA of more than 10% of their net asset value (“NAV”) (“SFC-authorised VA Funds”).[3] The SFC Circular supersedes an earlier circular on VA futures ETFs issued on October 31, 2022 (“October 2022 Circular”).[4] The key practical effect of the replacement of the October 2022 Circular is to expand the scope of VA ETFs that may be authorised by the SFC, as the October 2022 Circular only provided for the authorisation of VA ETFs with Bitcoin futures and Ether futures traded on the Chicago Mercantile Exchange (“CME”) as the underlying assets. The SFC Circular removes this requirement.
However, all funds with either direct (i.e. as a result of purchasing of tokens directly by the fund) or indirect investment exposure to VA seeking SFC authorisation must comply with a range of requirements, as summarised in the table below.[5] Further, (i) funds having or intending to have VA exposure of more than 10% of NAV that wish to seek the SFC’s authorisation or (ii) existing SFC-authorised funds that plan to obtain VA exposure of more than 10% of their NAV should consult and seek prior approval from the SFC by contacting the relevant case officer of the Investment Products Division.
Area | Key changes from the October 2022 Circular and/or key requirements |
Eligible underlying VA |
Investment strategy |
Transactions and direct acquisitions of spot VA |
Custody |
Management companies |
Valuation |
Service providers |
Disclosure and investor education |
Distribution |
II. SFC and HKMA Joint Circular on Intermediaries’ Virtual Asset-Related Activities
On December 22, 2023, the SFC and HKMA issued a joint circular on intermediaries’ virtual asset-related activities (“Joint Circular”) which provides updated guidance to intermediaries carrying on VA-related activities, in respect of (i) the distribution of investment products with exposure to VAs; (ii) the provision of VA dealing services; (iii) the provision of VA advisory services; and (iv) the management of portfolios investing into VAs.[6] The Joint Circular supersedes an earlier joint circular published on October 20, 2023.[7]
The Joint Circular emphasises that VA-related products[8] will very likely be considered complex products and that intermediaries distributing VA-related products considered to be complex products will generally be required to comply with the SFC’s requirements on the sale of complex products (including most notably ensuring suitability of VA-related products, regardless of whether the intermediary has solicited or recommended that its clients invest in the product in question).
However, the SFC and HKMA have also imposed two additional investor protection measures on the distribution of VA-related products to address specific risks related to these products:
- Restrictions on sale: Subject to certain exceptions (as discussed further below), the SFC and HKMA have indicated that VA-related complex products should only be offered to professional investors (“PIs”); and
- VA knowledge test: Intermediaries must assess whether clients (other than institutional PIs and qualified corporate PIs) have knowledge of investing in virtual assets or VA-related products prior to effecting a transaction in VA-related products on their behalf. Where a client does not have the requisite knowledge, the intermediary may only proceed if it has provided sufficient training to the client on the nature and risks of VAs and the client has sufficient net worth to bear potential losses from trading VA-related products.[9]
However, while the above investor protection measures appeared in the earlier joint circular dated October 20, 2023, the SFC and HKMA have in the Joint Circular stated that the selling restrictions above will not apply to SFC-authorised VA Funds (i.e. funds approved for public offering), subject to intermediaries complying with the following additional safeguards:
- For SFC-authorised VA Funds listed and traded on the Hong Kong Stock Exchange (“SEHK”), client orders can be executed on exchange without the need to comply with the suitability requirement or minimum information and warning statements requirements,[10] provided there has been no solicitation or recommendation by the intermediary.
- For SFC-authorised VA Funds that are not listed, or for listed funds where trading occurs off exchange, intermediaries will still have to comply with the abovementioned requirements, as well as undertaking the VA knowledge test set out above on the clients concerned.
Further, the SFC and HKMA have reminded intermediaries that where these SFC-authorised VA Funds are also VA derivative funds, intermediaries also need to comply with the requirements for derivative products set out in the Joint Circular.
To assist intermediaries in determining whether an investment product with exposure to VA is complex and the corresponding selling requirements that may apply to the product, the Joint Circular also includes a flowchart which sets out the relevant factors and the corresponding selling requirements.[11]
III. Legislative Proposal on Issuance of Stablecoins
On December 27, 2023, the Financial Services and the Treasury Bureau (“FSTB”) and the HKMA jointly issued a public consultation paper regarding their proposed legislative regime for the regulation of stablecoins (“Legislative Proposal”).[12] This followed the HKMA’s January 2022 discussion paper inviting feedback on its proposed regulatory approach towards crypto-assets and stablecoins (“Discussion Paper”) (as covered in our previous client alert)[13] and its January 2023 consultation conclusions (“Consultation Conclusions”)[14] (as covered in a subsequent client alert).
The introduction of the Legislative Proposal is driven by the potential interconnectedness between the virtual assets (“VA”) market and the traditional financial system. Specifically, the FSTB and HKMA view stablecoins, especially fiat-referenced stablecoins (“FRS”), as a key monetary and financial stability risk area which could lead to a spill-over from the VA sector to the traditional financial system, and vice versa.
A. Legislative Scope and Approach
The FSTB and HKMA have proposed that, rather than amending existing legislation (including the Payment Systems and Stored Value Facilities Ordinance (“PSSVFO”)), their intention is to introduce a new piece of legislation which will address specific features of stablecoins and could more readily serve as the foundation for the extension of the regulatory regime to other forms of VAs down the track. The FSTB and HKMA have also proposed that the issuance of an FRS by an FRS licensee would be excluded from the scope of existing regulatory regimes, including those applicable to securities (e.g. collective investment schemes) and SVFs.
The FSTB and HKMA have proposed that initially, the licensing regime will apply only to issuers of fiat-referenced stablecoins (“FRS”) – that is, stablecoins which have as their specified asset one or more fiat currencies.[15] The FSTB and HKMA have noted that while an FRS which derives value from arbitrage or algorithm will be caught by the regulatory regime, it is highly unlikely (as explained further below) that such FRS will be able to meet the HKMA’s licensing requirements.
That said, the FSTB and HKMA have left the door open to extend the regulatory regime to other forms of VAs (presumably including other types of stablecoins) by describing the proposed FRS issuance regime as a “first step” in the regulation of virtual assets. Notably, the FSTB and HKMA have proposed that the legislative regime should empower the “authorities” to modify the parameters of in-scope stablecoins and activities, but have not specified if this power would be reserved to the HKMA specifically or to the HKMA in consultation with the FSTB (for example). In exercising any such power to modify the regime, the “authorities” would be required to consider a number of factors (such as the risks posed to the monetary and financial stability of Hong Kong), and the materiality of the case (such as the market share and the value in circulation) before exercising this power.
B. Licensing Requirements for FRS Issuers
Under the Legislative Proposal, an FRS issuer will have to be licensed with the HKMA before it can:
- Issue, or hold itself out as issuing, an FRS in Hong Kong;
- Issue, or hold itself out as issuing, a stablecoin that purports to maintain a stable value with reference to the value of the Hong Kong dollar; or
- Actively market its issuance of FRS to the Hong Kong public.
In order to be licensed, the FRS issuer must demonstrate that it could meet the following licensing requirements, as summarised below:
Licensing Requirements | Description |
Management of reserves and stabilisation mechanism |
Full backing |
Investment limitations |
Segregation and safekeeping of reserve assets |
Risk management and controls |
Disclosure and reporting |
Prohibition on paying interest |
Effective stabilisation |
Redemption requirements |
Restrictions on business activities[16] |
Physical presence in Hong Kong[17] |
Financial resources requirements[18] |
Disclosure requirements |
Governance, knowledge and experience |
Risk management requirements |
Audit requirements |
Anti-money laundering and counter-financing of terrorism requirements |
Notwithstanding the above, the HKMA will have the power to impose, amend and cancel ongoing licensing conditions on an FRS issuer, where necessary. These additional conditions can include requirements on reserve assets and restrictions on the types of services that could be undertaken by the FRS issuer.
Licences granted under the FRS issuer licensing regime will be open-ended, i.e. licences will remain valid until or unless revoked by the HKMA or the FRS issuer ceases to operate. However, an FRS issuer will require the consent of the HKMA before it can issue any new FRS (i.e. other than that which it received a licence to issue) under its licence. Further, all licensed FRS issuers must display their licence number on any advertising materials and consumer facing materials or software applications.
C. Custody and offering of FRS
With regard to offering of FRS, the FSTB and HKMA have indicated that they consider that FRS issued by unlicensed entities are unsuitable for use by the public. As a result, their intention is that only licensed FRS issuers, authorized institutions, licensed corporations and licensed VATPs can offer FRS in Hong Kong or actively market such offerings in Hong Kong. Meanwhile, authorized institutions, licensed corporations and licensed VATPs can offer FRS issued by unlicensed entities to professional investors only.
With regard to custody, we understand that the FSTB, HKMA and the SFC are continuing to examine the appropriate regulatory approach for such activities. Further regulatory guidance on this topic (including guidance from the HKMA on the provision of VA custodial services by authorised institutions) is expected in the short to medium term.
D. Supervisory Powers of the HKMA
Mirroring similar provisions under the Banking Ordinance, the Legislative Proposal confers supervisory powers on the HKMA to act in the event that a licensee (i) has become or is likely to become insolvent or unable to meet its obligations; (ii) is carrying on its business in a manner detrimental to the interests of its users or its creditors; or (iii) has contravened any of its licensing conditions or provisions of the proposed regulatory regime. In these circumstances, the HKMA will have the power to:
- Require a licensee to implement any action relating to the licensee’s affairs, business or property that the HKMA considers as necessary, including restricting the licensee’s business of FRS issuance;
- Direct a licensee to seek advice on the management of its affairs, business and property from an advisor appointed by the HKMA; and
- Require a licensee’s affairs, business and property to be managed by a HKMA-appointed manager.
The HKMA’s consent will also be required for changes in ownership or management of FRS issuers, including with regard to any proposed amalgamation, sale or disposal of all or part of the business of an FRS issuer, change of control (including change of majority or minority shareholder controller, or indirect controller) and the appointment of chief executives and directors.
Additionally, the HKMA will have the power to gather information, including to request information or documents from licensees, or to conduct on-site examinations at the licensee’s premises. Where the HKMA has reasonable cause to suspect non-compliance, the HKMA will have the power to conduct investigations into the licensee and persons relevant to the suspected contravention. The HKMA will also have the power to give directions to bring an FRS issuer into compliance with its statutory obligation to ensure the protection of the FRS issuer. Finally, the HKMA will also have the power to make regulations to operationalise the FRS regulatory regime and issue guidelines regarding the way in which it expects to perform its functions with regards to this new regime.
E. Disciplinary Framework
The Legislative Proposal contemplates the creation of both a criminal and a civil framework. It will be a criminal offence to:
- Issue an FRS in Hong Kong without a licence;
- Advertise the issuance of FRS by an unlicensed issuer;
- Fail to produce documents or information as required by the HKMA;
- Provide false information to the HKMA; and
- Contravene other conditions imposed by the HKMA in connection with the FRS licensing regime.
Separately, the HKMA will also have the power to impose civil and supervisory sanctions, including:
- Issuing a caution, warning, reprimand or order to take specified action(s);
- Issuing a temporary suspension, suspension or revocation of an FRS issuer’s license;
- A pecuniary penalty not exceeding HK$10,000,000 or 3 times the amount of profit gained or loss avoided as a result of the contravention, whichever is higher; and
- Any combination of the above.
As a check and balance, an appeal tribunal mechanism will be set up to address appeals against the HKMA’s disciplinary decisions. A person dissatisfied with the decision of the appeal tribunal will be able to appeal to the Court of Appeal against the determination on a point of law.
F. Transitional Arrangements
The FRS Issuer Licensing Regime is proposed to commence one month after gazettal of the proposed new ordinance. However, the FSTB and HKMA have proposed a transitional arrangement to ensure the smooth transition into the new regime. Under this transitional regime, pre-existing FRS issuers conducting FRS issuance with a meaningful and substantial presence in Hong Kong prior to the commencement of the regime can continue to operate under a non-contravention period of six months, subject to submitting a licence application to the HKMA within the first three months of the commencement of the regime. This comparatively short transitional period (if not extended in the final version of the legislative regime) means that stablecoin issuers will need to take steps to quickly prepare licence applications (and establish a meaningful and substantial presence in Hong Kong if they do not already have one) following the gazettal of the new ordinance. Those pre-existing FRS issuers which fail to submit a licence application to the HKMA within the first three months will need to wind down their business by the end of the fourth month of the commencement of the regime.
__________
[1] See “Hong Kong SFC Consults On Licensing Regime For Virtual Asset Trading Platform Operators”, published by Gibson, Dunn & Crutcher (March 2, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-consults-on-licensing-regime-for-virtual-asset-trading-platform-operators/; and “New Hong Kong Regulatory Requirements and Licensing Regime for Virtual Asset Trading Platforms Finalised as Legislation Takes Effect”, published by Gibson, Dunn & Crutcher (June 7, 2023), available at https://www.gibsondunn.com/new-hong-kong-regulatory-requirements-and-licensing-regime-for-virtual-asset-trading-platforms-finalised-as-legislation-takes-effect/.
[2] “Hong Kong’s SFC Updates Guidance on Tokenised Securities-Related Activities”, published by Gibson, Dunn & Crutcher (November 10, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-updates-guidance-on-tokenised-securities-related-activities/.
[3] “Circular on SFC-Authorised Funds With Exposure to Virtual Assets”, published by the Securities and Futures Commission (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/products/product-authorization/doc?refNo=23EC65.
[4] “Circular on Virtual Asset Futures Exchange Traded Funds”, published by the Securities and Futures Commission (October 31, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=22EC60.
[5] These requirements are in addition to meeting the applicable requirements in the Overarching Principles Section and the Code on Unit Trusts and Mutual Funds in the SFC Handbook for Unit Trusts and Mutual Funds, Investment-Linked Assurance Schemes and Unlisted Structured Investment Products.
[6] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=23EC67.
[7] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (October 20, 2023), available here.
[8] “VA-related products” are defined as products which (a) have a principal investment objective or strategy to invest in virtual assets; (b) derive their value principally from the value and characteristics of virtual assets; or (c) track or replicate the investment results or returns which closely match or correspond to virtual assets.
[9] See Appendix 1 of the Joint Circular for the non-exhaustive criteria for assessing whether a client can be regarded as having knowledge of virtual assets.
[10] The minimum information and warning statements requirements require intermediaries to provide clear and easily comprehensible information and warning statements to clients in relation to VA-related products and information on the underlying VA investments; and provide to clients risk disclosure statements (which can be a one-off disclosure) specific to VAs.
[11] See Appendix 3 of the Joint Circular.
[12] “Legislative Proposal to Implement the Regulatory Regime for Stablecoin Issuers in Hong Kong Consultation Paper”, jointly published by the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (December 27, 2023), available at https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2023/20231227e4a1.pdf.
[13] “Another Step Towards the Regulation of Cryptocurrency in Hong Kong: HKMA Releases Discussion Paper on Stablecoins”, published by Gibson, Dunn & Crutcher (September 19, 2022), available at https://www.gibsondunn.com/another-step-towards-the-regulation-of-cryptocurrency-in-hong-kong-hkma-releases-discussion-paper-on-stablecoins/.
[14] “Hong Kong Monetary Authority Introduces Plans To Regulate Stablecoins”, published by Gibson, Dunn & Crutcher (February 7, 2023), available at https://www.gibsondunn.com/hong-kong-monetary-authority-introduces-plans-to-regulate-stablecoins/.
[15] For completeness, the Legislative Proposal defines “stablecoin” to mean “a cryptographically secured digital representation of value that, among other things – (a) is expressed as a unit of account or a store of economic value; (b) is used, or is intended to be used, as a medium of exchange accepted by the public, for the purpose of payment for goods or services; discharge of a debt; and/or investment; (c) can be transferred, stored or traded electronically; (d) uses a distributed ledger or similar technology that is not controlled solely by the issuer; and (e) purports to maintain a stable value with reference to a specified asset, or a pool or basket of assets.” To avoid overlap with the SVF regulatory regime, the FSTB and HKMA have expressly carved out “deposits, including its tokenized or digitally represented form; certain securities or future contracts (mainly authorized collective investment schemes and authorized structured products); float stored in SVFs or SVF banks; and certain digital representations of fiat currencies issued by or on behalf of central banks; and certain digital representation of value that has a limited purpose” from the definition of “stablecoins”.
[16] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.
[17] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.
[18] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Global Financial Regulatory team, including the following members in Hong Kong and Singapore:
William R. Hallatt – Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
Grace Chong – Singapore (+65 6507 3608, gchong@gibsondunn.com)
Emily Rumble – Hong Kong (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)
Becky Chung – Hong Kong (+852 2214 3837, bchung@gibsondunn.com)
This update provides an overview of key class action-related developments during the fourth quarter of 2023 (October to December).
Table of Contents
- Part I reviews decisions from the Sixth and Tenth Circuits reaffirming the importance of courts conducting a “rigorous” analysis of each Rule 23 factor before certifying a class;
- Part II provides an update on cases analyzing the need for plaintiffs to demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3); and
- Part III discusses a Ninth Circuit decision scrutinizing the adequacy of a lead plaintiff in a class settlement.
I. Circuit Courts Continue to Emphasize the Importance of “Rigorously” Analyzing Each Rule 23 Class Certification Factor
In its landmark decision in Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011), the Supreme Court held (among other things) that before certifying a class, district courts must conduct a “rigorous analysis” of the Rule 23 factors. Id. at 351. This critical requirement remains alive and well, as we’ve covered in previous updates, including here and here. And this past quarter, circuit courts have continued to emphasize that district courts cannot grant class certification with a rubber stamp.
In Brayman v. KeyPoint Government Solutions, Inc., 83 F.4th 823 (10th Cir. 2023), the Tenth Circuit vacated an order granting class certification because “[a] rigorous analysis requires more” than a one-paragraph discussion of predominance. Id. at 838–39. The district court had certified a class of employees who alleged their employer required them to work uncompensated overtime. Although the Tenth Circuit declined to conduct the commonality or predominance analyses itself in the first instance, it provided suggestions about “some of the questions that the district court would need to consider when determining what issues in the class action were common issues, what issues were individual issues, and which predominate.” Id. at 839–41.
As one example, the Tenth Circuit considered how the plaintiffs would prove that an employee worked uncompensated overtime. The plaintiffs contended that each class member would testify about how many hours they worked per week, yet they failed to present any “expert testimony, statistical data, or representative evidence” showing how this was a common, rather than an individual, issue. Id. at 839. As another example, the Tenth Circuit noted that to succeed on their claims, the plaintiffs had to establish that their employer knew of this overtime work, but the plaintiffs’ “unelaborated” interrogatory answers and deposition testimony were not “sufficiently specific and representative to be ‘common’ evidence that would be admissible in each [putative class member]’s individual case” about the employer’s knowledge for that particular individual. Id. at 840.
Similarly, in In re Ford Motor Co., 86 F.4th 723 (6th Cir. 2023), the Sixth Circuit concluded the district court did not conduct a rigorous analysis of commonality, cautioning that Rule 23 “requires a named plaintiff to offer ‘[s]ignificant’ evidentiary proof that he can meet all four of [its] criteria.” Id. at 726 (emphasis added). In re Ford involved allegations of brake design defects in pickup trucks over a five-year period. Id. Although the district court certified Rule 23(c)(4) “issue” classes to resolve three primary issues related to the purported defects, it did so with “cursory treatment of commonality.” Id. In particular, the district court’s analysis did “not make clear that the three certified issues can each be answered ‘in one stroke.’” Id. at 727 (quoting Dukes, 564 U.S. at 350). For instance, one certified issue concerned whether the brakes in the pickup trucks were defective. Although the plaintiffs alleged this was a common issue, the district court failed to “grapple” with the evidence that certain redesigns and manufacturing changes over the class period made a material difference to the alleged defect. Id. at 728. The Sixth Circuit reminded trial judges that they “must evaluate whether each of the four Rule 23(a) factors is actually satisfied, not merely that the factors are properly alleged.” Id. at 729 (citations omitted) (emphases added).
II. Circuit Courts Continue to Require Classwide Method of Proving Injury Before Certifying Rule 23(b) Classes
Two decisions from this quarter, Huber v. Simon’s Agency, Inc., 84 F.4th 132 (3d Cir. 2023), and Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), reaffirmed the principle that plaintiffs must demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3).
Huber concerned a putative class action against a medical debt collection agency that allegedly provided misleading and confusing notices to debtors. See 84 F.4th at 141. The named plaintiff claimed she incurred extensive financial costs as a result of the misleading information. See id. at 143. The district court certified a class of individuals who received the same information from the defendant. Id. at 142.
On appeal, the Third Circuit held that under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), and circuit precedent, merely receiving a misleading notice, without allegations of financial loss, was insufficient to establish Article III standing. Huber, 84 F.4th at 148–49. While the Third Circuit ruled that the class action was justiciable because the named plaintiff herself had standing, it reasoned that unnamed class members would need to put forward specific information about their financial circumstances to meet the justiciability requirement. Id. at 147–54. The Third Circuit therefore vacated the certification order and remanded to the district court to assess “the implications of [the] individualized showings [the unnamed class members need to make] for the predominance requirement.” Id. at 157.
In remanding, the Third Circuit offered guidance as to how the predominance inquiry should unfold: if few class members are able to show that they suffered concrete financial injuries, then the class should not be considered sufficiently cohesive to warrant certification. Id. at 157–58. On the other hand, if many class members appear likely to have standing or “if there is a plausible straightforward method to sort them out at the back end of the case,” then the case may be able to proceed on behalf of the class. Id.
In a similar case, Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), the Fifth Circuit vacated a class certification order because the plaintiffs failed to identify a classwide way of establishing the defendant’s liability. Sampson was a breach of contract action against an insurance company based on its use of a particular method of vehicle valuation. See id. at 417. The plaintiffs-insureds claimed that if the defendant had used a different valuation method, they would have gotten bigger payouts when they totaled their cars. Id.
One of the questions on appeal was whether the plaintiffs could establish classwide injury—an essential element of the claims at issue—by relying on their preferred vehicle-valuation standard. Id. at 421. According to the plaintiffs, the choice of the appropriate vehicle-valuation standard was only a damages question, and district courts have wide discretion to choose among damages models at the class-certification stage. Id. The Fifth Circuit acknowledged that district courts generally do have such discretion, but the purported damages issue was actually entwined with the question of injury. Id. at 421–22. Because the selection of the appropriate vehicle-valuation standard was not just a choice between “imperfect damages models,” but rather went to the question of liability, the Fifth Circuit concluded that “a district court’s wide discretion to choose an imperfect estimative-damages model at the certification stage” had no application. Id. at 422–23.
III. The Ninth Circuit Vacates Approval of Class Settlement, Holding that Class Representative Who Was Subject to Arbitration Agreement Could Not Adequately Represent Class Members Who Were Not
As reported in several previous updates, circuit courts have continued the trend of taking more active roles in scrutinizing class settlements. This past quarter, the Ninth Circuit vacated the approval of a class settlement in a case against a dating app, holding that the lead plaintiff was not an adequate representative of the class due to her conflict of interest and failure to vigorously litigate on behalf of all 240,000 class members. See Kim v. Allison, 87 F.4th 994 (9th Cir. 2023).
In Kim, the plaintiff alleged a dating app’s age-based pricing scheme violated California law. Id. at 999. The defendant successfully moved to compel arbitration as to the lead plaintiff because she had agreed to a version of the app’s terms of use that included an arbitration clause. Id. While the plaintiff was appealing the order compelling arbitration, she negotiated a class settlement.
In this second appeal from the settlement approval, objectors focused their arguments on the lead plaintiff’s lack of adequacy, arguing that “unlike the remainder of the class, [the plaintiff] was subject to a binding arbitration order” and the class definition did not account for that important difference. 87 F.4th at 999. The Ninth Circuit agreed that the plaintiff was an inadequate representative and vacated the settlement.
With respect to the plaintiff’s conflict of interest, the Ninth Circuit emphasized that she was subject to an agreement to arbitrate, while potentially 7,000 other class members were not. Id. at 1001. The court reasoned that the plaintiff had a strong interest in settling her claims since she has “no chance of going to trial,” even “at the cost of a broad release of other claims that are not subject to arbitration.” Id. The conflict was “exacerbated” by other provisions in the version of the terms of use that she accepted, including a Texas choice-of-law provision and limitation on liability that did not bind other class members. Id. The court also faulted the plaintiff for making inadequate efforts to conduct discovery before reaching a settlement, and said her “approach to opposing [the defendant]’s motion to compel [arbitration was] not suggestive of vigor” because she “belatedly raised formation challenges” when opposing that motion and failed to make “obvious arguments until after they were forfeited.” Id. at 1002–03.
*Maura Carey is an associate practicing in the firm’s Palo Alto office who is not yet admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
In contrast to previous years, the 2023 privacy and cybersecurity landscape in the United States was not shaped by an overarching event like the COVID-19 pandemic or Russia’s invasion of Ukraine. 2023 was nonetheless another groundbreaking year for privacy and cybersecurity on the regulatory and enforcement fronts.
Congress’s failure to pass a comprehensive privacy bill left the White House and federal agencies—along with state legislators and agencies—to lead the charge in regulating privacy and cybersecurity in the United States. The White House doubled down on its push to implement a national strategy on cybersecurity, with important implications for federal, state, and private entities. Numerous federal agencies—including the FTC, SEC, CFPB, and HHS—promulgated privacy and data protection regulations and guidance on a range of issues, including cyber-incident disclosure, children’s online privacy, biometric and genetic data, artificial intelligence (“AI”), and algorithmic decision making. Many agencies also brought enforcement actions against companies and (increasingly) individuals for privacy, data security, and related violations.
States were similarly active in 2023, passing and enforcing a flurry of new comprehensive state privacy laws. State agencies like the New York Department of Financial Services took aggressive steps to tighten data protection regulations for entities under their umbrella. And, while this publication does not focus on AI (a topic which will be covered in detail by Gibson Dunn’s forthcoming Artificial Intelligence Legal Review), the rapid rise and proliferation of AI technology was a defining feature of the privacy and cybersecurity landscape in 2023. Litigation likewise remained active, with notable upticks in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. We expect these trends to accelerate in 2024 and beyond, as the body of privacy and cybersecurity regulation matures and expands.
This Review contextualizes these and other 2023 developments by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, digital, telecommunications, wiretapping, and biometric information privacy laws; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in detail by Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Outlook and Review.
Table of Contents
II. REGULATION OF PRIVACY AND DATA SECURITY
A. Regulation of Privacy and Data Security
1. State Legislation and Related Regulations
a. Comprehensive State Privacy Laws
i. Applicability
ii. Exemptions
iii. Data Subject Rights
iv. Data Controller Obligations
v. Enforcement
i. Washington’s My Health My Data Act
ii. Montana’s Genetic Information Privacy Act
iii. California’s Delete Act
iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules
v. New Child Social Media Laws
a. Comprehensive Federal Privacy Legislation
b. Other Introduced Legislation
a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security
i. FTC’s Approach to Data Security
ii. Rulemaking on Commercial Surveillance and Data Security
d. Notable FTC Enforcement Actions
e. Financial Privacy
f. Children’s and Teens’ Privacy
g. Biometric Information
2. Consumer Financial Protection Bureau
a. Personal Financial Data Rights Rulemaking
b. Increased Oversight of Non-bank Entities
c. Increased Scrutiny of Data Brokers
d. Artificial Intelligence and Algorithmic Bias
3. Securities and Exchange Commission
4. Department of Health and Human Services and HIPAA
a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions
a. Department of Homeland Security
b. Department of Justice
c. Department of Commerce
d. Department of Energy
e. Department of Defense
f. Federal Communications Commission
a. California
b. Other State Agencies
c. Major Data Breach Settlements
III. CIVIL LITIGATION REGARDING PRIVACY AND DATA SECURITY
1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions
2. Cybersecurity Related Securities Litigation
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
C. Anti-Hacking and Computer Intrusion Statutes
D. Telephone Consumer Protection Act Litigation
E. State Law Litigation
1. California Consumer Privacy Act Litigation
a. Potential Anchoring Effect of CCPA Statutory Damages
b. Requirements for Adequately Stating a CCPA Claim
c. CCPA Violations Under the UCL
d. The CCPA’s 30-Day Notice Requirement
e. Guidance on Reasonable Security Measures in Connection with the CCPA
2. State Biometric Information Litigation
a. Illinois Biometric Information Privacy Act
i. Expansion of BIPA’s Scope
ii. New Recognized Limitations Under BIPA
b. Texas Biometric Privacy Law Litigation
c. New York Biometric Privacy Law Litigation
F. Other Noteworthy Litigation
IV. TRENDS RELATED TO DATA INNOVATIONS AND GOVERNMENTAL DATA COLLECTION
A. Data-Intensive Technologies—Privacy Implications and Trends
B. Emerging Privacy Enhancing Technologies (PETs)
C. Governmental Data Collection
II. Regulation of Privacy and Data Security
Since 2018, 14 states have enacted comprehensive data privacy legislation. Five of these are currently effective, and the remaining nine will go into effect between 2024 and 2026. A number of additional state legislatures considered comprehensive consumer privacy laws this past year but have yet to enact them. In addition, several states have passed narrower data privacy laws governing the use of specific categories of information, such as health and genetic information. These laws demonstrate the states’ efforts to ensure the protection of consumers’ data in the absence of a comprehensive federal data privacy law. We highlight several of these state privacy laws below and provide an overview of key similarities and differences.
A. Regulation of Privacy and Data Security
1. State Legislation and Related Regulations
a. Comprehensive State Privacy Laws
California was the first state to adopt a comprehensive data privacy law with the enactment of the California Consumer Privacy Act (“CCPA”) in 2018. The California Privacy Rights Act (“CPRA”) amended the CCPA in 2020. Since then, 13 other states—Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia—have followed California in enacting comprehensive privacy laws. As shown in the list below of comprehensive state privacy laws enacted to date, five went into effect in 2023, an additional four will go into effect in 2024, four in 2025, and one in 2026. Most of these generally align with the standard template created by the comprehensive state privacy laws in Virginia, Colorado, Connecticut, and Utah, with a few having unique features, which are highlighted below. Please see last year’s Review for a more detailed assessment of the comprehensive data privacy laws in California, Virginia, Colorado, Connecticut, and Utah, which have all now gone into effect.
Table 1: Comprehensive State Privacy Laws
Law | Enacted Date | Effective Date |
California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)[1] | CCPA: June 28, 2018; CPRA: November 3, 2020 | CCPA: January 1, 2020; CPRA: January 1, 2023 |
Virginia Consumer Data Protection Act (VCDPA)[2] | March 2, 2021 | January 1, 2023 |
Colorado Privacy Act (CPA)[3] | July 7, 2021 | July 1, 2023 |
Connecticut Data Privacy Act (CTDPA)[4] | May 10, 2022 | July 1, 2023 |
Utah Consumer Privacy Act (UCPA)[5] | March 24, 2022 | December 31, 2023 |
Florida Digital Bill of Rights (FDBR)[6] | June 6, 2023 | July 1, 2024 |
Texas Data Privacy and Security Act (TDPSA)[7] | June 18, 2023 | July 1, 2024 |
Oregon Consumer Privacy Act (OCPA)[8] | July 18, 2023 | July 1, 2024 |
Montana Consumer Data Privacy Act (MTCDPA)[9] | May 19, 2023 | October 1, 2024 |
Iowa Consumer Data Protection Act (ICDPA)[10] | March 29, 2023 | January 1, 2025 |
Delaware Personal Data Privacy Act (DPDPA)[11] | September 11, 2023 | January 1, 2025 |
New Jersey Data Privacy Act (NJDPA)[12] | January 16, 2024 | January 15, 2025 |
Tennessee Information Protection Act (TIPA)[13] | May 11, 2023 | July 1, 2025 |
Indiana Consumer Data Protection Act (INCDPA)[14] | May 1, 2023 | January 1, 2026 |
The tables below review core aspects of these laws, including applicability, exemptions, data subject rights, data controller obligations, and enforcement.
Each comprehensive state privacy law applies to entities that conduct business in that state or provide products and services to residents of that state, and that meet certain applicability thresholds. As shown in Table 2 below, these thresholds typically relate to a company’s annual gross revenue and/or the number of individuals whose personal information the business processes or controls. California is unique in applying its comprehensive privacy law to companies that derive 50% or more of their revenue from selling California residents’ personal information, without pairing that requirement with a minimum number of consumers whose data is processed. Florida and Texas also have distinct requirements: Florida’s statutory thresholds are designed to limit the application of the law to large companies, and Texas’s law does not carry any fixed numerical thresholds with respect to gross revenue or number of consumers whose data is processed. Unless otherwise indicated, all thresholds listed below are disjunctive requirements.
Table 2: Applicability of Comprehensive State Privacy Laws
Law | Annual Gross Revenue | Annual Processing of Consumers’ Data | Other Thresholds |
CCPA/CPRA (California) | $25 million or more. | Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices. | Derives 50% or more of their annual revenue from selling California residents’ personal information. |
VCDPA (Virginia) | N/A | Controls or processes the personal data of at least 100,000 Virginia consumers. | Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. |
CPA (Colorado) | N/A | Processes the personal data of more than 100,000 Colorado individuals. | Derives revenue or receives discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals. |
CTDPA (Connecticut) | N/A | Controls or processes the personal data of at least 100,000 Connecticut consumers. | Controls or processes the personal data of at least 25,000 consumers and derives over 25% of gross revenue from the sale of personal information. |
UCPA (Utah) | $25 million or more. | Controls or processes the personal data of 100,000 or more Utah consumers. | Controls or processes the personal data of 25,000 or more Utah consumers and derives 50% or more of gross annual revenue from sale of personal data. |
FDBR (Florida) | $1 billion or more. | N/A | (i) Derives 50% or more of its global annual revenues from targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation; or (iii) operates an app store that offers at least 250,000 software applications for consumers to download. |
TDPSA (Texas) | N/A | N/A | (i) Conducts business in Texas or produces products/provides services consumed by residents of Texas; (ii) processes or engages in the sale of personal data; and (iii) does not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions). |
OCPA (Oregon) | N/A | Controls or processes the personal data of 100,000 or more Oregon consumers, other than for completing a payment transaction. | Controls or processes the personal data of 25,000 or more Oregon consumers and derives 25% or more of gross revenue from sale of personal data. |
MTCDPA (Montana) | N/A | Controls or processes the personal data of 50,000 or more Montana consumers, excluding for the purpose of completing payment transactions. | Controls or processes the personal data of 25,000 or more Montana consumers and derives more than 25% of gross revenue from sale of personal data. |
ICDPA (Iowa) | N/A | Controls or processes the personal data of 100,000 or more Iowa consumers. | Controls or processes the personal data of 25,000 or more Iowa consumers and derives more than 50% of gross revenue from the sale of personal data. |
DPDPA (Delaware) | N/A | Controls or processes the personal data of at least 35,000 Delaware residents, excluding for the purpose of completing payment transactions. | Controls or processes the personal data of at least 10,000 Delaware residents and derives more than 20% of its gross revenue from the sale of personal data. |
NJDPA (New Jersey) | N/A | Controls or processes the personal data of at least 100,000 New Jersey consumers. | Controls or processes the data of at least 25,000 New Jersey consumers and derives revenue or receives a financial benefit from the sale of the data. |
TIPA (Tennessee) | $25 million or more. | Controls or processes the personal data of 170,000 or more Tennessee consumers. | Controls or processes the personal data of 25,000 or more Tennessee consumers and derives more than 50% of gross revenue from sale of personal information. |
INCDPA (Indiana) | N/A | Controls or processes the personal data of 100,000 or more Indiana residents. | Controls or processes the personal data of 25,000 or more Indiana consumers who are residents and derives more than 50% of gross revenue from the sale of personal data. |
All comprehensive state privacy laws also have exemptions for certain entities and categories of data. For example, non-profit entities and entities subject to the GLBA are exempt under most comprehensive state privacy laws. HIPAA-regulated data (but not necessarily entities regulated by HIPAA generally), employee data, and business contact data are likewise typically exempt under all comprehensive state privacy laws, except in California. California is the only state whose GLBA exemption applies only at the data level, but not the entity level. Other exemptions not included below might include entities or data regulated by other laws, such as the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Table 3 below provides a non-exhaustive list of common exemptions.
Table 3: Exemptions in Comprehensive State Privacy Laws
Law | Non-Profits (generally) | Consumers Engaged in a Commercial or Employment Context (i.e., employees and business contacts) | HIPAA Exemption (at the data level, entity level, or both) | GLBA Exemption (at the data level, entity level, or both) |
CCPA/CPRA (California) | N | N | Data | Data |
VCDPA (Virginia) | N | Y | Both | Both |
CPA (Colorado) | Y | Y | Data | Both |
CTDPA (Connecticut) | N | Y | Both | Both |
UCPA (Utah) | N | Y | Both | Both |
FDBR (Florida) | N | Y | Both | Both |
TDPSA (Texas) | N | Y | Both | Both |
OCPA (Oregon) | Y | Y | Data | Data |
MTCDPA (Montana) | N | Y | Both | Both |
ICDPA (Iowa) | N | Y | Both | Both |
DPDPA (Delaware) | Y | Y | Data | Both |
NJDPA (New Jersey) | N | Y | Data | Both |
TIPA (Tennessee) | N | Y | Both | Both |
INCDPA (Indiana) | N | Y | Both | Both |
All comprehensive state privacy laws that have been enacted or are in effect provide consumers with the rights to access their data, to data portability, to opt out of the sale of their data and the use of certain data in connection with targeted advertising, and not to be discriminated against for exercising their rights. They also provide covered entities with the ability to verify or authenticate the identity of a consumer looking to exercise her rights. However, there are additional rights that are provided by some, but not all, comprehensive state privacy laws. These are outlined in Table 4 below.
Table 4: Data Subject Rights in Comprehensive State Privacy Laws
Law | Correct Inaccurate Data | Request a List of Third Parties with Whom Data Has Been Disclosed | Opt-Out of the Use of Data for Certain Profiling | Limit the Use and Disclosure of Sensitive Data | Appeal the Denial of Data Subject Rights Requests | Right to Appoint Authorized Agents to Submit Data Subject Rights Requests | Have Opt-Out Signals Recognized | Days to Respond to Requests |
CCPA/CPRA (California) | Y | N | Y | Limit use | N | Y | Y | 15 business days for requests to opt-out and limit use; 45 calendar days for other requests |
VCDPA (Virginia) | Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
CPA (Colorado) | Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
CTDPA (Connecticut) | Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
UCPA (Utah) | N | N | N | Opt-out | N | N | N | 45 calendar days |
FDBR (Florida) | Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
TDPSA (Texas) | Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
OCPA (Oregon) | Y | Y | Y | Opt-in | Y | Y | Y | 45 calendar days |
MTCDPA (Montana) | Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
ICDPA (Iowa) | N | N | N | Opt-out | Y | N | N | 90 calendar days |
DPDPA (Delaware) | Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
NJDPA (New Jersey) | Y | N | Y | Opt-in[15] | Y | Y | Y | 45 calendar days |
TIPA (Tennessee) | Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
INCDPA (Indiana) | Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
iv. Data Controller Obligations
All comprehensive state privacy laws impose certain obligations on data controllers (entities that determine the purposes and means of processing of personal data). These include: data minimization; purpose limitations; maintaining privacy policies; maintaining reasonable administrative, technical, and physical data security controls; and contractually obligating personal data processors or service providers to comply with the applicable law. Data minimization in particular may be a significant requirement, as it requires companies to only keep data as long as they have a business need and promptly delete it thereafter. Some of the privacy laws impose additional obligations, which are outlined in Table 5 below. Specifically, some laws require (a) data protection impact assessments, which are designed to identify and minimize data protection risks, (b) financial incentive notices, which disclose discounts or other incentives that are provided in exchange for providing personal information, and (c) specific contractual requirements that set forth how vendors that process data on a business’s behalf will act.
Table 5: Data Controller Obligations in Comprehensive State Privacy Laws
Law | Data Protection Impact Assessment | Financial Incentive Notice | Third-Party/Contractor Contract Requirement |
CCPA/CPRA (California) | Y (not finalized) | Y | Y |
VCDPA (Virginia) | Y | N | N |
CPA (Colorado) | Y | Y | N |
CTDPA (Connecticut) | Y | N | N |
UCPA (Utah) | N | N | N |
FDBR (Florida) | Y | N | N |
TDPSA (Texas) | Y | N | N |
OCPA (Oregon) | Y | N | N |
MTCDPA (Montana) | Y | N | N |
ICDPA (Iowa) | N | N | N |
DPDPA (Delaware) | Y | N | N |
NJDPA (New Jersey) | Y | N | Y |
TIPA (Tennessee) | Y | N | N |
INCDPA (Indiana) | Y | N | N |
Finally, there are differences in how each of these comprehensive state privacy laws is enforced and in the penalties for noncompliance. As a general matter, comprehensive state privacy laws provide state attorneys general with sole enforcement authority. To date, the state laws have notably not provided for a private right of action. The only outlier is the CCPA/CPRA, which provides a limited private right of action for consumers affected by data breaches, under certain circumstances. Many states also provide for a right to cure, meaning that a plaintiff must provide a putative defendant with notice and an opportunity to cure the violation prior to bringing suit. The enforcement mechanisms provided for by each comprehensive state privacy law are outlined in Table 6 below.
Table 6: Enforcement of Comprehensive State Privacy Laws
Law | Private Right of Action | Enforcement Authority | Right to Cure | Financial Penalties |
CCPA/CPRA (California) | Y[16] | California Attorney General and California Privacy Protection Agency | N/A | Up to $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of minors. |
VCDPA (Virginia) | N | Virginia Attorney General | 30 days | Up to $7,500 per violation. |
CPA (Colorado) | N | Colorado Attorney General and local district attorneys | 60 days (provision expires January 1, 2025) | Up to $20,000 per violation, with a total maximum penalty of $500,000. |
CTDPA (Connecticut) | N | Connecticut Attorney General | 60 days (provision expires January 1, 2025) | Up to $5,000 per violation. |
UCPA (Utah) | N | Utah Attorney General and Utah Division of Consumer Protection | 30 days | Up to $7,500 per violation. |
FDBR (Florida) | N | Florida Department of Legal Affairs | 45 days (except for violations involving a known child) | Up to $50,000 per violation, or triple that where the violation involves a FL consumer under 18 years old, failure to delete or correct applicable personal information, or the continuing to sell or share the personal information after a consumer opts out of such sale or sharing. |
TDPSA (Texas) | N | Texas Attorney General | 30 days | Up to $7,500 per violation. |
OCPA (Oregon) | N | Oregon Attorney General | 30 days (provision expires January 1, 2026) | Up to $7,500 per violation. |
MTCDPA (Montana) | N | Montana Attorney General | 60 days (provision expires April 1, 2026) | Up to $7,500 per violation. |
ICDPA (Iowa) | N | Iowa Attorney General | 90 days | Up to $7,500 per violation. |
DPDPA (Delaware) | N | Delaware Department of Justice | 60 days (provision expires January 1, 2026) | Up to $10,000 per willful violation. |
NJDPA (New Jersey) | N | New Jersey Attorney General | 30 days (provision expires 18 months after enactment) | Up to $10,000 for the first violation and $20,000 for subsequent violations. |
TIPA (Tennessee) | N | Tennessee Attorney General | 60 days | Up to $7,500 per violation. |
INCDPA (Indiana) | N | Indiana Attorney General | 30 days | Up to $7,500 per violation. |
In addition to the comprehensive state privacy laws discussed above, states have continued to legislate in narrower areas, particularly with relation to health or genetic information.
i. Washington’s My Health My Data Act
On April 27, 2023, Washington Governor Jay Inslee signed the “My Health My Data Act” (“MHMDA”) into law, modifying the legal landscape with respect to health-related data for certain Washington entities.[17] The MHMDA creates a privacy regime focused on personal health data.
Covered Entities. The MHMDA applies to “regulated entities” that process “consumer health data.” The law defines “regulated entity” as any “legal entity” that: (1) “[c]onducts business in Washington or produces or provides products or services that are targeted to consumers in Washington”; and (2) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data,” whether “alone or jointly with others.”[18] Practically, the law applies to any entity that does business in Washington and collects or processes consumer health data. Government agencies, tribal nations, and service providers that are contracted to process consumer health data on behalf of a government agency are exempt from this definition and not considered regulated entities.[19] “Small businesses” are not exempt from the MHMDA, but are given an extra three months to comply.[20]
Covered Data. The law defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”[21] Examples of this type of data include surgeries or other health-related procedures, reproductive or sexual health information, and genetic data.[22] The primary statutory carveout from the definition of “consumer health data” is information “used to engage in public or peer-reviewed scientific, historical, or statistical research.”[23] However, the research must be monitored by an independent oversight entity that implements safeguards to mitigate privacy risks, including the risk associated with the reidentification of consumer data.[24] The Washington Attorney General, who is charged with enforcing the MHMDA, has explained that purchases of “toiletry products (such as deodorant, mouthwash, and toilet paper)” do not qualify as “consumer health data,” even though they relate to “bodily functions,” whereas “an app that tracks someone’s digestion or perspiration is collecting consumer health data.”[25]
Key Requirements. The MHMDA prohibits regulated entities from collecting or sharing consumer health data without first satisfying certain notice and consent requirements, including maintaining a “consumer health data privacy policy,” linked from their homepage, that discloses:
- the categories of consumer health data collected and the purpose for which the data is collected;
- the categories of sources from which the consumer health data is collected;
- the categories of consumer health data shared; and
- a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data.[26]
Regulated entities may only collect or share consumer health data if a consumer provides a prior “clear affirmative act” expressing consent, or if the collection is “necessary to provide a product or service that the consumer . . . has requested.”[27]
Consumer Rights. The MHMDA also provides consumers with a number of protections, including the right to: (1) confirm whether a regulated entity is collecting, sharing, or selling their consumer health data; (2) access that data; (3) withdraw consent for the collection and sharing of their consumer health data; and (4) delete their data.[28]
Enforcement. A violation of the MHMDA is considered a violation of the Washington Consumer Protection Act.[29] The Washington Attorney General may enforce the law.[30] Consumers may also pursue private actions for violations of the MHMDA.[31]
ii. Montana’s Genetic Information Privacy Act
On June 7, 2023, Montana Governor Greg Gianforte signed into law the “Montana Genetic Information Privacy Act” (“MTGIPA”). The MTGIPA applies to any entity that offers consumer genetic testing products or services directly to a consumer, or collects, uses, or analyzes genetic data.[32] “Genetic data” is defined as “any data, regardless of format, concerning a consumer’s genetic characteristics.”[33] The MTGIPA requires covered entities to provide a privacy policy and notice regarding their use of genetic data and to obtain a consumer’s “express consent” in order to collect, use, or disclose a consumer’s genetic data.[34] The MTGIPA also requires an entity to “develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.”[35] The Montana Attorney General has sole authority to enforce the MTGIPA.[36]
On October 10, 2023, California Governor Gavin Newsom signed the “Delete Act” into law.[37] The law revises California’s data broker registration law and gives consumers the right to manage data held by data brokers free of charge by submitting a single deletion request to a centralized website.[38] After a deletion request is submitted, a data broker is required to delete data within 45 days, and continue deleting any personal information collected about that consumer at least every 45 days thereafter.[39] After a consumer has submitted a deletion request, data brokers are also prohibited from selling or sharing new personal information about the consumer in the future.[40] Consumers will have the option to “selectively exclude” data brokers when submitting a deletion request.[41] The law also requires data brokers to “undergo an audit by an independent third party to determine compliance” with the law.[42]
Under the law, a “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”[43] But the law includes exemptions for entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Confidentiality of Medical Information Act, or HIPAA, and business associates of covered entities under the Confidentiality of Medical Information Act or HIPAA.[44]
iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules
On November 1, 2023, the New York State Department of Financial Services (“NYDFS”) issued its Second Amendment to 23 NYCRR Part 500 (“Part 500”), which establishes numerous cybersecurity requirements for regulated entities.[45] As discussed in more depth in our recent client alert, the amendments to Part 500 include: expanded responsibility for senior governing bodies, obligations to implement additional safeguards, new requirements for larger companies, new and increased obligations related to written policies and procedures, heightened requirements around audits and risk assessments, and additional reporting requirements for cybersecurity incidents. NYDFS is responsible for enforcing Part 500 and has brought several enforcement actions against various financial entities, including banks, money transfer service providers, and cryptocurrency service providers.[46]
v. New Child Social Media Laws
Several states passed laws restricting social media apps, but those laws have been challenged in the courts. For example, Utah’s Social Media Regulation Act[47] requires social media companies with at least 5,000,000 account holders worldwide to verify the age of adults seeking to maintain or open social media accounts and to obtain parental consent for users under the age of 18 to open an account; it also imposes restrictions on children’s accounts and prohibits collection of certain data and targeted advertising.[48] The law may be enforced by either the Division of Consumer Protection or through a private right of action.[49] Plaintiffs may obtain up to $2,500 in statutory damages per violation, in addition to attorney’s fees and costs.[50] The law has been challenged in two different suits that are ongoing.[51]
A similar law in Arkansas that would require parental permission for children to create certain social media accounts was blocked by a federal judge.[52] The judge concluded in granting the preliminary injunction that the law, as written, was unconstitutionally vague because it failed to adequately define “social media company,” and therefore which entities were subject to its requirements.[53] The judge also agreed that the law likely violates the First Amendment because the age verification process would chill speech by deterring adults from signing up for social media accounts and that the law is unnecessarily overbroad insofar as it attempts to protect minors from harmful or obscene content.[54] And a Montana federal judge blocked a law in that state that would prohibit mobile application stores from offering TikTok to Montana users.[55] The court, in granting the preliminary injunction, found that plaintiffs were likely to succeed on the merits of their arguments—namely, that an outright ban on a specific app likely violates the First Amendment and the Commerce Clause and is preempted by federal national security law, among other reasons.[56]
a. Comprehensive Federal Privacy Legislation
Comprehensive federal privacy legislation remains a popular, yet unrealized, objective despite recent congressional efforts.
The American Data Privacy and Protection Act (“ADPPA”) introduced in 2022 was the most advanced attempt to date at enacting a comprehensive federal privacy bill. However, the bill died when it failed to advance to the House or Senate floors before the last Congress adjourned in January 2023.[57] As proposed, the ADPPA bill required covered companies to engage in “data minimization” and adopt “privacy by design” principles.[58] The ADPPA also prohibited covered entities from designing and employing discriminatory algorithms, and required them to study the impacts of their algorithms.[59]
Government enforcement of the ADPPA would have been left largely to the FTC at the federal level, alongside state attorneys general and other key state officials.[60] But the ADPPA’s addition of a private right of action was a source for serious concern due to the burden and cost of class action lawsuits.[61] The bill also explicitly preempted most state privacy laws—a fact that some believe was largely responsible for the bill’s demise.[62]
Calls for comprehensive federal privacy legislation continued throughout 2023 despite the ADPPA’s failure. In the spring, Congress held hearings on the continuing need for such legislation.[63] President Biden echoed these calls in an executive order (which also enacted AI safety measures).[64] In his 2023 State of the Union address, the President likewise called for stronger online privacy protections for children.[65]
b. Other Introduced Legislation
Congress did not pass any privacy laws in 2023, although a significant number of consumer and individual privacy-related bills were introduced.[66] This proposed privacy legislation covered a range of topics, including surveillance technologies, health privacy, privacy for children online, facial recognition, AI, and cybersecurity.
Many of the measures attracted significant bipartisan support, but lawmakers remained divided over the same two issues that sank more comprehensive federal privacy legislation: (1) whether federal privacy laws should preempt state laws (a position attracting more Republican support) and (2) whether they should include a private right of action (which more Democrats favor). Nevertheless, in the absence of comprehensive federal privacy legislation, Congress may still be more likely to enact legislation on a narrower topic that draws more bipartisan support, such as children’s online safety, in the future.[67]
Lawmakers focused in particular on digital privacy and safety in 2023, especially for children on social media. They held widely publicized hearings on the topic, bringing in social media executives for questioning, with more hearings to come in 2024.[68] In July 2023, the U.S. Senate Commerce Committee advanced a pair of measures seeking to put more responsibility on social media platforms to ensure child safety online: the Kids Online Safety Act, which would require platforms to enact measures to prevent harms to minors and to restrict targeted advertising for children under 13;[69] and COPPA 2.0, which would upgrade and expand the original children’s online privacy law, including by adding protections for teens ages 13 to 16.[70]
Other privacy bills introduced in 2023 include: the Informing Consumers about Smart Devices Act (requiring manufacturers to disclose that a camera or microphone is part of a device before purchase),[71] the Stop Spying Bosses Act (requiring disclosure of or prohibiting surveillance, monitoring, and collection of worker data),[72] the UPHOLD Privacy Act (establishing protection for personally identifiable health and location data),[73] the DELETE Act (requiring the FTC to establish a system allowing individuals to request that data brokers delete their personal information),[74] the Data Care Act of 2023 (imposing duty of care, loyalty, and confidentiality on online service providers),[75] the Online Privacy Act of 2023 (establishing individual privacy rights and creating a private right of action and Digital Privacy Agency),[76] and others described in this Review.
Congress also considered cybersecurity-related legislation: the Federal Cybersecurity Vulnerability Reduction Act of 2023 (requiring certain government contractors to adopt vulnerability disclosure policies),[77] the Modernizing the Acquisition of Cybersecurity Experts Act of 2023 (generally barring agencies from setting minimum educational requirements for cybersecurity workers),[78] and the Federal Cybersecurity Workforce Expansion Act (providing training and apprenticeships for cybersecurity workers).[79]
In 2023, government regulators remained active in enforcement and regulatory efforts related to data privacy, cybersecurity, and new technology. This section summarizes notable regulatory and enforcement efforts by the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), Securities and Exchange Commission (“SEC”), Department of Health and Human Services (“HHS”), and other federal and state agencies.
The FTC remained active in the regulation and enforcement of cybersecurity and data privacy in 2023—and continued to aggressively pursue new regulatory, enforcement, and litigation matters in other areas as well. Several actions, such as its rulemaking on junk fees, have had important impacts on online businesses. For example, the proposed junk fees rule was introduced in direct response to President Biden’s announced priorities for consumer protection and following his call for transparency in consumer pricing.[80] The FTC extended the comment period for the rule through February 7, 2024.[81] As currently drafted, the rule would ban “hidden fees”—or fees that are mandatory, even if provided by a different entity. It would also ban “misleading fees,” essentially requiring disclosure of the purpose and refundability of any fees charged.
The FTC also continued to prioritize algorithmic bias and AI, commercial surveillance, data security, and children’s privacy. Further, the FTC expanded its regulatory and enforcement scope related to biometric information. This section discusses the FTC’s notable actions on these topics in 2023.
In March 2023, Republican Commissioner Christine Wilson resigned abruptly from the FTC, publicly citing her disagreements with Chair Lina Khan’s vision and management of the FTC.[82] This created an additional vacancy on the five-member commission, following the departure of Commissioner Noah Phillips in October 2022.
In July 2023, President Joe Biden nominated two Republican replacements: Virginia Solicitor General Andrew Ferguson and Utah Solicitor General Melissa Holyoak.[83] Prior to his current appointment as Virginia Solicitor General, Ferguson served in numerous roles on the Hill, including as Chief Counsel to Senate Minority Leader Mitch McConnell, as Chief Counsel for Nominations and the Constitution to then-Judiciary Committee Chairman Lindsey Graham, and as Senior Special Counsel to then-Judiciary Committee Chairman Chuck Grassley. Holyoak previously served as President and General Counsel of a nonprofit public-interest law firm that advocates for free markets, free speech, and limited government. In their confirmation hearing, both Holyoak and Ferguson demonstrated interest in regulating big technology companies. Holyoak specifically called out the importance of protecting children online.[84]
Both nominations are currently held up in the Senate.[85] If confirmed, the new Commissioners will not change the Republican-Democrat balance of power at the FTC, which has been led by a Democratic majority since Commissioner Bedoya was confirmed in 2022.
b. Algorithmic Bias and Artificial Intelligence
The FTC continues to signal that AI and algorithms are an enforcement priority. In a mid-year public editorial, for instance, FTC Chair Lina Khan warned of the risks AI poses, including producing discriminatory outcomes and potential privacy violations.[86]
As reflected in Chair Khan’s editorial, the FTC is particularly concerned about the effects algorithms may have on consumer privacy, including the use of consumer data to train large language models and inadvertent disclosure of personally identifiable information (“PII”) through chatbots. In a series of AI-focused blog posts published from February to August 2023, the FTC warned businesses that they should avoid using automated tools that result in biased or discriminatory impacts. One post further noted that businesses “can’t just blame a third-party developer of the technology” when reasonably foreseeable failures occur; instead, businesses should investigate and identify the foreseeable risks and impact of AI before using it in a consumer-facing setting.[87] In March 2023, the FTC also specifically called out AI technology that simulates human activity and can be used by third-party bad actors to, among other things, target communities of color with fraudulent schemes.[88] It warned that businesses considering launching tools with such risks must employ deterrents that go beyond “bug corrections or optional features that third parties can undermine via modification or removal.”[89] Other use cases highlighted by the FTC as targets for enforcement include: technology that enables “deepfakes” and “voice cloning,”[90] customizing ads to specific people or groups in a manner that “trick[s] people into making harmful choices[,]”[91] and tools that purport to detect generative AI content.[92]
For a more detailed discussion of regulatory developments in AI, please see Gibson Dunn’s forthcoming Artificial Intelligence Legal Review.
c. Commercial Surveillance and Data Security
i. FTC’s Approach to Data Security
In a February 2023 blog post, the FTC’s Deputy Chief Technology Officer Alex Gaynor highlighted three best practices for effectively protecting user data drawn from recent FTC orders: (i) requiring multi-factor authentication (for consumers and employees); (ii) requiring a company’s systems connections to be encrypted and authenticated; and (iii) requiring data retention schedules to be published and followed.[93] Gaynor warns that these practices alone “are not the sum-total of everything the FTC expects from an effective security program.”[94] He nevertheless suggests a security program is highly likely to be effective if it incorporates these practices.[95]
ii. Rulemaking on Commercial Surveillance and Data Security
As described in Gibson Dunn’s prior alert, the FTC’s Advance Notice of Proposed Rulemaking on commercial surveillance and data security would overhaul the regulatory landscape for corporate internet use. FTC Consumer Protection Chief Samuel Levine noted in a speech in September 2023 that the FTC is currently reviewing over 11,000 comments received in response to the request for comment, which closed on November 21, 2022.[96] If adopted, the rule will have widespread impact, implicating every facet of the internet from advertising to algorithmic decision-making. The advance notice for the proposed rule, for instance, seeks comment on issues as wide ranging as whether consumer consent is still an effective gatekeeper for corporate data practices, whether the FTC should forbid or limit the development, design, and use of certain automated decision-making systems, and whether the FTC should adopt workplace, teen, or industry-specific (e.g., health- or finance-related) rules around data collection and use. The FTC is expected to take final action on the proposed rule in 2024.[97]
d. Notable FTC Enforcement Actions
In 2023, the FTC maintained its aggressive stance on privacy enforcement, which has been a hallmark of Chair Khan’s tenure. In addition to enforcement actions that hold companies responsible for the activities discussed, there has also been a rise in actions brought against individuals. Below we discuss some of the FTC’s most notable enforcement actions in 2023.
Video Game and Software Developer. In March 2023, the FTC finalized an order in an action originally described in last year’s Review, which will require a large video game and software developer to pay $245 million to refund affected consumers and ban the company from charging consumers through the use of “dark patterns” or otherwise charging consumers without obtaining their affirmative consent.[98] The order also bars the company from blocking consumers’ access to their accounts if the consumer is disputing unauthorized charges.
Home Security Camera Company. The FTC brought an action under Section 5(a) of the FTC Act,[99] challenging a security camera company’s representations regarding security, and alleging that employees and contractors were able to access private videos.[100] A proposed settlement would require deletion of certain data and affected data products “such as data, models, and algorithms derived from videos it unlawfully reviewed,” establishment of a privacy and data security program, obtaining assessments by a third party, and cooperation with a third-party assessor.[101]
Tax Preparation Firms. The FTC issued Notices of Penalty Offenses to five tax preparation firms about the use of information collected for tax preparation services to solicit loan borrowers. A Notice of Penalty Offense is intended to put companies on notice of prior successful enforcement actions against other companies, but does not mean the FTC has found the recipients are violating the law.[102] However, the FTC’s Notice warned that the companies could face civil penalties of up to $50,120 per violation if they use or disclose consumer confidential data collected for tax preparation for other purportedly unrelated purposes, such as advertising, without express consumer consent.[103]
Voice Assistant. In May, DOJ brought an action on behalf of the FTC against a major technology company that includes, among its products, a voice assistant.[104] The FTC alleged that the company improperly prevented parents from deleting their children’s data and retained and risked exposure of sensitive data. The FTC’s settlement with the company, approved in July 2023, requires the company to overhaul its deletion practices, as well as implement stronger privacy safeguards to settle Children’s Online Privacy Protection Act Rule (“COPPA Rule”) claims and deception claims about its data deletion practices.[105]
Telehealth and Prescription Drug Provider. The FTC brought its first enforcement action under the Health Breach Notification Rule, which was originally adopted in 2009 and requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media, when such data is disclosed or acquired without consumers’ authorization.[106] The FTC alleged that the company failed to notify consumers, the FTC, and the media about its disclosure of individually identifiable health information to certain online services. This enforcement action followed a 2021 FTC policy statement that purported to require health apps and other online services to comply with the Health Breach Notification Rule.[107] The company agreed to pay a $1.5 million civil penalty and is barred from sharing user health data with third parties for advertising.[108] The FTC also proposed amendments to the Health Breach Notification Rule, with a public comment period that ended on August 8, 2023.[109]
Genetic Testing Firm. The FTC settled allegations against a genetic testing firm for allegedly leaving user data unprotected, misleading users about their ability to delete their data, and retroactively changing its privacy policy without proper notice to consumers. In addition to monetary penalties of $75,000, as part of the final order, the company is required to take remedial actions including instructing third-party contractors to destroy all DNA samples retained beyond a specified timeframe, notifying the FTC of any unauthorized disclosure of consumer personal health data, and implementing a comprehensive information security program.[110]
In-Store Surveillance and Facial Recognition. For the first time, the FTC alleged that the use of facial recognition technology may be an unfair or deceptive practice under Section 5 of the FTC Act.[111] The FTC alleged that a national pharmacy chain deployed AI-facial recognition technology to identify shoplifters and other problematic shoppers. The FTC’s complaint alleged that the company failed to take reasonable measures to prevent harm to consumers who were erroneously accused by employees of wrongdoing because the technology incorrectly flagged the consumers as matching the profile of a known shoplifter or troublemaker. The FTC banned the retailer’s use of facial recognition technology for five years. While the FTC also alleged the company violated the terms of a 2010 consent decree by failing to comply with its own information security program’s policies and contractual requirements for facial technology vendors, the FTC did not seek civil penalties, and imposed a no-money, no-fault order. The case helpfully articulates what the FTC deems as “best practices” for the use of facial recognition technologies, including the usage of cameras and smartphones by retailers to detect and stop shoplifting and to mitigate risks of misidentification.
The FTC approved further changes to its Standards for Safeguarding Customer Information Rule (“Safeguards Rule”) in 2023. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The rule was initially amended in October 2021 in response to “widespread data breaches and cyberattacks” by introducing more robust data security requirements for financial institutions to protect their customers’ data.[112] In 2023, the FTC further amended the rule to require financial institutions to report certain data breaches directly to the FTC.[113] Many provisions of the 2021 rule changes went into effect on January 10, 2022, but certain provisions of the Safeguards Rule did not take effect until June 9, 2023.[114] These sections require financial institutions to:
- Designate a qualified individual to oversee their information security program;
- Develop a written risk assessment;
- Limit and monitor who can access sensitive customer information;
- Encrypt all sensitive information;
- Train security personnel;
- Develop an incident response plan;
- Periodically assess the security practices of service providers; and
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.[115]
The FTC’s 2023 amendments include more specific criteria for what safeguards financial institutions must implement as part of their information security program, and requirements to explain their information-sharing practices and designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.[116] These amendments will not take effect until mid-2024.
f. Children’s and Teens’ Privacy
On December 20, 2023, the FTC announced long-awaited proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).[117] If adopted, the proposed amendments would be the first changes to the COPPA Rule in a decade.[118] The amendments aim to modernize the COPPA framework and shift the burden for protecting children’s privacy and security from parents to service providers.[119] The proposed changes include:
- Requiring separate opt-in for targeted advertising;
- Prohibiting conditioning a child’s participation on collection of personal information;
- Limiting the support for the internal operations exception, which allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information;
- Imposing restrictions on educational technology companies, including prohibiting these companies’ use of students’ data for commercial purposes;
- Increasing accountability for Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission;
- Strengthening data security requirements; and
- Limiting data retention.[120]
The FTC also recently sought comments from the Entertainment Software Rating Board and others for a new mechanism for obtaining parental consent under the COPPA Rule: “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to accurately confirm a user’s age.[121] The FTC’s request for comments focused on whether such age verification methods would satisfy the COPPA Rule’s requirements and whether it poses a privacy risk to children’s biometric and other personal information.[122]
In 2023, the FTC pursued enforcement action against major technology companies in relation to children’s and teens’ privacy. For example, the FTC alleged a technology company violated the COPPA Rule by collecting and illegally retaining personal information from children who signed up for a gaming service without parental consent.[123] The company agreed to pay $20 million and take steps to increase privacy protection for child users to settle the case.[124] The FTC has also proposed changes to its 2020 order with another technology company, alleging in part that the company has not fully complied with the order because it misled parents about their ability to control with whom their children communicated.[125] Among other things, the proposed changes would prohibit the company from monetizing data it collects from users under 18.[126]
On May 18, 2022, the FTC signaled an increased focus on preventing the misuse of biometric information in a policy statement.[127] The policy statement is a first-of-its-kind comprehensive breakdown of the FTC’s view that the commercial use of biometric information poses certain privacy risks to consumers, and it builds on prior workshops and statements analyzing consumer protection issues related to specific technologies that can implicate biometric information.[128]
In the policy statement, the FTC broadly defines biometric information as data depicting or describing a person’s physical, biological, or behavioral traits, characteristics, or measurements, including facial features, iris or retina, fingerprints or handprints, voice, genetics, or characteristic movements or gestures.[129] The FTC warned that certain conduct relating to the use of biometric information and biometric information technologies constitutes an unfair or deceptive practice under Section 5 of the FTC Act, including:
- Making false or unsubstantiated marketing claims regarding the validity, reliability, accuracy, performance, fairness, or efficacy of technologies relying on biometric information;
- Making deceptive statements about the collection and use of biometric information;
- Failing to protect consumers’ biometric information using reasonable data security practices;
- Collecting biometric information that consumers meant to conceal or keep private (including by implementing “privacy-invasive default settings”);
- Selling technologies that permit harmful or illegal conduct, such as covert tracking; and
- Using or selling discriminatory technologies.[130]
To avoid liability under the FTC Act, the FTC recommends that businesses communicate the use and capabilities of biometric information technologies to consumers, ensure biometric information technologies operate fairly and accurately, and implement safeguards to prevent unauthorized access to biometric information. Relying on the policy statement for the first time, the FTC filed a complaint in December 2023 alleging that a drugstore chain surreptitiously used facial recognition technology to identify—sometimes falsely—shoplifters and other customers it deemed problematic, as described above.[131]
2. Consumer Financial Protection Bureau
Notwithstanding increasing congressional antagonism directed at the Consumer Financial Protection Bureau (“CFPB”), the CFPB did not decrease its attention on privacy issues in 2023. Last year, the CFPB issued a long-awaited proposed rule regarding consumer personal financial data rights and signaled an intent to increase its oversight of non-bank entities providing digital wallets and peer-to-peer apps, as well as data brokers that sell certain types of consumer data. The CFPB also parroted the FTC’s concerns with privacy risks associated with AI.
a. Personal Financial Data Rights Rulemaking
On October 19, 2023, the CFPB released a long-awaited Notice of Proposed Rulemaking on Personal Financial Data Rights.[132] If adopted, this rule would establish a regulatory framework where consumers have the power “to break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”[133] The proposed rule would also require covered financial entities to share a consumer’s financial data with authorized third parties upon the consumer’s request.[134] The proposed rule is the first proposal to implement Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), which authorizes the CFPB to prescribe rules under which consumers may access information about themselves from their financial service providers.[135]
Although Section 1033 applies to all consumer financial products or services covered under the Dodd-Frank Act,[136] the proposed rule would limit the scope of covered entities, or “data providers,” to Regulation Z card issuers, Regulation E financial institutions, and other payment facilitation providers, while generally exempting data providers that do not have a consumer interface.[137] Under the proposed rule, data providers must provide consumers and authorized third parties with “covered data,” such as transaction information, account balance, and upcoming bill information, “in an electronic form usable by consumers and authorized third parties,” as provided by Section 1033 of the Dodd-Frank Act.[138]
In addition to requiring third parties to obtain “express informed consent” from the consumer to become authorized to access covered data, the proposed rule would also prohibit such authorized third parties from collecting, using, or retaining the consumer’s relevant data beyond what is “reasonably necessary” to provide the requested product or service to a consumer.[139] The proposal does not define what is “reasonably necessary,” but instead enumerates activities that do not qualify: (i) targeted advertising; (ii) cross-selling of other products or services; or (iii) the sale of covered data.[140] The proposed rule also imposes data accuracy and data security obligations, among other obligations, on authorized third parties.[141]
The comment period for the proposed rule closed on December 29, 2023; CFPB Director Rohit Chopra said that the agency intends to finalize the rule by fall 2024.[142]
b. Increased Oversight of Non-bank Entities
On November 7, 2023, the CFPB issued a proposed rule that, if adopted, would establish supervisory power over big technology firms and other nonbank entities that offer services allowing consumers to digitally transfer money.[143] The proposed rule would apply to “larger participant” nonbank entities that handle more than five million payment transactions per year through digital wallets, peer-to-peer apps, payment apps, and other “covered payment functionalities.”[144] This oversight authority would allow the CFPB to conduct examinations to ensure that these nonbank entities are adhering to applicable laws governing funds transfer, privacy, and consumer protection.[145] The comment period for this proposed rule closed on January 8, 2024.[146]
c. Increased Scrutiny of Data Brokers
In March 2023, the CFPB launched an inquiry into data brokers to inform whether existing Fair Credit Reporting Act (“FCRA”) rules reflect the market realities of “[m]odern data surveillance practices [that] have allowed companies to hover over our digital lives and monetize our most sensitive data.”[147] The agency’s request for information defined “data brokers” broadly as “an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.”[148] That definition could sweep in companies, like credit unions and banks, that are not typically considered data brokers.
On August 15, 2023, Director Chopra also announced that the CFPB will be developing new rules that define a data broker that sells certain types of consumer data as a “consumer reporting agency” (“CRA”) under FCRA.[149] Defining data brokers as CRAs would impose new obligations on data brokers to comply with FCRA’s demanding standards for data accuracy and privacy, including consumer access and consent rights.[150] Director Chopra also announced a second proposal under consideration that will clarify the extent to which credit header data, such as name, date of birth, and social security number, constitute a consumer report, and thereby limit the ability of CRAs to impermissibly disclose identifying contact information.[151] The CFPB intends to propose these changes for public comment in 2024.[152]
d. Artificial Intelligence and Algorithmic Bias
In an April 25, 2023 joint statement with the DOJ, FTC, and Equal Employment Opportunity Commission, the CFPB reaffirmed its commitment to enforce consumer financial protection laws to prevent harmful uses of AI and algorithmic bias.[153] Since then, the CFPB has highlighted risks associated with AI in multiple contexts:
- Chatbots. In June 2023, the CFPB released an issue spotlight on the risks associated with the use of chatbots by financial institutions, including consumer financial protection compliance risks and failures to protect consumer privacy and data, diminished trust and customer service, and harm to consumers resulting from inaccurate information.[154]
- Home Appraisals. In June 2023, the CFPB also proposed a rule that would govern automated home valuations.[155] The rule would require institutions that employ automated valuation models to take certain steps to minimize inaccuracy and bias by adopting policies, practices, procedures, and control systems to ensure that models adhere to quality control standards designed to ensure a high level of confidence in the estimates produced.[156] Under the proposal, institutions would also be required to protect against the manipulation of data, seek to avoid conflicts of interest, require random sample testing and reviews, and comply with applicable nondiscrimination laws.[157] The public comment period ended on August 21, 2023.[158]
- Credit Decisions. In September 2023, the CFPB issued a Consumer Protection Circular titled “Adverse Action Notification Requirements and the Proper Use of the CFPB’s Sample Forms Provided in Regulation B,” concerning lenders’ obligations when using AI to make consumer credit decisions.[159] The guidance emphasizes that creditors must provide accurate and specific reasons for adverse decisions made by complex algorithms, and this requirement is not automatically satisfied by use of a sample adverse action checklist.[160]
3. Securities and Exchange Commission
In 2023, the SEC continued to focus on transparency around cybersecurity risk management and incident disclosure, as made evident by the Commission’s rulemaking and enforcement activity. Most notably, the SEC finalized rules requiring public companies to report material cybersecurity incidents within four business days of determining materiality, as well as periodic disclosures relating to cybersecurity risk management, strategy, and governance. The SEC was also active on the enforcement front, pursuing actions against companies and individuals in connection with cyber incidents. In 2024, we expect to see heightened enforcement activity as the newly adopted cyber rules take effect and as the SEC takes final action on proposed rulemaking for registered entities, particularly those implicating personal information or sensitive data.
March 2023 – SEC Proposes Rules to Amend Regulation S-P
On March 15, 2023, the SEC proposed rules that would amend Regulation S-P to update and close certain gaps in the requirements pertaining to the protection of customer information.[161] Most importantly, if adopted, the amendments would require broker-dealers, investment companies, registered investment advisers, and transfer agents (“Covered Institutions”) to adopt written policies and procedures for responding to unauthorized access to or use of customer information.[162] The amendments would also require Covered Institutions to notify individuals of unauthorized use of or access to their sensitive information “as soon as practicable,” but not later than 30 days, after discovery of a data breach.[163]
As explained in the adopting release, the rules would also amend other aspects of Regulation S-P, including:
- Extending the protections of the safeguards and disposal rules to both nonpublic personal information that a Covered Institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions;
- Extending the safeguards rule, as amended, to registered transfer agents, and expanding the disposal rule to include transfer agents registered with another appropriate regulatory agency; and
- Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.[164]
The public comment period closed on June 5, 2023, but the SEC has not indicated whether and when it will take final action on the proposed amendments.
July 2023 – SEC Adopts New Cybersecurity Disclosure Rules for Public Companies
On July 26, 2023, as reported in Gibson Dunn’s client alert, the SEC adopted a final rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the SEC Act of 1934 (the “Exchange Act”).[165] The final rule requires: (i) Form 8-K disclosure of material cybersecurity incidents within four business days of the company’s determination that the cybersecurity incident is material; and (ii) annual disclosures in Form 10-K regarding the company’s cybersecurity risk management, strategy, and governance.[166] For foreign private issuers, the final rule amends Form 20-F to include requirements parallel to Item 106 regarding risk management, strategy, and governance.[167] In addition, the final rule adds “material cybersecurity incidents” to the items that may trigger a current report on Form 6-K.[168] Under the new rule, foreign private issuers will be required to furnish on Form 6-K information about material cybersecurity incidents that the issuers disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange or to security holders.[169]
Compliance Dates
The Form 8-K disclosure requirement went into effect on December 18, 2023 for most registrants (smaller companies will have until June 5, 2024 to comply); all registrants will have to comply with the annual disclosure requirements beginning with their Form 10-K or 20-F filing for the fiscal year ending on or after December 15, 2023.[170]
Reporting Material Cybersecurity Incidents
Under the final rules, when a company experiences a material cybersecurity incident, it must disclose on Form 8-K the material aspects of the nature, scope, and timing of the incident, and the material impact or “reasonably likely” material impact on the company, including on its financial condition and results of operations.[171] Importantly, this disclosure must be made within four business days of the company determining that it has experienced a material cyber incident, a determination which must be made “without unreasonable delay after discovery of the incident.”[172] In circumstances where a company has determined that a cybersecurity incident is material but does not have all of the information that is required to be disclosed when the Form 8-K filing is due, the company must later update the disclosure through a Form 8-K amendment.[173]
The final rule permits companies to delay reporting material cyber incidents up to an initial period of 30 days, if the U.S. Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety.[174] However, as confirmed by guidelines released by the Department of Justice,[175] the Attorney General will only permit delayed disclosures in very limited circumstances, so public companies should be prepared to disclose virtually all material cyber incidents within four days after determining materiality.[176] The DOJ guidelines also make clear that even where the Attorney General grants a delay, the delay may not postpone the filing of the Form 8-K in its entirety, but may only pertain to some of the information that is required to be disclosed.[177]
Annual Reporting Requirements
The final rule also requires that public companies include on their Form 10-K filings certain disclosures regarding the company’s cybersecurity risk management, strategy and governance.[178] The final rule also includes parallel requirements for a foreign private issuer’s risk management, strategy, and governance disclosures on Form 20-F.[179]
Risk management strategy and governance disclosure. Companies are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including information regarding:
- Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.[180]
Public companies are also required to describe whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.[181] Notably, the final rule requires disclosure of “processes” (as opposed to “policies and procedures”) in order to avoid requiring disclosure of operational details that could be exploited by threat actors and make clear that companies without written policies and procedures need not disclose that fact.
Governance Disclosures. The final rule also requires public companies to describe on Form 10-K how the board of directors oversees the company’s cybersecurity risks. This includes identifying, if applicable, any board committee or subcommittee responsible for the oversight of cybersecurity risks and describing the processes by which the board or such committee is informed about such risks.[182] Additionally, companies must describe management’s role in assessing and managing the company’s material risks from cybersecurity threats.[183]
September 2023 – SEC Approves Revised Privacy Act Rule
On September 20, 2023, the SEC approved a final rule adopting amendments to the SEC’s regulations under the Privacy Act of 1974, which governs the federal government’s handling of personal information.[184] The final rule updates and streamlines the SEC’s Privacy Act regulations, including the process for submitting and receiving responses to Privacy Act requests and administrative appeals, and provides electronic methods to verify an individual’s identity.[185] Given the extensive nature of the amendments, the final rule replaces entirely the current version of the Privacy Act regulations, which was last updated in 2011. The final rule went into effect on October 26, 2023.
Cyber Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies Expected in April 2024
In February 2022, the SEC proposed cybersecurity rules for registered investment advisers, registered investment companies, and business development companies (the “RIA Rules”).[186] If adopted, the RIA Rules would require covered companies to, among other things, (i) adopt written cybersecurity policies and procedures to address cybersecurity risk, and (ii) report significant cybersecurity incidents, which are those that “significantly affect the critical operations” of a covered company or lead to “unauthorized access or use of information that results in substantial harm” to a covered company, or its clients, funds, or investors.[187] As noted on the SEC’s June 13, 2023 rulemaking agenda, the RIA Rules have entered the final rule stage[188] and are expected to be finalized in April 2024.[189]
Looking ahead, the SEC Division of Examinations announced its priorities for 2024, which stated that it plans to continue focusing on “registrant’s policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents.”[190] SEC Chair Gary Gensler emphasized that the “Division’s efforts, as laid out in the 2024 priorities, enhance trust in our ever-evolving markets.”[191] Information security and cybersecurity will remain a key area of regulation and enforcement for the SEC in 2024.
In addition to new rules, in 2023 the SEC continued to pursue enforcement actions at a historically high level against public companies, investment firms, law firms, and individuals.[192] The SEC obtained orders totaling nearly $5 billion in financial remedies in fiscal year 2023, the second-highest amount in SEC history following a record-setting nearly $6.5 billion in fiscal year 2022.[193] Notably, the SEC continued to focus on individuals, with about two-thirds of the SEC’s cases in fiscal year 2023 involving individuals.[194] The SEC also obtained orders that barred 133 individuals from serving as officers or directors for public companies, the highest such number in a decade.[195]
We expect these trends to continue in 2024, particularly as they relate to cybersecurity when the SEC’s newly adopted cyber rules take effect and additional cyber rules are finalized. Below is a summary of some of the most notable cyber-related enforcement actions brought by the SEC in 2023.
Broker-Dealer Username/Password Handling Litigation. In September 2023, the SEC alleged that a broker-dealer and its parent company made materially false and misleading statements and omissions regarding information barriers intended to prevent the misuse of sensitive customer information.[196] The SEC alleged that the broker-dealer operated two businesses that were purportedly walled off from each other by data safeguards: a trade order execution service for institutional customers that typically operated on commission, and a proprietary trading business. However, during a 15-month period from 2018 to 2019, the broker-dealer allegedly failed to adequately safeguard a database of post-trade information regarding customer orders that included customer identifying information and further material nonpublic information.[197] The broker-dealer allegedly rendered the database accessible to virtually anyone at its affiliates by leaving the data accessible via “two sets of widely known and frequently shared generic usernames and passwords.”[198] The SEC asserts that this alleged failure to safeguard the information posed significant risk that proprietary traders could abuse it or distribute it outside the entity.[199] The litigation remains pending.
Settlement for Allegedly Misleading Statements Related to 2020 Ransomware Attack. In March 2023, the SEC imposed a $3 million civil penalty to settle allegations it brought against a public company for making allegedly misleading disclosures concerning a 2020 ransomware attack that had impacted over 13,000 customers.[200]
The SEC alleged that, on July 16, 2020, the company announced a ransomware attacker had not gained access to customer bank account information or Social Security Numbers.[201] Within days of the announcement, however, technology and customer relations personnel allegedly learned that the attacker had accessed and exfiltrated that sensitive information.[202] The employees nonetheless allegedly failed to communicate this information to senior management accountable for its public disclosure because, in the SEC’s view, the company failed to maintain adequate disclosure controls and procedures.[203] As a result, the company’s 10-Q report filed in August 2020 did not include this information about the cyberattack, which the SEC views as an omission of material information. In addition, the SEC alleged that the company’s description of the risk of disclosure of sensitive customer information as a hypothetical risk was misleading.[204]
SEC Alleges Fraud Against Public Company and its CISO. In October 2023, the SEC alleged that a network monitoring software company and its Chief Information Security Officer (“CISO”) engaged in fraud and internal controls violations.[205] The SEC alleges that the company and its CISO overstated its cybersecurity practices and understated or failed to disclose known cybersecurity risks.[206] The SEC’s complaint alleges that the company’s public statements conflicted with its internal assessments.[207] The complaint also alleges that the CISO was aware of the company’s cybersecurity risks, but failed to resolve the issues or sufficiently elevate them.[208] The SEC alleged that the cybersecurity shortfalls rendered the company unable to provide reasonable assurances that its most valuable assets were sufficiently protected.[209] The lapses in cybersecurity practices allegedly resulted in a two-year cyberattack campaign against the software company and some of its customers, including federal and state government agencies.[210] The cyberattack was first disclosed publicly in December 2020, though the SEC alleged that disclosure was incomplete.[211] According to the SEC, the company and CISO allegedly “paint[ed] a false picture of the company’s cyber controls environment.”[212] The SEC alleged that the company and CISO violated antifraud provisions of the securities laws, that the company violated reporting and internal controls provisions, and that the CISO aided and abetted the company’s violations.[213] The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer-and-director bar against the CISO.[214]
Going forward, we expect to see a significant uptick in enforcement activity, particularly around cybersecurity disclosures, given the adoption of the SEC’s cyber disclosure rules which went into effect in December 2023 and other proposed cyber rules pending finalization, as discussed above.
4. Department of Health and Human Services and HIPAA
On February 27, 2023, the Department of Health and Human Services (“HHS”) announced three new divisions within the Office of Civil Rights (“OCR”): an Enforcement Division, a Policy Division, and a Strategic Planning Division.[215] OCR enforces HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, among additional privacy-related and other statutes.[216] OCR explained that its caseload has increased 69 percent from 2017 to 2022.[217] OCR thus created the new divisions to “improve[] OCR’s ability to effectively respond to complaints, put[ting] OCR in line with its peers’ structure and mov[ing] OCR into the future.”[218] The addition of three new divisions in OCR signals and underscores the heightened importance of data privacy and security within HHS.
a. Rulemaking on HIPAA Compliance and Data Breaches
On December 13, 2023, HHS finalized a rule implementing the 21st Century Cures Act that enhances the Office of the National Coordinator for Health Information Technology Certification Program, aimed at advancing interoperability, transparency, and the access, exchange, and use of electronic health information.[219] The final rule is designed to increase algorithm transparency and information sharing for healthcare providers.[220] The provisions of the rule are based on the principles of “fairness, appropriateness, validity, effectiveness and safety,” and include certification criteria for “decision support interventions,” “patient demographics and observations,” “electronic case reporting,” and the “exchange and use” of electronic health information.[221] The final rule goes into effect on February 8, 2024.[222]
b. Telehealth and Data Security Guidance
HHS released a fact sheet in early 2023 identifying what will change as a result of the expiration of the federal Public Health Emergency for COVID-19 on May 11, 2023.[223] HHS stated that the “vast majority” of current Medicare telehealth flexibilities (such as waivers of geographic and originating site restrictions and the allowance of audio-only telehealth services) will remain in place through December 2024.[224] The agency also made some Medicare changes permanent so that they will stay in place now that the public health emergency has ended. These include allowing Federally Qualified Health Centers and Rural Health Centers to “serve as a distant site provider for behavioral/mental telehealth services,” allowing Medicare patients to “receive telehealth services for behavioral/mental health care in their home,” and allowing “behavioral/mental telehealth services” to “be delivered using audio-only communication platforms.”[225]
On July 20, 2023, the FTC and HHS issued a joint letter to 130 hospital systems and telehealth providers, warning them to “exercise extreme caution” with respect to certain online technologies that are incorporated in their websites and apps given the potential privacy risks these technologies may pose to patient data.[226] The letter also reminded healthcare providers about their obligations under HIPAA and the FTC’s Health Breach Notification Rule.[227] Relatedly, on September 15, 2023, the FTC and HHS issued an updated publication addressing businesses’ potential questions related to collecting, using, and sharing consumer health information, and provided links to more detailed guidance.[228]
c. Reproductive and Sexual Health Data
On June 24, 2023, HHS Secretary Xavier Becerra released a statement[229] on the one-year anniversary of Dobbs v. Jackson Women’s Health Org., which reversed Roe v. Wade and ended federal protection for abortion access.[230] The statement highlights HHS’s efforts to protect and expand access to reproductive care, and outlines three “priority areas”:
- “Reaffirming the Department’s commitment to protecting the right to abortion care in emergency settings under the Emergency Medical Treatment and Labor Act (EMTALA)”;
- “Clarifying protections for birth control coverage under the Affordable Care Act”; and
- “Protecting medical privacy – including empowering patients to protect their medical information on smart phones, apps, and other platforms.”[231]
On April 12, 2023, HHS proposed measures to strengthen patient-provider confidentiality related to reproductive health care through a Notice of Proposed Rulemaking for the Privacy Rule.[232] The proposed rule would prohibit the use or disclosure of protected health information (“PHI”) to identify, investigate, sue, or prosecute “patients, providers, and others involved in the provision of legal reproductive health care, including abortion.”[233] The public comment period closed on June 16, 2023, and the proposed rule is expected to be finalized in March 2024.[234]
OCR continued to enforce the HIPAA Privacy Rule throughout 2023, which has been a continued focus of the agency in recent years. For example, OCR settled claims against a New York-based non-profit academic medical center for alleged violations in 2020 of the HIPAA Privacy Rule.[235] A national newspaper published an article about the medical center’s COVID-19 emergency response, “which included photographs and information about the facility’s patients” exposing patient information, including COVID-19 diagnoses, medical statuses and prognoses, vital signs, and treatment plans.[236] OCR alleged that the facility disclosed three patients’ protected health information to the press “without first obtaining written authorization from the patients.”[237] The settlement required the facility to pay $80,000 and agree to implement a corrective action plan “to develop written policies and procedures that [complied] with the HIPAA Privacy Rule.”[238]
HHS also focused its enforcement efforts around the HIPAA Right of Access Initiative, which was launched in 2019 and requires covered entities to provide individuals with “timely access to their health information for a reasonable cost” under the HIPAA Privacy Rule.[239] As of December 15, 2023, OCR had brought 46 cases pursuant to the HIPAA Right of Access Initiative.[240] These actions were largely brought against covered entities for failing to provide individuals with copies of protected health information within the required timeframe and/or in accordance with permitted fees.[241]
Data breaches have been another recent priority. In February 2023, a nonprofit health system in Arizona agreed to pay $1.25 million to resolve alleged HIPAA Security Rule violations arising from a 2016 data breach, which disclosed the protected health information of 2.81 million individuals.[242] In addition to the monetary penalty, the hospital system agreed to implement a corrective action plan, with two years of OCR monitoring, to address alleged deficiencies relating to the protection of electronic PHI, including deficiencies pertaining to risk assessment, vulnerability management, monitoring, authentication, and protection of data transit.[243]
In December 2023, OCR also entered into a settlement with a Louisiana-based medical group for $480,000, stemming from a phishing attack that exposed the personal information of over 34,000 individuals.[244] OCR alleged that the group failed to conduct a risk analysis of potential vulnerabilities, as required under HIPAA.[245] As with Banner Health, Lafourche agreed to implement a corrective action plan that OCR will monitor for two years.[246]
a. Department of Homeland Security
In 2023, the Department of Homeland Security (“DHS”) continued to pursue various cybersecurity initiatives aimed at securing critical infrastructure and helping organizations respond to the rapidly evolving cyber threat landscape. The year marked an increased focus on cyber incident information sharing and reporting through public-private and cross-border partnerships. On March 2, 2023, DHS Secretary Alejandro N. Mayorkas released a statement about working to implement President Biden’s National Cybersecurity Strategy and emphasized the role of public-private sector collaboration and work with DHS’s Cyber Safety Review Board and Cybersecurity and Infrastructure Security Agency (“CISA”).[247] As required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), DHS and the Cyber Incident Reporting Council issued recommendations to Congress for streamlining the reporting of cyber incidents by establishing standard definitions, timelines, and triggers for reporting; creating a model incident reporting form for federal agencies; and creating a central reporting web portal.[248] These recommendations will inform CISA’s ongoing rulemaking process, as it works towards publishing a Notice of Proposed Rulemaking related to CIRCIA’s reporting requirements by March 2024.[249] Secretary Mayorkas also hosted cyber leaders from 21 nations at the Western Hemisphere Cyber Conference to discuss bilateral and multilateral initiatives to respond to, and facilitate increased information sharing about, cybersecurity challenges, including around critical infrastructure and cyber-enabled crimes and ransomware.[250]
DHS also released multiple reports and advisories outlining recommendations to mitigate risks posed by threat actor groups and vulnerabilities affecting critical infrastructure, including malware attacks by the ransomware group CL0P against users of certain file-transfer software;[251] targeting of industry-standard security tools by threat actor group Lapsus$;[252] and a ransomware variant used to exploit a vulnerability that threatened critical infrastructure.[253]
DHS also increased its State and Local Cybersecurity Grant Program funding from $185 million in FY22 to $374.9 million in FY23, signaling the growing importance of protecting communities from cyber threats.[254]
In 2023, DOJ continued to focus on and expand its capacity to address cyber threats, especially those related to national security. In a series of press releases, DOJ touted certain accomplishments in its ongoing fight against organized cybercrime. For example, it publicized actions it had taken against several ransomware groups, including the Hive and Blackcat, as well as the malware code Qakbot. DOJ also announced significant developments regarding its approach to the issue of algorithmic bias, including an innovative resolution reached with a large social media company and the filing of a statement of interest in a case alleging racial discrimination against rental applicants.
As part of its continued and expanding efforts to counter cyber-related national security threats arising from nation-state actors, DOJ created the National Security Cyber Section (“NatSec Cyber”) within the National Security Division (“NSD”).[255] DOJ noted that NatSec Cyber “will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.”[256]
DOJ continued its aggressive, multifaceted efforts to disrupt domestic and international organized cybercrime via collaboration between the FBI and foreign law enforcement organizations. For example, in January 2023, DOJ announced that its months-long campaign against a ransomware-as-a-service network called the “Hive” culminated in the seizure of thousands of decryption keys that were then distributed to victims of the Hive’s activities, as well as the shutting down of servers and websites used by the Hive to coordinate attacks.[257] The Hive’s ransomware campaign impacted more than 1,500 victims, “including hospitals, school districts, financial firms, and critical infrastructure,” across more than 80 countries, and sought to extort hundreds of millions of dollars in ransomware payments.[258] In May 2023, DOJ publicized an operation code-named “MEDUSA,” which involved the deployment of an FBI-developed tool named “PERSEUS” to disrupt the ability of the highly sophisticated cyber espionage malware named “Snake” to compromise infected computers.[259] Snake, whose development the U.S. government attributes to a unit in the Federal Security Service of the Russian Federation, has been used and adapted for nearly the last 20 years to steal and covertly transfer sensitive information from computer networks in over 50 countries, often in service of Russian interests.[260] In August 2023, DOJ announced another multinational effort to degrade and avert attacks from Qakbot, a malware code used by cybercriminals to create malicious botnets and perpetrate “ransomware, financial fraud, and other cyber-enabled criminal activity.”[261] Finally, in December 2023, DOJ announced that the FBI had successfully built a decryption tool that allowed victims of the ransomware-as-a-service group Blackcat (also known as ALPHV or Noberus) to regain control of their systems.[262] This was in addition to taking control of websites associated with the group, which had previously carried out attacks targeting “government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities—as well as other corporations, government entities, and schools,” costing victims hundreds of millions of dollars in ransom payments, incident response costs, and losses from data damage and theft.[263]
DOJ also waded into issues around algorithmic bias. In January 2023, for example, DOJ announced a resolution reached with a large social media company to address alleged algorithmic bias on its platforms.[264] This development came as part of a settlement stemming from a June 2022 lawsuit filed in the U.S. District Court for the Southern District of New York that asserted the company engaged in discriminatory delivery of housing advertisements based on algorithms partially relying on protected characteristics in violation of the Fair Housing Act (“FHA”).[265] The settlement agreement required the company to create a system (dubbed the Variance Reduction System) to promote the “equitable distribution of ads” across its platforms, subject to certain compliance metrics, oversight by the court, and ongoing monitoring by a third-party reviewer through June 27, 2026.[266] A DOJ official praised the agreement and the company for setting “a new standard for addressing discrimination through machine learning” and called for others to follow the company’s lead.
DOJ also filed a Statement of Interest in an FHA case pending in a Massachusetts federal district court brought by two Black rental applicants alleging unlawful algorithmic tenant screening practices.[267] Plaintiffs alleged that the screening system discriminated “against Black and Hispanic rental applicants in violation of the FHA.”[268] According to DOJ, the Statement confirms its “commitment to ensuring that the Fair Housing Act is appropriately applied in cases involving algorithms and tenant screening software.”[269]
On March 7, 2023, a bipartisan group of senators proposed the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (“RESTRICT”) Act, which would give the Commerce Secretary the power to ban foreign‐owned technologies if they are found to pose national security threats.[270] The bill, which received support from the Department of Commerce,[271] was referred to the Committee on Commerce, Science, and Transportation, and is currently awaiting further action.[272]
On June 14, 2023, Senator Wyden introduced the Protecting Americans’ Data From Foreign Surveillance Act of 2023, which would update the Protecting Americans’ Data From Foreign Surveillance Act of 2022 that was introduced in June 2023 but not passed.[273] This bill would bar exports of sensitive data to high‐risk countries, as determined by the Department of Commerce.[274] The Department of Commerce would also be tasked with defining sensitive data, though the bill broadly covers data, including browsing history and location data.[275] However, the new export rules would not apply to data encrypted with technology approved by the National Institute of Standards and Technology (“NIST”).[276] The bill was referred to the Committee on Banking, Housing, and Urban Affairs, and currently awaits further progress.[277]
Through the Infrastructure Investment and Jobs Act, the Department of Energy (“DOE”) has provided significant funding to a series of new cybersecurity programs.[278] On September 12, 2023, the DOE announced $39 million of funding for nine new “National Laboratory” projects to strengthen the cybersecurity of distributed energy resources (“DER”).[279] The funding is intended to “support targeted research, development, and demonstration related to different elements of the DER landscape.”[280]
Despite investing in improved cybersecurity for DER, the DOE itself continues to attract scrutiny of its cybersecurity practices, especially from the DOE’s Office of Inspector General (“OIG”). Ongoing concerns regarding the department’s cybersecurity capabilities stem in part from three apparent cyberattacks against DOE national laboratories in late 2022, which were serious enough to prompt House lawmakers to seek details concerning them in early 2023.[281] In November 2023, the OIG released a report discussing “management challenges” at the DOE, including numerous cybersecurity-related deficiencies.[282] In discussing these deficiencies, the report noted structural and resource-based challenges to an effective organization-wide cybersecurity program, some of which stemmed from inconsistent and outdated practices by DOE contractors.[283] Thus, contractors/vendors doing business with the DOE should expect a greater emphasis on and scrutiny of their cybersecurity practices going forward.
In December 2023, the Department of Defense (“DoD”) released a proposal designed to implement its Cybersecurity Maturity Model Certification (“CMMC”) program, broadly aimed at increasing the security of controlled, unclassified information across the defense industry.[284] The CMMC will set three “levels” of cybersecurity requirements based on the nature of information held by contractors, while ultimately creating a baseline level of cybersecurity for almost all DoD contract solicitations.[285] The program will be implemented in phases over several years, giving companies time to study and understand its requirements and prepare staff to comply with them.[286]
f. Federal Communications Commission
The Federal Communications Commission (“FCC”) was particularly focused on the Telephone Consumer Protection Act (“TCPA”) and cybersecurity issues in 2023. In June 2023, the FCC unveiled a new Privacy and Data Protection Task Force that will “coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors.”[287] The task force will address issues such as data breaches of telecommunication providers linked to cyber intrusions and supply chain vulnerabilities.[288]
TCPA Rulemaking. In January 2023, the FCC announced that new rules promulgated under Section 8 of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (“TRACED”) Act[289] would go into effect on July 20, 2023.[290] Among other things, the FCC’s new rules provide additional clarity on exemptions from the TCPA, including establishing limits on the number of exempt calls that can be made to a residence during a 30-day period (for non-commercial, non-advertising, or nonprofit purposes); requiring callers to obtain consent before exceeding the numerical limits on exempt calls; and mandating ways that consumers can opt out of exempted calls to residential lines.[291]
In the last quarter of 2023, the FCC took additional regulatory steps to curb robocalls. On October 23, 2023, FCC Chairwoman Jessica Rosenworcel announced the FCC was opening an inquiry into the impact of artificial intelligence technology on robocalls, particularly for more vulnerable consumers such as seniors and those on fixed incomes.[292] Following that announcement, the FCC sought public input to better understand the impact of emerging AI technologies on unwanted telephone calls and text messages.[293] It seems likely that the FCC will continue to assess AI’s impact in this area.
On December 18, 2023, the FCC also approved new TCPA rules that require lead generators, comparison shopping websites, and similar companies to obtain a consumer’s prior express written consent to receive automated calls from each marketing partner.[294] The rule is intended to end companies’ prior practice of relying on a single consent to receive automated calls from multiple marketing partners. The new rule has closed this loophole, and requires one-to-one consent for each marketing partner.[295] There will be an implementation period of at least 12 months to allow companies to make necessary changes to ensure consent complies with the new rules.[296]
Cyber Trust Mark. In July 2023, the FCC, in coordination with the White House, announced a proposal to create a “U.S. Cyber Trust Mark” label for devices that meet certain cybersecurity and privacy criteria set by the National Institute of Standards and Technology, with voluntary commitments to the standard to be made by manufacturers and retailers.[297] Examples of contemplated features offered by labeled devices include “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”[298] In August 2023, the FCC released a Notice of Proposed Rulemaking regarding the proposal to collect public input, noting that if it votes to establish the program, it could be “up and running” by late 2024.[299]
VoIP and TRS Rules. In December 2023, the FCC approved modifications to data breach notification rules for providers of telecommunications, interconnected Voice over Internet Protocol (“VoIP”), and telecommunications relay services (“TRS”).[300] The modifications expand reportable personally identifiable information and the definition of a “breach,” and require carriers or TRS providers to notify the FCC of breaches, in addition to other existing reporting requirements.[301]
Enforcement. The FCC also levied fines against companies for lax data security standards. In July 2023, the FCC sought a combined $20 million fine against two mobile carriers for alleged violations of FCC rules, which mandate that customer identity be properly authenticated before online access to Customer Proprietary Network Information (“CPNI”) is granted to them.[302] The FCC’s investigation concluded that the companies used “readily available” information to provide online access to CPNI and fell below other compulsory data security standards in violation of multiple parts of the FCC’s rules, thereby placing sensitive customer personal data at risk.[303]
Throughout 2023, state privacy enforcers, particularly in California, wielded their authority to attempt to expand the ambit of existing privacy laws.
California Privacy Protection Agency
On the rulemaking front, the California Privacy Protection Agency (“CPPA”) released draft rules for automated decision-making technology (“ADMT”) on November 27, 2023.[304] The draft focuses on two areas: notice requirements on the use of ADMT and enforcement of two new consumer rights: the right to opt out of ADMT processing and the right to access information about a business’s use of ADMT.
The draft rules require businesses to provide a “Pre-use Notice” which would allow consumers to exercise these two rights. The notice must inform consumers of the business’s use of ADMT and permit them to opt out of ADMT processing. It also requires businesses to describe the purpose behind the use of ADMT in specific terms. Consumers may opt out of ADMT for decisions that produce “legal or similarly significant effects” (1) as an employee, student, job applicant or independent contractor or (2) in publicly accessible places (e.g., via surveillance or facial recognition). Formal rulemaking is expected to begin in early 2024.
The CPPA has also begun to spin up its enforcement division, which began inquiring into manufacturers of connected vehicles, meaning vehicles embedded with features like location sharing, web-based entertainment, smartphone integration, and cameras, in an effort to better understand whether companies in this space are complying with applicable rules.[305]
California Attorney General
The California Attorney General (“CA AG”) has announced several privacy-related enforcement “sweeps” in 2023 in a variety of industries. In early 2023, the CA AG sent out letters to an unspecified number of mobile apps in the retail, travel, and food service industries that purportedly failed to comply with the CCPA, specifically by failing to honor consumer requests to opt out of the sale of their personal data or to provide mechanisms for opting out of the sale of personal data.[306] In July 2023, the CA AG announced a separate sweep of large employers’ compliance with the CCPA as it relates to employee and job applicant information.[307] Businesses are required to provide a way for consumers, workers, and job applicants to access, delete, and opt out of the sale of their personal information. Despite these regular sweeps, however, the CA AG has not announced any enforcement actions or settlements related to the CCPA.
Although there have not been any CCPA settlements disclosed in 2023, the CA AG did announce a $93 million settlement with a large technology company related to allegations that its location-privacy practices violated California’s Unfair Competition Law, a follow-on to a multistate settlement announced in 2022.[308] The complaint alleged that the company deceived people into consenting to the perpetual collection and use of their location data by asking users if they wanted to “enhance” their “experience.” The complaint also alleged that, even if users turned off their location history, their precise location data was nevertheless collected if other settings remained enabled. Finally, the CA AG alleged that the company continued to use real-time location information to show users ads, even if they turned off ad personalization. Under the terms of the settlement, the company will have to provide a pop-up notification to users who have certain location-tracking toggles enabled, provide additional disclosures to users (including in the account-creation flow) and obtain express affirmative consent prior to sharing precise location information with advertisers, among other requirements. The company will also have to submit an annual compliance report and independent assessor reports.
New York
In January 2023, the New York Attorney General (“NY AG”) sent a letter to a large live-entertainment company about its use of facial recognition technology that allegedly was preventing entry into its venue by attorneys whose firms are engaged in litigation against the company.[309] The NY AG’s letter requests the company provide justifications for its policy, identify efforts to comply with applicable laws, and ensure that its use of this technology will not lead to discrimination.
In November 2023, the New York State Department of Financial Services announced that a title insurer will pay $1 million for allegedly violating state cybersecurity regulations.[310] The insurer allegedly failed to ensure “full and complete implementation” of its cybersecurity policies and procedures prior to a May 2019 data breach that exposed its customers’ nonpublic information.[311]
Washington
The Washington Attorney General (“WA AG”) announced a $39.9 million settlement with a large technology company related to the WA AG’s lawsuit over its location-tracking practices.[312] The WA AG, like the CA AG, filed a separate lawsuit from the multistate effort that had been settled in November 2022. Similar to the California suit, the WA AG alleged that the company collects location data even when consumers had disabled their location history and that it tracked devices even when location access was turned off. In addition to the monetary penalty, the company agreed to disclose additional information to users where they enable a location-related account setting, ensure that users see information about location tracking, and give users detailed information about the types of location data that the company collects and how it will be used.
c. Major Data Breach Settlements
While 2023 did not see as many high-profile data breach settlements as in recent years, with the number of data breach-related case filings reaching new records, major settlements are likely on the horizon.
Many of the notable 2023 settlements were reached with state attorneys general. A software provider in the healthcare and education space agreed to a $49.5 million settlement with numerous state attorneys general (led by Indiana and Vermont) to resolve claims stemming from a ransomware attack that impacted the company and nearly 13,000 customers in 2020.[313] In another notable data breach settlement, the attorneys general of New York, Connecticut, Florida, Indiana, New Jersey, and Vermont entered into a $6.5 million settlement with a major financial services provider arising from two instances in which customer data inadvertently left the company’s custody.[314] And a vision insurance company entered a $2.5 million settlement with the attorneys general of New Jersey, Oregon, Florida, and Pennsylvania stemming from a breach which impacted the health care information of 2.1 million individuals.[315]
Class actions have also resulted in significant settlements. A law firm recently announced that it reached a tentative class settlement with plaintiffs whose personal information was allegedly compromised in a data breach.[316] Once finalized, this settlement will resolve four consolidated lawsuits stemming from the firm’s alleged three-month delay in notifying affected individuals of the breach. And in July 2023, the Southern District of Florida approved a $3 million settlement in a class action suit against a health care network and its parent company arising from a 2021 data breach in which over three million individuals were affected.[317]
III. Civil Litigation Regarding Privacy and Data Security
Cybercrimes targeting consumer data have been increasingly pervasive, and this trend continued in 2023. The Identity Theft Resource Center, which compiles statistical information on data breaches, reported 2,116 data breaches in the first nine months of 2023.[318] This number surpasses the 2021 record of 1,862 data breaches and represents a nearly 64% increase in the number of data breaches reported over the same nine-month period in 2022.[319] These trends suggest companies will continue to face more widespread and sophisticated attacks by cybercriminals, and the risk of litigation remains elevated for companies dealing with the aftermath of a cyberattack.
One of the largest and most significant data breach litigations in history was filed this year. After the developer of a popular file transfer service announced that its service had been exploited by a Russian cybergang in a data breach that exposed the personally identifiable information of more than 55 million people, more than 200 cases were filed.[320] These actions were centralized in an MDL that is now pending in the District of Massachusetts.[321] At the time of publication, the MDL remains in its early stages, but we expect this case will be one that practitioners will watch closely.
This section summarizes key developments in data breach litigation last year.
1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions
Many data breach cases are litigated in federal court, given large numbers of potentially affected individuals and jurisdictional provisions of the Class Action Fairness Act. Plaintiffs pursuing claims in federal court must satisfy the standing requirements of Article III of the U.S. Constitution, and data breach actions raise significant questions about whether plaintiffs can satisfy this requirement. In 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, a landmark decision that increased the burden on plaintiffs to demonstrate standing in actions for money damages brought in federal court.[322] The Court held that the mere risk of future harm is insufficient to satisfy the concrete injury that Article III requires, especially where the plaintiff is unaware of the risk of future harm.[323] This holding is especially significant in data breach cases where a plaintiff’s data has been breached but not yet misused.
Although TransUnion went a long way towards clarifying how risks of future harm should be analyzed under Article III, appellate courts have continued to grapple with the bounds of the Court’s holding and divergent approaches to the issue of standing persisted in 2023.
Some courts have interpreted TransUnion narrowly and concluded that notwithstanding its holding, plaintiffs can establish standing even if their data has not yet been misused. For example, in Webb v. Injured Workers Pharmacy, LLC, the First Circuit held that a “material risk of future harm can satisfy the concrete-harm requirement” for standing, reasoning that data compromised in targeted attacks (as opposed to inadvertent disclosures) is more likely to be misused, especially when the data is sensitive and other personal information in the exposed data has already been misused.[324] Moreover, to satisfy TransUnion’s requirement of “alleg[ing] a separate, concrete present harm” to have standing to seek damages, the court held that the plaintiffs’ “time spent responding to a data breach can constitute a concrete injury sufficient to confer standing, at least when that time would otherwise have been put to profitable use.”[325] Similarly, the Second Circuit held that a plaintiff suffered “concrete harms as a result of the risk of future harm occasioned by the exposure” of her personal information, in particular because she incurred expenses attempting to mitigate the consequences of the breach.[326] Moreover, the plaintiff’s name and Social Security number were compromised in the targeted attack, and the court reasoned that the exposure of this type of sensitive data led to concrete present harms due to the increased risk that her identity would be stolen in the future.[327]
Other courts have interpreted TransUnion to mandate a stricter approach to standing. For example, in Holmes v. Elephant Insurance Co., a trial court dismissed for lack of standing claims alleging that the plaintiffs’ personal information was compromised in a 2022 data breach.[328] Despite a potential heightened risk of future identity theft, the court found that this risk alone did not constitute an injury in fact unless it was “certainly impending.”[329] Even though two of the three named plaintiffs had alleged their driver’s license information had appeared on the dark web, the court reasoned that unless combined with additional personal information, a driver’s license number could not be used to create a full identity profile, and therefore only constituted a threat of future identity theft.[330] The court also found there was insufficient support for the contention that the risk of identity theft was “certainly impending” without assuming that the plaintiffs were specifically targeted in the breach, that the perpetrator was actively compiling full profiles of plaintiffs, and that the perpetrator would “imminently and successfully attempt to use th[e] information [at issue] to steal the plaintiffs’ identities.”[331] In reaching this conclusion, the court also diverged from the approach taken by the First Circuit in Webb, finding that absent an imminent threat of identity theft, the cost of mitigative measures, such as time spent monitoring financial information, does not constitute an injury sufficient to support standing.[332]
A California district court in Burns v. Mammoth Media, Inc., appeared to agree with this approach, suggesting that “an increased risk of identity theft may constitute a credible threat of real and immediate harm sufficient to constitute an injury in fact for standing purposes.”[333] However, the court ultimately denied standing and dismissed the claims because there were insufficient allegations to establish an increased threat of identity theft based on the type of data compromised. In particular, the plaintiff alleged only that his name, email address, gender, profile creation date, user name, user ID, password, and access token were exposed, but he failed to explain how the specific data compromised was sufficiently sensitive to create a risk of identity theft.[334]
Questions about standing are also significant to class certification, as putative classes that contain large numbers of uninjured class members are frequently not viable.[335] One case from 2023 illustrating this issue is Attias v. CareFirst, Inc., where the District Court for the District of Columbia denied class certification because “the proposed classes . . . would appear to sweep in significant numbers of people who have suffered no injury in fact in light of TransUnion.”[336] Even though the named plaintiffs had adequately demonstrated standing “because they ha[d] spent at least some amount of time or money protecting against the risk of future identity theft,” there was a “serious predominance problem” because not all the putative class members had done the same, thereby necessitating “individualized proof of injury.”[337] These “logistical hurdles of identifying class members who were injured or determining what kinds of mitigation measures might qualify an individual for class membership” meant the court “[could not] conclude that the common issues predominate over individualized inquiries.”[338]
2. Cybersecurity-Related Securities Litigation
In the aftermath of a cybersecurity incident, companies and their officers also frequently face shareholder suits. Although the pace of data breach-related securities case filings has slowed,[339] the past year still saw a fair share of new litigation. For instance, in March 2023, shareholders filed a securities class action under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against a television service provider, alleging that the company overstated its operational efficiency in public statements and SEC filings and maintained deficient cybersecurity infrastructure, leaving the company unable to secure customer data and leaving it vulnerable to cyberattacks and service issues.[340] In another action filed in 2023, shareholders alleged that a financial services technology company violated Sections 12(a)(2) and 15 of the Securities Act of 1933 in connection with the compromise of customer data.[341] The plaintiffs alleged that the company failed to accurately describe its data security capabilities, among other things, in its securities filings. This case remains in the early stages.
Defendants have had success in getting shareholder data-breach claims dismissed on the pleadings, including for failure to plead falsity or scienter with the requisite particularity.[342] For example, the Northern District of California dismissed a shareholder suit related to a January 2022 data security incident.[343] The plaintiffs in that case sued under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, alleging that the company and certain officers made false and misleading statements in the company’s disclosures about its data security practices.[344] The court dismissed these allegations, finding that the plaintiffs failed to allege either falsity or scienter based on the defendants’ general statements about the company’s commitment to data security.[345]
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
Last year’s Review noted a deluge of lawsuits brought under federal and state wiretapping statutes. This trend continued in 2023, with recent lawsuits alleging that various businesses invade consumers’ privacy rights and violate federal and state wiretapping statutes by allegedly failing to obtain sufficient and valid consent when using various online “tracking” technologies, such as session replay, pixels, and chat software. Plaintiffs in these cases generally allege that their interactions with businesses’ websites or apps are “communications” between them and the business, which are being “recorded” and “intercepted” by the business through a third-party pixel, software development kit, chat, or session-replay service provider.[346]
Many of these cases focus on claims for violations of wiretapping statutes. Wiretapping statutes were initially intended to prevent surreptitious recording of, or eavesdropping on, phone calls without the consent of the parties involved, but they have evolved to cover other forms of electronic and digital communications. The federal Wiretap Act of 1968, as amended by the Electronic Communications Privacy Act of 1986,[347] is a “one-party” consent statute that allows communications to be intercepted (with certain exceptions) so long as “one of the parties to the communication has given prior consent[.]”[348] Almost all 50 states also have some form of wiretapping statute; most of them are also one-party consent statutes, but a significant minority require “two-party” (or “all-party”) consent.[349] Many recent lawsuits have brought claims under both the federal Wiretap Act and various state statutes, with litigation heavy in all-party consent states like California (where statutory damages can run as high as $5,000 per violation), Pennsylvania, and Florida.[350]
In addition to alleged violations of wiretapping statutes, lawsuits concerning online tracking technologies frequently raise a host of interrelated legal issues.
For example, a plaintiff in a Northern District of California case alleged that a pixel tool was embedded in a university-owned hospital website where the plaintiff entered private medical information concerning her cardiovascular health.[351] Because this information was allegedly redirected to a third-party company, the plaintiff claimed that the defendant violated the California Invasion of Privacy Act (“CIPA”), three separate sections of the Confidentiality of Medical Information Act (“CMIA”), and the California Constitution. The plaintiff also alleged common law causes of action including breach of contract, unjust enrichment, and the right to privacy. The court allowed the common law privacy and two CMIA claims to move forward and dismissed the remaining claims, largely on the basis that the university is an immune public entity. Similarly, in Jackson v. Fandom Inc.,[352] another Northern District of California judge denied the defendant’s motion to dismiss a proposed class action alleging that the defendant, a hosting service for user-generated wikis, violated the federal Video Privacy Protection Act (“VPPA”) by sharing users’ personally identifiable information (“PII”) through pixels. Specifically, the judge found that associating viewing history with the plaintiff’s unique user ID may have constituted unlawful disclosure of PII.[353]
In yet another notable decision, a federal judge dismissed claims against a technology company alleging it had shared information about the plaintiffs’ online activity with a third party via a pixel without the plaintiffs’ consent.[354] The plaintiffs claimed that the company’s terms of use did not inform users that the platform was sharing information with the third party and that its failure to disclose this information was fraud by omission in violation of both California’s Unfair Competition Law (“UCL”) and its Consumer Legal Remedies Act (“CLRA”). They also asserted claims under VPPA and for unjust enrichment. In granting the company’s motion to dismiss these claims, the court reasoned that Rule 9(b)’s heightened pleading standard applied because the alleged fraud stemmed from alleged misrepresentations in the company’s terms of use.[355] The court therefore granted the company’s motion to dismiss the CLRA and UCL claims. In November 2023, the company moved for summary judgment on that claim, which remains pending.
These cases are representative of many others, and we expect plaintiffs to leverage their mixed outcomes to continue to bring similar matters and attempt to extract settlements.
C. Anti-Hacking and Computer Intrusion Statutes
The federal Computer Fraud and Abuse Act (“CFAA”) generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[356] In recent years, several high-profile court decisions, including the U.S. Supreme Court’s 2021 decision in Van Buren v. United States, have limited the CFAA’s scope.[357] In 2022, these decisions also prompted the Department of Justice to narrow its CFAA enforcement policies,[358] as described in last year’s Review.
In 2023, courts around the country have continued to grapple with the CFAA’s outer bounds. Summarized below are three cases of particular interest, including a case from the Second Circuit analyzing venue considerations in CFAA actions and a pair of district court cases reaching somewhat different conclusions on whether software constitutes a “computer” under the statute.
Venue in CFAA Criminal Cases. In July 2023, the Second Circuit upheld a criminal CFAA conviction against a venue challenge.[359] The case involved a defendant, a disgruntled former employee, who deleted information from her company’s online database, which was hosted on servers outside of New York.[360] Her deletion of the database prevented some employees in New York from accessing it.[361] A criminal action was brought against the defendant in the Southern District of New York and the defendant argued venue was improper because the data she deleted resided on servers in Virginia and California, and therefore she could not have damaged a computer in New York.[362] The Second Circuit rejected this claim, holding that even though the data was stored on cloud servers elsewhere, the defendant had still “damaged” a computer in New York, because she had “impair[ed] . . . the integrity or availability of data, a program, a system, or information” on a computer there.[363] The Supreme Court denied certiorari.[364] The case is notable not just because of its expansive view of venue in CFAA criminal cases, but also because it raises new questions about the scope of covered harm to “protected computers” in CFAA criminal and civil cases alike—an especially important issue given the interconnectedness of computer networks.
Cloud Computing Systems As Covered “Computers.” In July 2023, an Illinois federal district court held that a “cloud-based system of data storage” constitutes a “computer” under the civil enforcement sections of the CFAA.[365] The defendants in this case allegedly accessed a former employer’s Microsoft Office 365 cloud services after their employer terminated them—by logging in with old and phony credentials.[366] The defendants moved to dismiss the employer’s CFAA claim, arguing a cloud service is not a protected “computer” under the CFAA.[367] The court disagreed.[368] The court reasoned that the CFAA broadly defines a “computer” as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.”[369] Because a cloud system involves storing data on remote servers, and “[s]ervers fit within the plain language” of a computer under the Act, the plaintiff had sufficiently alleged that the defendants improperly accessed a “computer” under the CFAA.[370] The court also rejected the premise that CFAA liability could attach only if the plaintiff, rather than Microsoft, actually owned the remote servers that supported the cloud service.[371]
Software Not a Covered “Computer.” By contrast, in April 2023, a New Jersey federal district court held that “software” does not constitute a protected computer under the CFAA.[372] In this case, the plaintiff claimed that he was hired to install certain software he created on a bank’s computers, but a dispute arose over whether the bank had paid for a license to use the software.[373] The plaintiff sued, claiming, among other things, that by using the software without permission and by locking him out of his bank computer (which allegedly contained the software), the bank violated the CFAA.[374] The court summarily disagreed, noting that the plaintiff had presented “no authority indicating that software is a ‘computer’ within the meaning of the CFAA,” and dismissed the claim.[375]
Generative AI and the CFAA. Another notable development from this past year was the bevy of lawsuits filed against generative AI companies, challenging the companies’ alleged practice of scraping or otherwise obtaining data to train their AI models. Some of these lawsuits claim that these practices—which involve allegedly harvesting publicly accessible data from the Internet or obtaining user data through the use of “plug-ins” installed on third-party websites—violate the CFAA for exceeding authorized access to plaintiffs’ computers.[376] These cases are still at their early stages and will likely need to grapple with the Ninth Circuit’s 2022 decision in hiQ Labs, Inc. v. LinkedIn,[377] which held that the CFAA’s concept of “without authorization” may not apply “when a computer network generally permits public access to its data”—although the Ninth Circuit noted there may be other common law and statutory claims available for those who believe they have been the victims of data scraping.[378]
The Comprehensive Data Access and Fraud Act (“CDAFA”) is California’s sister statute to the CFAA, and it creates a private right of action against any person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”[379] “Access” means to “cause output from” the “logical, arithmetical, or memory function resources of a computer.”[380]
In 2023, several district courts considered the interaction between the CDAFA and the recent wave of litigation related to website tracking technologies, including web pixels. Below are two such cases of interest.
Private Browsing Modes and Online Advertising Technologies. In August 2023, a California district court denied a motion for summary judgment on a CDAFA claim. Plaintiffs alleged that a prominent internet company improperly tracked user activity when users were using “private browsing modes.”[381] Plaintiffs claimed that, when third parties embedded certain advertising technologies into their websites, those technologies sent data about the users’ online activities to the company, even if the users were using a private browsing mode.[382] The company sought summary judgment on plaintiffs’ CDAFA claim, arguing that the company could not have “accessed” plaintiffs’ computers under the CDAFA because “website developers,” not the defendant, embed the code that directs users’ browsers to send requests to the company’s servers.[383] The court rejected this argument, holding that the fact that “website developers chose to embed [the company’s] services onto their websites at most creates a triable issue as to whether developers and not the company . . . ‘cause output from’ plaintiffs’ computers” under the CDAFA.[384] The company separately argued that plaintiffs had suffered no “damage or loss” under the CDAFA, but the court rejected this argument, too, holding that “plaintiffs [had] proffer[ed] evidence that there is a market” for their browsing history data.[385] On December 26, 2023, the parties announced that they had reached a preliminary settlement agreement.[386]
“Technical Barriers” for First-Party Websites. In October 2023, a California district court dismissed with prejudice a CDAFA claim premised on the theory that a chatbox on a developer’s website transmitted certain user information to third parties.[387] The developer argued that it did not act “without permission” under the CDAFA because it did not overcome any “technical or code-based barriers” to insert the third-party code into its own website and allegedly transmit user information.[388] The district court agreed, holding that there are “no technical barriers blocking Defendant from using its own Website” in the manner alleged.[389] The district court also dismissed the claim on the basis that plaintiff had failed to allege any damage or loss under the CDAFA.[390]
D. Telephone Consumer Protection Act Litigation
Originally enacted in 1991, the Telephone Consumer Protection Act (“TCPA”) regulates certain forms of telemarketing and the use of automatic telephone dialing systems (“ATDS”).[391] Historically, much of TCPA litigation centered on issues concerning the technical definition of an ATDS, but that issue was largely clarified through the Supreme Court’s 2021 opinion in Facebook Inc. v. Duguid, which favored a narrower definition that limited it to devices that store or produce telephone numbers by using a random or sequential number generator.[392] Nonetheless, the TCPA continues to be an area of significant regulatory and litigation activity. 2023 was defined by increased regulation and enforcement by the FCC, as well as ongoing federal litigation addressing the scope of the TCPA.
TCPA cases continue to make their way up to the federal appellate courts, frequently presenting the issue of whether receipt of a single unsolicited call is sufficient to confer Article III standing. Some circuits have answered in the affirmative. For example, the Sixth Circuit held that a consumer who had received a ringless voicemail had standing to sue under the TCPA.[393] The plaintiff argued, successfully, that the receipt of the unsolicited ringless voicemail was comparable to the common law tort of intrusion upon seclusion.[394] Similarly, in Drazen v. Pinto, an en banc panel of the Eleventh Circuit held that individuals who received even a single unwanted telemarketing text message had standing to sue under the TCPA, overruling the court’s prior decision that held the opposite.[395]
In another notable decision, Hall v. Smosh Dot Com, Inc., the Ninth Circuit held that a phone line subscriber has standing to sue for TCPA violations, even if the subscriber is not the recipient of the call.[396] Even though the plaintiff’s son in that case had received the unwanted text messages, the Ninth Circuit stated that the TCPA does not require that “the owner of a cell phone must also be the phone’s primary or customary user to be injured by unsolicited phone calls or text messages sent to its number.”[397]
Not all courts have read the TCPA so expansively, and appellate courts continue to find communications not covered by the language of the TCPA. For example, in January 2023, the Third Circuit held that faxes sent by a drug testing laboratory, promoting a free educational seminar about opioid use and medication monitoring, did not qualify as “unsolicited advertisements” under the TCPA.[398] In another notable case, the Ninth Circuit held that text messages did not violate the TCPA’s prohibition on “prerecorded voices,” because text messages are not “voice” messages.[399]
In the face of newly implemented rules, shifting case law, and new communications technology, we expect the TCPA to continue to be an area to watch.
1. California Consumer Privacy Act Litigation
While the regulatory atmosphere around the CCPA evolved in 2023, the litigation landscape remained fairly constant. Consumers, individually or as a class, continued to litigate under the CCPA, making claims for both pecuniary and statutory damages.
a. Potential Anchoring Effect of CCPA Statutory Damages
As discussed in last year’s Review, the CCPA’s provisions for statutory damages have continued to frame settlement negotiations. The CCPA provides that consumers exercising their private right of action for a data breach may recover the greater of statutory damages between $100 and $750 per consumer, per incident, or actual damages.[400] The cases summarized below provide color on how these statutory damages have impacted settlement terms in the CCPA context.
Automobile Manufacturers and Marketing Vendor. In this case, previously discussed in last year’s Review, residents of California and Florida filed class actions alleging that auto manufacturers and a marketing vendor failed to adequately secure customers’ personal information, allowing hackers to steal information such as driver’s license numbers, Social Security numbers, financial account numbers and more.[401] The plaintiffs asserted causes of action for negligence, breach of implied contract, violation of the CCPA, violation of California’s Unfair Competition Law, and breach of contract. The parties agreed to a settlement which was granted final approval on May 31, 2023.[402] The terms of the settlement reflect the potential effects of the CCPA, as California residents whose sensitive personal information was affected received $350, while the non-California residents whose sensitive personal information was exposed would receive only $80 (about 77% less than their California peers).[403]
Ticket Retailer. Consumers who bought tickets from a ticket retailer brought suit after a data breach was disclosed. Plaintiffs alleged that “skimmers” placed on the defendant’s checkout webpage stole their personal sensitive data.[404] Plaintiffs asserted a variety of claims, including negligence, breach of contract, violation of California’s Unfair Competition Law, and violation of the CCPA.[405] The parties reached a $3 million settlement, which was granted final approval on October 30, 2023. The settlement fund provides California sub-class members with an additional $100 “California Statutory Award benefit.”[406]
b. Requirements for Adequately Stating a CCPA Claim
Courts continued to give shape to the requirements to plead a CCPA claim. The decisions below address the facts and allegations required to bring a CCPA action under its limited private right of action, which applies only to data breaches.
Software Company Automatic Renewal Case. The Ninth Circuit recently affirmed the dismissal of a case alleging violations of the CCPA. The plaintiff alleged his data was shared with a credit card processor without his authorization due to the automatic renewal of his subscription. The trial court dismissed his claim because the plaintiff had agreed to the defendant’s End-User License Agreement, which stated his subscription would renew every 12 months unless terminated.[407] The trial court found the disclosure of his personal information was not “without authorization” and was not caused by a failure to implement reasonable security procedures and practices.[408] The Ninth Circuit affirmed.[409]
Online Banking. Plaintiff alleged that the defendant bank violated the CCPA when an unknown individual accessed his bank account, changed his contact information, and obtained new account cards to make purchases. The bank, on a motion to dismiss, argued that the plaintiff had not alleged that a data breach occurred. The court disagreed, finding that plaintiff’s allegations that his account was accessed and personal information obtained because of the failure to implement reasonable security procedures were sufficient to state a claim under the CCPA.[410]
c. CCPA Violations Under the UCL
Violations of the CCPA cannot serve as the predicate for a cause of action under a separate statute, including California’s Unfair Competition Law (“UCL”).[411] While there has been no change regarding the inability to use a CCPA violation as the predicate “unlawful” claim under the UCL, one court has found the CCPA may create a property interest upon which a UCL claim may be brought. That decision is summarized below.
Search Engine Company. Originally filed in June 2020, this class action alleges that a large technology company unlawfully collected data from users while using the company’s browser in incognito or private mode.[412] The plaintiffs brought claims, including under the federal Wiretap Act, the California Invasion of Privacy Act (CIPA), and California’s UCL.[413] On summary judgment, the defendant argued that plaintiffs had no economic injury as required for a UCL claim, as they had not lost money or property as a result of the data collection.[414] Plaintiffs argued that their private data has monetary value and they have a property interest in that data “because the [CCPA] affords them the right to exclude Google from selling their data to third parties.”[415] The court agreed with plaintiffs, holding that “plaintiffs have identified an unopposed property interest for at least a portion of the class period under the California Consumer Privacy Act.”[416] The court further found that money damages are not an adequate remedy alone, and that injunctive relief is necessary to address the ongoing data collection.[417]
d. The CCPA’s 30-Day Notice Requirement
The CCPA requires that a “consumer provide[] a business 30 days’ written notice identifying the specific provisions of [the CCPA] the consumer alleges have been or are being violated.”[418] The written notice initiates a 30-day period during which the business may cure any violation. While this cure provision was eliminated by the CPRA, cases addressing the notice-and-cure provisions have continued to move through the courts. Last year’s Review discussed a case dismissing a suit with prejudice where plaintiffs did not comply with the 30-day notice period.[419] The cases below have departed from that decision, illustrating the boundaries of the cure provision as a safeguard.
Consumer Debt Collector. Plaintiffs alleged that their personal information was stolen in a data breach because the information was unencrypted and improperly safeguarded.[420] Plaintiffs brought claims under the CCPA for actual and statutory damages, even though they provided no pre-suit notice for the defendant to cure as required under the CCPA.[421] The court noted that no pre-suit notice is required to the extent plaintiffs sought pecuniary damages, but dismissed the statutory damages claims without prejudice.[422] In dismissing the claim for statutory damages without prejudice, the court expressly declined to follow Griffey, which we discussed in last year’s Review. The Griffey court had dismissed a CCPA claim with prejudice, reasoning that the purpose of the pre-suit notice is to allow the defendant time to cure the violation out of court.[423] Allowing a plaintiff to file a complaint, then send a notice, and then file an amended complaint defeats this remedial purpose of the statutory notice-and-cure provision. The Western District of Washington expressly rejected Griffey’s rationale, concluding that dismissal without prejudice “accords with the remedial nature of the CCPA’s notice provision.”[424]
Money Services Business. After a data breach, plaintiffs brought suit claiming negligence, breach of implied contract, and violation of the CCPA due to the disclosure of their names, Social Security numbers, and driver’s license numbers.[425] Defendant moved to dismiss the CCPA claim, arguing it was barred due to the notice-and-cure provision. Defendant “claimed to have enhanced its security measures” after receiving notice of the alleged violation, and thus “cured all alleged violations within the requisite time period.”[426] The court found this straightforward assertion insufficient because “the implementation and maintenance of reasonable security procedures and practices . . . following a breach does not constitute a cure with respect to that breach.”[427] The court pointed out that the defendant had not provided any additional detail on the nature of its cure, concluding that this was insufficient at the motion-to-dismiss stage.[428]
e. Guidance on Reasonable Security Measures in Connection with the CCPA
In addition to the cases highlighted by last year’s Review,[429] courts have continued to weigh in on what qualifies as reasonable data security measures under the CCPA.
Moving Company. Plaintiffs brought suit after their personal information was stolen by hackers in a cyberattack. Plaintiffs asserted violations of the CCPA for failure to take reasonable precautions to protect their personal information.[430] The court declined to dismiss the CCPA claim, and identified a number of measures the defendants could have taken prior to the breach. Plaintiffs specifically alleged that the defendant’s security measures were inadequate because they failed to implement “adequate filtering software,” “adequate[] training,” “multi-factor authentication,” encryption, and destruction when the personal information was no longer in use.[431] The court also pointed to plaintiff’s complaint, which “identif[ied] fourteen cybersecurity best practices that defendant should have followed but allegedly did not.”[432]
Large National Bank. Plaintiffs brought numerous claims arising out of prepaid benefits payment cards issued by the bank.[433] Plaintiffs alleged that these cards were targeted by bad actors, and the information was easily accessible since the cards had magnetic strips instead of chips. Plaintiffs claimed that erroneous charges and unauthorized transactions resulted in the loss of their funds and alleged violations of the CCPA due to the debit cards’ lack of chip technology, asserting that use of chip technology is a necessary reasonable security measure to protect their personal information. The court agreed, finding that the allegations stated a claim under the CCPA.[434] The court also found that plaintiffs’ allegation that the bank failed to subject its agents to background checks was adequate to state a claim based on failure to implement and maintain reasonable security measures and practices.[435]
2. State Biometric Information Litigation
a. Illinois Biometric Information Privacy Act
2023 was another active year for Illinois’s biometrics law, with courts continuing to expand the scope of the Biometric Information Privacy Act (“BIPA”), but also recognizing new limitations. Perhaps unsurprisingly, Illinois also continued as the leading state with respect to biometrics-related litigation.
BIPA’s Statute of Limitations Under Section 15. The Supreme Court of Illinois found that claims brought under Section 15 of BIPA (which relates to retention, collection, disclosure, storage, and use of biometric information) have a five-year statute of limitations, reversing an appellate court’s ruling that placed a one-year limit on such claims.[436] Under Illinois law, “actions . . . to recover damages for an injury done to property, real or personal . . . and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”[437] The court applied Illinois’s default five-year catchall statute of limitations in part because a shorter limit would “thwart [the] legislative intent” of BIPA to provide redress for persons aggrieved and “shorten the amount of time a private entity would be held liable for noncompliance with the Act.”[438] Additionally, upon a certified question from the Seventh Circuit, the Supreme Court of Illinois ruled in a 4-3 decision that BIPA claims “accrue under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[439] The court dismissed ongoing policy-based concerns about massive damages by reiterating that the court “has repeatedly recognized the potential for significant damages awards under the Act” and that such high damages operate as an incentive for private entities to conform to state law.[440] While noting trial courts presiding over a class action “possess the discretion to fashion” a fair yet less-deleterious award, the court concluded that the legislature was the best vehicle to address policy concerns and the plain language of the statute authorized accrual of claims.[441]
BIPA Claims Survive Death. Also in 2023, a federal court in Illinois, hearing a class action case where the named plaintiff passed away, held that BIPA created a personal property interest and claims survive the plaintiff’s death.[442]
ii. New Recognized Limitations Under BIPA
Even so, courts recognized limitations to claims brought under BIPA in 2023.
“Active Steps” In Furtherance of Collecting Biometric Data. For example, an Illinois federal judge dismissed two claims in a proposed class action where an employer used third-party timekeeping software that registered and scanned employee fingerprints which were then stored on a vendor’s cloud storage service.[443] The judge held that the cloud storage vendor did not take an “active step” in furtherance of collecting biometric information merely by contracting with the third party to provide access to the vendor’s cloud storage system, but instead was “merely a vendor to the third party that provided the biometric timekeeping technology and services to [the employer].”[444]
Exceptions to Collections of Biometric Data. In some cases, courts found that certain exceptions privileged the collection of biometric data—for example, one trial court held that the “general health care exemption” to BIPA covered a virtual try-on tool for sunglasses, finding sunglasses to be a Class I medical device under the FDA.[445] Another court denied the plaintiff’s motion to strike the defendant’s affirmative defense that “the biometric identifiers it collects fall within [the general health care] exception because they are collected along with medical information provided by a donor,” such as fingerprints taken prior to donating plasma used to identify the patient during each donation.[446] The court noted that BIPA does not define the term “patient” nor does it define the term “health care” and found that the defendant’s arguments as to why the exception applied were sufficient to survive a motion to strike.[447]
b. Texas Biometric Privacy Law Litigation
As discussed in last year’s Review, in February 2022, Texas Attorney General Ken Paxton brought the first enforcement action under the Texas Capture and Use of Biometric Identifier Act (“CUBI”) more than two decades after its passage in 2001.[448] AG Paxton asserted a CUBI claim against a large social media company alleging that the company’s collection of “facial geometries” in connection with its facial recognition and tagging feature that it deprecated in November 2021 violated CUBI, in addition to bringing claims under Texas’ Deceptive Trade Practices Act.[449] The parties continued to conduct discovery in the case throughout 2023.
In late October 2022, Texas filed a similar action against another large technology company for alleged violations of CUBI.[450] The case is still in the early stages of discovery. These two cases remain the only actions brought under CUBI. Given the preliminary enforcement efforts by the state of Texas, companies can continue to expect heightened state-level scrutiny and enforcement in the biometrics arena in 2024.
c. New York Biometric Privacy Law Litigation
2023 also saw challenges under the N.Y.C. Biometric Privacy Law. On May 19, 2023, two plaintiffs filed a class action against a large live-entertainment company for its alleged use of facial recognition software to keep banned individuals out of its venues.[451] The plaintiffs allege that the company collects biometric information from every person who enters its venues, and then compares that information to an internal database of banned individuals.[452] The complaint further alleges that the company shares this biometric information with at least one third-party vendor, and that the company ultimately benefits in the form of reduced litigation costs.[453]
The plaintiffs allege that this undisclosed collection, use, and disclosure of customers’ biometric data violates the 2021 New York City Biometric Identifier Information Law and the right to privacy guaranteed by Article 5 of the New York Civil Rights Law.[454] Plaintiffs also pleaded an unjust enrichment claim, maintaining that the company wrongfully obtained benefits from the proposed plaintiff class in the form of valuable data.[455]
On January 9, 2024, a federal magistrate judge released a report recommending dismissal of the civil rights and unjust enrichment claims.[456] On the civil rights law claim, the court found that the limitations period of one year had already run for one plaintiff.[457] For the other plaintiff, the court found that the defendant’s alleged collection and use of biometric information to remove banned individuals could not plausibly be understood “as seeking to draw trade at its venues”—a necessary element of a claim under the civil rights statute.[458] The magistrate also recommended dismissing the unjust enrichment claim on the ground that “New York courts have long recognized the Civil Rights Law as ‘preempting all common law claims based on unauthorized use of name, image, or personality, including unjust enrichment claims.’”[459] Thus, under New York law, there can be no unjust enrichment claim arising from use of one’s personal image.[460] The magistrate recommended allowing the New York City Biometric Identifier Law claim to proceed, finding that the defendant’s alleged conduct is consistent with the text and legislative history of the statute.[461]
F. Other Noteworthy Litigation
Supreme Court Declines to Address Scope of Section 230. In last year’s Review, we noted that the U.S. Supreme Court granted certiorari in two cases that could affect the scope of Section 230 of the Communications Decency Act of 1996, which protects “interactive computer services” from liability for user-published content. In each case, Twitter, Inc. v. Taamneh[462] and Gonzalez v. Google LLC,[463] plaintiffs alleged that social media companies were liable under the Anti-Terrorism Act (ATA) for aiding and abetting acts of terrorism that resulted in the deaths of plaintiffs’ family members. According to the plaintiffs, ISIS allegedly used the defendants’ websites to fundraise and recruit new members, with little interference by content moderators—and sometimes even active promotion by the defendants’ algorithms. Both cases came from the Ninth Circuit Court of Appeals, which had allowed the Taamneh case to proceed[464] but held that Section 230 barred most of the claims in Gonzalez.[465]
The U.S. Supreme Court unanimously reversed the Ninth Circuit’s decision in Taamneh, holding that the plaintiffs had not stated a claim under the ATA because they failed to show “any concrete nexus between defendants’ services” and the attack.[466] On the same day, the Court declined to address the Ninth Circuit’s holding regarding Section 230 in Gonzalez, instead remanding the case for reconsideration in light of Taamneh.[467] Thus the Court effectively sidestepped the question of whether Section 230 bars platform liability for algorithmic amplification of user-published content by resolving one case on ATA grounds alone and remanding the other.
Large Technology Companies Continue to Face VPPA-Related Litigation. Several lawsuits were filed in 2023 concerning companies’ collection and management of users’ video-related information. For example, with respect to a lawsuit relating to one major technology company’s management of user video history information, a federal district court dismissed with prejudice a claim that the company’s alleged retention of the plaintiff’s video rental history violated the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law.[468] The court observed that, like the VPPA, these state analogue statutes were meant to prevent unauthorized disclosure of video-related data rather than mere retention of it.[469]
In another video-related case,[470] a federal court held that the plaintiff had adequately pleaded a VPPA violation by alleging that a company disclosed information about the plaintiff’s online activity to his school district, which was using the company’s platform for digital learning during the COVID-19 pandemic.[471] The company moved to dismiss this claim on two grounds: First, it argued that the plaintiff was not a “subscriber” within the meaning of the VPPA, since his account with the defendant was a byproduct of his relationship with the school district.[472] Second, the company argued that any disclosure of PII was permitted by the VPPA because it was done “in the regular course of business” with the school district.[473] The court rejected both arguments, finding that the plaintiff, who held an account directly with the defendant, was plausibly a subscriber.[474] The court also said it was not appropriate to decide the second issue at the motion to dismiss stage, as the company’s contract with the district was not part of the court’s record.[475]
Employers May Be Potentially Liable for Failing to Secure Employees’ Personally Identifiable Information. 2023 also saw new lawsuits focusing on employee data privacy and seeking to hold employers liable for failing to secure employees’ PII or failing to implement appropriate safeguards. For example, the United States Court of Appeals for the Eleventh Circuit ruled that a plaintiff had plausibly alleged a negligence claim against a former employer that failed to protect PII in the employer’s possession.[476] The complaint alleges that as a condition of employment, the plaintiff and members of the proposed class were required to give the defendant certain PII like their names and Social Security numbers.[477] However, the employer did not maintain adequate security measures to protect that information, and the PII was subsequently leaked in a ransomware attack on the employer’s system.[478]
The court held that such an attack was reasonably foreseeable for a large employer like the defendant; that the plaintiff adequately pleaded that the former employer owed him a duty of care; and that failure to comply with standard data security practices was plausibly a breach of that duty.[479] Thus, the court allowed the plaintiff’s negligence claim to move forward.
Likewise, a major car manufacturer was sued for allegedly failing to protect the personal information of 75,000 current and former employees that was exposed in a data breach carried out by former employees of the company.[480] The complaint alleges that the company failed to implement or follow reasonable data security procedures as required by law, and failed to protect the sensitive information of class members from unauthorized action.[481] The case is in its early stages, and there has not yet been any dispositive-motion practice.
IV. Trends Related to Data Innovations and Governmental Data Collection
A. Data-Intensive Technologies—Privacy Implications and Trends
With the continued proliferation of data-intensive technologies, big data processing and its privacy implications continued to be an area of great focus in 2023. In addition to innovations and issues pertaining to AI, which are covered in detail in Gibson Dunn’s forthcoming Artificial Intelligence Legal Review, there was a renewed focus on smart cities, edge computing and privacy-enhancing technologies (PETs).
Smart Cities. The trend over the past decade of cities getting “smarter” continued at a rapid clip in 2023. A “smart city” leverages technology, data-driven decision-making, and digitally connected infrastructure to optimize the quality of municipal services, promote safe and sustainable communities, and achieve operational efficiencies.[482] Most of the technologies that smart cities are currently using do not collect or process personal data. For example, smart street-lighting technologies allow cities to turn on, turn off, and dim street lights based on the time of day and weather events, and smart water management technologies allow cities to detect chemicals in drinking water and wastewater systems.[483] However, given that smart city technology applications are fueled by and necessitate large-scale collection and processing of data as well as government partnership with the private sector, privacy advocates and policy makers are increasingly concerned about the privacy implications of such technology. These concerns largely relate to:
- Data security: Smart cities can be vulnerable to cyberattacks because they rely on internet of things (“IoT”) devices, which are common and often insecure targets.[484] Furthermore, local governments often lack the resources to obtain secure technologies, update them, and employ cybersecurity experts.[485] In fact, a recent survey found that nearly one-third of local governments would be unable to detect whether their systems had been hacked.[486]
- Commercial use of data: Smart city data may be used commercially if a city partners with a private company to pay for technologies and in exchange gives the company access to data the city collects.[487] A privacy concern arises if the city shares sensitive data with private partners.
- Government surveillance: Some privacy advocates are concerned that governments will use smart city technologies to surveil individuals by obtaining data the government could not otherwise compel access to or by pulling data from different sources to build behavior profiles on individual residents.[488] Critics assert that cities are already theoretically able to aggregate enough data from smart city technologies to build detailed behavior profiles on their residents.[489] Ultimately, these debates may be settled by courts, which will decide if these data collection practices violate U.S. privacy laws or the Fourth Amendment.[490]
Although there has not been any legislation seeking to specifically regulate smart city technologies, many of the existing or pending privacy regulations are potentially applicable. However, as smart city technologies, particularly those implicating personal information or sensitive data, continue to grow in number and capability, we expect to see more specific legislation targeting such technology and use cases.
Edge Computing. The enormous volume of data being generated and processed by data-intensive technologies—e.g., IoT devices—has strained traditional computing models. This has led organizations to increasingly embrace “edge computing”—an emerging decentralized computing paradigm where data is processed closer to where it is generated, thus allowing processing of greater data volumes at greater speed.[491] Experts predict that spending on edge technology will continue to soar.[492] Due to deployment of strong internet infrastructures and a growing awareness of the importance of IoT across industries, the edge computing market is estimated to grow at a compound annual growth rate of 21.6% to hit an estimated $132.11 million in 2028.[493] The number of endpoint devices in use is also expected to skyrocket, with estimates of up to 55.7 billion total IoT devices deployed worldwide in the next few years.[494] Telecommunication companies are expected to play a large role in the growth of edge computing, as their widespread infrastructure and expansive reach position them well, literally (based on their close physical proximity to potential customers) and figuratively, to tap the edge computing market.[495]
Although the rise of edge computing is largely a function of the benefits to data processing speed and volume, edge computing has important data privacy and security benefits. For example, edge computing can mitigate some of the privacy risks innate to centralized storage and processing,[496] by diffusing data and thus reducing the scope and impact of a data breach. Edge computing may also reduce the incentives for malicious actors, as an edge device with one or a few users’ data is a less desirable target than a cloud database with millions of users’ data.[497] However, by the same token, storing and processing data on devices outside of a centralized corporate network potentially makes the data less secure, given that personal edge devices are often less secure than corporate devices.[498]
Some commentators have also suggested that edge computing may be an effective compliance tool, particularly with respect to cross-border data transfer laws. For example, one commentator believes that corporations will be able to use edge computing to manage personal data in adherence with local privacy laws by “placing certain locali[z]ed proxy policies that will not allow certain types of data to leave that legal jurisdiction.”[499] Traces of this can be found in the EU’s federated cloud infrastructure model, GAIA-X, which aims to let national governments apply local laws to cloud-hosted data.[500]
Given the rapid proliferation of data-intensive technologies, we expect organizations to continue to focus on alternative computing paradigms like edge computing, which will bring new benefits and challenges for data privacy and security.
B. Emerging Privacy Enhancing Technologies (PETs)
In March 2023, the White House Office of Science and Technology Policy (“OSTP”) published its “National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.” In sum, the report and strategy call for development and implementation of PETs in order to mitigate the privacy risks inherent in, and thus unlock the innovative and economic benefits of, large-scale data processing.[501] Examples of PETs include:
- Homomorphic encryption: Homomorphic encryption is a differential privacy technique (adding noise to the data to prevent an adversary from determining whether any individual’s data was or was not included in the original dataset)[502] that allows computing over encrypted data to produce results in an encrypted form.[503] In other words, the data retains its relevant statistical characteristics for analysis, while hiding the data itself.[504] Then, only authorized users can extract the result from its encrypted format or see the original data.[505] However, homomorphic encryption is currently somewhat limited by higher computational costs and time.[506]
- Secure multi-party computation: Secure multi-party computation allows several parties to simultaneously perform agreed-upon computations over their data, while permitting each individual entity to learn only the final output.[507] Accordingly, distributed datasets can be computed over without revealing the source data.[508] However, the requirement of joint collaboration can lead to higher communication and computational costs, making it difficult to scale.[509]
- Federated learning: Federated learning allows multiple entities to collaborate and build machine-learning algorithms to process data on edge devices, such as smartphones.[510] Accordingly, the underlying data is not aggregated. Instead, the locally trained models are aggregated in the cloud.[511] In this way, participants do not have to share their raw data, providing inherent privacy protection. However, federated learning has recently been shown to be vulnerable to model inversion attacks.[512] Research into closing these vulnerabilities and creating privacy-preserving federated learning is ongoing.[513]
- Zero-knowledge proof: Zero-knowledge proof allows one party, the “prover,” to offer proof to another party, the “verifier,” that a statement is true without revealing any sensitive information.[514] Some digital assets use this technique to prove statements about transactions without revealing additional metadata,[515] and neural networks are using zero-knowledge proof schemes to show that prediction tasks are being carried out, without disclosing any information about the model itself.[516] However, zero-knowledge proof currently has some cost and scalability limitations.[517]
According to the OSTP report, the impetus for a national strategy on PETs is the White House’s belief that large-scale data processing is crucial for innovation and the economy. However, given the complex domestic and international regulatory landscape, the White House recognizes that inherent in such processing are significant privacy risks for data subjects and organizations.[518] Accordingly, the strategy calls for the adoption of PETs, which can mitigate the privacy risks of large-scale data processing and thus unlock the benefits of data processing to fuel innovation and the economy.
The OSTP report enumerates 16 recommendations across five strategic priorities to advance the development and use of PETs.[519] Importantly, the report specifically calls for the use of secure multi-party computation and zero-knowledge proofs, as well as increased public and private sector partnership and U.S. partnerships/collaboration with foreign governments.
In the absence of a comprehensive federal privacy law and/or regulations specifically focused on privacy-preserving technologies, the OSTP’s strategy signifies what may be the beginning of a burgeoning national standard for the development and use of PETs.
C. Governmental Data Collection
EU-US Data Privacy Framework. In July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding that U.S. protection of cross-border data transfers is comparable to the protection offered by the EU.[520] Speaking during a press conference announcing adoption of the U.S. adequacy decision, EU justice commissioner Didier Reynders said, “[w]ith the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations.”[521]
The decision resolved the legal uncertainty surrounding exports of EU users’ personal data by U.S. companies that had existed since the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in 2020.[522] However, legal challenges are expected, with critics claiming that the Data Privacy Framework merely “paper[s] over the same fundamental legal conflict between EU privacy rights and U.S. surveillance powers.”[523] Nonetheless, Reynders emphasized that the “new framework is substantially different than the EU-U.S. Privacy Shield as a result of the Executive Order issued by President Biden [in 2022]” and highlighted the reworked redress mechanism that will boast “an independent and impartial tribunal that is empowered to investigate complaints lodged by Europeans and to issue binding remedial decisions.”[524] Finally, Reynders cautioned U.S. technology giants that “[i]t will be for the companies to show that they’re in full compliance with the GDPR [General Data Protection Regulation].”[525]
On July 17, 2023, the Department of Commerce launched the new Data Privacy Framework program website, dataprivacyframework.gov.[526] The website allows U.S. companies to self-certify their participation in and commitment to the EU-U.S. Data Privacy Framework (“DPF”), and, optionally, the UK Extension or Swiss-U.S. DPF Principles, in order to participate in cross-border transfers of personal data.
Government Surveillance Reform Act (GSRA). In November 2023, a bipartisan group of senators introduced the Government Surveillance Reform Act (“GSRA”), which would reform the Foreign Intelligence Surveillance Act (“FISA”) and amend the Electronic Communications Privacy Act (“ECPA”). Importantly, the GSRA proposes significant restrictions on government surveillance and access to data—including, among other things, (i) protecting Americans from warrantless backdoor searches, (ii) requiring warrants for Americans’ location data, web browsing and search records, and vehicle data, (iii) restricting government collection of Americans’ information as part of large datasets and prohibiting the government from purchasing Americans’ data from data brokers, and (iv) prohibiting the collection of Americans’ domestic communications.[527]
FISA, Section 702 was set to expire at the end of 2023,[528] but Congress approved a short-term extension in December 2023.[529] Under Section 702, the government could collect communications by non-Americans located abroad, without a warrant.[530] However, the private phone calls, emails, and text messages of U.S. persons were captured by the blanket surveillance techniques deployed under Section 702.[531]
In response, several lawmakers vowed not to reauthorize Section 702 without “significant reforms.”[532] The GSRA would ban officials from conducting searches for Americans’ communications unless they first obtain a warrant in a criminal investigation or a FISA Title I order in a foreign intelligence investigation.[533] The new warrant requirement would provide for narrow exceptions in cases of: (1) consent, (2) exigent circumstances, or (3) a government attempt to identify targets of cyberattacks by searching for malicious code embedded in Americans’ communications.[534]
The GSRA would also significantly overhaul the ECPA—which addresses wiretapping, access to stored electronic communications, and other information-collection devices.[535] These changes would alter the rights and obligations of entities already covered by the ECPA and expand the reach of the ECPA to entities not currently subject to it.[536] The GSRA would:
- Expand the scope of companies subject to the ECPA to include any online service provider.[537] The GSRA would add a new category of service providers—broadly defined as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server”[538]—to the Stored Communications Act’s (“SCA”) provision governing compelled disclosures to governmental entities.[539]
- Effectively codify the Sixth Circuit’s decision in Warshak v. United States, 631 F.3d 266 (6th Cir. 2010), which held that law enforcement must obtain a warrant to compel the disclosure of the contents of user communications.[540] Further, the GSRA would effectively codify Carpenter v. United States, 138 S. Ct. 2206 (2018), by requiring law enforcement to obtain a warrant to compel the disclosure of location information, web browsing records, online search queries, and covered vehicle data.[541]
- Prohibit the government from purchasing the personal data of U.S. persons (U.S. citizens and lawful permanent residents) or people reasonably believed to be located inside the United States.[542]
- Exempt congressional subpoenas from the ECPA, allowing political officials to subpoena the communications and personal data of U.S. persons without any statutory protection.[543]
Dueling Surveillance Bills in the U.S. House of Representatives. In December 2023, the House postponed a planned vote on two competing surveillance bills under a procedural rule called “Queen of the Hill,” whereby the bill with the most votes is sent to the Senate.[544] The House Intelligence Committee advanced the first bill, the FISA Reform and Reauthorization Act of 2023, which faced backlash from privacy rights groups.[545] More than 50 organizations signed a letter demanding the bill’s rejection.[546] By contrast, the second bill, proposed by the House Judiciary Committee, entitled The Protect Liberty and End Warrantless Surveillance Act, received support from privacy advocates.[547] Both bills are still pending in the House.
In 2023, the privacy and cybersecurity landscape in the U.S. was defined by an expansion of regulatory and enforcement activity led by federal and state agencies, as well as civil litigation brought by private plaintiffs. This was driven in large part by the rapid development and advances in data-intensive technologies like AI and IoT; the unrelenting cyber threat posed by malicious actors; and related litigation arising from these trends. We expect these trends to continue in 2024 as existing technologies and use cases take hold and new ones emerge. In the absence of comprehensive federal legislation (which is unlikely in an election year), we expect federal and state agencies to continue to lead the charge on the regulatory front and aggressively pursue enforcement actions against companies and individuals. We will continue to track and analyze these developments in the year ahead.
__________
[1] Cal. Civ. Code § 1798.100 et seq.
[2] Va. Code Ann. §§ 59.1-575 to 59.1-585.
[3] Colo. Rev. Stat. Ann. § 6-1-1308.
[4] Conn. Gen. Stat. Ann. § 42-520.
[5] Utah Code §§ 13-61-101 to 13-61-404.
[6] S.B. 262, 125 Reg. Sess. (Fla. 2023) (to be codified in Fla. Stat. § 501.701-22).
[7] H.B. 4, 88 Reg. Sess. (Tex. 2023) (to be codified in Tex. Bus. & Com. Code §§ 541.001 to 541.205).
[8] S.B. 618, 82 Leg. Assemb., Reg. Sess. (Or. 2023) (to be codified in Or. Laws Ch. 369).
[9] S.B. 384, 68 Reg. Sess. (Mont. 2023) (to be codified in Mont. Code § 30-14-2801 to 30-14-2817).
[10] S.F. 262, 89th Gen. Assemb., Reg. Sess. (Iowa 2023) (to be codified in Iowa Code § 715D.1 to 715D.9).
[11] H.B. 154, 152 Gen. Assemb., Reg. Sess. (Del. 2023) (to be codified in 6 Del. Code § 12D).
[12] S.B. 332, 220 Leg. Assemb., Reg. Sess. (N.J. 2023).
[13] H.B. 1181; S.B. 73, 112 Gen. Assemb., Reg. Sess. (Tenn. 2023) (to be codified in Tenn. Code §§ 47-18-3301 to 47-18-3315).
[14] S.B. 5, 123 Gen. Assemb., Reg. Sess. (Ind. 2023) (to be codified in Ind. Code §§ 24-15-1-1 to 24-15-11-2).
[15] Notably, under the NJDPA, “financial information” is included as a form of sensitive data, which is defined as including “a consumer’s account number, account log-in, financial account, or credit or debit number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”
[16] Under Civil Code section 1798.150, a private right of action is available to pursue statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief, and “any other relief the court deems proper.” A number of limitations also exist. For example, under Section 1798.150(b), a consumer must give a business an opportunity to “cure” the alleged violation by sending written notice prior to filing suit. If the violation is cured within 30 days and the consumer receives “an express written statement” indicating that the violations have been cured and shall not recur, a claim for statutory damages cannot be pursued.
[17] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.
[18] Wash. Rev. Code § 19.373.010(23).
[19] Id. § 19.373.010(23).
[20] Id. §§ 19.373.010(28), 19.373.030(2).
[21] Id. § 19.373.010(8)(a).
[22] Id. § 19.373.010(8)(b).
[23] Id. § 19.373.010(8)(c).
[24] Id.
[25] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.
[26] Wash. Rev. Code §§ 19.373.020; 19.373.030.
[27] Id. §§ 19.373.010(6)(a); 19.373.030.
[28] Id. § 19.373.040(a)–(c).
[29] Id. § 19.373.090.
[30] Id. § 19.255.040.
[31] Id.
[32] Mont. Code § 30-23-102(4).
[33] Id. § 30-23-102(6).
[34] Id. § 30-23-104(1)–(2).
[35] Id. § 330-23-104(5).
[36] Id. § 30-23-106.
[37] Press Release, Senator Josh Becker, Governor Newsom Signs First in the Nation Bill to Protect Consumers’ Data from Unknown Third Parties (Oct. 10, 2023), https://sd13.senate.ca.gov/news/press-release/october-10-2023/governor-newsom-signs-first-in-the-nation-bill-to-protect.
[38] Cal. Civ. Code §§ 1798.99.84; 1798.99.86(a)–(b).
[39] Id. § 1798.99.86(c)–(d).
[40] Id. § 1798.99.86(d)(2).
[41] Id. § 1798.99.86(a)(3).
[42] Id. § 1798.99.86(e)(1).
[43] Id. § 1798.99.80(c).
[44] Id. § 1798.99.80(c)(1)(4).
[45] N.Y. Dep’t of Fin. Servs., Cybersecurity Resource Center, https://www.dfs.ny.gov/industry_guidance/cybersecurity.
[46] N.Y. Dep’t of Fin. Servs., Enforcement and Discipline, https://dfs.ny.gov/industry_guidance/enforcement_actions.
[47] Press Release, Utah Governor Spencer J. Cox, Gov. Cox Signs Bills Focused on Social Media and Youth Mental Health in Utah (Mar. 23, 2023), https://governor.utah.gov/2023/03/23/gov-cox-signs-bills-focused-on-social-media-in-utah/.
[48] Utah Code § 13-63-101, et seq.
[49] Id. §§ 13-63-201–301.
[50] Id. § 13-63-301.
[51] NetChoice, LLC v. Reyes, No. 2:23-cv-00911 (D. Utah); Zoulek v. Hass, No. 2:24-cv-00031 (D. Utah).
[52] NetChoice, LLC v. Griffin, No. 5:23-CV-05105, 2023 WL 5660155, at *7 (W.D. Ark. Aug. 31, 2023).
[53] Id. at *13.
[54] Id. at *17, 40–41.
[55] Alario v. Knudsen, No. CV 23-56-M-DWM, 2023 WL 8270811 (D. Mont. Nov. 30, 2023).
[56] Id. at *4.
[57] American Data Privacy and Protection Act (“ADPPA”), H.R. 8152, 117th Cong. (2022).
[58] Id. §§ 101(a)–(b), 103(a).
[59] Id. § 207(a)(1).
[60] Id. §§ 207(b), 401, 402(a).
[61] Id. § 403(a).
[62] Id. § 404(b)(1).
[63] See Innovation, Data, and Commerce Subcommittee Hearing: “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information,” U.S. House Energy & Commerce Comm. (Apr. 27, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-addressing-america-s-data-privacy-shortfalls-how-a-national-standard-fills-gaps-to-protect-americans-personal-information; Innovation, Data, and Commerce Subcommittee Hearing: “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy,” U.S. House Energy & Commerce Comm. (Mar. 1, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-promoting-u-s-innovation-and-individual-liberty-through-a-national-standard-for-data-privacy.
[64] Exec. Order No. 14,110, 88 Fed. Reg. 75191 (Oct. 30, 2023); see also Press Release, White House, FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence.
[65] Remarks of President Joe Biden – State of the Union Address as Prepared for Delivery, White House (Feb. 7, 2023), https://www.whitehouse.gov/briefing-room/speeches-remarks/2023/02/07/remarks-of-president-joe-biden-state-of-the-union-address-as-prepared-for-delivery.
[66] See Eric McDaniel, Congress Passed So Few Laws This Year That We Explained Them All in 1,000 Words, NPR (Dec. 22, 2023), https://www.npr.org/2023/12/22/1220111009/congress-passed-so-few-laws-this-year-that-we-explained-them-all-in-1-000-words; Müge Fazlioglu, US Federal Privacy Legislation Tracker: Introduced in the 118th Congress (2023-2024), IAPP (last updated Sept. 2023), https://iapp.org/media/pdf/resource_center/us_federal_privacy_legislation_tracker.pdf.
[67] Müge Fazlioglu, U.S. Privacy Legislation in 2023: Something Old, Something New?, IAPP (July 26, 2023), https://iapp.org/news/a/u-s-federal-privacy-legislation-in-2023-something-old-something-new.
[68] Press Release, U.S. Senate Judiciary Comm., Durbin, Graham Announce January 2024 Hearing with Five Big Tech CEOs on their Failure to Protect Children Online (Nov. 29, 2023), https://www.judiciary.senate.gov/press/releases/durbin-graham-announce-january-2024-hearing-with-five-big-tech-ceos-on-their-failure-to-protect-children-online; Full Committee Hearing: “TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms,” U.S. House Energy & Commerce Comm. (Mar. 23, 2023), https://energycommerce.house.gov/events/full-committee-hearing-tik-tok-how-congress-can-safeguard-american-data-privacy-and-protect-children-from-online-harms.
[69] Kids Online Safety Act, S. 1409, 118th Cong. (2023).
[70] Children and Teens’ Online Privacy Protection Act, S. 1418, 118th Cong. (2023).
[71] Informing Consumers about Smart Devices Act, S. 90, 118th Cong. (2023).
[72] Stop Spying Bosses Act, S. 262, 118th Cong. (2023).
[73] UPHOLD Privacy Act of 2023, S. 631, 118th Cong. (2023).
[74] DELETE Act, H.R. 4311, 118th Cong. (2023).
[75] Data Care Act of 2023, S. 744, 118th Cong. (2023).
[76] Online Privacy Act of 2023, H.R. 2701, 118th Cong. (2023).
[77] Federal Cybersecurity Vulnerability Reduction Act of 2023, H.R. 5255, 118th Cong. (2023).
[78] Modernizing the Acquisition of Cybersecurity Experts Act of 2023, H.R. 4502, 118th Cong. (2023).
[79] Federal Cybersecurity Workforce Expansion Act, S. 2256, 118th Cong. (2023).
[80] See Press Release, White House, President Biden Recognizes Actions by Private Sector Ticketing and Travel Companies to Eliminate Hidden Junk Fees and Provide Millions of Customers with Transparent Pricing (June 15, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/06/15/president-biden-recognizes-actions-by-private-sector-ticketing-and-travel-companies-to-eliminate-hidden-junk-fees-and-provide-millions-of-customers-with-transparent-pricing/. See also Press Release, White House, FACT SHEET: Executive Order on Promoting Competition in the American Economy (July 9, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/09/fact-sheet-executive-order-on-promoting-competition-in-the-american-economy/.
[81] Trade Regulation Rule on Unfair or Deceptive Fees, 88 Fed. Reg. 77420 (Nov. 9, 2023), https://www.federalregister.gov/documents/2023/11/09/2023-24234/trade-regulation-rule-on-unfair-or-deceptive-fees; Trade Regulation Rule on Unfair or Deceptive Fees, 89 Fed. Reg. 38 (Jan. 2, 2024).
[82] Christine Wilson, Letter to President Joseph R. Biden (Mar. 2, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p180200wilsonresignationletter.pdf.
[83] See Press Release, White House, President Biden Announces Nominees to Bipartisan Boards and Commissions (July 3, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/03/president-biden-announces-nominees-to-bipartisan-boards-and-commissions.
[84] Melissa Holyoak, Statement Before the U.S. Senate Committee on Commerce, Science, and Transportation (Sep. 20, 2023), https://www.commerce.senate.gov/services/files/51CBECA7-1810-4CCD-8046-0AE99CA34CC4.
[85] Hawley Holds Nominees, Calls for Further Evaluation of McConnell Nominees, Senate Office of Josh Hawley (Dec. 20, 2023), https://www.hawley.senate.gov/hawley-holds-nominees-calls-further-evaluation-mcconnell-nominees.
[86] Lina Khan, Lina Khan: We Must Regulate A.I. Here’s How, New York Times (May 3, 2023), https://www.nytimes.com/2023/05/03/opinion/ai-lina-khan-ftc-technology.html.
[87] Michael Atleson, Keep Your AI Claims in Check, Federal Trade Commission (Feb. 27, 2023), https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check.
[88] Michael Atleson, Chatbots, Deepfakes, and Voice Clones: AI Deception for Sale, Federal Trade Commission (Mar. 20, 2023), https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale.
[89] Id.
[90] Id.
[91] Michael Atleson, The Luring Test: AI and the Engineering of Consumer Trust, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/05/luring-test-ai-engineering-consumer-trust.
[92] Michael Atleson, Watching the Detectives: Suspicious Marketing Claims for Tools that Spot AI-Generated Content, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/07/watching-detectives-suspicious-marketing-claims-tools-spot-ai-generated-content.
[93] Alex Gaynor, Security Principles: Addressing Underlying Causes of Risk in Complex Systems, Federal Trade Commission (February 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.
[94] Id.
[95] Id.
[96] Samuel Levine, Chief, Federal Trade Commission, Remarks of Chief Samuel Levine at the Consumer Data Industry Association Law and Industry Conference (September 21, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/cdia-sam-levine-9-21-2023.pdf.
[97] Mike Swift, US FTC still pondering ‘commercial surveillance’ rulemaking, Slaughter tells tech industry, MLex (Jan. 10, 2024), https://content.mlex.com/#/content/1535579.
[98] Press Release, Federal Trade Commission, FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges (Mar. 14, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-finalizes-order-requiring-fortnite-maker-epic-games-pay-245-million-tricking-users-making.
[99] 15 U.S.C. § 45(a).
[100] Complaint, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023).
[101] Proposed Stipulated Order, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023); Press Release, Federal Trade Commission, FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users’ Cameras (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers-failed-stop-hackers-taking-control-users.
[102] Notices of Penalty Offenses, Federal Trade Commission, https://www.ftc.gov/enforcement/penalty-offenses.
[103] Press Release, Federal Trade Commission, FTC Warns Tax Preparation Companies About Misuse of Consumer Data (Sep. 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-warns-tax-preparation-companies-about-misuse-consumer-data.
[104] Complaint, U.S. v. Amazon.com, Inc., and Amazon.com Services LLC, Case No. 2:23-cv-00811 (May 31, 2023).
[105] Amazon Alexa, Federal Trade Commission (July 21, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/amazon-alexa.
[106] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.
[107] Press Release, Federal Trade Commission, FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule (Sep. 21, 2023), https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health-breach-notification-rule.
[108] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.
[109] Health Breach Notification Rule, 88 Fed. Reg. 37819, 37839 (June 9, 2023), https://www.federalregister.gov/documents/2023/06/09/2023-12148/health-breach-notification-rule; see also Press Release, Federal Trade Commission, FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule.
[110] Press Release, Federal Trade Commission, FTC Finalizes Order with 1Health.io Over Charges it Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy (Sep. 7, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-finalizes-order-1healthio-over-charges-it-failed-protect-privacy-security-dna-data-unfairly.
[111] FTC v. Rite Aid Corp., No. 2:23-cv-05023 (E.D. Pa. Dec. 19, 2023).
[112] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.
[113] Press Release, Federal Trade Commission, FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches (October 27, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.
[114] Press Release, Federal Trade Commission, Compliance deadline for certain revised FTC Safeguards Rule provisions extended to June 2023 (November 15, 2022), https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023.
[115] Id.
[116] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.
[117] Press Release, Federal Trade Commission, FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Companies’ Ability to Monetize Children’s Data (December 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens.
[118] Id.
[119] Id.
[120] Id.; Children’s Online Privacy Protection Rule, 89 Fed. Reg. 2034 (Jan. 11, 2024), https://www.federalregister.gov/documents/2024/01/11/2023-28569/childrens-online-privacy-protection-rule.
[121] Press Release, Federal Trade Commission, FTC Seeks Comment on New Parental Consent Mechanism Under COPPA (July 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-seeks-comment-new-parental-consent-mechanism-under-coppa.
[122] Id.
[123] Press Release, Federal Trade Commission, FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent (June 5, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information.
[124] Id.
[125] Press Release, Federal Trade Commission, FTC Proposes Blanket Prohibition Preventing Facebook from Monetizing Youth Data (May 3, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-blanket-prohibition-preventing-facebook-monetizing-youth-data.
[126] Id.
[127] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
[128] Press Release, Federal Trade Commission, FTC to Host Identity Authentication Workshop (Feb. 21, 2007), https://www.ftc.gov/news-events/news/press-releases/2007/02/ftc-host-identity-authentication-w; You Don’t Say: An FTC Workshop on Voice Cloning Technologies, Federal Trade Commission (Jan. 28, 2020), https://www.ftc.gov/newsevents/events/2020/01/you-dont-say-ftc-workshop-voice-cloning-technologies; Face Facts: A Forum on Facial Recognition Technology, Federal Trade Commission (Dec. 8, 2011), https://www.ftc.gov/newsevents/events/2011/12/face-facts-forum-facial-recognition-technology; Facing Facts: Best Practices for Common Uses of Facial Recognition Technology, Federal Trade Commission (Oct. 2012), https://www.ftc.gov/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies.
[129] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
[130] Id.
[131] Press Release, Federal Trade Commission, Rite Aid Banned From Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.
[132] Press Release, Consumer Financial Protection Bureau, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/.
[133] Id.
[134] See id.; Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74809 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.
[135] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74796 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.
[136] 12 U.S.C. § 5533(a).
[137] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74803 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.
[138] Id. at 74809.
[139] Id. at 74832.
[140] Id. at 74833.
[141] Id. at 74874.
[142] Id.; Press Release, Consumer Financial Protection Bureau, Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule/.
[143] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.
[144] Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications, 88 Fed. Reg. 80197, 80199, 80204 (Nov. 17, 2023) (to be codified at 12 C.F.R. pt. 1090), https://www.federalregister.gov/documents/2023/11/17/2023-24978/defining-larger-participants-of-a-market-for-general-use-digital-consumer-payment-applications.
[145] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.
[146] Id.
[147] Press Release, Consumer Financial Protection Bureau, CFPB Launches Inquiry Into the Business Practices of Data Brokers (Mar. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-inquiry-into-the-business-practices-of-data-brokers/.
[148] Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16951, 16952 (Mar. 21, 2023), https://www.federalregister.gov/documents/2023/03/21/2023-05670/request-for-information-regarding-data-brokers-and-other-business-practices-involving-the-collection.
[149] Press Release, Consumer Financial Protection Bureau, Remarks of CFPB Director Rohit Chopra at White House Roundtable on Protecting Americans from Harmful Data Broker Practices (Aug. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/remarks-of-cfpb-director-rohit-chopra-at-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.
[150] Id.; see also 15 U.S.C. § 1681b.
[151] Id.
[152] Id.
[153] Press Release, Consumer Financial Protection Bureau, CFPB and Federal Partners Confirm Automated Systems and Advanced Technology Not an Excuse for Lawbreaking Behavior (Apr. 25, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-federal-partners-confirm-automated-systems-advanced-technology-not-an-excuse-for-lawbreaking-behavior/.
[154] Press Release, Consumer Financial Protection Bureau, CFPB Issue Spotlight Analyzes “Artificial Intelligence” Chatbots in Banking (June 3, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issue-spotlight-analyzes-artificial-intelligence-chatbots-in-banking.
[155] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.
[156] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.
[157] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.
[158] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.
[159] Press Release, Consumer Financial Protection Bureau, CFPB Issues Guidance on Credit Denials by Lenders Using Artificial Intelligence (Sept. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/.
[160] Id.
[161] Press Release, SEC, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (Mar. 15, 2023), https://www.sec.gov/news/press-release/2023-51.
[162] Id.
[163] Id.
[164] Id.
[165] A Small Entity Compliance Guide, SEC, Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure (Nov. 14, 2023), https://www.sec.gov/corpfin/secg-cybersecurity#_ftn1.
[166] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.
[167] Id.
[168] Id.
[169] Id.
[170] Id. at 51924.
[171] Id. at 51898–51899.
[172] Id. at 51945.
[173] Id. at 51909–51910.
[174] The rule also includes another exemption that only applies to companies subject to the Federal Communications Commission (“FCC”) notification rule for breaches of customer proprietary network information (“CPNI”). A more detailed description of this exception is outlined in Gibson Dunn’s July 31, 2023 update.
[175] Id.
[176] DOJ, Department of Justice Material Cybersecurity Incident Delay Determinations (Dec. 12, 2023), https://www.justice.gov/media/1328226/dl?inline.
[177] Id.
[178] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.
[179] Id.
[180] Id. at 51913.
[181] Id.
[182] Id.
[183] Id. at 51914.
[184] The Commission’s Privacy Act Regulations, 88 Fed. Reg. 65807, 65808.
[185] Id. at 65808–09.
[186] Press Release, SEC, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Feb. 9, 2022), https://www.sec.gov/news/press-release/2022-20.
[187] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (published Mar. 9, 2022) (to be codified at 17 C.F.R. pts. 230, 232, 239, 270, 274, 275, 279), https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business.
[188] SEC, Agency Rule List – Fall 2023, https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST&currentPub=true&agencyCode=&showStage=active&agencyCd=3235&csrf_token=28A8C6498A23E2932F2D7BB0618F4AA9746D20D66D0E1500674B7BEBFD26693EFE119AEDE913D6851EE65F43B418CC81FFA8.
[189] SEC, View Rule (last visited, Jan. 26, 2023), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=3235-AN15.
[190] SEC, 2024 Examination Priorities (Oct. 16, 2023), https://www.sec.gov/files/2024-exam-priorities.pdf.
[191] Press Release, SEC, SEC Division of Examinations Announces 2024 Priorities, https://www.sec.gov/news/press-release/2023-222/.
[192] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.
[193] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.
[194] Id.
[195] Id.
[196] Press Release, SEC, SEC Charges Virtu for False and Misleading Disclosures Relating to Information Barriers (September 12, 2023), https://www.sec.gov/news/press-release/2023-176.
[197] Id.
[198] Id.
[199] Id.
[200] Press Release, SEC, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors (March 9, 2023), https://www.sec.gov/news/press-release/2023-48.
[201] Id.
[202] Id.
[203] Id.
[204] Id.
[205] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227; see also Complaint ¶ 1, SEC v. SolarWinds Corp., No. 1:23-9518 (S.D.N.Y. Oct. 30, 2023), ECF No. 1.
[206] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227.
[207] Id.
[208] Id.
[209] Id.
[210] Id.
[211] Id.
[212] Id.
[213] Id.
[214] Id.
[215] Press Release, Department of Health and Human Services, HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years (Feb. 27, 2023), https://www.hhs.gov/about/news/2023/02/27/hhs-announces-new-divisions-within-office-civil-rights-better-address-growing-need-enforcement-recent-years.html.
[216] Id.
[217] Id.
[218] Id.
[219] Press Release, Department of Health and Human Services, HHS Finalizes Rule to Advance Health IT Interoperability and Algorithm Transparency (Dec. 13, 2023), https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-to-advance-health-it-interoperability-and-algorithm-transparency.html; see also Press Release, Department of Health and Human Services, HHS Proposes New Rule to Further Implement the 21st Century Cures Act (Apr. 11, 2023), https://www.hhs.gov/about/news/2023/04/11/hhs-propose-new-rule-to-further-implement-the-21st-century-cures-act.html.
[220] Id.
[221] Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 45 C.F.R. § 170, https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and.
[222] Id.; see also Department of Health and Human Services, Telehealth policy updates (Nov. 9, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates.
[223] Press Release, Department of Health and Human Services, Fact Sheet: End of the COVID-19 Public Health Emergency (May 9, 2023), https://www.hhs.gov/about/news/2023/05/09/fact-sheet-end-of-the-covid-19-public-health-emergency.html.
[224] Id.
[225] Department of Health and Human Services, Telehealth Policy Changes After the COVID-19 Public Health Emergency (Dec. 19, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/policy-changes-after-the-covid-19-public-health-emergency.
[226] Press Release, Department of Health and Human Services, HHS Office for Civil Rights and the Federal Trade Commission Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies (July 20, 2023), https://www.hhs.gov/about/news/2023/07/20/hhs-office-civil-rights-federal-trade-commission-warn-hospital-systems-telehealth-providers-privacy-security-risks-online-tracking-technologies.html.
[227] Id.
[228] FTC, Updated FTC-HHS publication outlines privacy and security laws and rules that impact consumer health data (Sept. 15, 2023), https://www.ftc.gov/business-guidance/blog/2023/09/updated-ftc-hhs-publication-outlines-privacy-security-laws-rules-impact-consumer-health-data.
[229] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.
[230] See Dobbs v. Jackson Women’s Health Org., 597 U.S. 215 (2022).
[231] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.
[232] Press Release, Department of Health and Human Services, HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care (Apr. 12, 2023), https://www.hhs.gov/about/news/2023/04/12/hhs-proposes-measures-bolster-patient-provider-confidentiality-around-reproductive-health-care.html.
[233] Id.; see also Regulatory Initiatives, Department of Health and Human Services, HIPAA Privacy Rule and Reproductive Health Care (Apr. 14, 2023), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.
[234] HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (proposed Apr. 17, 2023) (to be codified at 45 C.F.R. pts. 160, 164); HHS/OCR, View Rule (last visited Jan. 26, 2024), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0945-AA20.
[235] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter (Nov. 20, 2023), https://www.hhs.gov/about/news/2023/11/20/hhs-office-civil-rights-settles-hipaa-investigation-st-josephs-medical-center-disclosure-patients-protected-health-information-news-reporter.html; Department of Health and Human Services, St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan (Aug. 22, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjmc-ra-cap/index.html.
[236] Id.
[237] Id.
[238] Id.
[239] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints With Optum Medical Care Over Patient Access to Records (Dec. 15, 2023), https://www.hhs.gov/about/news/2023/12/15/hhs-office-for-civil-rights-settles-multiple-hipaa-complaints-with-optum-medical-care-over-patient-access-to-records.html.
[240] Id.
[241] See id.
[242] Press Release, Department of Health and Human Services, HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking (Feb. 2, 2023), https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html.
[243] Id.
[244] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation (Dec. 7, 2023), https://www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.
[245] Id.
[246] Id.
[247] Press Release, Department of Homeland Security, Statement from Secretary Mayorkas on President Biden’s National Cybersecurity Strategy (Mar. 2, 2023), https://www.dhs.gov/news/2023/03/02/statement-secretary-mayorkas-president-bidens-national-cybersecurity-strategy.
[248] Press Release, Department of Homeland Security, DHS Issues Recommendations to Harmonize Cyber Incident Reporting for Critical Infrastructure Entities (Sept. 19, 2023), https://www.dhs.gov/news/2023/09/19/dhs-issues-recommendations-harmonize-cyber-incident-reporting-critical.
[249] Brandon Wales, CIRCIA at One Year: A Look Behind the Scenes, Cybersecurity & Infrastructure Security Agency (Mar. 24, 2023), https://www.cisa.gov/news-events/news/circia-one-year-look-behind-scenes; see also Gibson Dunn’s client alert on the Cyber Incident Reporting for Critical Infrastructure Act, https://www.gibsondunn.com/president-biden-signs-into-law-the-cyber-incident-reporting-for-critical-infrastructure-act-expanding-cyber-reporting-obligations-for-a-wide-range-of-public-and-private-entities/.
[250] Press Release, Department of Homeland Security, Joint Statement from 21 Countries and the Organization of American States Following the Department of Homeland Security Western Hemisphere Cyber Conference (Sept. 28, 2023), https://www.dhs.gov/news/2023/09/28/joint-statement-21-countries-and-organization-american-states-following-department.
[251] Press Release, Cybersecurity and Infrastructure Security Agency, CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability (June 7, 2023), https://www.cisa.gov/news-events/news/cisa-and-fbi-release-advisory-cl0p-ransomware-gang-exploiting-moveit-vulnerability.
[252] Press Release, Department of Homeland Security, Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (Aug. 10, 2023), https://www.dhs.gov/news/2023/08/10/cyber-safety-review-board-releases-report-activities-global-extortion-focused; Press Release, Department of Homeland Security, Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (Aug. 11, 2023), https://www.dhs.gov/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud.
[253] Cybersecurity Advisory, Cybersecurity and Infrastructure Security Agency, #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (Nov. 21, 2023), https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a.
[254] Press Release, Department of Homeland Security, DHS Announces Additional $374.9 Million in Funding to Boost State, Local Cybersecurity (Aug. 7, 2023), https://www.dhs.gov/news/2023/08/07/dhs-announces-additional-3749-million-funding-boost-state-local-cybersecurity.
[255] Press Release, Department of Justice, Justice Department Announces New National Security Cyber Section Within the National Security Division (June 20, 2023), https://www.justice.gov/opa/pr/justice-department-announces-new-national-security-cyber-section-within-national-security.
[256] Id.
[257] Press Release, Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant (Jan. 26, 2023), https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.
[258] Id.
[259] Press Release, Department of Justice, Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (May 9, 2023), https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled.
[260] Id.
[261] Press Release, Department of Justice, Qakbot Malware Disrupted in International Cyber Takedown (Aug. 29, 2023), https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown.
[262] Press Release, Department of Justice, Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant (Dec. 19, 2023), https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant.
[263] Id.
[264] Press Release, Department of Justice, Justice Department and Meta Platforms Inc. Reach Key Agreement as They Implement Groundbreaking Resolution to Address Discriminatory Delivery of Housing Advertisements (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-and-meta-platforms-inc-reach-key-agreement-they-implement-groundbreaking.
[265] Id.
[266] Id.; Roy L. Austin, Jr., An Update on Our Ads Fairness Efforts, Meta (Jan. 9, 2023), https://about.fb.com/news/2023/01/an-update-on-our-ads-fairness-efforts/.
[267] Press Release, Department of Justice, Justice Department Files Statement of Interest in Fair Housing Act Case Alleging Unlawful Algorithm-Based Tenant Screening Practices (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-files-statement-interest-fair-housing-act-case-alleging-unlawful-algorithm.
[268] Id.
[269] Id.
[270] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.
[271] Statements and Releases, White House, Statement from National Security Advisor Jake Sullivan on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/07/statement-from-national-security-advisor-jake-sullivan-on-the-introduction-of-the-restrict-act/; Press Release, Department of Commerce, Statement from U.S. Secretary of Commerce Gina Raimondo on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.commerce.gov/news/press-releases/2023/03/statement-us-secretary-commerce-gina-raimondo-introduction-restrict-act.
[272] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.
[273] Protecting Americans’ Data From Foreign Surveillance Act of 2023, S. 1974, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/1974/text.
[274] Id.
[275] Id.
[276] Id.
[277] Id.
[278] Press Release, Office of Cybersecurity, Energy Security, and Emergency Response, DOE Announces $39 Million in Research Funding to Enhance Cybersecurity of Clean Distributed Energy Resources (Sept. 12, 2023), https://www.energy.gov/ceser/articles/doe-announces-39-million-research-funding-enhance-cybersecurity-clean-distributed.
[279] Id.
[280] Id.
[281] Alexandra Kelley, Cyberattacks on Energy’s National Labs Draw Lawmaker Scrutiny, Nextgov/FCW (Feb. 2, 2023), https://www.nextgov.com/cybersecurity/2023/02/cyberattacks-energys-national-labs-draw-lawmaker-scrutiny/382503/.
[282] Special Report, Department of Energy, Management Challenges at the Department of Energy — Fiscal Year 2024 (Nov. 17, 2023), https://www.energy.gov/sites/default/files/2023-11/DOE-OIG-24-05.pdf.
[283] Id.
[284] Daniel Wilson, Defense Dept. Proposes Long-Awaited Cybersecurity Rule, Law360 (Dec. 22, 2023), https://www.law360.com/cybersecurity-privacy/articles/1780256/defense-dept-proposes-long-awaited-cybersecurity-rule.
[285] Id.
[286] Id.
[287] Press Release, Federal Communications Commission, Chairwoman Rosenworcel Launches Privacy and Data Protection Task Force (June 14, 2023), https://www.fcc.gov/document/chairwoman-rosenworcel-launches-privacy-and-data-protection-task-force.
[288] Id.
[289] Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105, 133 Stat. 3274 (2019); Federal Communications Commission, TRACED Act Implementation (May 1, 2023), https://www.fcc.gov/TRACEDAct.
[290] Limits on Exempted Calls Under the Telephone Consumer Protection Act of 1991, 88 Fed. Reg. 3668 (Jan. 20, 2023) (to be codified at 47 C.F.R. pt. 64).
[291] Id.
[292] Press Release, Federal Communications Commission, Rosenworcel Launches Effort on AI’s Impact on Robocalls and Robotexts (Oct. 23, 2023), https://docs.fcc.gov/public/attachments/DOC-397925A1.pdf.
[293] Federal Communications Commission, FCC Launches Inquiry into AI’s Impact on Robocalls and Robotexts (Nov. 17, 2023), https://www.fcc.gov/consumer-governmental-affairs/fcc-launches-inquiry-ais-impact-robocalls-and-robotexts.
[294] Federal Communications Commission, Second Report and Order, Second Further Notice of Proposed Rulemaking in CG Docket Nos. 02-278 and 21-402, and Waiver Order in CG Docket No. 17-59 (Dec. 18, 2023), https://docs.fcc.gov/public/attachments/FCC-23-107A1.pdf.
[295] Id. at 13–15.
[296] Id. at 20 n.113.
[297] Press Release, White House, Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (July 18, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/.
[298] Id.
[299] Press Release, Federal Communications Commission, FCC Fact Sheet on Proposed Voluntary Cybersecurity Labeling Program for Internet-Enabled Devices (Aug. 10, 2023), https://docs.fcc.gov/public/attachments/DOC-395909A1.pdf.
[300] Press Release, Federal Communications Commission, FCC Adopts Updated Data Breach Notification Rules To Protect Consumers (Dec. 13, 2023), https://docs.fcc.gov/public/attachments/DOC-399090A1.pdf.
[301] Id.
[302] Press Release, Federal Communications Commission, FCC Proposes $20M Fine for Apparently Failing to Protect Consumer Data (July 28, 2023), https://docs.fcc.gov/public/attachments/DOC-395581A1.pdf.
[303] Id.
[304] A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology, Cal. Privacy Protection Agency (Nov. 27, 2023), https://cppa.ca.gov/announcements/2023/20231127.html; see also Draft Automated Decisionmaking Technology Regulations, Cal. Privacy Protection Agency (Dec. 8, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf.
[305] CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies, Cal. Privacy Protection Agency (July 31, 2023), https://cppa.ca.gov/announcements/2023/20230731.html.
[306] Ahead of Privacy Day, Attorney General Bonta Focuses on Mobile Applications’ Compliance with the California Consumer Privacy Act, Cal. Att’y Gen. (Jan. 27, 2023), https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99.
[307] Attorney General Bonta Seeks Information from California Employers on Compliance with California Consumer Privacy Act, Cal. Att’y Gen. (July 14, 2023), https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance.
[308] Complaint, People v. Google, Case No. 23CV422424 (Santa Clara Cnty. Super. Ct., Sept. 14, 2023), https://oag.ca.gov/system/files/attachments/press-docs/Filed%20stamped%20Google%20Complaint.pdf.
[309] Attorney General James Seeks Information from Madison Square Garden Regarding Use of Facial Recognition Technology to Deny Entry to Venues, N.Y. Att’y Gen. (Jan. 25, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-seeks-information-madison-square-garden-regarding-use.
[310] DFS Announces $1 million Cybersecurity Settlement with First American Title Insurance Company, N.Y. Dept. of Fin. Servs. (Nov. 28, 2023), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311281.
[311] Id.
[312] AG Ferguson’s lawsuit forces Google to pay nearly $40M over deceptive location tracking, Wash. Att’y Gen. (May 18, 2023), https://www.atg.wa.gov/news/news-releases/ag-ferguson-s-lawsuit-forces-google-pay-nearly-40m-over-deceptive-location.
[313] Press Release, Office of the Indiana Attorney General, Attorney General Todd Rokita Secures $49.5 Million Multistate Settlement with Blackbaud for Data Breach (Oct. 5, 2023), https://events.in.gov/event/attorney_general_todd_rokita_secures_495_million_multistate_settlement_with_blackbaud_for_data_breach.
[314] Press Release, New York State Office of the Attorney General, Attorney General James and Multistate Coalition Secure $6.5 Million from Morgan Stanley for Failing to Protect Customer Data (Nov. 16, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-and-multistate-coalition-secure-65-million-morgan-stanley.
[315] Press Release, New Jersey Office of the Attorney General, AG Platkin Co-Leads $2.5-Million Multistate Settlement with EyeMed Over Data Breach that Compromised the Personal Information of Millions of Patients (May 16, 2023), https://www.njoag.gov/ag-platkin-co-leads-2-5-million-multistate-settlement-with-eyemed-over-data-breach-that-compromised-the-personal-information-of-millions-of-patients/.
[316] See Notice of Settlement and Joint Stipulation and [Proposed] Order to Stay Litigation Activities Pending Filing of Mot. for Prelim. Approval, In re Orrick, Herrington & Sutcliffe, LLP Data Breach Litig., No. 3:23-cv-04089 (N.D. Cal. Dec. 21, 2023), ECF No. 50.
[317] See Order Granting Final Approval of Class Action Settlement and Pls.’ Mot. for Att’ys’ Fees and Costs, Desue v. 20/20 Eye Care Network Inc., No. 21-61275 (S.D. Fla. July 8, 2023), ECF No. 100.
[318] Identity Theft Resource Center, Q3 2023 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2023/10/20231011_Q3-2023-Data-Breach-Analysis.pdf.
[319] Identity Theft Resource Center, Q3 2022 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2022/10/20221005_One-Pager_Q3-2022-Data-Breach-Analysis.pdf.
[320] See Transfer Order, In re MOVEit Customer Data Sec. Breach Litig., MDL No. 3083 (J.P.M.L. Oct. 4, 2023); Judicial Panel on Multidistrict Litigation, MDL Statistics Report – Distribution of Pending MDL Dockets by Actions Pending (Jan. 2, 2014), https://www.jpml.uscourts.gov/sites/jpml/files/Pending_MDL_Dockets_By_Actions_Pending-January-2-2024.pdf.
[321] See In re MOVEit Customer Data Sec. Breach Litig., No. 23-3083 (D. Mass.).
[322] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) (holding that plaintiffs who had not suffered concrete harm due to data breach, and instead claimed they are at heightened risk of future harm, lack standing to sue under Article III).
[323] Id. at 437.
[324] 72 F.4th 365, 375 (1st Cir. 2023) (holding that plaintiff adequately alleged standing based on the filing of a fraudulent tax return that likely resulted from information compromised in the data breach).
[325] Id. at 377.
[326] Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 286 (2d Cir. 2023) (cleaned up).
[327] Id. at 287.
[328] 2023 WL 4183380, at *4 (E.D. Va. June 26, 2023).
[329] Id.
[330] Id.
[331] Id.
[332] Id. at *5.
[333] 2023 WL 5608389, at *2 (C.D. Cal. Aug. 29, 2023) (acknowledging that while an increased risk of identity theft stemming from a data breach can constitute a threat of imminent harm sufficient for standing purposes, on the facts of the case, the username and password stolen in the breach were not linked to the plaintiff’s financial accounts, and thus did not give rise to the threat of identity theft).
[334] Id.
[335] See TransUnion, 594 U.S. at 431 (“Every class member must have Article III standing in order to recover individual damages. Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.”).
[336] 344 F.R.D. 38, 52 (D.D.C. 2023).
[337] Id. at 53.
[338] Id. at 55.
[339] See Cornerstone Research, Securities Class Action Trend Cases, https://www.cornerstone.com/insights/research/securities-class-action-trend-cases/.
[340] Complaint ¶ 3, Jaramillo v. Dish Networks Corp., No. 23-734 (D. Colo. Mar. 23, 2023), ECF No. 1.
[341] Complaint ¶ 4, Official Intel. Pty. Ltd., v. Block, Inc., No. 23-2789 (S.D.N.Y. April 3, 2023), ECF No. 1.
[342] 15 U.S.C. § 78u-4(b)(2).
[343] In re Okta, Inc. Securities Litig., 2023 WL 2749193, at *20 (N.D. Cal. Mar. 31, 2023).
[344] Id. at *15.
[345] Id.
[346] See, e.g., Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).
[347] 18 U.S.C. § 2510 et seq.
[348] Id. § 2511(2)(d).
[349] See Recording Law, All Party (Two Party) Consent States – List and Details, https://recordinglaw.com/party-two-party-consent-states/ (last visited Jan. 26, 2024) (identifying 13 two-party or all-party consent states).
[350] See, e.g., Cal. Penal Code §§ 631, 632 (wiretapping and eavesdropping statutes); id. § 637.2(a) (authorizing a private right of action and statutory damages).
[351] Doe v. Regents of Univ. of California, No. 23-CV-00598-WHO, 2023 WL 3316766 (N.D. Cal. May 8, 2023).
[352] Jackson v. Fandom, Inc., No. 22-CV-04423-JST, 2023 WL 4670285 (N.D. Cal. July 20, 2023).
[353] Id. at *4–5.
[354] Stark v. Patreon, Inc., 656 F. Supp. 3d 1018 (N.D. Cal. 2023).
[355] Id. at 1039–40.
[356] 18 U.S.C. § 1030(a).
[357] Van Buren v. United States, 141 S. Ct. 1648, 1654–55 (2021).
[358] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), https://www.justice.gov/opa/press-release/file/1507126/download.
[359] United States v. Calonge, 74 F.4th 31, 36 (2d Cir. 2023), cert. denied, 2023 WL 7475309 (U.S. Nov. 13, 2023).
[360] Id. at 33–34.
[361] Id. at 33.
[362] Id. at 33–34.
[363] Id. at 35–36 (citing 18 U.S.C. § 1030(e)(8)).
[364] Calonge v. United States, 2023 WL 7475309 (U.S. Nov. 13, 2023).
[365] ACW Flex Pack LLC v. Wrobel, 2023 WL 4762596, at *6–7 (N.D. Ill. July 26, 2023).
[366] Id. at *3, *6.
[367] Id. at *5.
[368] Id. at *6.
[369] Id. (quoting 18 U.S.C. § 1030(e)(1)) (emphasis removed).
[370] Id. at *6–8.
[371] Id. at *7.
[372] iPurusa, LLC v. Bank of New York Mellon Corp., 2023 WL 3072686, at *7 (D.N.J. Apr. 25, 2023).
[373] Id. at *6.
[374] Id. at *7.
[375] Id.
[376] See, e.g., T. et al v. OpenAI LP et al., Case No. 23-cv-04557, Dkt. 1 ¶¶ 317–326 (N.D. Cal.); P.M. et al v. OpenAI LP et al., Case No. 23-cv-03199-TLT, Dkt. 1 ¶¶ 422–431 (N.D. Cal.); see id. Dkt. 38 (notice of voluntary dismissal).
[377] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).
[378] Id. at 1201.
[379] Cal. Penal Code §§ 502(c)(2) & (e)(1).
[380] Id. § 502(b)(1).
[381] Brown v. Google LLC, 2023 WL 5029899, at *1 (N.D. Cal. Aug. 7, 2023).
[382] Id. at *2.
[383] Id. at *18.
[384] Id. at *19 (citing Cal. Penal Code § 502(c)(2)).
[385] Id.
[386] Brown et al. v. Google LLC, Case No. 4:20-cv-03664, Dkt. 1089 (N.D. Cal.).
[387] Nora Gutierrez v. Converse Inc., 2023 WL 8939221, at *1, *5 (C.D. Cal. Oct. 27, 2023).
[388] Id. at *4 (quoting In re iPhone Application Litig., 2011 WL 4403963, at *12 (N.D. Cal. Sept. 20, 2011)).
[389] Id.
[390] Id. at *5.
[391] 47 U.S.C. § 227.
[392] Facebook, Inc. v. Duguid, 592 U.S. 395 (2021).
[393] Dickson v. Direct Energy, LP, 69 F.4th 338, 348–49 (6th Cir. 2023).
[394] Id. at 345–48.
[395] Drazen v. Pinto, 74 F.4th 1336, 1345–46 (11th Cir. 2023) (reversing Salcedo v. Hanna, 936 F.3d 1162, 1172 (11th Cir. 2019)).
[396] Hall v. Smosh Dot Com, Inc., 72 F.4th 983, 990–91 (9th Cir. 2023).
[397] Id. at 990.
[398] Mauthe v. Millennium Health LLC, 58 F.4th 93, 97 (3d Cir. 2023). The TCPA defines an “unsolicited advertisement” as “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” 47 U.S.C. § 227(a)(5).
[399] Trim v. Reward Zone USA LLC, 76 F.4th 1157, 1164 (9th Cir. 2023).
[400] Cal. Civ. Code § 1798.150 (West 2023).
[401] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[402] Order Granting Final Approval of Class Action Settlement, Service v. Volkswagen Grp. of Am., Inc., No. C22-01841 (Cal. Super. Ct. Contra Costa Cnty. May 31, 2023), https://odyportal.cc-courts.org/Portal/DocumentViewer/DownloadDocumentFile/Download?d=10C938A76250CE4331774E2C729A0D43&c=EC610BADE930EF833C9117C84F5729FC&l=4C398088907DD05C6D76EE93BC04CDF4&cn=F44FB09A29DC4E11FE28DCC41D39CD99&fileName=C22-01841%20-%20Order%20Filed%20Re%20Granting%20Final%20Approval&docTypeId=3&isVersionId=False.
[403] Id. at 4.
[404] Carter v. Vivendi Ticketing US LLC, No. SACV2201981(DFMx), 2023 WL 8153712 (C.D. Cal. Oct. 30, 2023).
[405] Id.
[406] Id. at *2.
[407] Gershfeld v. Teamviewer US, Inc., No. SACV2100058(ADSx), 2021 WL 3046775 (C.D. Cal. June 24, 2021).
[408] Id. at 2.
[409] Gershfeld v. TeamViewer US, Inc., No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (mem.).
[410] Alexander v. Wells Fargo Bank, N.A., No. 23-CV-617-DMS-BLM, 2023 WL 5109532 (S.D. Cal. Aug. 9, 2023).
[411] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[412] Brown v. Google LLC, No. 4:20-CV-3664, 2023 WL 5029899 (N.D. Cal. Aug. 7, 2023).
[413] Id.
[414] Id. at *21.
[415] Id.
[416] Id. at *21.
[417] Id.
[418] Cal. Civ. Code § 1798.150(b).
[419] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[420] Guy v. Convergent Outsourcing, Inc., No. C22-1558, 2023 WL 4637318 (W.D. Wash. July 20, 2023).
[421] Cal. Civ. Code § 1798.150(b).
[422] Guy, 2023 WL 4637318.
[423] Griffey v. Magellan Health Inc., No. CV-20-01282-PHX, 2022 WL 1811165, at *6 (D. Ariz. June 2, 2022).
[424] Guy, 2023 WL 4637318, at *9.
[425] Florence v. Order Express, Inc., No. 22 C 7210, 2023 WL 3602248 (N.D. Ill. May 23, 2023).
[426] Id. at *7 (internal quotations omitted).
[427] Cal. Civ. Code § 1798.150(b).
[428] Florence, 2023 WL 3602248, at *7.
[429] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[430] Durgan v. U-Haul Int’l Inc., No. CV-22-01565-PHX, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023).
[431] Id. at *7.
[432] Id. at *6.
[433] In re Bank of Am. California Unemployment Benefits Litig., No. 21-MD-2992-LAB-MSB, 2023 WL 3668535 (S.D. Cal. May 25, 2023).
[434] Id. at *13–15.
[435] Id. at *15.
[436] Tims v. Black Horse Carriers, Inc., 216 N.E.3d 845 (Ill. 2023).
[437] 735 Ill. Comp. Stat. Ann. 5/13-205 (2022).
[438] Tims, 216 N.E.3d at 854.
[439] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 920 (Ill. 2023).
[440] Id. at 928.
[441] Id. at 929.
[442] Minor v. Oldcastle Servs. Inc., No. 21‐CV‐503‐SMY (S.D. Ill. Mar. 22, 2023).
[443] Jones v. Microsoft Corp., No. 1:22‐cv‐03437 (N.D. Ill. Jan. 9, 2023).
[444] Id. at 7–8.
[445] Warmack‐Stillwell v. Christian Dior, Inc., No. 22‐C‐4633 (N.D. Ill. Feb. 10, 2023).
[446] Crumpton v. Octapharma Plasma, Inc., 513 F. Supp. 3d 1006, 1015–17 (N.D. Ill. 2021).
[447] Id.
[448] Tex. Bus. & Com. Code § 503.001.
[449] Tex. v. Meta Platforms, Inc., Cause No. 22-0121 (Tex. Dist. Ct. Feb. 8, 2023).
[450] Press Release, Attorney General of Texas, Paxton Sues Google for its Unauthorized Capture and Use of Biometric Data and Violation of Texans’ Privacy (Oct. 20, 2022), https://texasattorneygeneral.gov/news/releases/paxton-sues-google-its-unauthorized-capture-and-use-biometric-data-and-violation-texans-privacy.
[451] Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. filed Apr. 21, 2023).
[452] Second Amended Complaint at 2–3, Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. June 9, 2023).
[453] Id.
[454] Id. at 23–24.
[455] Id. at 25.
[456] Report & Recommendation, Gross v. Madison Square Garden Ent. Corp., No. 23-cv-3380 (S.D.N.Y. Jan. 9, 2024).
[457] Id. at 14.
[458] Id. at 18.
[459] Id. at 20 (quoting Zoll v. Ruder Finn, Inc., No. 01-cv-139 (CSH), 2004 WL 42260, at *4 (S.D.N.Y. Jan. 7, 2004)).
[460] Id. at 21.
[461] Id. at 8–13.
[462] 598 U.S. 471 (2023).
[463] 598 U.S. 617 (2023).
[464] Taamneh, 598 U.S. at 482.
[465] Gonzalez, 598 U.S. at 621.
[466] Taamneh, 598 U.S. at 501–02.
[467] Gonzalez, 598 U.S. at 622.
[468] Minahan v. Google LLC, No. 22-cv-5652, 2023 WL 3605329, at *1 (N.D. Cal. May 1, 2023), appeal filed, No. 23-15775 (9th Cir. May 22, 2023).
[469] Id. at *2.
[470] M.K. v. Google LLC, No. 21-cv-08465, 2023 WL 4937287 (N.D. Cal. filed Oct. 29, 2021).
[471] Id. at *10.
[472] Id. at *3.
[473] Id.
[474] Id. at *5.
[475] Id. at *6–7.
[476] Ramirez v. The Paradies Shops, LLC, 69 F.4th 1213, 1221 (11th Cir. 2023).
[477] Id. at 1216.
[478] Id.
[479] Id. at 1220–21.
[480] Class Action Complaint at 2–3, Pai v. Tesla, Inc., Case 4:23-cv-04550 (N.D. Cal. filed Sept. 5, 2023).
[481] Id.
[482] The Digital Revolution Engineering Smart City Infrastructure, Utilities One (Oct. 27, 2023), https://utilitiesone.com/the-digital-revolution-engineering-smart-city-infrastructure.
[483] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.
[484] Id.
[485] Diana Baker Freeman, Why Local Governments Are a Target for Cyber Attacks and Steps to Prevent It, Governing (May 6, 2022), https://www.governing.com/sponsored/why-local-governments-are-a-target-for-cyber-attacks-and-steps-to-prevent-it.
[486] Richard Forno, Local Governments Are Attractive Targets for Hackers and Are Ill-Prepared, Ctr. for Internet & Soc’y (Mar. 28, 2022), https://cyberlaw.stanford.edu/blog/2022/03/local-governments-are-attractive-targets-hackers-and-are-ill-prepared.
[487] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.
[488] Id.
[489] Maya Shwayder, The Future of Smart Cities May Mean the Death of Privacy, Digit. Trends (Apr. 22, 2020), https://www.digitaltrends.com/news/smart-cities-privacy-security/.
[490] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.
[491] What is Edge Computing?, IBM (last visited Jan. 18, 2024), https://www.ibm.com/topics/edge-computing.
[492] Mary K. Pratt, 7 Edge Computing Trends to Watch in 2023 and Beyond, TechTarget (Dec. 8, 2022), https://www.techtarget.com/searchcio/tip/Top-edge-computing-trends-to-watch-in-2020.
[493] Id.
[494] Id.
[495] Id.
[496] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.
[497] Id.
[498] Id.
[499] Id.
[500] Matthew Gooding, Can GAIA-X Solve Europe’s Data Sovereignty Problem?, Tech Monitor (Apr. 8, 2021), https://techmonitor.ai/technology/cloud/what-is-gaia-x-eu-data-sovereignty.
[501] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[502] OECD, Emerging Privacy-Enhancing Technologies, Current Regulatory and Policy Approaches, OECD Digital Economy Papers, No. 351, 2 (Mar. 2023), https://www.oecd-ilibrary.org/deliver/bf121be4-en.pdf?itemId=/content/paper/bf121be4-en&mimeType=pdf.
[503] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[504] Id.
[505] Id.
[506] Id.
[507] Id.
[508] Id.
[509] Id.
[510] Id.
[511] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.
[512] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[513] Id.
[514] Shafi Goldwasser et al., The Knowledge Complexity of Interactive Proof Systems, 18 SIAM J. Computing 186 (1989).
[515] Eli Ben-Sasson et al., Zerocash: Decentralized Anonymous Payments from Bitcoin, Zerocash (May 18, 2014), http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf.
[516] Tianyi Liu et al., zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy, Comput. & Commc’ns Sec. (2021), https://doi.org/10.1145/3460120.3485379.
[517] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[518] Id.
[519] Id.
[520] Jennifer Bryant, European Commission Adopts EU-US Adequacy Decision, Int’l Ass’n Priv. Pros. (July 10, 2023), https://iapp.org/news/a/european-commission-adopts-eu-u-s-adequacy-decision/.
[521] Id.
[522] Natasha Lomas, Europe’s Top Court Strikes Down Flagship EU-US Data Transfer Mechanism, TechCrunch (July 16, 2020), https://techcrunch.com/2020/07/16/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism/.
[523] Natasha Lomas, Europe Adopts US Data Adequacy Decision, TechCrunch (July 10, 2023), https://techcrunch.com/2023/07/10/eu-us-data-privacy-framework-adoption/.
[524] Id.
[525] Id.
[526] Press Release, Department of Commerce, Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers (July 17, 2023), https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.
[527] Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.
[528] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just. (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.
[529] On December 22, 2023, President Biden signed the National Defense Authorization Act, which included a Congressional measure extending Section 702 until mid-April 2024. Rebecca Beitsch, Congress Approves Short-Term Extension of Warrantless Surveillance Powers, The Hill (Dec. 12, 2023), https://thehill.com/policy/national-security/4360341-fisa-congress-approves-short-term-extension-warrantless-surveillance-powers; see also Press Release, White House, Joseph R. Biden, Statement from President Biden on H.R. 2670, National Defense Authorization Act for Fiscal Year 2024 (Dec. 22, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/12/22/statement-from-president-joe-biden-on-h-r-2670-national-defense-authorization-act-for-fiscal-year-2024/.
[530] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just. (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.
[531] Id.
[532] Id.
[533] Id.
[534] Id.
[535] Electronic Communications Privacy Act (ECPA), Elec. Priv. Info. Ctr. (last visited Jan. 19, 2024), https://epic.org/ecpa/; see also Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.
[536] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. (2023).
[537] Id. § 504.
[538] Id.; 47 U.S.C. § 230(f) (2000).
[539] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. § 504 (2023).
[540] Id. § 501–11.
[541] Id.
[542] Id. § 508.
[543] Id. § 503.
[544] India McKinney, The House Intelligence Committee’s Surveillance ‘Reform’ Bill is a Farce, Elec. Frontier Found. (Dec. 8, 2023), https://www.eff.org/deeplinks/2023/12/section-702-needs-reform-and-oversight-not-expansion-congress-should-oppose-hpsci; see also Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.
[545] Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.
[546] Id.
[547] Press Release, ACLU, Ahead of House Vote, ACLU Sounds Alarm on Bill Greatly Expanding the Government’s Mass Warrantless Surveillance Authority (Dec. 11, 2023), https://www.aclu.org/press-releases/ahead-of-house-vote-aclu-sounds-alarm-on-bill-greatly-expanding-the-governments-mass-warrantless-surveillance-authority.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:
United States:
S. Ashlie Beringer – Co-Chair, Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Jane C. Horvath – Co-Chair, Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Timothy W. Loose – Los Angeles (+1 213.229.7746, tloose@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415.393.8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214.698.3316, arogers@gibsondunn.com)
Alexander H. Southwell – New York (+1 212.351.3981, asouthwell@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, bwagner@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)
Europe:
Ahmed Baladi – Co-Chair, Paris (+33 (0) 1 56 43 13 00, abaladi@gibsondunn.com)
Nicholas Banasevic* – Managing Director, Brussels (+32 2 554 72 40, banasevic@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)
Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)
*Nicholas Banasevic, Managing Director in the firm’s Brussels office and an economist by background, is not admitted to practice law.
*Jay Mitchell and Samantha Yi are associates in the Washington, D.C. office. Jay is admitted in California and Illinois, and Samantha is admitted in Maryland; both are practicing under supervision of members of the District of Columbia Bar under D.C. App. R. 49.
*Narayan Narasimhan and Christopher Scott, recent law graduates in the New York office, are not admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
From the Derivatives Practice Group: The CFTC cancelled its open meeting this week, but is seeking public comment on a number of issues.
New Developments
- CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s Office of Customer Education and Outreach issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets. [NEW]
- CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024. [NEW]
- CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024. [NEW]
- BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management. [NEW]
- CFTC Cancels Open Meeting. On January 20, the CFTC cancelled its open meeting scheduled for January 22. According to the CFTC, the following matters will be resolved through the CFTC’s seriatim process:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
- CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs.
- CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque de France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20, as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France.
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
- CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
New Developments Outside the U.S.
- EC Publishes Amendments to Clearing Obligation Scope in Light of Benchmark Reform. On January 22, the delegated regulation amending the regulatory technical standards (RTS) defining the scope of the clearing obligation (CO) was published in the EU Official Journal, with the amended requirements due to enter into force 20 days after publication. The EC stated that the amendments were introduced in light of the transition to the TONA and SOFR benchmarks referenced in certain over-the-counter derivatives contracts. The amendment to the scope of the CO consists of introducing TONA overnight indexed swaps (OIS) with maturities up to 30 years and extending the SOFR OIS class subject to the CO to maturities up to 50 years. The adoption follows the publication by the European Securities and Markets Authority (ESMA), on February 1, 2023, of its final report on changes to the scope of the CO and the derivatives trading obligations (DTO) in light of the benchmark transition, following a consultation last year, to which ISDA responded on September 30, 2022. This ESMA report included two draft amending RTS: one draft RTS amending the scope of the CO and one draft RTS amending the scope of the DTO. The delegated regulation containing the RTS amending the scope of the CO has now been published. The RTS on the DTO has not yet been adopted. [NEW]
- RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.
New Industry-Led Developments
- ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components. [NEW]
- ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions.
- BCBS-IOSCO Report Sets Out Recommendations for Good Margin Practices in Non-Centrally Cleared Markets. On January 17, the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO) published a report on streamlining VM processes and IM responsiveness of margin models in non-centrally cleared markets, which sets out recommendations for market practices intended to enhance market functioning. The report articulates the policy analysis work carried out by the BCBS-IOSCO in two areas discussed in the September 2022 Review of margining practices: (i) exploring the need to streamline variation margin processes in non-centrally cleared markets and (ii) investigating the responsiveness of initial margin models in non-centrally cleared markets. The consultative report sets out eight recommendations intended to encourage the widespread implementation of good market practices but does not propose any policy changes to the BCBS-IOSCO frameworks. BCBS and IOSCO stated that the first four recommendations aim to address challenges that could inhibit a seamless exchange of variation margin during a period of stress. The other four highlight practices for market participants to implement initiatives in an effort to ensure the calculation of initial margin is consistently adequate for contemporaneous market conditions and propose that supervisors should monitor whether these developments are sufficient to make this model responsive enough to extreme market shocks. [NEW]
- ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives.
- BCBS, CPMI, and IOSCO Publish Consultative Report on Transparency and Responsiveness of Initial Margin in Centrally Cleared Markets. On January 16, BCBS, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and IOSCO jointly published a consultative report—Transparency and responsiveness of initial margin in centrally cleared markets – review and policy proposals—on which interested parties are invited to comment. BCBS, CPMI, and IOSCO stated that the ten policy proposals in the report aim to increase the resilience of the centrally cleared ecosystem by improving participants’ understanding of central counterparties’ (CCPs) initial margin calculations and potential future margin requirements. The proposals cover CCP simulation tools, CCP disclosures, measurement of initial margin responsiveness, governance frameworks and margin model overrides, and clearing member transparency.
- ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets.
- ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus – New York (+1 212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
The new thresholds and new filing fees will take effect 30 days after publication in the Federal Register.
On January 22, 2024, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of certain M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”).[1] Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product. The new thresholds will take effect 30 days after publication in the Federal Register and apply to transactions that close on or after that date.
The size-of-transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $8.1 million, from $111.4 million in 2023 to $119.5 million for 2024.
| Original Threshold | 2023 Threshold | 2024 Threshold |
| --- | --- | --- |
| $10 million | $22.3 million | $23.9 million |
| $50 million | $111.4 million | $119.5 million |
| $100 million | $222.7 million | $239 million |
| $110 million | $245 million | $262.9 million |
| $200 million | $445.5 million | $478 million |
| $500 million | $1.1137 billion | $1.195 billion |
| $1 billion | $2.2274 billion | $2.39 billion |
The HSR filing fees have been revised pursuant to the 2023 Consolidated Appropriations Act. The new filing fees, which will also take effect 30 days after publication in the Federal Register, will be:
| Fee | Size of Transaction |
| --- | --- |
| $30,000 | Valued at less than $173.3 million |
| $105,000 | Valued at $173.3 million or more but less than $536.5 million |
| $260,000 | Valued at $536.5 million or more but less than $1.073 billion |
| $415,000 | Valued at $1.073 billion or more but less than $2.146 billion |
| $830,000 | Valued at $2.146 billion or more but less than $5.365 billion |
| $2,335,000 | $5.365 billion or more |
The 2024 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $48,559,000 for Section 8(a)(1) (size of corporation) and $4,855,900 for Section 8(a)(2)(A) (competitive sales). The Section 8 thresholds took effect on January 22, 2024.
__________
[1] Press Release, Federal Trade Commission, FTC Announces 2024 Update of Size of Transaction Thresholds for Premerger Notification Filings, January 22, 2024, available at: https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-announces-2024-update-size-transaction-thresholds-premerger-notification-filings?utm_source=govdelivery
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:
Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, rbrass@gibsondunn.com)
Andrew Cline – Washington, D.C. (+1 202.887.3698, acline@gibsondunn.com)
Jamie E. France – Washington, D.C. (+1 202.955.8218, jfrance@gibsondunn.com)
Cynthia Richman – Washington, D.C. (+1 202.955.8234, crichman@gibsondunn.com)
Stephen Weissman – Washington, D.C. (+1 202.955.8678, sweissman@gibsondunn.com)
Chris Wilson – Washington, D.C. (+1 202.955.8520, cwilson@gibsondunn.com)
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)
Private Equity:
Richard J. Birns – New York (+1 212.351.4032, rbirns@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310.552.8581, alanin@gibsondunn.com)
Michael Piazza – Houston (+1 346.718.6670, mpiazza@gibsondunn.com)
John M. Pollack – New York (+1 212.351.3903, jpollack@gibsondunn.com)
The court’s opinion is quite favorable to government plaintiffs on a number of key fronts, and as a result, likely will be frequently trumpeted by DOJ and FTC in future merger enforcement cases.
On January 8, 2024, Judge Edgardo Ramos of the Southern District of New York issued his ruling in the FTC’s challenge to the proposed acquisition of DeepIntent by IQVIA.[1] The decision, a victory for the FTC, is one likely to be cited early and often by antitrust plaintiffs in Section 7 cases.
BACKGROUND
FTC alleged that IQVIA’s Lasso and Propel Media’s DeepIntent were two leading firms providing programmatic advertising to healthcare professionals.[2] Programmatic advertising is an automated way of presenting targeted advertising, in the form of website-based ads, to a specific cohort, in this case, doctors, nurses, and other health practitioners.[3]
After investigating the proposed acquisition, after which DeepIntent would become part of the IQVIA portfolio, the FTC filed a lawsuit in federal court to temporarily enjoin the transaction pending an in-house administrative proceeding.[4] As discussed below, the court’s opinion reads quite favorably to government plaintiffs on a number of key fronts, and as a result, will likely be frequently trumpeted by DOJ and FTC in future merger enforcement cases.
ANALYSIS
The Court Placed Undue Weight on the 30 Percent Market Share Threshold in Philadelphia National Bank. Perhaps the most concerning aspect of the IQVIA decision is its seeming reinvigoration of the 30 percent market share presumption in Philadelphia National Bank,[5] a case that celebrated its 60th birthday last year.
To refresh on Philadelphia National Bank, one of the earliest cases applying Section 7 of the Clayton Act, the opinion established the structural presumption—a minimum level of market concentration that creates a rebuttable presumption that a merger is anticompetitive. The decision states that, at least as concerns bank mergers, 30 percent market share held by the combined firm is the threshold above which a merger “threaten[s] undue concentration . . .”[6]
The IQVIA court had to consider two competing market share calculations. The FTC’s expert contended the combined firm would comprise 46 percent of the market, while the Defendants’ expert asserted that the combined firm would hold a 30.6 percent share.[7] Rather than resolving this difference, the court essentially applied Philadelphia National Bank to reduce the dispute largely to irrelevance, concluding that even under the Defendants’ lower market share figures,[8] the transaction satisfies the presumption.
With FTC’s prima facie case established, the remainder of the exercise became largely academic. Even while the court agreed with Defendants that the market was “dynamic and fast-moving,” this nevertheless was an insufficient basis to question whether the “static snapshot of market shares” presented by the FTC was indicative of likely competitive harm.[9] The court disregarded Defendants’ evidence of competitive pressure from other firms. It concluded that the FTC was “not required to establish that DeepIntent and Lasso are exclusive competitors,”[10]—a facile resolution of an otherwise complex question. Concerns pointed out by Defendants about input data used in the FTC expert’s merger simulation were set aside, because per the court, its duty was not to “sift through various models and theories.”[11] So, while the court stated in a footnote that “market shares alone are not dispositive,”[12] the opinion reads functionally the opposite.
To be clear, this article does not contend that Philadelphia National Bank has been overruled or repudiated. Rather, the IQVIA opinion seems to apply, uncritically, the 30 percent market share threshold presented in Philadelphia National Bank without: 1) considering whether this is appropriate given subsequent Supreme Court precedent in General Dynamics[13] and Marine Bancorporation,[14] and 2) carefully evaluating whether concentration figures accurately reflect the competitive dynamic in the marketplace. As noted in the seminal Baker Hughes decision, General Dynamics and Marine Bancorporation, even while not overruling Philadelphia National Bank, caution courts not to impose a practically insurmountable burden on section 7 defendants simply because the government has presented plausible market shares above the threshold.[15] The IQVIA decision appears to do just that.
The Court Applied a More Lenient Preliminary Injunction Standard. The FTC also benefitted from the court’s application of a low bar for obtaining a preliminary injunction. The applicable standard under Section 13(b) of the Clayton Act (which authorizes the FTC to file suit in federal court to seek preliminary injunctive relief pending an administrative hearing) was also a subject of dispute between the parties.
The FTC, citing FTC v. Lancaster Colony Corp.,[16] contended that it need only show “a fair and tenable chance of ultimate success on the merits.”[17] Defendants argued that the FTC must go further and present evidence that “raise[s] questions going to the merits so serious, substantial, difficult and doubtful as to make them fair ground for thorough investigation, study, deliberation and determination by the FTC in the first instance and ultimately by the Court of Appeals.”[18] As it does at other points in the decision, the court declines to resolve the dispute, instead concluding that it doesn’t matter, stating “there is no meaningful difference between the two standards.”[19]
This resolution is at odds with other decisions on the subject. Notably, in FTC v. Staples,[20] the court concluded that there was a difference (and that fair and tenable was the incorrect benchmark), and cited the Second Circuit decision in Fruehauf, which held that “the government must show a reasonable probability that the proposed transaction would substantially lessen competition in the future”[21]—a burden which, however construed, is more onerous than “a fair and tenable chance of ultimate success on the merits.” Here too, it appears the court settled the matter in a manner that made the FTC’s job far easier than Circuit authority requires.
Programmatic Advertising Competes in a Broader Advertising Market. Another key dispute in the IQVIA decision concerned product-market definition and the question whether programmatic advertising directed at healthcare professionals competed with other forms of advertising such as social media and digital advertising on medical websites such as WebMD.[22]
The court, applying Brown Shoe factors, concluded that programmatic advertising qualified as a distinct product market because of some distinct features specific to programmatic advertising such as the availability and granularity of ad performance data.[23] It also highlighted perceived disadvantages of other forms of advertising, such as the limited reach of social media advertising.[24]
However, the court seemed reluctant to fully engage with the evidence presented by Defendants showing that the purchasers of advertising often move their dollars among different advertising channels—including channels that the court concluded are not reasonable substitutes for programmatic advertising.[25] The opinion even credits Defendants’ evidence in this regard, noting “[t]o be clear, social media companies and endemic websites are competing with DSPs in a broad sense. An agency running an advertising campaign will not have an unlimited budget, so it must make decisions about how to allocate the advertising funds it has.”[26] But it is difficult, at best, to square the fact that these channels do compete with the court’s conclusion that they nevertheless are out of the market.
Ultimately, the opinion applies an eye-of-the-needle product-market definition, concluding that other channels are out of the market mainly because they are not identical and perfect substitutes for programmatic advertising—even though purchasers of these products are allocating their money across both programmatic and non-programmatic advertising. Given this plaintiff-friendly conclusion, we should expect to see parties advocating for ultra-narrow product-market definitions frequently citing IQVIA.
CONCLUSIONS AND LOOKING FORWARD
IQVIA is, for now, an unmitigated victory for the FTC, and one that, if affirmed or not appealed, will embolden merger enforcement efforts under the Biden Administration. But the court’s opinion ignores or unwinds formerly well-settled precedent, which may ultimately confuse rather than clarify the resolution of Section 7 actions for years to come.
__________
[1] FTC v. IQVIA Holdings Inc. and Propel Media, Inc., No. 23 Civ. 06188, 2024 WL 81232 (S.D.N.Y. Jan. 8, 2024) (hereinafter, “IQVIA”).
[2] Id. at 1.
[3] Id.
[4] Id.
[5] United States v. Philadelphia National Bank, 374 U.S. 321 (1963).
[6] Id. at 364.
[7] IQVIA, at 34.
[8] Id.
[9] Id. at 43-44.
[10] Id. at 40.
[11] Id. at 42.
[12] Id. at 33 n.24.
[13] United States v. General Dynamics Corp., 415 U.S. 486 (1974).
[14] United States v. Marine Bancorporation, 418 U.S. 602 (1974).
[15] United States v. Baker Hughes, Inc., 908 F.2d 981, 991 (D.C. Cir. 1990).
[16] FTC v. Lancaster Colony Corp., 434 F. Supp. 1088 (S.D.N.Y. 1977).
[17] IQVIA, at 7.
[18] Id.
[19] Id. at 8.
[20] See FTC v. Staples, Inc., 970 F. Supp. 1066, 1072 (D.D.C. 1997).
[21] Fruehauf Corp. v. FTC, 603 F.2d 345, 351 (2d Cir. 1979).
[22] IQVIA, at 2.
[23] Id. at 14.
[24] Id.
[25] Id. at 17.
[26] Id.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:
Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, rbrass@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Cynthia Richman – Washington, D.C. (+1 202.955.8234, crichman@gibsondunn.com)
Stephen Weissman – Washington, D.C. (+1 202.955.8678, sweissman@gibsondunn.com)
Chris Wilson – Washington, D.C. (+1 202.955.8520, cwilson@gibsondunn.com)
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)
Private Equity:
Richard J. Birns – New York (+1 212.351.4032, rbirns@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310.552.8581, alanin@gibsondunn.com)
Michael Piazza – Houston (+1 346.718.6670, mpiazza@gibsondunn.com)
John M. Pollack – New York (+1 212.351.3903, jpollack@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
HNMC, Inc. v. Chan et al., No. 22-0053 – Decided January 19, 2024
On January 19, 2024, the Texas Supreme Court held 9-0 that a property owner isn’t liable for an accident that occurred on an adjacent roadway when the property owner didn’t control any condition on the roadway that caused the accident.
“[C]ourts should not attempt to craft case-specific duties when recognized duty rules apply to the factual situation at hand.”
Justice Busby, writing for the Court
Background:
Francis Chan worked as a nurse at Houston Northwest Medical Center, and she routinely parked her car across the street from the hospital in a lot the hospital owned. Pedestrians routinely used an abandoned crosswalk controlled by Harris County to cross between the hospital and the parking lot. When Chan did so, a vehicle exiting the parking lot struck and killed her. Chan’s estate filed a negligence suit against the driver and the driver’s employer, which designated the hospital and the County as responsible third parties.
A jury found the hospital 20 percent liable, and the en banc court of appeals affirmed. In doing so, the court acknowledged the longstanding principle that premises owners generally have no duty to ensure the safety of an adjacent roadway. But instead of applying that rule, it used the multi-factor balancing test adopted by the Texas Supreme Court in Greater Houston Transportation Co. v. Phillips, 801 S.W.2d 523 (Tex. 1990), to recognize a new duty specific to the situation presented in this case to hold the hospital negligent.
Issue:
Did the court of appeals correctly recognize a new duty that required a hospital to ensure the safety of pedestrians on a road adjacent to its property?
Court’s Holding:
No. A duty rule already exists that contemplates this case’s factual situation, so assessing the Phillips factors to recognize a new duty is improper. Premises owners generally have no duty to ensure the safety of persons on adjacent properties, and the hospital didn’t control any aspect of the adjacent roadway that caused the accident.
What it Means:
- Texas courts may not create new, case-specific duties “[w]hen a duty or no-duty rule already exists that contemplates a particular case’s factual situation.”
- Even if a property owner is aware of an obvious danger on an adjacent property, the owner has no duty if the owner doesn’t control that property.
- The Texas Supreme Court reserved for future consideration the question whether to reconsider, in light of the U.S. Supreme Court’s intervening decision in Dupree v. Younger, 598 U.S. 729, 735–36 (2023), prior precedent holding that the denial of summary judgment on purely legal grounds can’t be challenged on appeal after a trial. Litigants should be on guard to preserve this issue in post-trial proceedings moving forward.
Appellate and Constitutional Law Practice
Thomas H. Dupree Jr. +1 202.955.8547 tdupree@gibsondunn.com
Allyson N. Ho +1 214.698.3233 aho@gibsondunn.com
Julian W. Poon +1 213.229.7758 jpoon@gibsondunn.com
Brad G. Hubbard +1 214.698.3326 bhubbard@gibsondunn.com
Related Practice: Litigation
Reed Brodsky +1 212.351.5334 rbrodsky@gibsondunn.com
Theane Evangelis +1 213.229.7726 tevangelis@gibsondunn.com
Veronica S. Moyé +1 214.698.3320 vmoye@gibsondunn.com
Helgi C. Walker +1 202.887.3599 hwalker@gibsondunn.com
Related Practice: Texas Litigation
Trey Cox +1 214.698.3256 tcox@gibsondunn.com
Collin Cox +1 346.718.6604 ccox@gibsondunn.com
Michael Raiff +1 214.698.3350 mraiff@gibsondunn.com
Gregg Costa +1 346.718.6649 gcosta@gibsondunn.com
This alert was prepared by Texas associates Elizabeth Kiernan, Stephen Hammer, and Brian Sanders.
From the Derivatives Practice Group: Read below for global derivatives updates, including ISDA’s response to US Basel III and G-SIB Surcharge.
New Developments
- CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs. [NEW]
- CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque de France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20, as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France. [NEW]
- CFTC to Hold a Commission Open Meeting on January 22. CFTC Chairman Rostin Behnam announced on January 12, 2024 that the Commission will hold an open meeting on Monday, January 22 at 9:30 a.m. (EST) at the CFTC’s Washington, D.C. headquarters. The Commission will consider the following:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
- CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
New Developments Outside the U.S.
- RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.
- Hong Kong Consults on Regulatory Regime for Stablecoins. On December 27, the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (HKMA) jointly issued a public consultation paper on the legislative proposal for implementing the regulatory regime for stablecoin issuers in Hong Kong. Under the proposed regime, an issuer would be required to obtain a license from the HKMA if it issues a stablecoin that references the value of one or more fiat currencies in Hong Kong. The licensed issuer will have to fulfil certain financial resources requirements, and will be required to put in place an effective stabilization mechanism, such as maintaining a pool of high-quality and highly-liquid reserve assets with proper custody arrangement. The proposed regime further imposes governance, risk management and AML/CFT measures on licensees. Interested parties are encouraged to submit written comments on or before February 29, 2024.
- ESAs Propose to Extend Equity Option Margin Exemption by Two Years. On December 21, the European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority and the European Insurance and Occupational Pensions Authority – published draft regulatory technical standards (RTS) proposing a two-year extension (until January 4, 2026) to the exemption for equity options from bilateral margining under the European Market Infrastructure Regulation (EMIR). These RTS have to be endorsed by the European Commission and are subject to non-objection by the Council of the EU and the European Parliament before they enter into force. The draft RTS are accompanied by a statement from the ESAs that competent authorities “should not prioritise any supervisory or enforcement action” relating to bilateral margining for equity options until the entry into force of these amended RTS or the adoption of a long-term solution under EMIR 3, whichever occurs first.
New Industry-Led Developments
- ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions. [NEW]
- ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives. [NEW]
- ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets. [NEW]
- ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation. [NEW]
- ISDA Updates OTC Derivatives Compliance Calendar. On January 3, 2024, ISDA updated its global calendar of compliance deadlines and regulatory dates for the over-the-counter (OTC) derivatives space. The updated calendar can be found on the ISDA website.
- ISDA Submits Response to HMT, FCA and PRA on UK EMIR. On December 20, ISDA and UK Finance submitted a joint response to His Majesty’s Treasury (HMT), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) on the reform of the UK EMIR. ISDA stated that ISDA and UK Finance submitted the response in an attempt to inform the next stage of the UK’s smarter regulatory framework reform package. In the response, the associations recommend a small number of clearly defined changes, seek certainty and permanence on current temporary exemptions and request an end to the current dependency on equivalence decisions for certain provisions (for instance, the intragroup exemption).
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus – New York (+1 212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
The California Supreme Court today held that courts lack the inherent authority to strike PAGA claims on the ground that they cannot be tried manageably. The Court emphasized, however, that trial courts have numerous other tools for narrowing complex PAGA actions, including limiting the evidence a plaintiff may present at trial.
“[S]triking a PAGA claim on manageability grounds alone … is inconsistent with a plaintiff’s statutory right to bring such a claim and is beyond a trial court’s inherent authority.”
Chief Justice Guerrero, writing for the Court
Background:
Luis Estrada sued his former employer, claiming various Labor Code violations, including violations related to meal periods. Estrada sought to represent classes of similarly situated employees and additionally sought penalties under the Private Attorneys General Act of 2004 (“PAGA”), California Labor Code section 2698 et seq. Following a bench trial, the trial court decertified the meal period classes, concluding that the claims presented too many individualized issues to be resolved in a class proceeding. The trial court also dismissed the PAGA claims seeking penalties based on those same meal-period claims for everyone other than the named plaintiffs, ruling that those claims could not be tried manageably.
The Court of Appeal held that the trial court had no authority to dismiss the PAGA claims on manageability grounds. In doing so, it broke from a previous Court of Appeal decision holding that trial courts have the inherent authority to strike unmanageable PAGA claims. The California Supreme Court granted review to resolve the conflict.
Issue:
Do courts have the inherent authority to strike PAGA claims if they cannot be tried manageably?
Court’s Holding:
No, but courts have numerous tools that can be used to manage PAGA cases, including limiting the evidence that a plaintiff can present at trial.
What it Means:
- Both the California Supreme Court and the Ninth Circuit have now held that courts may not strike or dismiss PAGA claims on the ground that they cannot be tried manageably—even in cases in which class claims based on the same asserted Labor Code violations cannot be adjudicated in a manageable class action.
- The Court’s opinion focused heavily on the distinction between class actions and PAGA actions, explaining that “class claims differ significantly from PAGA claims” and have “differing doctrinal bas[es].”
- The Court emphasized, however, that its holding “does not preclude trial courts from limiting the types of evidence a plaintiff may present or using other tools to assure that a PAGA claim can be effectively tried.”
- The Court also did not “foreclose the possibility that a defendant could demonstrate that a trial court’s use of case management techniques so abridged [its] right to present a defense that its right to due process was violated.”
- The Court further explained that if a plaintiff’s case were “overbroad or unspecific,” such that she could not “prove liability as to all or most employees,” the PAGA claims could be narrowed through “substantive rulings,” including demurrers or motions for summary judgment.
The Court’s opinion is available here.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:
Appellate and Constitutional Law Practice
Thomas H. Dupree Jr. +1 202.955.8547 tdupree@gibsondunn.com
Allyson N. Ho +1 214.698.3233 aho@gibsondunn.com
Julian W. Poon +1 213.229.7758 jpoon@gibsondunn.com
Blaine H. Evanson +1 949.451.3805 bevanson@gibsondunn.com
Bradley J. Hamburger +1 213.229.7658 bhamburger@gibsondunn.com
Michael J. Holecek +1 213.229.7018 mholecek@gibsondunn.com
Related Practice: Labor and Employment
Jason C. Schwartz +1 202.955.8242 jschwartz@gibsondunn.com
Katherine V.A. Smith +1 213.229.7107 ksmith@gibsondunn.com
Related Practice: Litigation
Theodore J. Boutrous, Jr. +1 213.229.7804 tboutrous@gibsondunn.com
Theane Evangelis +1 213.229.7726 tevangelis@gibsondunn.com
An overview of labor and employee benefits considerations in M&A transactions, which can implicate financial liabilities and impact the value and long-term viability of a business.
As M&A transactions are negotiated, parties often focus on the business and revenue drivers of the target during the due diligence process and leave labor and employee benefit plan considerations as a secondary thought. However, employees are often the backbone of a business – employee and benefit plan matters can implicate serious financial liabilities and employee relations issues can impact the value and long-term viability of a business. Below, we highlight several labor and employee benefits considerations in M&A transactions.
- Impact of Deal Structure on Employees and Benefit Plans
In a transaction structured as an acquisition of equity, the buyer acquires the target company’s (or a parent entity’s) equity interests, and typically inherits the target’s existing employees and employee benefit plans. Similarly, in a merger, the target becomes part of the buyer (or a subsidiary of the buyer). The continuity of the existing structure means target employees will generally automatically transfer employment to the buyer group while often remaining employed by their current employing entity, without any offer and acceptance process. This structure offers simplicity for the buyer from an on-boarding perspective, but demands a more thorough review of existing labor practices and benefit plans because the buyer will assume any legacy programs and historical liabilities. The scope of due diligence will include (i) identifying any potential employment practices or benefit plan concerns or non-compliance with applicable laws, and (ii) evaluating labor practices and benefit plans for post-closing integration with buyer practices and plans. In addition, a strategic buyer will need to determine how to handle duplicative benefit plans post-closing and may wish to require a seller to terminate certain plans pre-closing (or need to consider benefit plan mergers post-closing).
In contrast, in a transaction structured as an acquisition of assets, the buyer generally has more control and flexibility over which employees to hire and which benefit plans (if any) the buyer would like to assume. However, even if the buyer does not assume any benefit plans, the concept of successor liability for certain labor practices and benefit plans may still result in liability for the buyer. An asset structure also means the buyer will have to on-board target employees with an offer and acceptance process and employment agreements may need to be renegotiated. As part of this process, the buyer will also have to consider any employee relations issues as target employees face potential changes to their work environment and compensation and benefit structures.
Notably, in some mergers or equity deals, employees may be employed and benefit plans may be maintained at a parent level (rather than at the subsidiary being acquired). Such transactions are more akin to an “asset purchase” from a labor and benefits perspective as parent-level employees and benefit plans would not transfer automatically with the subsidiary target in the deal.
- Potentially Costly Benefit Plan Liabilities
Thorough due diligence of benefit plans generally involves an examination of the target’s retirement plans and health and welfare benefits. Employee benefit plans are subject to a number of complex regulatory requirements, including the tax code, ERISA and the Affordable Care Act, which carry significant taxes and penalties in the event of noncompliance. Many of these laws also operate on a “controlled group basis,” meaning that benefit plan obligations at a parent or brother-sister entity can create exposure for the target. The due diligence process can help identify any potential legal risks and design strategies to mitigate such legal risks.
One area of particular concern is identifying whether the target (or any target employee) participates in any defined benefit pension plans or union (multiemployer) pension plans, or whether the target provides (or has promised to provide) any retiree health or other welfare benefits. Defined benefit pension plans are subject to strict funding requirements, and maintaining an under-funded plan may result in increased costs for the buyer post-acquisition due to unexpected increases in required contributions. Withdrawals (including partial withdrawals) from a union pension plan may also implicate significant withdrawal liabilities for an employer contributing to such a plan. In addition, if the target provides (or has promised to provide) any retiree welfare benefits, the buyer should take into account the future financial costs of such obligations, which can be quite significant depending on the covered population and the type of benefit. Thus, attention should be given during due diligence to the funding status of pension plans, any outstanding or potential withdrawal liability, and the extent of any retiree benefit commitments. Once such items are identified, the buyer can develop strategies for addressing these liabilities, including negotiating purchase price deductions or special indemnities.
- Impact of Executive Compensation Arrangements and Code Section 280G
Due diligence should also cover the target’s executive compensation arrangements, including any equity arrangements, severance benefits, or other payments that might be triggered in connection with the transaction, to understand the potential future financial obligations and assess the compliance of such arrangements with regulatory requirements. Section 280G of the Internal Revenue Code (“Section 280G”) applies to certain payments (“parachute payments”) made to certain service providers of a corporation (“disqualified individuals”) in connection with a change in control. If parachute payments exceed three times the disqualified individual’s “base amount” (generally the average of the individual’s prior five-year compensation), Section 280G imposes a 20% excise tax on a portion of such payments and also prohibits the employer entity from taking a tax deduction for such payments. Transaction or retention bonuses, equity acceleration, and severance compensation and benefits are common payments that could be considered parachute payments.
Private Company Targets. There are several notable exceptions to Section 280G. One of the most commonly used exceptions for private corporations is to obtain shareholder approval of parachute payments. This process generally involves: (i) obtaining a waiver from each of the disqualified individuals waiving their right to excess parachute payments if such are not approved by the target’s shareholders, (ii) disclosing the details of such payments to all of the company’s shareholders, and (iii) obtaining the approval of at least 75% of the voting power of the target’s shareholders, excluding those receiving parachute payments. Depending on the number of disqualified individuals and shareholders involved, this process can be lengthy and involve additional negotiations. Thus, the parties should identify Section 280G payments early in due diligence so that any shareholder approval process is completed before closing. Where a transaction has a staggered sign and close, a covenant is also often included in the purchase agreement requiring sellers to solicit waivers and shareholder approval in accordance with 280G’s regulatory requirements (under Section 280G the consummation of the transaction cannot be contingent on actually obtaining such shareholder approval).
Public Company Targets. The shareholder approval exception is not available to public company targets. Thus, the parties should identify potential Section 280G payments early in the due diligence process to explore mitigation strategies. Common mitigation strategies involve: (i) using “cutback” provisions to reduce parachute payments to the maximum amount that avoids excise taxes or that results in a better net after-tax benefit for the individual, (ii) for transactions that will sign in one calendar year and close in a later calendar year, increasing the disqualified individuals’ “base amount” by accelerating certain compensation (such as annual bonuses and potentially equity vesting) to the year prior to the year of closing so that such amounts will be included in calculating the “base amount,” and (iii) obtaining valuations of any applicable restrictive covenants which can help to offset the value of excess parachute payments in certain circumstances.
- Potential Exposure to Worker Misclassification Liability
Due diligence should also include a review of the target’s worker classification practices. Two primary worker misclassification issues can arise in the context of an M&A transaction: (1) misclassification of workers as exempt under the minimum wage and overtime requirements of the Fair Labor Standards Act (“FLSA”) and similar state laws; and (2) misclassification of workers as independent contractors. Claims brought by employees who have been improperly classified can result in significant liability—including liability for unpaid wages and benefits, liquidated damages, unpaid taxes, and attorney’s fees. These claims are often asserted as collective actions seeking damages on behalf of all affected employees.
Exempt or Non-Exempt Status. In order to comply with the FLSA and similar state laws, exempt employees often must meet separate salary level, salary basis, and job duties tests. To complete a fulsome analysis of these tests, the buyer should ensure that the target provides an employee census early in the diligence process that lists all of the target’s employees, their locations, job titles, compensation rate, compensation type (hourly, salaried, or commission), and classification under the FLSA (exempt or non-exempt). A complete employee census is the first step for identifying potential “red flags.” For any job titles that raise FLSA classification concerns, the buyer should request a job description and additional details to assess whether job duties align with requirements of an applicable exemption under the FLSA.
Independent Contractors. Although true independent contractors are not subject to the FLSA, an employee improperly classified as an independent contractor may have a viable claim for minimum wage, overtime pay, employee benefits coverages and other benefits typically reserved for employees. For this reason, an analysis of the target’s worker classification practices should include review of the use of independent contractors, including an independent contractor census reflecting the scope of work and the length of engagement of independent contractors, as well as an analysis of sample contracts between the target and its independent contractors. The Department of Labor (“DOL”) released a final rule on January 10, 2024, tightening the standard for evaluating the classification of workers. The rule, effective March 11, 2024, suggests that employers use a “totality of the circumstances test” made up of six equally-weighted factors: (1) the opportunity for profit or loss depending on managerial skill; (2) the investments by the worker and potential employer; (3) the degree of permanence of the work relationship; (4) the nature and degree of control over performance of the work and the work relationship; (5) the extent to which the work performed is integral to the potential employer’s business; and (6) the skill and initiative of the worker. No one factor controls; instead, an analysis of all six factors is needed in order to effectively evaluate a worker’s classification. The greater a target’s use of independent contractors, the more fact-intensive a due diligence inquiry into the nature of the parties’ working relationship must be. While the DOL’s new rule is likely to be the subject of legal challenges, it reflects a general trend subjecting independent contractor arrangements to closer scrutiny, increasing the need to carefully assess such arrangements in deal diligence.
- Collective Bargaining Issues
If the target company or any of its employees are parties or subject to collective bargaining agreements (“CBAs”), work councils, or any other similar labor obligations with representative bodies, due diligence requires a careful analysis of the agreement’s terms to evaluate its potential impact on the transaction both pre- and post-closing. Examples of such terms include, but are not limited to: (1) provisions that require notice to and consent from the union prior to a sale or transfer of the business; (2) provisions that require recognition of the union; and (3) provisions that require the transferee or purchaser to continue providing certain benefits to the covered union members (such as pension plans). In addition, the buyer should note the status and term of any agreements. If a CBA has recently expired or its expiration is imminent, union negotiations and bargaining for a new CBA could impact the timeline of the transaction and thereby the date of closing, as well as give rise to other considerations.
In addition to examining any union agreements themselves, buyers must be aware of the practical considerations of purchasing a company with union labor obligations, including the scope of any union recognition on employees covered by the transaction. A buyer should also be aware of extra-contractual duties that could arise under federal labor law. For example, the National Labor Relations Board (“NLRB”) recently expanded its test for finding the existence of “joint-employer” status under a final rule to become effective on February 26, 2024. Under the new standard, two or more entities may be found to be joint employers of a group of employees (and, thus, jointly obligated to recognize a union as the representative of such employees) if two conditions are met: (1) each entity has an “employment relationship” with the employees; and (2) the entities “share or codetermine one or more of the employees’ essential terms and conditions of employment.” This new standard can be important to consider in transactions involving parent/subsidiary arrangements, joint ventures, and outsourced management (including between property owners and managers and between portfolio companies and private equity managers).
Another consideration—albeit less common—is that of a double-breasted operation (a practice often—but not exclusively—seen in the construction industry). Such an arrangement can occur when one parent company (or a common owner) operates both union and non-union businesses in the same market. Although permitted by federal labor law, these types of arrangements can be subject to additional scrutiny by the NLRB to ensure that the entities are truly separate and not alter egos of each other created to circumvent the CBA’s coverage of all employees. In the absence of adequate separation, the parent or common owner can be exposed to substantial liability flowing from application of collective bargaining obligations to its erstwhile non-union business operations.
- Review of Pay and Payroll Practices
Due diligence should also include a review of the target’s pay and payroll practices, including the company’s policies on employee pay and timekeeping practices. The target should have a system to accurately record time worked and track other employee time, such as meal and break times (the specific requirements for which can vary based on state laws). In reviewing the target’s pay and timekeeping practices, a buyer should keep in mind any distinctions that could be susceptible to challenge. For example, does the target “round” reported time or require non-exempt employees to “clock in” for work electronically in a manner that arguably does not account for the time it takes for the individual to log in to a computer or otherwise perform “clocking in” tasks?
Another issue to consider is the target’s practices and recordkeeping related to employee bonuses. For example, if a bonus that is offered to a non-exempt employee qualifies as a “non-discretionary” bonus under DOL rules, the bonus should be included in the employee’s regular rate of pay for purposes of overtime pay calculation under the FLSA. Proper recordkeeping should allow the buyer’s counsel to confirm the target’s compliance with overtime rules where nuances exist.
- Pre-Employment and Hiring Practice Compliance
Many companies require certain pre-employment screenings and testing, such as drug tests, background checks, or physical exams, to help screen and select job applicants. Aside from immigration compliance and anti-discrimination laws, most hiring practices are governed primarily by state law. Buyers must carefully assess potential liability stemming from the target’s pre-employment practices, paying particular attention to the laws of states where the target employs a sizeable number of workers. Improper administration or application of these tests may give rise to a variety of legal claims. Testing should be uniformly applied and comply with the Americans with Disabilities Act (“ADA”), and reasonable accommodations for disabled individuals must be provided. Finally, consideration of any privacy concerns or recordkeeping requirements related to the target’s pre-employment and hiring practices should also be a part of the due diligence process.
Employment Eligibility and Immigration Law Compliance. Due diligence should cover the target’s practices for ensuring immigration compliance, including Form I-9 completion and potential use of E-Verify to confirm a prospective employee’s eligibility to work in the United States, which may be required or restricted under applicable state and federal laws. If the target employs foreign workers and the buyer intends to hire or retain these workers, due diligence should also take into consideration the work status of each of these workers, including the existence or availability of applicable visas or other immigration-related approvals.
Background Checks. Because of the patchwork of state laws governing these subjects, a target’s use of criminal background checks, consumer or credit reports, or social media screening are all cause for additional scrutiny. For example, many states restrict an employer’s ability to inquire into an applicant’s criminal record or limit the employer’s ability to make hiring decisions solely based on an applicant’s criminal record. Additionally, obtaining information about an applicant from a company that compiles background information as a business may require the disclosure of specific information to the applicant in writing.
Medical Exams; Drug Tests. A target’s practices in conducting any pre-employment medical screenings should be closely examined. Under the ADA, job applicants cannot be required to submit to medical or physical examinations or alcohol tests prior to receiving (at least) a conditional job offer. Note, however, that according to EEOC guidance, employers may ask applicants to submit to drug tests before making a conditional job offer.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Mergers & Acquisitions, Private Equity, Executive Compensation & Employee Benefits, or Labor & Employment practice groups, or the following authors and practice leaders:
Executive Compensation and Employee Benefits:
Sean C. Feller – Los Angeles (+1 310.551.8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+ 214.698.3425, khanvey@gibsondunn.com)
Labor and Employment:
Karl G. Nelson – Dallas (+1 214.698.3203, knelson@gibsondunn.com)
Jason C. Schwartz – Washington, D.C. (+1 202.955.8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, ksmith@gibsondunn.com)
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, rlittle@gibsondunn.com)
Saee Muzumdar – New York (+1 212.351.3966, smuzumdar@gibsondunn.com)
Private Equity:
Richard J. Birns – New York (+1 212.351.4032, rbirns@gibsondunn.com)
Wim De Vlieger – London (+44 20 7071 4279, wdevlieger@gibsondunn.com)
Federico Fruhbeck – London (+44 20 7071 4230, ffruhbeck@gibsondunn.com)
Scott Jalowayski – Hong Kong (+852 2214 3727, sjalowayski@gibsondunn.com)
Ari Lanin – Los Angeles (+1 310.552.8581, alanin@gibsondunn.com)
Michael Piazza – Houston (+1 346.718.6670, mpiazza@gibsondunn.com)
John M. Pollack – New York (+1 212.351.3903, jpollack@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Key Developments:
On January 1, Texas’s ban on DEI offices and programming at public colleges and universities took effect. The new law prohibits public higher education institutions from establishing DEI offices, contracting with third parties to perform the functions of a DEI office, requiring any DEI training as a condition of enrollment, or according any preference based on diversity metrics, in admissions or otherwise. Covered institutions must adopt policies for disciplining employees or contractors who violate the ban, and the institutions’ boards must certify compliance. The law provides for periodic auditing and offers equitable relief to students or employees required to participate in a training in violation of the law. Institutions that fail to cure violations identified by an auditor within 108 days will be ineligible for certain state funding and institutional enhancements.
On January 2, America First Legal (AFL) sent letters to the EEOC and the Office of Federal Contract Compliance Programs (OFCCP) seeking investigations of Sanofi Pasteur for alleged violations of federal law. In its letter to the EEOC, AFL cited a video released to X (formerly Twitter) that appears to record an internal company meeting in which Sanofi Senior Vice President and U.S. Country Lead Carole Huntsman discusses Sanofi’s diversity goals and lists specific ratios of new hires that should be Black and Latinx. AFL also referenced the company’s Diverse Slate Policy, which requires Sanofi’s recruiting team to include “a minimum of one person of color and one female in each slate presented to a hiring leader,” and sets percentage goals for employee representation by race. In its letter to the OFCCP, AFL argued that Sanofi has violated a nondiscrimination clause integrated into every federal contract and subcontract through 41 C.F.R. § 60-1.4(a)(1)–(2), and that it is therefore subject to sanctions by the Secretary of Labor, including cancellation of contracts and a declaration of ineligibility for future government contracts. AFL also referenced the Supplier Diversity program discussed in Sanofi’s Diversity, Equity & Inclusion 2022 Impact Report for North America, which identifies specific goals for contracting with women-owned businesses and for “total diversity spend,” and argued that the program “may signify discriminatory quotas and potential violations of law.”
On January 4, the Foundation Against Intolerance and Racism (“FAIR”) reported that it had sent a letter to the National Institutes of Health (“NIH”) on November 30, 2023, concerning the NIH’s Consortium Underrepresented Student Program (“CUSP”), a summer internship program for individuals from underrepresented groups. FAIR states that, at the time of its letter, the NIH’s application defined underrepresented to include individuals with disabilities, individuals from disadvantaged backgrounds, and individuals from certain ethnic groups. Use of these criteria, according to FAIR, violated the NIH’s own non-discrimination policy, as well as the Equal Protection Clause of the Fourteenth Amendment and Title VI of the Civil Rights Act. FAIR requested that the NIH remove the criteria prior to the CUSP program’s application deadline in mid-January. The NIH has since removed the term underrepresented from the name of the program, the application eligibility criteria, and the application itself. The CUSP program page now encourages individuals of all backgrounds to apply, including those from “populations underrepresented in the clinical and biological sciences, such as underrepresented racial and ethnic groups, individuals with disabilities, individuals from disadvantaged backgrounds, and women.”
On January 5, attorneys general from nineteen states, spearheaded by Kansas, Montana, and Tennessee, wrote a letter to the Department of Commerce to oppose the Department’s proposed Business Diversity Principles, which seek to advance “best practices related to diversity, equity, inclusion, and accessibility (DEIA) in the private sector.” The attorneys general claimed that the Principles violate the Equal Protection Clause and Title VII of the Civil Rights Act, stating that “federal law makes clear that well-intentioned racial discrimination is just as illegal as invidious discrimination.” The attorneys general asserted that any race-based initiatives in the Principles are patently illegal and will garner unnecessary litigation, and referenced several recent lawsuits in which defendant employers and law firms changed their race-based recruitment programs or settled. The letter asserted that it “speaks volumes about [such programs’] lack of legal footing” that “some of the nation’s leading law firms can[not] craft a colorable defense to race-based DEIA efforts.”
On January 11, Arkansas Republican Senator Tom Cotton sent letters to ten different recruiting firms he alleged may be “conspiring with companies to exclude ‘non-diverse’ candidates from the hiring pool.” Recipients included Robert Half, Kelly Services, Randstad North America, Korn Ferry, ManpowerGroup, Egon Zehnder, Spencer Stuart, Heidrick & Struggles, Russell Reynolds Associates, and Diversified Search Group. In his letter, Senator Cotton noted the tension companies face between improving diversity metrics sometimes needed to access investment capital and avoiding the recent wave of legal scrutiny over corporate DEI initiatives, and suggested that companies “are increasingly outsourcing the dirty work of diversity discrimination to recruiting firms.” Noting that these initiatives may violate Title VII, Senator Cotton assured letter recipients that “corporate DEI initiatives that discriminate based on race will soon suffer the same fate as affirmative action in academia.” Citing EEOC Commissioner Andrea Lucas’s June 2023 statement that corporate diversity programs “pose both legal and practical risks for companies,” Senator Cotton urged letter recipients “to refuse any request to racially discriminate in recruiting practices.”
Media Coverage and Commentary:
Below is a selection of recent media coverage and commentary on these issues:
- Law360 Pulse, “Law Firm DEI Efforts At Crossroads Amid ’24 Litigation Threat” (January 2): Law360’s Ryan Boysen describes the shifting DEI landscape for law firms following the Supreme Court’s SFFA decision. Although Edward Blum recently expressed that AAER was done suing law firms (following AAER’s now-dismissed suits against Morrison Foerster, Perkins Coie, and Winston & Strawn), Boysen writes that “experts say law firms should remain vigilant in 2024.” Gibson Dunn Partner Jason Schwartz, head of the firm’s DEI Task Force and co-Chair of the firm’s Labor & Employment group, told Boysen that the “litigation around diversity and related topics that we’ve seen in the wake of SFFA is really only the beginning.” Schwartz also flagged that the “key issue heading into 2024 will be how Muldrow[, the Title VII case pending before the Supreme Court,] is decided,” concluding that “[i]f that ruling creates a lower bar for filing Title VII lawsuits, then you will see a lot of diversity programs being challenged in litigation.”
- Wall Street Journal, “How the Push for Diversity at Colleges and Companies Came Under Siege” (January 4): WSJ’s Ray A. Smith and Lauren Weber describe the “legal, economic and geopolitical forces” threatening DEI initiatives. Smith and Weber spoke to DEI consultants about the potential long-term effects of the recent increase in opposition to DEI. Paradigm CEO Joelle Emerson said that many Fortune 500 companies are continuing their diversity and inclusion efforts but are planning to be “quieter” about their implementation. Johnny C. Taylor, Jr., CEO of the Society for Human Resources Management, has seen some companies begin moving away from certain DEI efforts, especially those that are “tied to numeral targets for hiring or promotions” or that base executive bonuses on those targets. Rory Lancman, director of corporate initiatives and senior counsel at the Louis D. Brandeis Center for Human Rights Under Law, notes that the DEI landscape is further complicated by diverging opinions on the Israel-Hamas war, which have garnered significant attention on college campuses and have caused tension in some workplaces.
- Fortune, “The anti-DEI movement has gone from fringe to mainstream. Here’s what that means for corporate America” (January 4): Paradigm CEO Joelle Emerson discusses how, in her view, conservative activists have “weaponized” DEI, and what proponents of diversity initiatives can do to reframe the discussion. Notwithstanding the recent wave of litigation challenging DEI-related programs, “anti-diversity activists have been working towards this moment for decades,” writes Emerson. But she opines that the recent success of the anti-DEI narrative is due in part to the nature of the pro-DEI narrative—one that, in some cases, has not “always left room for conversations, questions, or nuance” and leads to “drawing a line in the sand, pro-DEI vs. anti-DEI.” The result, says Emerson, is that many corporate leaders who care about increasing representation of diverse voices are nonetheless concerned about being criticized for not going far enough, and worry about the legal ramifications of setting diversity goals. Emerson advocates for a return to fundamentals—“the actual principles of diversity, equity, and inclusion”—with renewed focus on the precise access and experience gaps DEI work is seeking to close.
- Washington Post, “Conservative anti-DEI activists claim victory in Harvard leader’s fall” (January 5): The Post’s Julian Mark and Taylor Telford report on conservative activists’ response to the resignation of Harvard University President Claudine Gay. Gay recently came under fire for her Congressional testimony related to on-campus anti-Semitism, and has also faced accusations of plagiarism in her scholarly work. As Mark and Telford note, conservative activists and public figures have characterized Gay’s achievements as the result of her race and not her merit. In a post on X, activist Chris Rufo called Gay’s resignation “the beginning of the end for DEI in America’s institutions”; in his own post on X, hedge fund manager and Harvard alumnus Bill Ackman, who described DEI as “inherently a racist and illegal movement,” called Gay’s resignation “an important step forward for the University.” In an op-ed published in the New York Times, Gay stood by her scholarly work and characterized her resignation as part of a larger attack on DEI, stating that “the campaign against me was about more than one university and one leader.”
- Harvard Business Review, “DEI Is Under Attack. Here’s How Companies Can Mitigate the Legal Risks.” (January 5): Kenji Yoshino and David Glasgow, both of the NYU School of Law and the Meltzer Center for Diversity, Inclusion, and Belonging, advocate for businesses to take a proactive approach in adapting to the shifting legal landscape surrounding DEI. Yoshino and Glasgow lay out a framework for identifying risk among DEI programs, noting that high-risk programs: (1) confer “a preference” on some individuals and not others; (2) give that preference to a legally protected group; and (3) confer, as part of that preference, some “palpable benefit” related to work. Applying this framework, Yoshino and Glasgow identify examples of high-risk programs, including enforcing hiring, promotion, or other quotas, using protected criteria as a tiebreaker in making employment decisions, targeting specific programs to specific protected groups, and linking managers’ compensation to meeting DEI targets. To mitigate risk, Yoshino and Glasgow recommend that companies seek to level the playing field for all candidates, focus on commonalities other than membership in protected groups, and identify ways to increase DEI buy-in untethered to any palpable benefits in the workplace.
- Corporate Counsel, “Many Companies Doubling Down on DEI Despite Backlash” (January 10): Corporate Counsel’s Trudy Knockless reports on a new study by law firm Littler Mendelson, finding that companies have maintained their DEI commitments even while seeking to minimize legal risk in the wake of SFFA. Surveying over 320 senior corporate executives, the study found that 57% of respondents say their organizations have increased diversity efforts over the last year and 91% say DEI is as much of a priority as it was before the Supreme Court’s decision. Despite this commitment, the study also identified DEI as a challenge to corporations, as executives try to “find a balance” among competing priorities in the shifting legal and political landscape.
- The New York Times, “D.E.I. Goes Quiet” (January 13): The New York Times’ Sarah Kessler asks whether the recent decrease in visibility of corporate DEI programs means companies have “pulled back” on DEI, or whether they have simply “changed how they approach and talk about it.” Kessler asked this question of Paradigm CEO Joelle Emerson, who suggested that the pushback against diversity programs has led some companies to rebrand their efforts as a broader attempt to improve workplace culture. Porter Braswell, founder of the professional membership network 2045 Studio, told Kessler that many companies are opening diversity programs to all employees and reframing them as opportunities to increase representation of diverse experiences. Experts have different opinions on this rebranding. Braswell said that what mattered was that the “end goals of these diversity initiatives and programs will not change.” But Misty Gaither, vice president of diversity, inclusion, equity and belonging at Indeed, advocated against walking back the use of the term DEI: “The data says that all of these positive things happen when you have diversity, equity and inclusion. So we’re not going to mask it or call it something different.”
Case Updates:
Below is a list of updates in new and pending cases:
1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:
- Am. Alliance for Equal Rights v. Fearless Fund Mgmt., LLC, No. 1:23-cv-03424-TWT (N.D. Ga. 2023), on appeal at No. 23-13138 (11th Cir. 2023): AAER sued a Black women-owned venture capital firm with a charitable grant program that provides $20,000 grants to Black female entrepreneurs; AAER alleged that the program violates Section 1981 and sought a preliminary injunction. Fearless Fund is represented by Gibson Dunn.
- Latest update: On January 3, AAER filed its reply in support of its merits brief before the Eleventh Circuit. AAER reiterated that it had standing despite the use of pseudonymous declarations by members, and also claimed the fact that the members had never applied to the contest was irrelevant because Fearless Fund explicitly excluded non-Black non-female businesses. AAER also challenged Fearless Fund’s characterization of the program as legal affirmative action, arguing that the use of blanket racial categorizations lacked the structured, measurable benchmarks of a valid affirmative action program under 29 U.S.C. § 1608, and was not sufficiently tailored to meet strict scrutiny. AAER also reasserted that Fearless Fund’s program is a contract, and that any changes to the program’s rules made after the litigation began should not exempt Fearless Fund from liability. Finally, AAER argued that Fearless Fund’s program should be considered a contest rather than a charitable donation program, and that, as a result, it lacked the requisite expressive content to constitute protected speech under the First Amendment. Oral argument is scheduled for January 31, 2024.
- Roberts & Freedom Truck Dispatch v. Progressive Preferred Ins. Co., et al., No. 23-cv-1597 (N.D. Oh. 2023): On August 16, 2023, plaintiffs represented by AFL sued defendants Progressive Insurance and Hello Alice, alleging that defendants’ grant program that awarded funding specifically to Black entrepreneurs to support their small businesses violated Section 1981.
- Latest update: On December 21, 2023, a coalition of four civil rights organizations filed a motion requesting leave to file an amicus brief on behalf of the defendants, which the court granted on January 2. In their brief, the civil rights groups argued that historical evidence from the 1866 Congress that passed Section 1981 shows that Congress’s overriding intent was to grant Black citizens the tools to be independent and empowered actors in the economy. Thus, they argued, interpreting the statute to impede voluntary private philanthropy like a grant program that supports Black economic mobility would subvert Congress’s intent and misread the statute. On January 3, the plaintiffs amended their complaint, adding new exhibits and pleading additional facts to support their contention that the grant program at issue is a contract and not a charitable donation. The defendants’ motion to dismiss the amended complaint is due February 7, 2024.
- Do No Harm v. Vituity, No. 3:23-cv-24746-TKW-HTC (N.D. Fla. 2023): On December 8, 2023, Do No Harm, an advocacy group representing doctors and healthcare professionals, sued a nationwide physician partnership that runs a Bridge to Brilliance Incentive Program—a DEI and recruitment program that advertises a sign-on bonus and benefits specifically to qualified Black physicians. The plaintiff alleged the program violates Section 1981 as well as Section 1557 of the Affordable Care Act, which prohibits discrimination by healthcare providers receiving federal financial assistance. Do No Harm sought a temporary restraining order and preliminary injunction, barring the defendant from closing the application period on December 17, 2023.
- Latest update: On January 3, the parties voluntarily dismissed the case after Vituity ended the challenged incentive program. In a joint stipulation of dismissal, Vituity stipulated to having “already made the decision to end the Black Physician Leadership Incentive.” The company agreed that “moving forward, when applicable, while reviewing applications for incentives, Vituity may only take into consideration how race affected a physician’s life, be it through discrimination, inspiration, or otherwise,” paraphrasing language the Supreme Court used in SFFA v. Harvard to describe a permissible use of race in the school admissions context.
- Landscape Consultants of Texas, Inc. v. City of Houston, No. 4:23-cv-3516 (S.D. Tx. 2023): Plaintiff landscaping companies owned by white individuals challenged Houston’s government contracting set-aside program for “minority business enterprises” that are owned by members of racial and ethnic minority groups. The companies claim the program violates the Fourteenth Amendment and Section 1981.
- Latest update: On December 20, the plaintiffs filed their opposition to the City of Houston’s motion to dismiss. As to their alleged injury-in-fact, the plaintiffs argued that they did not need to plead that they lost contracts due to the minority business enterprise policy; rather, they only needed to allege that the policy forced them to compete for contracts on an unequal basis. Further, the plaintiffs argued that Equal Protection claims do not require an allegation of racial animus when challenging a facially-discriminatory government program.
2. Employment discrimination under Title VII and other statutory law:
- Farkas v. FirstEnergy Corp. et al., No. cv-23-986280 (Ohio Ct. Common Pleas Cuyahoga Cty.): On September 29, 2023, a white male former corporate counsel at FirstEnergy sued the company under Ohio’s antidiscrimination statute, alleging that he was fired in retaliation for expressing concerns about the company’s DEI programs.
- Latest update: On December 19, 2023, FirstEnergy filed its motion to dismiss the complaint under seal, arguing in the unsealed portions that the plaintiff failed to provide sufficient notice of the claims being asserted, that some of his claims are time-barred, and that he failed to state a claim under Ohio procedural law. The plaintiff filed his opposition, also under seal, on January 8.
- Grande v. Hartford Board of Education et al., No. 3:24-cv-00010-JAM (D. Ct. 2024): On January 3, 2024, Plaintiff, a white male physical education teacher in the Hartford school district, filed suit against the Hartford School Board after allegedly being forced to attend mandatory DEI trainings. He claimed that he objected to the content of a mandatory professional development session focused on race and privilege, stating that he felt “white-shamed” after expressing his political disagreement with the training’s purposes and goals, and that he was thereafter subjected to a retaliatory investigation and was wrongfully threatened with termination. He claims the school’s actions constitute retaliation and compelled speech in violation of the First Amendment.
- Latest update: According to the docket, the defendant has not yet been served with the complaint.
3. Educational Institutions and Admissions (Fifth Amendment, Fourteenth Amendment, Title VI, Title IX):
- Students for Fair Admissions v. U.S. Military Academy at West Point et al., No. 7:23-cv-08262 (S.D.N.Y. 2023), on appeal at No. 24-40 (2d Cir. 2024): On September 19, 2023, SFFA sued West Point Academy, arguing that affirmative action in its admissions process, including alleged racial “benchmarks” of “desired percentages” of minority representation, violates the Fifth Amendment of the U.S. Constitution by taking applicants’ race into account.
- Latest update: On January 3, 2024, the court denied SFFA’s request for a preliminary injunction. Although the court found that SFFA had standing to sue notwithstanding its reliance on pseudonymous members, it held that the organization failed to satisfy the factors warranting a preliminary injunction. For likelihood of success on the merits, the court emphasized that SFFA had a very high burden to prove a negative (that West Point was not likely to be able to justify its race-conscious admissions with a compelling government interest) with limited and speculative facts at the preliminary injunction stage. The court found that the speculative “patchwork” of putatively non-compelling interests and justifications that SFFA attributed to West Point in its complaint did not actually align with those offered by the government at oral argument, muddling rather than clarifying the legal issues. Further, the court stated that the Supreme Court’s instructions to give “great deference” to military authorities encouraged the court to be apprehensive of rendering a preliminary decision “without a full understanding . . . as to what exactly are the compelling interests asserted [and] to whom those compelling interests belong.” As a result, the court found that SFFA’s request for a preliminary injunction at most “creates questions of fact,” falling short of the “clear showing required for the extraordinary and drastic remedy sought.” On the other factors, the court found that SFFA did not establish irreparable harm because it appeared its pseudonymous members were still eligible for admission to West Point. The court also held that the public interest and the balance of the equities favored West Point because an injunction would disrupt West Point’s ongoing admissions cycle and potentially lead to withdrawn admission offers. On January 4, SFFA filed an emergency appeal to the Second Circuit, requesting immediate review of the district court’s decision.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:
Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)
Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, mdenerstein@gibsondunn.com)
Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, zswilliams@gibsondunn.com)
Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, msenger@gibsondunn.com)
Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, bevanson@gibsondunn.com)
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Data analytics technology has now matured to a point where companies should consider how to harness it for enhancing compliance around their corporate financial and sustainability disclosures.
I. INTRODUCTION AND SCOPE
As computing technology develops at a mind-boggling pace, companies are thinking more creatively about how to leverage data science and analytics, including through the use of artificial intelligence (AI) (collectively, data analytics technology) across their operations. This alert provides guidance and recommendations regarding one specific area where clients should consider this technology: managing and mitigating compliance risks associated with the company’s public financial and sustainability disclosures.
We first provide some background on data analytics and artificial intelligence. Second, we provide a brief overview of the extent to which large market capitalization (large-cap) companies are using data analytics technology. We also discuss how companies are leveraging AI for specific objectives and how regulators are thinking about and employing data analytics technology. Third, we highlight specific risks associated with public disclosures, filings, and other statements, and present some ideas for how companies can use data analytics technology to mitigate those risks. We also discuss the risks companies may face through activism and litigation because of how third parties are using these technologies.
We provide four recommendations for companies to consider—or consider further—as they seek to better manage disclosure risks by using data analytics technology. These recommendations include ways in which companies may leverage both traditional data analytics tools[1]—which often require data scientists manually to compile and examine reports—and tools incorporating machine learning and AI capabilities[2] such that portions of the analysis may be automated.[3] Broadly, these recommendations are centered around using data analytics technology to more proactively:
- assess regulatory filings, investor disclosures, and public statements for areas of regulatory risk;
- understand, prepare for, and respond to activism and litigation relating to public disclosures;
- address fraud and non-compliance with corporate policies and procedures; and
- identify and combat misinformation in news and media coverage about the company and its business.
These recommendations are intended at a high level and many of them may be implemented using either traditional data analytics tools or AI capabilities. Moreover, AI and the legal frameworks governing its development and use are rapidly evolving, and, while the information in this alert is accurate as of the date of its writing, we are confident that subsequent developments will warrant continued evaluation of the relevant factual, technological, and legal landscape. Ultimately, the purpose of the discussion and recommendations below is to assist companies as they consider how to use these tools to enhance compliance around the company’s public financial and sustainability disclosures.
II. RELEVANT TECHNOLOGY AND RELATED CONSIDERATIONS
- Data Analytics
Data analytics (sometimes referred to as “data science” in the technology and academic sectors) involves the collection, transformation, and organization of data in order to draw conclusions, develop predictions, and support informed decision-making. Data analytics relies on data mining, data cleansing, data transformation, and data modeling to describe, predict, and improve performance. In the business context, data analytics has become an increasingly important tool for analyzing and shaping business processes, improving decision-making, and driving business results.
Broadly speaking, data analytics is commonly used in several ways:
- Descriptive analytics identifies trends and patterns in current or historical data to describe the state of affairs in a specified time period.[4] In the business context, data analytics is used to analyze business information and develop insights to inform business decisions.
- Diagnostic analytics uses data to identify, understand, and explain the reasons for past performance.[5]
- Predictive analytics uses statistical modeling, forecasting, and machine learning to analyze data produced by descriptive or diagnostic analytics and to make predictions about the future based on that analysis.[6]
- Prescriptive analytics uses machine learning and complex algorithms to build and test specific solutions to complex problems that can be implemented to solve business problems and drive improved results.[7]
Data analytics can be manual or automated, with automated processes relying on computers to generate results more efficiently, cost-effectively, and with minimal need for human intervention.
A recent example of non-AI data analytics tools that impact public companies is the Securities and Exchange Commission’s (SEC’s) Earnings Per Share Initiative, which uses “risk-based data analytics to uncover potential accounting and disclosure violations caused by, among other things, earnings management practices.”[8] Unlike other initiatives that focus on re-running financial data, the EPS initiative is using data analytics and other tools to uncover evidence of manipulation in reporting.[9] Although relatively simple compared to generative artificial intelligence (GAI), these data-based approaches can reveal large-scale manipulation due to human error (e.g., investigators review data to ensure that the proper ratio of the numeral “4” appears in data, as human manipulation tends to leave out the number 4, due to a tendency to round up or down).[10] Academic research on earnings management and accounting fraud has applied such methods or concepts to detect fraud by, for example, drawing correlations between CEO/CFO driving records and propensity for ostentatious lifestyles.[11] Regulators and analysts are using the methods developed in these papers to detect accounting fraud earlier and, according to the SEC’s latest budget request, it plans to put even more effort into developing its AI capabilities.[12]
- Artificial Intelligence
AI is a technology through which various computing and analytics tasks can be automated. “An AI system is a machine-based system that is capable of influencing the environment by producing an output (predictions, recommendations or decisions) for a given set of objectives. It uses machine and/or human-based data and inputs to (i) perceive real and/or virtual environments; (ii) abstract these perceptions into models through analysis in an automated manner (e.g., with machine learning), or manually; and (iii) use model inference to formulate options for outcomes. AI systems are designed to operate with varying levels of autonomy.”[13] For example, AI systems can be used to automate any of the four types of data analytics described above. AI systems can be designed to automatically analyze data, identify issues, propose solutions, and predict how a solution will work. With that information in hand, human decision-makers can decide whether or not to take a proposed course of action. AI systems can also be designed to be fully automated. That is, once an AI system has identified a problem and proposed and tested a solution, it can decide whether to implement the solution without human intervention.
To be able to propose and test solutions to complex problems—and even take independent action—an AI system relies on training models that consume and process vast amounts of data. The lifecycle of an AI system involves several phases: “i) ‘design, data and models’; which is a context-dependent sequence encompassing planning and design, data collection and processing, as well as model building; ii) ‘verification and validation’; iii) ‘deployment’; and iv) ‘operation and monitoring’. These phases often take place in an iterative manner and are not necessarily sequential.”[14]
III. GENERAL USE CASES FOR ANALYTICS IN THE COMPLIANCE SPACE
- Current State of the Use of Data Analytics Technology
Although companies are rapidly adopting data analytics technology, its use for managing risk and compliance has lagged somewhat. Deloitte conducted a recent study of large-cap companies by surveying members of the Society for Corporate Governance.[15] The study found that nearly half of all respondents reported that the use of AI tools was neither expressly permitted nor prohibited within their company. However, among large-cap respondents, only 25% reported that the use of AI tools is simply not addressed by company policies, with 36% of large-cap respondents reporting that they allow for AI use for specific purposes, and 14% of large-cap respondents permitting use for any purpose.[16]
Among large-cap respondents, 17% reported that they do not currently have any AI use framework, AI policy, or AI code of conduct in place, while 47% are “currently considering” implementing such policies and frameworks.[17] Notably, among all respondents (including mid- and large-cap), only 13% have specific AI-related policies or frameworks in place.[18] However, 57% of large-cap respondents are currently considering revising corporate policies (including privacy, cyber, risk management, etc.) to address the use of AI.[19]
Although AI use cases span many industries, the AI-related attention (including usage, strategy, impact, disruption, competitive advantage, and risk) of large-cap respondents was focused primarily on sales/marketing (55%), product development (48%), legal (42%), human resources (36%), risk (30%), and finance/accounting (21%).[20]
With respect to internal company management of AI, responsibility is primarily delegated to IT/tech (56% of large-cap respondents), a cross-functional working group (47% of respondents), and legal (34% of respondents). At the board level, 25% of large-cap respondents reported not expressly delegating authority for primary oversight of AI, 19% reported that the topic has not yet been addressed at the board level, 19% place responsibility with the audit committee (or similar), 13% place responsibility with the technology committee, another 13% place authority with the full board, and notably only 3% place responsibility with the risk committee.[21]
There is a risk that at least some employees are using AI in a way that is not on the companies’ radar. A recent survey by the Conference Board found that “56% of workers are using generative AI at work but only 26% of those respondents said their organization has a policy related to its use.”[22] This use of AI presents risks, but it also shows the promise that AI presents across a wide variety of corporate functions.
- Risks and Opportunities in the Use of Environmental Data Analytics Technology
Despite a relatively low rate of adoption of data analytics technology by large companies, smaller companies and organizations are already building such tools, especially to push for additional environmental and sustainability measures. These tools are not just novelties. They pose potential risks to companies because governments across the world are requiring the disclosure of increasingly large amounts of environmental and sustainability data. Environmental activists and large, especially European, investors are likewise demanding the disclosure of sustainability data, including human rights, supply chain, and human capital information. This disclosure of ever-larger amounts of data combined with increasingly powerful computing technology creates an ever-more-risky disclosure environment for public companies.[23]
Some examples of tools that are publicly known include Climate TRACE, which tracks and inventories companies’ emissions in real-time;[24] GreenWatch, which compares companies’ green claims to emissions performance;[25] Datamaran, which reviews and analyzes corporate governance data to assess a company’s ESG performance and identify areas for improvement;[26] Manifest Climate, which compares companies’ data to reporting frameworks, regulations, and peers;[27] and JUST Capital, which uses AI to rank companies on the basis of “just” business behavior, emphasizing ESG factors.[28] BreezoMeter offers real-time air quality data, promoting environmental transparency and awareness.[29] ClarityAI provides sustainability data to allow users to invest, shop, and benchmark based on that data.[30] These tools create risks but also present opportunities.
Of course, companies could consider using some of these tools, such as Datamaran or Manifest Climate, to their own advantage, especially to evaluate their compliance with complex regulations and ESG rules, and to compare their disclosures and metrics to other peers. Additionally, companies could consider using tools such as SustainLab, which provides a comprehensive platform for sustainability data management and reporting;[31] Ecogain, which uses AI to assist companies in setting and achieving sustainability goals;[32] and Turntide Technologies, which uses AI to optimize energy consumption in buildings.[33] Such tools could, for example, help companies ensure they comply with their state and federal reporting requirements.
- SEC Recognition of Opportunities for the Use of AI
As companies have increasingly begun to deploy AI, the SEC has begun to consider how AI can be used to enhance its compliance and enforcement efforts. The agency describes several uses of AI in its most recent budget request to Congress, which describes the SEC’s “broader undertaking to initialize and integrate machine-learning and artificial intelligence-supporting technology, with the ultimate goal to innovate and develop usable tools for the staff that deploy predictive and information visualization models to create data analytics efficiencies, particularly in the rulemaking context, where the staff routinely receives significant and diffuse feedback from market participants during open comment periods.”[34]
In a September 10, 2023 speech to the annual meeting of the North American Securities Administrators Association (NASAA), SEC Commissioner Mark T. Uyeda discussed some of the potential benefits of AI use, including decreased operational costs for companies and expanded access to investors.[35] Importantly, Commissioner Uyeda also discussed how AI can be used to improve compliance efforts by both companies and regulators. For companies, Commissioner Uyeda noted that they will be able to use AI to detect fraud, monitor data, flag risk indicators, and identify patterns in data much faster.[36] Such uses might reduce costs for companies, result in more accurate determinations of compliance violations, and inform decisions about whether findings need to be escalated, including to regulators and law enforcement.[37] For regulators, AI can help sift through the large volumes of data included in Exchange Act filings, for example. Regulators can use AI to evaluate those filings and identify areas of potential risk.
IV. RISK MANAGEMENT STRATEGIES AND RECOMMENDATIONS
The growing use of data analytics technology by activist organizations and regulators to challenge companies’ business practices and regulatory disclosures puts pressure on companies to consider what actions they might take to implement tools of their own to respond to and preempt such efforts. We discuss four risk areas below: public disclosures and statements, activism and litigation, fraud and non-compliance with corporate policies, and misinformation about the company in news and media coverage. These risk areas intersect and impact one another. Accordingly, companies should consider how to leverage the tools discussed below across risk areas where appropriate.
However, it is important to take all the recommendations below as intended: Not as a promotion of any particular method or product but as an encouragement to consider how data analytics technology can help a company mitigate the risks created by the increasingly data-driven scrutiny of corporate financial and sustainability disclosures.
- Leverage Data Analytics Technology to Assess Regulatory Filings, Investor Disclosures, and Public Statements for Areas of Regulatory Risk
Public companies are required and urged to disclose large amounts of information, and those disclosures must comply with an increasingly complex array of regulatory and third-party oversight. These disclosures create the potential for hundreds of opportunities for simple human error and intentional or reckless misstatements or omissions that are always judged in hindsight. Ensuring compliance with these requirements can be challenging, even under established, longstanding regulatory regimes.
Existing disclosure requirements present sufficient compliance risks because, as noted above, the SEC has already begun proactively using data analytics technology to identify non-compliance.[38] Compliance is even more challenging when regulators adopt new disclosure requirements, which has been happening at a torrid pace. Without a clear interpretation, an enforcement track record, or guidance from courts, new disclosure rules can create significant regulatory uncertainty, increasing risk for companies required to file under the new rules. For example, the SEC’s new rules on cybersecurity disclosures for public companies significantly changed the status quo—imposing a substantial burden and introducing complexity to incident response for all public companies.[39]
Additionally, in the coming months, the SEC is expected to finalize new rules that would require public companies to disclose in their 10-Ks a potentially expansive amount of data relating to environmental and climate risks.[40] Not to be outdone, the California Legislature recently passed two bills that will impose significant and mandatory climate-related reporting requirements for large public and private companies doing business in California.[41] The bills require annual disclosure of audited Scope 1, 2, and 3 greenhouse gas emissions and biennial disclosure of certain climate risks.[42] The European Union is also implementing several directives over the coming years that will require multinational companies to disclose environmental, social, and governance data[43] and extensive human rights impacts across their value chains.[44] These directives and rules collectively will result in significantly more disclosures and could—indeed, are intended to—heighten the compliance, investigation, and litigation risks for companies.
There are several ways companies could use data analytics technology to assess and mitigate the risks posed by current and coming disclosure requirements. As an initial matter, companies could use some of the third-party tools described above to test their data and disclosures.[45] Companies could use existing data sets of SEC comment letters and enforcement actions to develop their own lists of SEC hot topics and trends. Companies could use data analytics technology to compare the disclosures of peer companies and compare those disclosures against their own. This type of analysis could help companies identify whether peers are handling their disclosures differently and inform changes to their disclosures if the analysis identifies gaps. Especially in uncertain or new regulatory environments, such as the SEC’s new cybersecurity reporting rules and its proposed emissions reporting rules, evaluating and learning from the disclosures of peer firms is an important way to mitigate risk. Data analytics technology can make that process more efficient and dynamic.
Companies could also employ data analytics technology to learn from the mistakes peer companies have made with their disclosures. For example, companies could analyze SEC or Environmental Protection Agency (EPA) enforcement actions and identify the issues that triggered regulatory scrutiny. Data analytics technology could enable analysis of a vast number of relevant enforcement actions to discern key compliance errors or patterns of enforcement. Companies could also cross reference the disclosures of peer companies against SEC or EPA enforcement actions to identify which disclosures triggered investigation and enforcement.
Looking inward to the company’s own data, data analytics technology could be used to evaluate internal controls and monitor and analyze hotline or whistleblower complaints. Similarly, companies could employ data analytics technology to analyze their own historical disclosures and compare them against current enforcement priorities and new regulations to determine what the potential risks are and what, if any, sections of the disclosures need to be updated or modified.
Companies also can learn from financial analysts and academics, who have devised ways to identify fraudulent activity in financial statements. None of these methods are proven, but combined, analytical methods like pattern recognition, Benford’s Law,[46] textual analysis of disclosures,[47] and ratio analysis can be proactively employed to test the company’s own information. The requirement by the SEC that companies disclose much of their data using XBRL (eXtensible Business Reporting Language) format means that much of the companies’ key data is reported in machine-readable, structured data format. This makes it easier for investors and third parties to analyze,[48] but also for companies to perform their own analyses.
Caution is warranted as companies begin to incorporate the use of these tools. Recent reporting has highlighted the shortcomings of AI when it comes to analyzing disclosures such as SEC filings.[49] Indeed, researchers have found that as of this writing, AI models are only able to answer relevant questions about an SEC filing with 79% accuracy.[50] However, the use of AI for discrete tasks that have been shown to produce accurate results and the use of non-AI data analytics on larger tasks, like the methods described above, may be valuable ways to improve a company’s disclosure review process. Moreover, it will be important to continue to monitor AI’s capabilities as the technology in this space is developing quickly.
- Leverage Data Analytics Technology to Understand, Prepare for, and Respond to Activism and Litigation Relating to Public Disclosures
Companies may also be able to use data analytics technology to mitigate activism and litigation risk. Increasingly, activists and other organizations are using data analytics technology to evaluate companies’ advertisements, press releases, and disclosure documents and to compare them against actual performance, regulatory frameworks, and desired policy goals. This analysis can often result in shareholder activism, litigation or regulatory scrutiny, and reputational damage to the company.
Climate activist organizations have taken a particular interest in this approach, leveraging a growing number of data analytics technology tools to evaluate and report on companies’ climate change and environmental activities. For example, Datamaran reviews and analyzes corporate governance data, including ESG risks and opportunities, to assess a company’s ESG performance and identify areas for improvement.[51] Climate TRACE independently tracks companies’ emissions in real time, and has been described as the “world’s first global emissions inventory.”[52] GreenWatch contrasts companies’ green or sustainability claims against their actual emissions performance, and has been advertised as AI to detect “greenwashing.”[53]
Another existing tool is provided by Manifest Climate, which compares company data to reporting frameworks and regulations, as well as to peers. Using a dashboard format, Manifest Climate promises to employ AI to help companies with sustainability compliance and strategy. Specifically, the tool is designed to help companies “identify their climate-related risks and opportunities, track peer action and market trends, and provide better disclosures aligned with global reporting standards and frameworks including TCFD, SEC, CSA, ISSB and more.”[54] It promises to allow companies to compare themselves to peers, identify sustainability actions the company is taking that it is not disclosing, and serve as a climate risk management solution. These offerings are examples of ways companies may benefit from AI applied to sustainability reporting. The tool, and the others discussed throughout this memo, show some of the early capabilities that third parties are likely to apply against companies’ data.
Companies can likewise use AI to evaluate activists’ claims, employing their own analytics to evaluate and respond to allegations regarding inaccurate or misleading statements in their marketing materials, on their websites, and in their public filings and statements. This is a useful defensive tool, not just to respond to claims made in activist campaigns or shareholder engagements, but also to claims made in the media that may affect corporate reputation, trigger shareholder proposals or proxy fights, or draw regulatory scrutiny.
Data analytics technology can also play a role in mitigating risk in specific litigation. For example, in support of claims based on misleading statements and/or deceptive marketing, plaintiffs often pull statements from particular documents at particular times and use them out of context. Companies facing such a lawsuit could consider using data analytics technology to analyze those statements, support responsive filings, and build a more complete and accurate narrative. But it is critical that companies comply with court orders and any other applicable rules and requirements, including rules of professional conduct, when using AI in the litigation context and strictly avoid relying on AI-generated content for filings or strategy.[55]
That said, the proactive use of data analytics technology is becoming more important in light of the increasing government focus on sustainability disclosures. In addition to the SEC’s efforts discussed above, the Federal Trade Commission (FTC) provides another example of increasing government scrutiny that creates risk. Under section 5 of the Federal Trade Commission Act, the FTC has the authority to “prevent persons, partnerships, or corporations” from using “unfair or deceptive acts or practices in or affecting commerce.”[56] There is a risk that a company’s public sustainability statements may come under scrutiny for being allegedly unfair or deceptive.
For example, activists are placing particular emphasis on so-called “greenwashing” statements and are pressuring the FTC to step in. In fact, the FTC has taken some action in this area, requesting public comment on its Guides for the Use of Environmental Marketing Claims (Green Guides).[57] First issued in 1992 and most recently revised in 2012, the Commission’s Green Guides, 16 C.F.R. part 260, address the applicability of section 5 of the FTC Act to environmental advertising and labeling claims.[58] The Green Guides outline general principles applicable to all environmental marketing claims, and provide specific guidance regarding many common environmental benefit claims.[59]
The EU’s proposed Green Claims Directive likewise will expand the regulatory scrutiny over sustainability claims. The directive lists actions “which are to be considered misleading if they cause or are likely to cause the average consumers to take a transactional decision that they would not have otherwise taken” and expands the lists of “commercial practices which are considered unfair in all circumstances . . . to four practices associated with greenwashing.”[60] It also imposes detailed substantiation requirements on sustainability claims.
With respect to FTC requests for comments about rulemaking, companies could employ AI to mine the comment submissions for keywords or themes. AI may help identify instances where the company’s interests are specifically mentioned and in what context. It could also recognize patterns in the comment submissions that home in on the issues most addressed by commenters to help focus the company’s responses on the key issues. Moreover, companies could use this approach with respect to analyzing any large agency docket or action in which they are interested, understanding the critical issues, and formulating a responsive strategy. Regardless, companies should monitor the market because these types of tools are improving in quality and sophistication.
As a more general matter, companies can use data analytics technology both proactively and defensively to ensure that their public statements do not run afoul of these developing rules and standards. As described above, companies could employ data analytics technology to analyze and learn from the public statements of other companies, especially those of competitors. Companies could use the results to evaluate whether their public statements conform to standard practice and whether any similar statements have drawn regulatory scrutiny. More defensively, in an environment where third parties are using AI tools to analyze a company’s public statements, companies can use AI tools to run their own internal analyses of public statements prior to publication to identify and remediate any potential issues likely to be seized on by regulators, plaintiffs, or activists.
- Increase the Use of Data Analytics Technology to Address Fraud and Non-Compliance with Corporate Policies and Procedures
Fraud and non-compliance with corporate policies and procedures are not new risks for companies, but as regulators increasingly employ new tools to detect fraud—as noted above—it is imperative that companies leverage data analytics technology internally to mitigate risk. Using basic Structured Query Language (“SQL”) tools, for instance, companies are already using data analytics technology to continuously monitor and audit vast and complex data streams, looking for anomalies or behavioral patterns that may indicate fraud. SQL queries can compare data across tables and use statistical functions to identify discrepancies or outliers in data. SQL can be used to generate summary reports, which can be used to identify trends and patterns in data. Queries can also be used to analyze trends in data over time by comparing data across audits performed in different time periods.[61] Major banks already use data analytics technology to identify credit card and banking fraud and to maintain compliance with anti-money laundering and other rules, so this is an area that is relatively advanced in terms of the availability of off-the-shelf tools.[62] Some companies have been using data analytics technology to identify employee fraud and monitor for anti-corruption compliance.[63] The results can be used to guide internal investigations and to inform recommendations on how to improve internal policies and controls.
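The three kinds of query described in this paragraph (a cross-table comparison, a statistical outlier test, and a comparison across audit periods) are shown here as an added example that is not part of the original memorandum. The table layout, column names, thresholds and sample rows are constructed for illustration, and Python's `sqlite3` module is used only so the SQL runs as written.

```python
import sqlite3

# Constructed sample data: a vendor master file and a payment ledger
# covering three audit periods. None of it comes from the memorandum.
VENDORS = [  # (vendor_id, name, approved)
    (1, "Acme Supplies", 1),
    (2, "Borealis Freight", 1),
    (3, "Cobalt Consulting", 0),  # onboarded but never approved
]
PAYMENTS = [  # (payment_id, vendor_id, period, amount)
    (1, 1, 1, 1000.0), (2, 1, 1, 1020.0), (3, 1, 1, 980.0),
    (4, 1, 2, 1010.0), (5, 1, 2, 990.0), (6, 1, 2, 1005.0),
    (7, 1, 3, 995.0), (8, 1, 3, 9000.0),
    (9, 2, 1, 500.0), (10, 2, 1, 510.0),
    (11, 2, 2, 490.0), (12, 2, 2, 505.0),
    (13, 3, 2, 2500.0),   # paid although the vendor is not approved
    (14, 99, 3, 750.0),   # vendor_id absent from the vendor master
]


def build_db():
    """Load the constructed ledger into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vendors (vendor_id INTEGER PRIMARY KEY,
                              name TEXT, approved INTEGER);
        CREATE TABLE payments (payment_id INTEGER PRIMARY KEY,
                               vendor_id INTEGER, period INTEGER, amount REAL);
    """)
    conn.executemany("INSERT INTO vendors VALUES (?, ?, ?)", VENDORS)
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)", PAYMENTS)
    return conn


def unapproved_payments(conn):
    """Cross-table comparison: payments with no approved vendor behind them."""
    return conn.execute("""
        SELECT p.payment_id, p.vendor_id
        FROM payments p
        LEFT JOIN vendors v ON v.vendor_id = p.vendor_id
        WHERE v.vendor_id IS NULL OR v.approved = 0
        ORDER BY p.payment_id
    """).fetchall()


def outlier_payments(conn, k=2.0, min_n=5):
    """Statistical test: payments more than k standard deviations from the
    vendor's mean. Squared deviations are compared with k*k*variance, so no
    square-root function is needed; vendors with fewer than min_n payments
    are skipped because the statistic is meaningless on tiny samples."""
    return conn.execute("""
        WITH stats AS (
            SELECT vendor_id, AVG(amount) AS mean
            FROM payments GROUP BY vendor_id HAVING COUNT(*) >= :min_n
        ),
        spread AS (
            SELECT p.vendor_id, s.mean,
                   AVG((p.amount - s.mean) * (p.amount - s.mean)) AS var
            FROM payments p JOIN stats s ON s.vendor_id = p.vendor_id
            GROUP BY p.vendor_id, s.mean
        )
        SELECT p.payment_id, p.vendor_id, p.amount
        FROM payments p JOIN spread s ON s.vendor_id = p.vendor_id
        WHERE (p.amount - s.mean) * (p.amount - s.mean) > :k * :k * s.var
        ORDER BY p.payment_id
    """, {"k": k, "min_n": min_n}).fetchall()


def period_spikes(conn, ratio=3.0):
    """Trend over time: per-vendor period totals (a summary report) joined to
    the previous period, flagging totals that grew by more than `ratio`."""
    return conn.execute("""
        WITH totals AS (
            SELECT vendor_id, period, SUM(amount) AS total
            FROM payments GROUP BY vendor_id, period
        )
        SELECT cur.vendor_id, cur.period, prev.total, cur.total
        FROM totals cur
        JOIN totals prev ON prev.vendor_id = cur.vendor_id
                        AND prev.period = cur.period - 1
        WHERE cur.total > :ratio * prev.total
        ORDER BY cur.vendor_id, cur.period
    """, {"ratio": ratio}).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("No approved vendor:", unapproved_payments(db))
    print("Amount outliers:   ", outlier_payments(db))
    print("Period spikes:     ", period_spikes(db))
```

Each flagged row is a lead for review rather than a finding: the thresholds here are arbitrary and would need tuning against a company's own payment history.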
- Use Data Analytics Technology to Help Identify and Combat Misinformation in News and Media Coverage About the Company and Its Business
News media reports about a company’s substantive business and compliance efforts may pose significant potential risks. News reports can serve as a trigger for government investigations, regulatory action, and lawsuits, and regulators and plaintiffs’ attorneys have been known to leverage information contained in such reports. They can also significantly impact corporate reputation and stock prices. Data analytics technology offers an efficient and automated method to comb the internet for relevant reports, articles, or statements, identify any misstatements or inaccuracies, and flag issues for decision. Such information could enable a company to quickly correct the record on inaccurate news pieces, publish responses, or address misleading statements through its public disclosures.[64]
V. CONCLUSION
Data analytics technology has now matured to a point where companies should consider how to harness it for enhancing compliance around their corporate financial and sustainability disclosures. There is far more growth to come, but there are opportunities for assessing regulatory filings and public disclosures; understanding and responding to activism and litigation; addressing fraud and non-compliance with corporate policies and procedures; and identifying and combating misinformation in news and media coverage about the company and its business. As regulators, activists, and others ramp up their data-driven scrutiny of corporate financial and sustainability disclosures, companies may want to stay ahead of those efforts.
__________
[1] As generally understood in the technology sector, data analytics (also known as data science) is a technology-agnostic discipline in which the data collected, generated, and maintained by an organization is subjected to statistical analysis for the purposes of providing the organization with insights relevant to its operations and objectives such that it can guide decision-making and help solve other organizational problems. Data analytics can be used, for example, in product development, supply chain management, and financial modeling. Data analytics also may help to identify and mitigate legal and compliance risks, which are the focus of this memorandum. For more information, see generally, e.g., Thor Olavsrud, What is data analytics? Analyzing and managing data for decisions, CIO (June 7, 2022), https://www.cio.com/article/191313/what-is-data-analytics-analyzing-and-managing-data-for-decisions.html.
[2] In the context of this alert, we discuss the capabilities of AI only as related to the analysis and mitigation of compliance risks, such that companies may consider that AI is not entirely distinct from data analytics.
[3] “An AI system is a machine-based system that is capable of influencing the environment by producing an output (predictions, recommendations or decisions) for a given set of objectives.” OECD.AI Policy Observatory, OECD AI Principles overview, https://oecd.ai/en/ai-principles (last visited Oct. 2, 2023).
[4] See Olavsrud, supra note 1.
[5] Id.
[6] Id.
[7] Id.
[8] Securities and Exchange Commission, SEC Charges Gentex and Chief Financial Officer in Connection with EPS Initiative (Feb. 7, 2023), https://www.sec.gov/enforce/34-96819-s.
[9] See here. Silver Law Group, What To Know About The SEC’s “EPS Initiative” (June 16, 2023), here.
[10] See Dave Michaels, SEC Probes Whether Companies Rounded Up Earnings Per Share, Wall St. J. (June 22, 2018), https://www.wsj.com/articles/sec-probes-whether-companies-rounded-up-earnings-1529699702?mod=article_inline.
[11] David Woodcock, Accounting Fraud: Down, But Not Out, Law360 (Sept. 11, 2015, 10:38 AM EDT), https://www.law360.com/articles/700727. (“There are now thousands of academic research papers on earnings management and accounting fraud, on the motivations, financial impacts and detection methods, among other things. They apply methods or concepts like Benford’s Law, quadrophobia, Beneish M-Scores, F-Scores, and cash flow variances, and they draw correlations between CEO/CFO driving records and propensity for ostentatious lifestyles. Their work is being used by regulators and analysts to detect accounting fraud earlier.”). The point here is that the SEC’s use of these tools is not new, but it is increasing as the agency seeks to harness data analytics technology for use in its review of public company disclosures and accounting.
[12] Securities and Exchange Commission, SEC Fiscal Year 2024 Congressional Budget Justification Annual Performance Plan (SEC 2024 Budget), 26, at https://www.sec.gov/files/fy-2024-congressional-budget-justification_final-3-10.pdf (“In addition, the SEC intends to invest in artificial intelligence/machine learning (AI/ML) and other capabilities to address the growing volume of data it receives, processes, analyzes, and makes available to the investing public.”).
[13] OECD.AI Policy Observatory, supra note 3.
[14] Id.
[15] Natalie Cooper, Bob Lamm, & Randi Val Morrison, Board Practices: Artificial intelligence, Harvard Law School Forum on Corporate Governance (Sept. 2, 2023), https://corpgov.law.harvard.edu/2023/09/02/board-practices-artificial-intelligence/#more-158903
[16] Id.
[17] Id.
[18] Id.
[19] Id.
[20] Id.
[21] Id.
[22] Frederic Lee, Employee AI Use Outpacing Workplace Policies, Agenda Week (Sept 29, 2023), here.
[23] David Woodcock, ESG and The Board: Avoiding Risky Business, The Corporate Board (Sept./Oct. 2023) (“[S]ustainability and ESG reports highlighting corporate disclosures and commitments have grown considerably in length over the past few years. According to one study, these have grown from an average length of 102 pages in 2019 to 165 pages in 2022. Almost every large company produces one.”).
[24] Climate TRACE, https://climatetrace.org/ (last viewed Oct. 2, 2023).
[25] GreenWatch, http://greenwatch.ai/ (last viewed Oct. 2, 2023).
[26] Datamaran, https://www.datamaran.com/ (last viewed Oct. 2, 2023).
[27] Manifest Climate, https://www.manifestclimate.com/ (last viewed Oct. 2, 2023).
[28] JUST Capital, https://justcapital.com/ (last viewed Oct. 2, 2023).
[29] BreezoMeter, https://www.breezometer.com/air-quality-map/ (last viewed Oct. 2, 2023).
[30] ClarityAI, https://clarity.ai/ (last viewed Oct. 2, 2023).
[31] SustainLab, https://sustainlab.co/ (last viewed Oct. 2, 2023).
[32] Ecogain, https://en.ecogain.se/ (last viewed Oct. 2, 2023).
[33] Turntide Technologies, https://turntide.com/ (last viewed Oct. 2, 2023).
[34] SEC 2024 Budget, supra note 12, at 25 (noting the importance of two requested data analyst positions: “The positions are critical to the division’s effort to support the agency’s broader undertaking to initialize and integrate machine-learning and artificial intelligence-supporting technology, with the ultimate goal to innovate and develop usable tools for the staff that deploy predictive and information visualization models to create data analytics efficiencies, particularly in the rulemaking context, where the staff routinely receives significant and diffuse feedback from market participants during open comment periods.”); 26 (“In FY 2024, the SEC Cloud Center of Excellence will continue to help drive modernization efforts within the Commission. The cornerstone of this program is a cloud platform that will allow the SEC to increase mission capabilities and agility through the use of modern software tools to enable data visualization, artificial intelligence, and machine learning.”).
[35] Mark T. Uyeda, Remarks to the 2023 NASAA Fall Annual Meeting—Modernizing Investor Protection for the Digital Age, Securities and Exchange Commission (Sept. 10, 2023), https://www.sec.gov/news/speech/uyeda-remarks-nasaa-091023.
[36] Id.
[37] Id.
[38] See supra note 8 (discussing SEC’s EPS initiative).
[39] Client Alert, SEC Adopts New Rules on Cybersecurity Disclosure for Public Companies, Gibson, Dunn & Crutcher LLP (July 31, 2023), https://www.gibsondunn.com/sec-adopts-new-rules-on-cybersecurity-disclosure-for-public-companies/.
[40] SEC Proposes Rules to Enhance and Standardize Climate-Related Disclosures for Investors, U.S. Sec. & Exch. Comm’n (Mar. 21, 2022), https://www.sec.gov/news/press-release/2022-46.
[41] Client Alert, California Passes Climate Disclosure Legislation, Gibson, Dunn & Crutcher LLP (Sept. 27, 2023), https://www.gibsondunn.com/california-passes-climate-disclosure-legislation/.
[42] Id.
[43] Client Alert, European Corporate Sustainability Reporting Directive (CSRD): Key Takeaways from Adoption of the European Sustainability Reporting Standards, Gibson, Dunn & Crutcher LLP (Aug. 23, 2023), at https://www.gibsondunn.com/european-corporate-sustainability-reporting-directive-key-takeaways-from-adoption-of-european-sustainability-reporting-standards/.
[44] Client Alert, European Commission Proposes Far-Reaching Human Rights and Environmental Due Diligence Obligations, Gibson, Dunn & Crutcher LLP (Mar. 11, 2022), at https://www.gibsondunn.com/european-commission-proposes-far-reaching-human-rights-and-environmental-due-diligence-obligations/.
[45] Note the guidance in the concluding section on certain risks to consider when doing this, including confidentiality of sensitive company data.
[46] Benford’s Law as a Quality of Reporting Indicator, Ideagen Audit Analytics, https://blog.auditanalytics.com/benfords-law-as-a-quality-of-reporting-indicator/ (last visited Jan. 1, 2024).
[47] Loughran, Tim and McDonald, Bill, Textual Analysis in Finance (June 17, 2020), available at https://ssrn.com/abstract=3470272.
[48] Audit Analytics, https://www.auditanalytics.com/ (last visited Oct. 2, 2023).
[49] AI Models Only 79% Accurate When Asked About SEC Filings, PYMNTS (Dec. 19, 2023), https://www.pymnts.com/artificial-intelligence-2/2023/ai-models-only-79-accurate-when-asked-about-sec-filings/ (last visited Jan. 10, 2024).
[50] Id.
[51] Datamaran, supra note 26.
[52] Climate TRACE, supra note 24.
[53] GreenWatch, supra note 25.
[54] Manifest Climate, supra note 27.
[55] Peter Hayes, Attorneys Must Certify AI Policy Compliance, Judge Orders, Bloomberg Law (May 31, 2023) (discussing Judge Brantley Starr’s standing order on the use of AI), available at https://news.bloomberglaw.com/litigation/attorneys-must-certify-ai-policy-compliance-judge-orders.
[56] 15 U.S.C. § 45.
[57] Federal Trade Commission, Request for Public Comment, Guides for the Use of Environmental Marketing Claims, 87 Fed. Reg. 77766 (Dec. 20, 2022), https://www.regulations.gov/document/FTC-2022-0077-0001.
[58] Id.
[59] Id.
[60] European Commission, Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on substantiation and communication of explicit environmental claims (Proposed Green Claims Directive) (Mar. 22, 2023), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52023PC0166&from=EN. This proposed directive is intended to work together with an earlier directive. See European Commission, Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL empowering consumers for the green transition through better protection against unfair practices and better information (Proposed Greenwashing Directive) (Mar. 30, 2022), https://eur-lex.europa.eu/resource.html?uri=cellar:ccf4e0b8-b0cc-11ec-83e1-01aa75ed71a1.0012.02/DOC_1&format=PDF.
[61] Muhammad Musa Mazhar, Audit Analytics: When writing few lines of SQL can help detect billion dollar fraud, LinkedIn (Dec. 22, 2022), https://www.linkedin.com/pulse/audit-analytics-when-writing-few-lines-sql-can-help-detect-mazhar/.
[62] See, e.g., J.P. Pressley, Why Banks Are Using Advanced Analytics for Faster Fraud Detection, BizTech (July 25, 2023), https://biztechmagazine.com/article/2023/07/why-banks-are-using-advanced-analytics-faster-fraud-detection#:~:text; Denis Francis, Imke Jacob, and Fadi Zoghby, The Data and Analytics Edge in Corporate and Commercial Banking, McKinsey Report (Mar. 23, 2023), https://www.mckinsey.com/industries/financial-services/our-insights/the-data-and-analytics-edge-in-corporate-and-commercial-banking; Jamie Dimon, Chairman and CEO Letter to Shareholders, JP Morgan Chase & Co. Annual Report 2022, https://reports.jpmorganchase.com/investor-relations/2022/ar-ceo-letters.htm (“We already have more than 300 AI use cases in production today for risk, prospecting, marketing, customer experience and fraud prevention, and AI runs throughout our payments processing and money movement systems across the globe. AI has already added significant value to our company. For example, in the last few years, AI has helped us to significantly decrease risk in our retail business (by reducing fraud and illicit activity) and improve trading optimization and portfolio construction (by providing optimal execution strategies, automating forecasting and analytics, and improving client intelligence).”).
[63] See, e.g., Angie Sullivan & Mathias Ward, Four ways to use data analytics to identify corruption red flags, Tableau, https://www.tableau.com/blog/identify-corruption-red-flags-using-data-analytics (describing four steps to using data analytics: (1) Identify corruption risk factors; (2) Design analytics to identify corruption red flags; (3) Risk rank transactions and perform testing; (4) Use analytics to provide proactive alerting of high-risk transactions).
[64] Even where companies already engage in proactive monitoring of the Internet for relevant material, AI could be used to perform or improve some of those functions.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any of the leaders and members of the firm’s Artificial Intelligence, Securities Enforcement, or Securities Regulation and Corporate Governance practice groups, or the following authors:
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
David Woodcock – Dallas (+1 214.698.3211, dwoodcock@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914, fwaldmann@gibsondunn.com)
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, hdanilack@gibsondunn.com)
Artificial Intelligence:
Cassandra L. Gaedt-Sheckter – Co-Chair, Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Vivek Mohan – Co-Chair, Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Robert Spano – Co-Chair, London/Paris (+44 20 7071 4902, rspano@gibsondunn.com)
Eric D. Vandevelde – Co-Chair, Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Securities Enforcement:
Richard W. Grime – Co-Chair, Washington, D.C. (+1 202.955.8219, rgrime@gibsondunn.com)
Mark K. Schonfeld – Co-Chair, New York (+1 212.351.2433, mschonfeld@gibsondunn.com)
David Woodcock – Co-Chair, Dallas (+1 214.698.3211, dwoodcock@gibsondunn.com)
Securities Regulation and Corporate Governance:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
James J. Moloney – Co-Chair, Orange County (+1 949.451.4343, jmoloney@gibsondunn.com)
Lori Zyskowski – Co-Chair, New York (+1 212.351.2309, lzyskowski@gibsondunn.com)
*Samantha Yi is an associate working in the firm’s Washington, D.C. office who currently is admitted to practice only in Maryland.
From the Derivatives Practice Group: U.S. derivatives news has been slow during the last two weeks, but a few international developments may pique your interest.
New Developments
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping. [NEW]
- CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
- CFTC Chairman Announces Division of Data Appointments to Continue the CFTC’s Focus on Mission Critical Data. On December 21, CFTC Chairman Rostin Behnam announced two appointments in the Division of Data (DOD) intended to enhance the CFTC’s analytic capabilities as the agency aims to increase innovation in its data-driven culture. Ted Kaouk has been named Chief Data Officer and Director of DOD. Dr. Kaouk will spearhead data integration initiatives and collaborate with the CFTC’s offices and divisions in an attempt to help the agency make informed policy decisions. John Coughlan will serve as the agency’s first Chief Data Scientist. He will work to advance DOD’s data science expertise and expand the agency’s use of artificial intelligence to more effectively oversee the derivatives markets and meet its own regulatory requirements.
New Developments Outside the U.S.
- RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II. [NEW]
- Hong Kong Consults on Regulatory Regime for Stablecoins. On December 27, the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (HKMA) jointly issued a public consultation paper on the legislative proposal for implementing the regulatory regime for stablecoin issuers in Hong Kong. Under the proposed regime, an issuer would be required to obtain a license from the HKMA if it issues a stablecoin that references the value of one or more fiat currencies in Hong Kong. The licensed issuer will have to fulfil certain financial resources requirements, and will be required to put in place an effective stabilization mechanism, such as maintaining a pool of high-quality and highly-liquid reserve assets with proper custody arrangement. The proposed regime further imposes governance, risk management and AML/CFT measures on licensees. Interested parties are encouraged to submit written comments on or before February 29, 2024. [NEW]
- ESAs Propose to Extend Equity Option Margin Exemption by Two Years. On December 21, the European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority and the European Insurance and Occupational Pensions Authority – published draft regulatory technical standards (RTS) proposing a two-year extension (until January 4, 2026) to the exemption for equity options from bilateral margining under the European Market Infrastructure Regulation (EMIR). These RTS have to be endorsed by the European Commission and are subject to non-objection by the Council of the EU and the European Parliament before they enter into force. The draft RTS are accompanied by a statement from the ESAs that competent authorities “should not prioritise any supervisory or enforcement action” relating to bilateral margining for equity options until the entry into force of these amended RTS or the adoption of a long-term solution under EMIR 3, whichever occurs first. [NEW]
New Industry-Led Developments
- ISDA Updates OTC Derivatives Compliance Calendar. On January 3, 2024, ISDA updated its global calendar of compliance deadlines and regulatory dates for the over-the-counter (OTC) derivatives space. The updated calendar can be found on the ISDA website.
- ISDA Submits Response to HMT, FCA and PRA on UK EMIR. On December 20, ISDA and UK Finance submitted a joint response to His Majesty’s Treasury (HMT), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) on the reform of the UK EMIR. ISDA stated that ISDA and UK Finance submitted the response in an attempt to inform the next stage of the UK’s smarter regulatory framework reform package. In the response, the associations recommend a small number of clearly defined changes, seek certainty and permanence on current temporary exemptions and request an end to the current dependency on equivalence decisions for certain provisions (for instance, the intragroup exemption). [NEW]
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)
Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)
Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)
Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)
Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)
Adam Lapidus, New York (+1 212.351.3869, alapidus@gibsondunn.com)
Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)
Roscoe Jones Jr., Washington, D.C. (202.887.3530, rjones@gibsondunn.com)
William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com)
David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)
Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com)
Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)
Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)
Key provisions of this Act came into force on 26 December 2023 and could affect businesses around the world. It is therefore essential to have a clear understanding of the new laws and what they could mean for your organisation.
Following intensive debate, King Charles III gave royal assent to the Economic Crime and Corporate Transparency Act 2023 (“ECCTA”) on 26 October 2023. As we set out in our client alert of 18 September 2023,[1] and in an article for Börsen-Zeitung of 25 November 2023,[2] the UK Government has described the corresponding bill as the most significant reform of the “identification doctrine”, which governed the attribution of criminal liability to corporate entities for more than 50 years.
Key Takeaways
New Rules of Attributing Criminal Liability to Corporate Entities
The ECCTA introduces the concept of a “senior manager” which defines whose actions can be attributed to a corporate entity. It is anticipated that this will allow prosecutors to fix companies with criminal liability more easily, as they no longer have to rely on the vague and narrowly applied “identification doctrine” which relies on identifying “the directing mind and will of the corporation”.[3] The concept of “senior manager” will include any individual who plays a significant role in:
- the making of decisions about how the whole or a substantial part of the activities of the body corporate or partnership are to be managed or organised, or
- the actual managing or organising of the whole or a substantial part of those activities.[4]
At present, the new attribution rules only apply to offences specified in schedule 12 of the ECCTA which are called “listed offences”[5] and include various economic crime offences such as cheating the public revenue, false accounting, money laundering, bribery or fraud. However, this list is apt to be extended to other offences in the future. Indeed, on 14 November 2023, the UK Government introduced the Criminal Justice Bill 2023 which seeks to extend the new attribution laws to all types of crime for which corporate liability may be appropriate.[6] This bill is being considered by the House of Commons and it is currently unclear if and when it may be passed.
Extraterritorial Effect
A key feature of the new attribution laws is their wide extraterritorial effect. Corporate entities may be held criminally liable for an offence, even if the offending took place outside the UK as long as the offending would constitute a criminal offence in the location where it took place (see section 196(3) ECCTA).[7] Consider the following example:
A pharmaceutical company has a UK headquarters and a subsidiary in Germany, which has been underperforming. The Head of Accounting is based in Munich and is also a member of the management board of the German entity. She overstates the revenue of the German subsidiary when submitting the annual accounts in order to “smooth things over” until business improves. Therefore, the accounts of the Group were significantly inflated.
In Germany, this could constitute the offence of false accounting under section 331 of the Commercial Code (Handelsgesetzbuch). In the UK, this conduct could constitute false accounting under the Theft Act 1968 which is an offence listed in schedule 12 of the ECCTA. This means that both the German entity and the UK headquarters could potentially face prosecution in the UK.
Because the ECCTA does not require the corporate entity or partnership to be incorporated or formed in the UK, on its face, the ECCTA does not expressly require any particular tie to the UK. However, when introducing section 196(3), Parliament pointed out that a UK connection is required: “…criminal liability will not attach to an organisation based and operating overseas for conduct carried out wholly overseas simply because the senior manager concerned was subject to the UK’s extraterritorial jurisdiction; for instance, because that manager is a British citizen. Domestic law does not generally apply to conduct carried out wholly overseas unless the offence has some connection with the UK. This is an important matter of international legal comity.”[8]
The extraterritorial ambit of the underlying offence will be relevant. As Parliament also noted, some offences, wherever they are committed, can be prosecuted against individuals or organisations who have certain close connections to the UK. Consider this example:
A telecommunications company has a UK headquarters and a subsidiary in Germany. The German subsidiary recently pitched for a large contract in India which, if successful, would boost its business and benefit the whole group. The German Head of Sales thought the pitch went well, but in order to be sure, he offers his contact in India an all-expenses paid holiday at a five star resort in Spain, on the understanding that the German subsidiary will be awarded the contract.
In Germany, this could constitute the offence of giving bribes in commercial practice (sec. 299 of the German Criminal Code). In the UK, this conduct could constitute the offence of bribing another person under the UK Bribery Act 2010 (“UKBA”) which is an offence listed in schedule 12 of the ECCTA. Both corporate entities, i.e. the German subsidiary and the UK headquarters, could potentially face prosecution in the UK. Prior to the ECCTA, it would have been difficult to prove that a Head of Sales was a directing mind and will of the company and prosecutors would arguably only have been able to bring charges for failure to prevent bribery.[9] However, it is likely that the Head of Sales would fall under the definition of senior manager and therefore allow the corporate entities to be prosecuted for the principal bribery offence,[10] despite there being no involvement by a board member.
It is noteworthy that the new rules of attribution also apply to attempts or conspiracy to commit offences listed in schedule 12 as well as aiding, abetting, counselling or procuring the commission of those offences.[11] A senior manager may be based outside the UK but act as an accomplice to a UK offence. For example, a banker working for a Frankfurt bank could put the German bank at risk if he encouraged a London-based employee of its UK subsidiary to act in violation of the Financial Services and Markets Act 2000.
The new rules of attribution follow an international trend to hold legal entities more comprehensively accountable for criminal conduct committed by employees and other representatives. For instance, although German law does not recognise criminal liability of corporate bodies as such, the German Administrative Offences Act (Ordnungswidrigkeitengesetz, “OWiG”) allows a legal entity to be fined if certain “leading individuals” (Leitungspersonen) commit a criminal or an administrative offence. While some clarifications by the competent courts will be needed, the standard of a “leading individual” is arguably comparable with the notion of a “senior manager” now adopted under UK law.
The Offence of Failure to Prevent Fraud
The ECCTA introduces a new corporate offence of “failure to prevent fraud”[12] which, following a controversial debate between the House of Commons and the House of Lords, only applies to “large organisations”.[13] Before this offence comes into force, guidance must be published[14] and it is anticipated that this will happen in 2024.
Under the new offence, an organisation will be liable where a specified fraud offence is committed by an “associate” for the organisation’s benefit (an employee, subsidiary or agent, or a person who otherwise performs services for or on behalf of the organisation), and the organisation did not have reasonable fraud prevention procedures in place. Importantly, it does not need to be demonstrated that senior personnel ordered or knew about the fraud.
The new offence will apply to bodies corporate and partnerships wherever incorporated or formed.[15] However, the Government Factsheet envisages there being a UK nexus: “If an employee commits fraud under UK law, or targeting UK victims, their employer could be prosecuted, even if the organisation (and the employee) are based overseas.”[16] The offence is clearly intended to have a broad application and could, for example, apply to any organisation offering goods and services through a website or providing an internet marketplace accessible to consumers based in the UK.
In order for an organisation to be guilty of the offence of failure to prevent fraud, an offence listed in schedule 13 ECCTA has to be committed. The listed offences include, for example, the statutory offences of fraud, false accounting, false statements by company directors, fraudulent trading or the common law offence of cheating the public revenue.[17] This includes aiding, abetting, counselling or procuring the commission of a listed offence, but – in contrast to section 196(2) – does not extend to conspiracies.[18]
In order to understand the extraterritorial reach of the offence of failure to prevent fraud, the jurisdictional ambit of the underlying offences in schedule 13 should be considered. On the basis of the Criminal Justice Act 1993 and the common law principles, the courts of England and Wales can: “apply the English criminal law where a substantial measure of the activities constituting a crime take place in England, and restrict its application in such circumstances solely in cases where it can seriously be argued on a reasonable view that these activities should, on the basis of international comity, be dealt with by another country.” (see R v Smith (Wallace Duncan) (No. 4))[19]. Consider the following example:
An international construction firm incorporated in France planned to build and sell a number of holiday cottages across France. The holiday cottages were specifically marketed to and attracted a number of UK investors. The construction firm ran out of money making it highly unlikely that the cottages would be built. However, the managers directed their sales team to continue selling the cottages anyway. They also discussed the issue with the construction firm’s auditors which led to the auditors signing off accounts, knowing they did not reflect the true financial position of the construction company. The result was that many individuals in the UK who had invested in the properties lost considerable amounts of money.
In the example above, both the construction firm and the auditing company in France may be exposed to prosecution for the offence of failure to prevent fraud on the basis that UK victims were targeted. Given the changes to the “identification doctrine” set out above, there might also be an argument to prosecute both companies for the underlying offence of fraud by false representation,[20] given the impact on UK victims.
The above example also raises the question of whether corporate entities will be prosecuted for both the underlying offence e.g. fraud by false representation, and the offence of failure to prevent fraud for the same conduct. The Crown Prosecution Service guidance indicates that this is possible in relation to offences under the UKBA[21] but it does not appear to have happened in practice.
The underlying legal concept of the new offence and of similarly structured offences under English law,[22] is comparable with certain provisions under civil law systems (e.g. section 130 of the German OWiG)[23] which aim to sanction improper supervision.
Cooperation between Law Enforcement Agencies
The current trend of national enforcement authorities working together in cross-border cases is likely to continue and may expand to use the new legal tools under the ECCTA. In the examples set out above, it is conceivable that at least the individuals and the subsidiaries in Germany may find themselves prosecuted by German criminal law enforcers – in addition to prosecution by UK authorities.
In particular, the EU-UK Trade and Cooperation Agreement (“EU-UK Agreement”) governs the relationship between the EU and the UK post Brexit. It contains provisions about cooperation in criminal matters between the UK and EU Member States,[24] including mutual judicial assistance, surrender, exchange of criminal record information, and confiscation. Furthermore, the EU-UK Agreement strives to ensure that special EU enforcement agencies like Europol and Eurojust cooperate with UK authorities. In addition to cooperation between the UK and EU Member States, the UK is also party to numerous other bilateral treaties on mutual legal assistance in criminal matters.[25]
In its Annual Report for 2022, Eurojust stated that the United Kingdom participated in 29 Joint Investigation Teams and 79 coordination meetings.[26] While many investigations of Eurojust concern crimes like human trafficking and smuggling, these figures suggest that UK law enforcement may also seek cooperation in cases relating to offences under the ECCTA.
The new Director of the SFO, Nick Ephgrave QPM, has now been in place for just over three months, and it remains to be seen how he will guide the agency and use the new legal tools at his disposal and whether he continues the moves towards greater international cooperation. In the past, there have been several examples of successful cooperation between different enforcement agencies such as the settlement that Airbus SE reached with the UK, the United States and French authorities in 2020. All three settlement agreements were approved by the courts in each jurisdiction on the same day, indicating strong cooperation efforts between the three states involved.[27] In its judgment approving the DPA, the UK High Court stressed that international cooperation is crucial in cases of corporate wrongdoings across jurisdictions for many reasons, including to avoid forum shopping for settlements.[28]
The risk of an organisation being prosecuted in both the UK and other states for the same criminal conduct also depends on whether each jurisdiction applies the principle of double jeopardy. Generally, a defendant in the UK may argue that he should not be tried for the same offence in law and fact for which he was previously convicted or acquitted (autrefois acquit or autrefois convict). A UK conviction may not automatically prevent EU Member States from double prosecution, but only influence the sentencing in that other jurisdiction. International double jeopardy, however, is not uniformly accepted. Therefore, whether a jurisdiction will prohibit the prosecution of misconduct that was already resolved by a foreign court must be determined on a case-by-case basis, depending on which states are involved.[29]
Practical Steps
Following the new attribution laws in force since 26 December 2023 and in anticipation of the new offence of failure to prevent fraud likely coming into force later this year, we have set out some practical steps to be considered by corporate entities both inside and outside the UK.
Risk Analysis: companies should determine the business units most likely to be affected by the new regulations and the audience which may need particular training and supervision. This analysis may cover a variety of aspects such as:
- the extent to which UK customers may be impacted by the business activities, predominantly with respect to selling goods or services to UK customers;
- any other connection the entity has to the UK. This could include a subsidiary entity, a branch, employees working remotely or on secondment in the UK, as well as suppliers or other business partners in the UK;
- identification of individuals who fall within the ECCTA definition of a “senior manager” whether they are based inside or outside the UK. Check whether the titles of individuals accurately reflect their roles, and whether the responsibilities of their managers are clearly defined and documented;
- considering any parts of the business which are potentially vulnerable to the offences listed in schedules 12 and 13 of the ECCTA (e.g. offences under Financial Services and Markets Act 2000 may be particularly relevant for organisations offering financial services).
Recordkeeping: corporate entities should keep a clear record of policies, including previously applicable versions, and of conducted training. If needed, this might assist organisations in the future to show that reasonable prevention procedures were in place. These training materials and policies should reflect the outcome of the risk analysis mentioned above and address the practical realities of the relevant business units.
Culture: senior leadership teams may wish to consider whether any changes can be made to promote an open “anti-fraud” culture.
Whistleblowing: consider revising whistleblowing procedures to enable reporting of potential violations of foreign laws. This should assist with early identification of potential risks. Many enterprises in the EU are currently reviewing their procedures on whistleblowing in light of the EU whistleblowing directive and the respective implementation laws.[30]
Monitoring: the status and effectiveness of the compliance framework will need to be checked, regularly reviewed and continuously developed with regard to the risks arising from the ECCTA. This should include a regular testing of the threshold values for determining a “large organisation” as well as monitoring the catalogue of offences in schedules 12 and 13 of the ECCTA and associated legal risks. This will enable corporate entities to have a good overview of their current status and allow them to quickly assess whether they meet the requirements of the guidance once it is published. Obviously, a comprehensive review should take place once the UK Government has published its guidance on reasonable preventive measures, which we expect to happen in the course of 2024.
__________
[1] Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud.
[2] London verschärft das Unternehmensstrafrecht.
[3] See our previous client alert, Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud for further detail.
[4] Economic Crime and Corporate Transparency Act 2023, s 196(4).
[5] Economic Crime and Corporate Transparency Act 2023 schedule 12.
[6] Criminal Justice Bill, Committee debates: compilation pdf of sittings so far, page 68.
[7] Economic Crime and Corporate Transparency Act 2023 s 196(3).
[8] https://hansard.parliament.uk/Lords/2023-06-27/debates/EF8264AF-6478-470E-8B37-018C4B278F6E/EconomicCrimeAndCorporateTransparencyBill.
[9] UKBA, s 7.
[10] UKBA, ss 1, 2, 6.
[11] Economic Crime and Corporate Transparency Act 2023, s 196(2).
[12] Economic Crime and Corporate Transparency Act 2023, s 199.
[13] As defined in Economic Crime and Corporate Transparency Act 2023, ss 201, 202. For further discussion see our previous client alert, Expansion of Corporate Criminal Liability in the UK: Reform of the Identification Principle and New Offence of Failure to Prevent Fraud.
[14] Economic Crime and Corporate Transparency Act 2023, s 219(8).
[15] Economic Crime and Corporate Transparency Act 2023, s 199(13).
[16] Factsheet: failure to prevent fraud offence of 26 October 2023.
[17] Schedule 13 ECCTA.
[18] Economic Crime and Corporate Transparency Act 2023, s 199(6).
[19] [2004] EWCA Crim 631.
[20] Section 2 Fraud Act 2006.
[21] Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions.
[22] See, e.g. failure to prevent bribery under the UKBA or failure to prevent facilitation of UK tax or foreign evasion offences under the Criminal Finances Act 2007.
[23] Although OWiG, s 130 and the new UK offence sanctioning failure to prevent fraud have some similarities, there are also notable differences. Unlike ECCTA, s 199, the provision under German law is not limited to fraud offences and does not require that the person is acting with the intent to benefit anybody. Furthermore, unlike OWiG, s 130, the ECCTA establishes a direct criminal liability of the corporation itself. It is the responsibility of the corporation itself to prove that it had the necessary preventive procedures in place at the time the fraud offence was committed to avoid criminal liability. Under OWiG, s 130, the prosecution will take into account the preventive measures of the individual person obliged to exercise proper supervision.
[24] Pursuant to Article 633 (1) EU-UK Trade and Cooperation Agreement, the provisions on mutual assistance (Title VIII) are meant to supplement and facilitate the provisions of the European Convention on Mutual Assistance in Criminal Matters, done at Strasbourg on 20 April 1959 and its additional protocols.
[25] For a full list of all bilateral treaties, see https://www.gov.uk/government/publications/bilateral-treaties-on-mutual-legal-assistance-in-criminal-matters.
[26] European Union Agency for Criminal Justice Cooperation, Annual Report 2022 – Eurojust Activity Map, United Kingdom.
[27] See the respective press releases on 31 January 2020: U.S. Department of Justice; Serious Fraud Office, and the Parquet National Financier.
[28] SFO v Airbus SE, Case No: U20200108, 31 January 2020, para. 92.
[29] For an overview of national and international double jeopardy in various jurisdictions, see OECD, Resolving Foreign Bribery Cases with Non-Trial Resolutions, OECD Data Collection Questionnaire Results (2019) pp. 231 et seq.
[30] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. National implementation laws do not necessarily require that violations of foreign law can be reported, see e.g. section 2(1) no. 1 of the German Whistleblower Protection Act (Hinweisgeberschutzgesetz).
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s White Collar Defense and Investigations and Anti-Corruption and FCPA practice groups, or the following authors in Frankfurt, London and Munich.
London:
Matthew Nunan (+44 20 7071 4201, mnunan@gibsondunn.com)
Allan Neil (+44 20 7071 4296, aneil@gibsondunn.com)
Patrick Doris (+44 20 7071 4276, pdoris@gibsondunn.com)
Amy Cooke (+44 20 7071 4041, acooke@gibsondunn.com)
Rebecca Barry (+44 20 7071 4086, rbarry@gibsondunn.com)
Sam Firmin* (+44 20 7071 4051, sfirmin@gibsondunn.com)
Munich / Frankfurt:
Benno Schwarz (+49 89 189 33-110, bschwarz@gibsondunn.com)
Katharina Humphrey (+49 89 189 33-155, khumphrey@gibsondunn.com)
Andreas Dürr (+49 89 189 33-219, aduerr@gibsondunn.com)
Julian Reichert (+49 89 189 33-229, jreichert@gibsondunn.com)
Vanessa Ludwig (+49 69 247 411-531, vludwig@gibsondunn.com)
*Sam Firmin is a staff attorney working in the firm’s London office.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
The rule, scheduled to take effect on March 11, 2024, defines independent contractor status more narrowly than the rule published in 2021 by the Trump Administration.
Today the U.S. Department of Labor released a final rule regarding who is an “independent contractor” under the Fair Labor Standards Act (“FLSA”), and thus not subject to the minimum wage and overtime requirements the FLSA applies to “employees.” The rule defines independent contractor status more narrowly than the rule published in 2021 by the Trump Administration. It is scheduled to take effect on March 11, 2024.
The rule largely hews to the Department’s October 2022 proposal. It codifies a six-factor, totality-of-the-circumstances test for who qualifies as an independent contractor. Under the rule, independent contractor status will be determined by looking to the following factors: the worker’s opportunity for profit or loss; the worker’s investments; the permanency of the relationship; the degree of control by the employer over the worker; whether the work is an integral part of the employer’s business; and the skill and initiative required to do the work. The test will not assign special weight to any of the six factors, and instead consider them “in view of the economic reality of the whole activity” in which the worker in question is engaged.
Apart from jettisoning the framework of the 2021 rule—which relied on five factors, not six, and gave particular weight to “control” and the “opportunity for profit or loss”—the new rule makes important adjustments to how the traditional factors were applied in the 2021 rule. For example, DOL will consider the worker’s investments on a relative basis with the employer’s investments. The Department states, “if the worker is making similar types of investments as the employer or investments of the type that allow the worker to operate independently in the worker’s industry or field, then that fact suggests that the worker is in business for themself,” and, like the proposal, indicates that the “dollar values” of the company’s and workers’ investments should be compared. The rule also reformulates the factor in the 2021 rule concerning whether a worker’s activities are part of an “integrated unit of production,” changing it to an assessment of whether the activity is important or “central” to a business’s operations, and rejecting many commenters’ assertions that this factor will nearly always weigh in favor of employee status and thus is not a useful indicator of the appropriate classification. Additionally, the Department will consider a worker’s “initiative” indicative of independent contractor status under several different aspects of its test.
Many commenters disagreed with the proposed rule’s provision that “[c]ontrol implemented by the employer for purposes of complying with legal obligations” and “safety standards” was “indicative” of employee status. In a notable change, the final rule provides that “[a]ctions taken by the potential employer for the sole purpose of complying with a specific, applicable Federal, State, Tribal, or local law or regulation are not indicative of control.” Still, the rule emphasizes that any action taken by the employer that goes beyond what is strictly required by law or regulation may be indicative of employee status. Moreover, the rule’s “sole purpose” language may still allow consideration of actions taken to ensure compliance with legal requirements.
The Department has also removed the provision of the 2021 rule that clarified that “the actual practice of the parties involved is more relevant than what may be contractually or theoretically possible.” Under the Department’s new rule, a company’s so-called “reserved” control can be more important than control the company actually exercises over workers.
In its release, the Department acknowledges that the rule is an “interpretive” rule and asserts that the rule will be entitled only to “Skidmore deference” from the courts, rather than the more robust “Chevron deference” that sometimes is given to federal regulations. Nevertheless, the rule is a substantial departure from the 2021 rule it replaces and, by the Department’s admission, the rule provides “broader discussion” of many factors than the Department has given before. Commenters representing a wide variety of industries and independent contractors have warned the Department that the rule could result in the misclassification of many independent contractors as employees and chill innovative and valuable work relationships to the detriment of established companies, startups, and workers alike.
The new rule is likely to face litigation. A coalition of industry groups successfully challenged the Department’s previous attempt to withdraw the 2021 rule, arguing among other things that DOL’s action was arbitrary and capricious. That suit remains pending before the Fifth Circuit Court of Appeals. See Coal. for Workforce Innovation v. Walsh, No. 1:21-CV-130, 2022 WL 1073346 (E.D. Tex. Mar. 14, 2022), appeal filed, No. 22-40316 (5th Cir. May 13, 2022).
In addition to litigation, Senator Bill Cassidy (R-La.) announced that he will introduce a Congressional Review Act (“CRA”) resolution to repeal the new rule, and Representative Kevin Kiley (R-Cal.) also stated that he would introduce a CRA resolution in the House. If passed by both houses of Congress, a CRA resolution would almost certainly be vetoed by President Biden.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment or Administrative Law and Regulatory practice groups, or the following authors and practice leaders:
Eugene Scalia – Co-Chair, Administrative Law & Regulatory Practice Group, Washington, D.C.
(+1 202.955.8210, escalia@gibsondunn.com)
Jason C. Schwartz – Co-Chair, Labor & Employment Practice Group, Washington, D.C.
(+1 202.955.8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Co-Chair, Labor & Employment Practice Group, Los Angeles
(+1 213.229.7107, ksmith@gibsondunn.com)
Helgi C. Walker – Co-Chair, Administrative Law & Regulatory Practice Group, Washington, D.C.
(+1 202.887.3599, hwalker@gibsondunn.com)
*Andrew Ebrahem is admitted only in Virginia; practicing under the supervision of members of the District of Columbia Bar under D.C. App. R. 49.
We are pleased to provide you with Gibson Dunn’s ESG update for Winter 2023. This update covers the following key developments from November and December 2023.
- Institutional Shareholder Services (ISS) publishes 2024 Benchmark Policy Updates
On December 19, 2023, the proxy advisor ISS published its updated 2024 Benchmark Proxy Voting Policies, which will apply to shareholder meetings that take place on or after February 1, 2024. ISS have also published separate regional update documents announcing policy changes for each of the Americas, EMEA and Asia-Pacific. The main changes by ISS concern executive compensation, board composition and diversity, and risk oversight.
These updates by ISS follow the 2024 guidelines on proxy voting policies published earlier in November 2023 by Glass Lewis.
- ICMA publishes new voluntary code of conduct for ESG ratings and data products providers
On December 14, 2023, the ICMA published a new voluntary Code of Conduct for ESG ratings and data products providers in line with IOSCO recommendations. Setting out 6 different principles, the Code introduces clear standards for ESG ratings and data product providers, and clarifies their interaction with wider market participants. The 6 principles concern: (1) good governance; (2) securing quality (systems and controls); (3) conflicts of interest; (4) transparency; (5) confidentiality (systems and controls); and (6) engagement (systems and controls).
The overarching aims of the Code are to: (1) improve the availability and quality of information provided to investors at product and entity levels; (2) enhance market integrity through increased transparency, good governance and sound systems and controls; and (3) improve competition through better comparability of products and providers.
ESG ratings and data products providers who sign up to the Code will need to make a public annual statement of application which explains their approach to implementing the Code. An implementation period of 6 months for ESG ratings providers, and 12 months for ESG data products providers, will then apply. By the time this period lapses, the 6 principles should be embedded within the provider’s organization. Providers that have agreed to adopt the Code will also be listed on the ICMA’s website.
Based heavily on the IOSCO recommendations, the ICMA intends for the Code to be applied internationally and to serve as a step towards creating a globally consistent regulatory framework. A hybrid event for stakeholders will take place at the London Stock Exchange on January 31, 2024 to discuss how the Code will work in practice.
- Network for Greening the Financial System (NGFS) publishes Recommendations toward the development of scenarios for assessing nature-related financial risks
On December 13, 2023, the NGFS published a Technical Document providing recommendations toward the development of scenarios to assess nature-related economic and financial risks. The Technical Document is premised upon a two-part framework required for conducting forward-looking risk assessments: (1) envisioning consistent narratives to identify different hazards; and (2) exploring methods and tools e.g. models and data needs, to assess the impacts of such hazards and the ability to mitigate them. It also highlights the specificities of nature-related risks as opposed to climate-related risks, and discusses and outlines potential ways forward.
The NGFS intends for the Technical Document to pave the way for the future development of nature-related scenarios and the ability of central banks and supervisors to conduct comprehensive forward-looking nature risk assessments.
- COP28 countries agree deal to transition away from fossil fuels
On December 13, 2023, representatives from nearly 200 countries reached a deal at the COP28 summit to transition away from fossil fuels in the effort to meet global net zero emissions by 2050. Specifically, governments are called upon to triple renewable energy capacity globally by 2030, accelerate efforts to reduce coal use, focus on technologies such as carbon capture and storage and low-carbon hydrogen production, and phase out fossil fuel subsidies. All countries will need to set “ambitious” emissions targets over the next 2 years to limit global warming to 1.5°C above pre-industrial levels. However, the agreement does recognize that targets should be set in light of “different national circumstances”, taking into account poorer nations.
- IOSCO publishes a final report presenting supervisory practices across its members to address greenwashing
On December 4, 2023, the IOSCO published a final Report on Supervisory Practices to Address Greenwashing. The Report discusses the initiatives undertaken in various jurisdictions to address greenwashing, in line with IOSCO recommendations published in November 2021 (Report 1 and Report 2) and the subsequent Call for Action in November 2022, with the aim of increasing visibility of the roles that regulators are playing in this space. It also sets out the challenges hindering the implementation of these recommendations, including data gaps, transparency, quality, and reliability of ESG ratings, consistency in labelling and classification of sustainability-related products, evolving regulatory approaches, and capacity building needs.
The IOSCO highlighted that the main findings of the Report indicate the following:
- There is no global definition of greenwashing.
- Most jurisdictions have supervisory tools and mechanisms in place to address greenwashing in the area of asset managers and their products.
- Educational, awareness measures and capacity building activities are being used as proactive tools to prevent greenwashing. However, addressing greenwashing also requires financial education initiatives, both at investor and industry levels.
- The ESG ratings and data products markets are growing rapidly.
- Steps are reportedly being taken by Affiliate Members Consultative Committee (AMCC) members to improve the consistency of terminology, which could lead to better classification of funds and labelling.
- Enforcement measures such as infringement notices, fines, revocations of licenses, and suspension of businesses have been applied to greenwashing cases. Civil or criminal liability can also be applicable depending on the severity of the particular case.
- The cross-border nature of sustainable finance investments requires adequate sharing of information, data and knowledge between countries.
- International Organization of Securities Commissions (IOSCO) publishes a Consultation Report to promote the integrity and orderly functioning of the Voluntary Carbon Markets (VCMs)
On December 3, 2023, the IOSCO published a 90-day consultation report outlining a set of 21 ‘Good Practices’ to promote the integrity and orderly functioning of the VCMs. The proposed ‘Good Practices’ relate to regulatory frameworks, primary market issuance, secondary market trading, and use and disclosure of use of carbon credits. Although not legally binding, the IOSCO’s intention is that they help to support sound market structures and enhance financial integrity in the VCMs, allowing for carbon credits to be traded in an orderly and transparent way.
The proposed ‘Good Practices’ build on the Key Considerations included in the November 2022 Discussion Paper, the feedback received in response to that Discussion Paper, and IOSCO members’ knowledge and oversight of financial markets. They also draw upon existing good practices and principles for well-functioning markets, such as IOSCO’s Objectives and Principles of Securities Regulation (including the derivatives markets).
The deadline for comments from relevant regulators, authorities and market participants on the proposed ‘Good Practices’ is March 3, 2024.
- COP28: the global climate summit convenes in the United Arab Emirates
The 2023 UN Climate Change Conference convened in Dubai over the first few weeks of December, with the spotlight on climate finance, gender-responsive climate action, the energy transition and climate mitigation. Notable developments on the finance front include the announcement by the UK, France, the World Bank, the African Development Bank Group, the European Bank for Reconstruction and Development, and the Inter-American Development Bank (IDB) of new commitments to expand the use of climate resilient debt clauses (CRDCs)—which allow the lenders to pause debt for countries that are faced with natural disasters—in their lending. The UK announced the first ever CRDC to Senegal, the first in Africa. In addition, a consortium of multilateral development banks and funders, States and NGOs announced the issuance of Guiding Principles for Financing Climate and Health Solutions, which aim to foster collaboration between funders and accelerate the allocation of finance to countries and communities for climate and health solutions.
Elsewhere during the conference, the new Gender-Responsive Just Transitions & Climate Action Partnership was endorsed by over 60 state parties, making a series of commitments to support women’s economic empowerment and ensure women’s livelihoods are protected during the just transition.
- Basel Committee proposes mandatory climate change disclosures by banks
On November 29, 2023, the Basel Committee on Banking Supervision—the primary global standard setter for the prudential regulation of banks—issued a public consultation paper on its proposed Pillar 3 disclosure framework for climate-related financial risks. The consultation seeks the views of stakeholders on various qualitative and quantitative disclosure requirements that would complement the work of other standard setters, including the International Sustainability Standards Board (ISSB), and provide a global common disclosure baseline for internationally active banks. The Committee will use feedback from the consultation process to consider which requirements should be mandatory and which should be subject to national discretion.
- International Capital Markets Association issues updates to Guidance Handbook
On November 29, 2023, the International Capital Market Association (ICMA) and Executive Committee of the Principles published an updated edition of the Guidance Handbook, which gives guidance on the Green Bond Principles (2014), Social Bond Principles (2017), Sustainability Bond Guidelines (2017) and Sustainability-Linked Bond Principles (2020). The updated edition includes further guidance on relabelling bonds as GSS bonds post-issuance, use of proceeds of GSS bonds, bonds issued by “pure play companies” (i.e. organisations that are mainly or entirely involved in environmentally and/or socially sustainable activities), impact reporting, and identifying target populations for the purpose of Social Bonds.
- International Capital Markets Association (ICMA) and the Executive Committee of the Principles update the Guidance Handbook
On November 29, 2023, the ICMA and the Executive Committee of the Principles published an updated edition of the Guidance Handbook, replacing the January 2022 edition.
The Guidance Handbook provides market participants with sought-after additional information on how to interpret the Green Bond Principles, Social Bond Principles, Sustainability Bond Guidelines and Sustainability-Linked Bond Principles (collectively, the Principles), as well as advice on their practical application for transactions. The updated Guidance Handbook also now includes the Q&As initially published separately which concern secured green, social and sustainability bonds (GSS Bonds) (Chapter 3), sustainability-linked bonds (Chapter 4), and GSS bonds related to pandemics and social projects to support fragile and conflict states (Chapter 8). Further guidance is also provided on re-labelling (Chapter 1.18), net asset value (Chapter 2.1), pure play companies (Chapter 2.1), impact reporting (Chapter 2.3), and social bonds (Chapter 2.3).
The revised Guidance Handbook seeks to support market development and underpin market integrity. The ICMA intends for the Guidance Handbook to be widely circulated and used by the green, social, sustainability and sustainability-linked bond market (GSSS bond market).
- Basel Committee consults on a disclosure framework for climate-related financial risk
On November 29, 2023, the Basel Committee on Banking Supervision published a public consultation paper on the disclosure of climate-related financial risks. In particular, the Committee is evaluating how a Pillar 3 disclosure framework would further its mandate to strengthen the regulation, supervision and practices of banks worldwide to enhance financial stability. The Committee is also investigating the potential design of such a framework. Its initial proposals for the framework include qualitative and quantitative disclosure requirements, bank-specific metrics for quantitative climate disclosures, forecasts, and quantitative disclosure requirements subject to jurisdictional discretion.
The Committee intends for the disclosure framework to complement the work of other standard setters, including the International Sustainability Standards Board (ISSB), and provide a common disclosure baseline for internationally active banks.
The consultation is part of the Committee’s approach to addressing climate-related risks to the global banking system. The deadline for stakeholder feedback is February 29, 2024, with a revised or final proposal expected to be published in Q3-Q4 2024. The Committee is further contemplating a potential implementation date of January 1, 2026, one year after the effective date proposed by the ISSB and after the expiration of the ISSB’s proposed transitional arrangements.
- Abu Dhabi launches its first ESG benchmark index
Ahead of the COP28 summit, on November 28, 2023 the Abu Dhabi Securities Exchange (ADX) announced the launch of its ESG benchmark index developed in collaboration with FTSE Russell. The benchmark is designed to provide investors with a tradable ESG benchmark that ranks companies according to ESG scores sourced from London Stock Exchange Group (LSEG) Data & Analytics. The companies will be measured on an annual basis based on their public reporting.
The index will initially include 24 companies that are listed on the ADX market and are constituents of the FTSE ADX General Index.
- Global Reporting Initiative releases new draft climate and energy standards
On November 21, 2023, the Global Reporting Initiative (GRI) published two draft standards designed to support organisations in their accountability efforts relating to their climate change impacts. The first is a new draft Climate Change Standard to assist organisations in disclosing their climate change transition and adaptation plans and actions and in explaining their use of carbon credits and GHG removals. The second is a draft revised Energy Standard, which includes an additional management disclosure on the role of the organisation’s energy policies and commitments in the transition to a decarbonised economy, as well as extended requirements on energy consumption and generation.
Both drafts are currently subject to a public comment period; interested parties can submit online comments on the drafts by February 29, 2024.
- Glass Lewis publishes 2024 Benchmark Policy Guidelines, including guidelines for shareholder proposals and ESG-related issues
On November 16, 2023, the proxy advisor Glass Lewis published its 2024 Benchmark Policy Guidelines which apply to shareholder meetings held on or after January 1, 2024. The Guidelines set out Glass Lewis’ views on current market practice and its approach in different global markets for 2024, including the US, UK, France, Germany, Switzerland, MENA, China, Hong Kong, and Singapore.
The key changes seen in this year’s edition vary between markets but largely focus on areas including the following:
- Director attendance levels;
- Cyber risk oversight;
- Executive ownership guidelines;
- Utility of compensation clawback provisions;
- Material weaknesses in internal controls over financial reporting;
- Board accountability for climate-related issues;
- Board oversight of ESG issues; and
- Clarification on remuneration at financial institutions.
Glass Lewis has also published a 2024 edition of its Guidelines for Shareholder Proposals and ESG-Related Issues which apply globally. The main updates here concern board accountability for climate-related issues, consideration for engagement between companies and investors, and recommendations on non-financial reporting.
- CFA Institute, PRI and GSIA announce harmonised definitions for sustainable investments
On November 1, 2023, the CFA Institute, Principles for Responsible Investment (PRI) and the Global Sustainable Investment Alliance (GSIA) issued a new paper containing harmonised definitions aimed at clarifying the language of responsible investment. In particular, the harmonised definitions serve to promote consistent and precise use of terminology with regard to five existing responsible investment terms: “screening”, “ESG integration”, “thematic investing”, “stewardship” and “impact investing”, and thereby to deepen understanding of the nuances of responsible investment approaches.
The paper is available on each of the respective organizations’ websites (CFA Institute, PRI, and GSIA).
- International Bar Association publishes report on use of arbitration in ESG-related disputes
On October 30, 2021, the International Bar Association (IBA) published a Report on use of ESG contractual obligations and related disputes, based in part on a survey of in-house counsel and compliance staff at large multinationals by the IBA’s ESG subcommittee. The report addresses use of ESG-related obligations in both commercial contracts and investment treaties, as well as the role of arbitration in the resolution of ESG-related disputes.
On the commercial front, the report notes the proliferation of ESG-specific requirements in commercial contracts in the past decade, including references to the Equator Principles, UN Guiding Principles on Business and Human Rights and the Green Loan principles, and the availability of model ESG clauses such as those developed by The Chancery Lane Project and American Bar Association. The report anticipates an increased inclusion of termination rights for breach of ESG obligations as regulation in this area increases.
On the investment front, the report finds that the language adopted in some modern model investment treaties indicates that States are seeking investment that furthers the E, S and G elements of their sustainability agenda, and that specific substantive ESG-related standards are making an appearance in model investment treaties. The report further finds that there are frequent carve-outs for the State’s right to regulate on issues including ESG matters.
Finally, on the matter of dispute resolution, the report points to the survey’s finding that one of the most important factors in the choice of dispute resolution mechanisms to resolve ESG disputes is confidentiality. This, in turn, likely presages the increased use of arbitration to resolve ESG disputes (especially contractual disputes) in future.
- UK enacts The Greenhouse Gas Emissions Trading Scheme (Amendment) (No. 2) Order 2023
The Greenhouse Gas Emissions Trading Scheme (Amendment) (No 2) Order 2023 (SI 2023/1387) (Amendment No 2 Order) came into force on January 1, 2024. The Amendment No 2 Order was made on December 13, 2023 and, alongside the Greenhouse Gas Emissions Trading Scheme (Amendment) Order 2023 (SI 2023/850) and the Greenhouse Gas Emissions Trading Scheme Auctioning (Amendment) Regulations 2023 (SI 2023/994), is part of a package of legislation targeting reforms to the UK Emissions Trading Scheme (UK ETS).
The Amendment No 2 Order has implemented amendments to the UK ETS which concern the following:
- Capping of free allocation for aviation at 100% of emissions;
- Amending free allocation rules for electricity generators, including clarification of the definition of combined heat and power (CHP) plants and electricity generator, as well as an updated definition of electricity generator which only considers electricity exports for the baseline period 2019-2023 rather than all electricity exports since 2005; and
- Clarification for carbon capture and storage (CCS) plants, including that an industrial installation that installs a capture plant is not disqualified from receiving free allocation.
- FCA publishes 46th Edition of Primary Market Bulletin featuring guidance on ESG stewardship and TCFD disclosure obligations compliance
On December 19, 2023, the FCA released its 46th edition of the Primary Market Bulletin. This edition focuses on providing guidance in two areas:
1. Shareholder cooperation regarding ESG stewardship more generally and with respect to Article 10 of the UK Market Abuse Regulation (MAR), under which it is an offence to unlawfully disclose inside information.
The FCA advised that two pre-existing resources remain relevant to issues on shareholder activism, engagement and cooperation: (1) a letter from the FSA to the Association of British Insurers titled “Shareholder engagement and the current regulatory regime” dated August 19, 2009; and (2) the FSA’s Market Watch 20 dated May 20, 2007.
Further, the FCA clarified that the earlier outcome in the case of FCA v Sir Christopher Gent does not alter its approach to the MAR and should also not inhibit engagement between companies and their shareholders.
2. Procedures and policies by sponsors for compliance with the Task Force on Climate-Related Financial Disclosures (TCFD) disclosure obligations.
The FCA also discussed its assessment of how sponsors have made changes to their procedures to ensure listing applicants have systems in place to comply with the TCFD requirements. As required by the Listing Rules, premium and standard listed companies must include climate-related financial disclosures in their annual reports consistent with the TCFD disclosure requirements. The FCA’s findings were largely positive and the review found most sponsors had amended their policies to take into account the increased focus on climate-related matters.
The FCA further noted its expectations that sponsors should have sufficient skills, knowledge and expertise to interpret and apply relevant elements of the FCA Handbook. It also flagged the importance of sponsors providing their staff with appropriate training, including in relation to general developments in climate and sustainability-related disclosure.
- Climate-related risks feature in the FRC’s areas of supervisory focus and priority sectors for 2024/25
On December 6, 2023, the Financial Reporting Council (FRC) announced its 2024/25 supervisory focus areas and priority sectors for both corporate reporting review and audit quality inspections. However, the FRC observed that it monitors companies and audits from all sectors, and the priority sectors are just one risk factor amongst many that are taken into consideration when making its selections.
The FRC declared its 4 areas of supervisory focus to be: (1) risks related to the current economic environment, such as going concern, impairment, recoverability and recognition of tax assets/liabilities; (2) climate-related risks, including Task Force on Climate-related Financial Disclosures (TCFD); (3) implementation of IFRS 17 – Insurance Contracts; and (4) cash flow statements.
In addition, when selecting corporate reports and audits for review, the FRC has 5 priority sectors: (1) construction and materials; (2) food producers; (3) gas, water and multi-utilities; (4) industrial metals and mining; and (5) retail. The FRC has also stated that the financial services sector, including banking and insurance, will continue to be a focus of review and will be included annually in its selections.
- Financial Conduct Authority publishes final rules on sustainability disclosure and investment labels
On November 28, 2023, the Financial Conduct Authority (FCA) published a Policy Statement containing its final rules and guidance on sustainability disclosure requirements (SDR) and investment labels, which aim to improve trust and transparency to the market for sustainable investment products. The new regime applies (albeit in different respects) to UK asset managers and to FCA-authorised firms who make sustainability-related claims about their products and services, and is for the benefit of both professional and institutional investors as well as “retail investors”, i.e. consumers.
The new regime comprises the following package of measures: (i) an anti-greenwashing rule to ensure that sustainability-related claims are fair, clear and not misleading, (ii) four new product labels to help consumers navigate the investment product landscape, (iii) naming and marketing rules for investment products to ensure accurate use of sustainability-related terms, (iv) consumer-facing information requirements to help consumers understand key sustainability product features, (v) detailed information requirements in pre-contractual, ongoing product-level and entity-level disclosures for the benefit of institutional investors and consumers, and (vi) requirements for distributors to ensure that product-level information such as labelling is made available to consumers.
- Sustainability disclosure and labelling regime confirmed by the FCA
On November 28, 2023, the Financial Conduct Authority (FCA) announced in its Policy Statement the introduction of its new UK Sustainability Disclosure Requirements and a new investment labels regime to improve the trust, transparency and credibility of sustainable investment products, increase consumer protection through greater access to information when investing, and also minimise greenwashing by companies.
The new FCA regime will introduce the following measures:
1. From May 31, 2024, an anti-greenwashing rule for all FCA-authorised firms to ensure sustainability-related claims are fair, clear and not misleading. Final guidance providing further clarity on this rule is due to be published prior to the rule’s introduction once its public consultation closes on January 26, 2024;
2. From July 31, 2024, the application of 4 different product labels (Sustainability Focus, Sustainability Improvers, Sustainability Impact, and Sustainability Mixed Goals) to investment products to help investors understand what their money is being used for, based on clear sustainability goals and criteria;
3. From December 2, 2024, naming and marketing requirements for UK asset managers so investment products cannot be described as having a positive impact on sustainability when they do not; and
4. From December 2, 2025, ongoing product-level and entity-level disclosures for firms with assets under management exceeding £50 billion. Additionally, from December 2, 2026, entity-level disclosures will be extended to firms with assets under management exceeding £5 billion.
The measures do not yet apply to portfolio management products and services, and the FRC plans to consult on this in early 2024.
- UK to set out regulatory rules for ESG ratings industry imminently
On November 8, 2023, the Financial Times reported that the UK government will publish a formal proposal for regulation of agencies that evaluate companies’ environmental, social and governance performance as early as January 2024. The Treasury is said to be examining whether this will require new legislation or can be achieved through measures implemented under existing laws. The proposal will take into account responses from a consultation process which ended in June 2023, with a government response to the consultation due to be published by the Treasury “in due course”.
Ministers have not ruled out the possibility of the creation of a new supervisory body to take on this function, but it is more likely that the remit of the Financial Conduct Authority will be expanded. The FCA is currently developing a voluntary code of conduct for ESG ratings and data product providers (see our earlier update here).
The European Commission proposed new regulations for ESG rating providers on June 13, 2023. See also update on Hong Kong (below) on development of an ESG ratings and data providers code of conduct.
- Financial Reporting Council indicates intention to drop proposed ESG-related changes to UK Corporate Governance Code
Following consultation with stakeholders on proposed revisions to the UK Corporate Governance Code (the governance code applicable to all companies with a ‘premium listing’ on the London Stock Exchange), the Financial Reporting Council announced on November 7, 2023 that it will only be taking forward a small number of its original 18 proposals, and will be abandoning the proposals relating to the role of audit committees on environmental and social governance, and to modifications to existing code provisions around diversity, over-boarding, and Committee Chairs engaging with shareholders. The updated Code will be published in January 2024.
This follows the announcement by the UK government, on October 16, 2023, that it was withdrawing the draft Companies (Strategic Report and Directors’ Report) (Amendment) Regulations following concerns by companies on burdensome and ever-increasing reporting requirements.
- European Insurance and Occupational Pensions Authority (EIOPA) seeks feedback on its proposed approach to tackle greenwashing in the insurance and occupational pension sectors
EIOPA has launched a public consultation on its Consultation Paper on the Opinion on sustainability claims and greenwashing in the insurance and pensions sectors. The principles within the Opinion aim to pave the way for a more effective and harmonised supervision of sustainability claims across Europe and thereby limit the risk of greenwashing in the insurance and occupational pensions sectors. The deadline for submission of comments is March 12, 2024.
- European Commission proposes to update free allocation rules to implement EU emissions trading system
The European Commission has opened a consultation process on the proposed updates to multiple regulatory acts under the Delegated Regulation for the implementation of the EU emissions trading system (ETS). The intention is to allow transitional EU-wide rules for harmonised free allocation of emission allowances. The consultation will close on January 2, 2024.
- European Parliament’s Economic and Monetary Affairs Committee (ECON) adopts position on regulation to increase ESG ratings transparency and competition
On December 4, 2023, ECON adopted its position on a regulation by the European Commission aimed at enhancing transparency and competition in ESG ratings. ECON advocates for changes to the rules proposed by the European Commission – in particular:
- breaking down the ESG rating into separate E, S and G factors to avoid the rating obscuring poor performance on any of these individual metrics;
- promoting the “double materiality” approach, i.e. whether the delivered rating addresses both material financial risk to the rated entity and the material impact of the rated entity on the environment and society;
- increasing transparency on the methodologies, models and key rating assumptions which rating providers use in their ESG rating activities; and
- boosting competition in favour of smaller rating providers.
The regulation aligns with other EU sustainability initiatives. On December 20, 2023, the Council of the EU agreed its negotiating mandate on the proposal for a regulation on ESG ratings. In its negotiating mandate, the Council clarified the circumstances under which ESG ratings fall under the scope of the regulation, providing further details on the applicable exemptions.
- European Securities and Markets Authority (ESMA) presents methodology for climate risk stress and considers use of ESG controversies to monitor greenwashing
On December 19, 2023, ESMA published two articles outlining (i) an approach to modelling the impact of asset price shocks from adverse scenarios involving climate-related risks, and (ii) exploring the use of ESG controversies for the purpose of monitoring greenwashing risk. ESMA is holding a webinar on the topics on February 7, 2024.
- European Central Bank (ECB) and the European Systemic Risk Board (ESRB) publish report on climate-related financial stability risks
On December 18, 2023, the ECB and the ESRB published a joint report on the impact of climate change on the EU financial system. The report sets out a framework for addressing risk by gathering evidence on the most important financial stability indicators and looks to develop a macroprudential strategy for addressing climate and broader nature-related risks.
- European Banking Authority (EBA) proposes voluntary EU label for green loans
On December 15, 2023, EBA published a response to the European Commission’s call for advice on green loans and mortgages. In its response, EBA suggests the introduction of a voluntary EU label for green loans based on a common EU definition, as well as the integration of the concept of a ‘green mortgage’ and its key sustainability features in the Mortgage Credit Directive. In particular, EBA proposes that:
- such EU definition and labelling framework incorporate a degree of flexibility to facilitate market participants’ credible efforts in contributing to environmental objectives;
- the labelling framework include information on the long-term benefits of investing in energy-efficient solutions, documentation requirements and availability of financial support schemes; and
- when reviewing the Mortgage Credit Directive, the European Commission consider integrating the concept of green mortgages as well as the expected features of these loans.
- Council of the EU and European Parliament strike deal on the Corporate Sustainability Due Diligence Directive; European Securities and Markets Authority (ESMA) consults on draft guidelines on enforcement of sustainability information
On December 14, 2023, the Council of the EU and the European Parliament reached a provisional agreement on the Corporate Sustainability Due Diligence Directive, which will oblige firms to integrate their human rights and environmental impact into their management systems. Eligible companies will be required to make investments, seek contractual assurances from partners, improve their business plans or provide support to their partners from SMEs in order to identify, assess, prevent, mitigate and remedy the negative impact of their activities on people and the planet. Companies’ business model will also have to comply with limiting global warming to 1.5°C. In addition, supervisory authorities will be able to launch inspections and impose penalties on non-compliant companies, including fines of up to 5% of their net worldwide turnover. As a next step, the provisional agreement needs to be endorsed and formally adopted by both institutions.
On December 15, 2023, ESMA published a consultation paper on a set of draft guidelines on enforcement of sustainability information, with responses sought by 15 March 2024. The main goals of the draft guidelines are to ensure that national competent authorities carry out their supervision of listed companies’ sustainability information under the Corporate Sustainability Reporting Directive (CSRD), the European Sustainability Reporting Standards and Article 8 of the Taxonomy Regulation in a converged manner; and to establish consistency in, and equally robust approaches to, the supervision of listed companies’ sustainability and financial information. ESMA says this will facilitate increased connectivity between the two types of reporting.
- European Securities and Markets Authority (ESMA): “Update on the guidelines on funds’ names using ESG or sustainability-related terms – Postponement of Publication”
On December 14, 2023, ESMA published a statement that it has postponed the adoption of the Guidelines on ESG and sustainability-related terms in fund names to ensure that the outcome of reviews of AIFMD and the UCITS Directive may be fully considered. In particular, the text of the provisional agreement resulting from the interinstitutional negotiations contains two new mandates for ESMA to develop guidelines specifying the circumstances where the name of an AIF or UCITS is unclear, unfair, or misleading. ESMA plans to adopt the Guidelines shortly after the date of entry into force of the revised AIFMD and UCITS Directive texts.
- European Securities and Markets Authority (ESMA) to launch and participate in Common Supervisory Action on ESG disclosures for Benchmarks Administrators
On December 13, 2023, ESMA announced that it will launch a common supervisory action (CSA) with national competent authorities (NCAs) on environmental, social and governance disclosures under the EU Benchmarks Regulation. This is ESMA’s first CSA in its role as a direct supervisor of benchmarks administrators. It will be carried out by ESMA and the NCAs during 2024 and until Q1 2025.
- ESAs put forward amendments to sustainability disclosures for the financial sector
The three European Supervisory Authorities (European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority – together the ESAs) are finalising amendments to the Sustainable Finance Disclosure Regulation (SFDR), proposing new social indicators, streamlined disclosure frameworks for adverse impacts, and additional product disclosures on greenhouse gas emissions reduction targets. The Final Report was published on December 4, 2023. Other revisions include improvements to “Do No Significant Harm” disclosures, simplified disclosure templates, and other technical adjustments regarding derivatives and sustainable investment calculations.
- Loan Market Association (LMA) updates sustainable lending glossary
In December 2023, the LMA updated its sustainable lending glossary, produced in conjunction with the Loan Syndications and Trading Association and the Asia Pacific Loan Market Association. The glossary (which was first published in March 2020 and was last revised in August 2021) intends to assist the transparency of terms in the rapidly evolving sustainable lending market and provides an alphabetical list of terms, concepts, institutions, and agreements relevant to green and sustainable lending transactions.
- European Green Bonds Regulation published in Official Journal
On November 30, 2023, the Official Journal of the EU published Regulation (EU) 2023/2631 of the European Parliament and of the Council on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds. This Regulation lays down uniform requirements for issuers of bonds that wish to use the designation ‘European green bond’ or ‘EuGB’ for their environmentally sustainable bonds, and entered into force on December 2023, 2023, and will apply from December 21, 2024.
- EU finalises European Green Bond Regulations
On November 30, 2023, Regulation (EU) 2023/2631 on European Green Bonds and optional disclosures for bonds marketed as environmentally sustainable and for sustainability-linked bonds was published in the Official Journal of the European Union. The Regulation provides for uniform requirements for issuers of environmentally sustainable bonds who intend to designate their bonds as “European green bonds” or “EuGB”. See our earlier update here.
- EU Commission publishes proposal for carbon certification framework
On November 30, 2023, the EU Commission published its proposal for a new regulation establishing a voluntary EU certification framework for carbon removals. The proposal sets out quality criteria (“QU.A.L.ITY criteria”) for carbon removal activities that take place in the EU, rules for the independent verification of carbon removals, and rules to recognise certification schemes that can be used to demonstrate compliance with the EU framework.
The proposal is now under discussion by the European Parliament and the Council, with the Commission due to develop tailored certification methodologies for the different types of carbon removal activities based on the QU.A.L.ITY criteria, supported by an expert group which will meet in the first quarter of 2023.
- COP28: EU Parliament pushes for end of global fossil fuel subsidies by 2025
On November 21, 2023, the EU Parliament adopted a resolution calling, among other things, for the EU and all parties at COP28 to end all direct and indirect fossil fuel subsidies as soon as possible, and by 2025 at the latest. The resolution also called for an end to all environmentally harmful subsidies as soon as possible, and by 2027 at the latest, at both EU and Member State levels, and called on Member States to improve their national reporting of fossil fuel subsidies and plan for their phase-out in the upcoming revisions of their national energy and climate plans.
- EU Parliament and Council agree to introduce “ecocide” offence
On November 16, 2023, it was announced that the Parliament and Council have reached a provisional agreement on a new EU directive that will impose new criminal sanctions for environmental harm. The directive was first proposed in December 2021, to replace the existing Environmental Crime Directive 2008 and establish minimum rules that bring the existing criminal regime into alignment with the objectives of the EU’s Green Deal.
The agreed directive will introduce “qualified offences” described by the Parliament as “comparable to ecocide”, whereby stricter sanctions are imposed for intentional acts that caused destruction, irreversible, widespread and substantial damage, or long-lasting widespread and substantial damage to an ecosystem of considerable size or environmental value, or to a natural habitat within a protected site, or to the quality of air, soil or water.
Specific new offences include timber trafficking, illegal recycling of polluting components of ships, and serious breaches of legislation on chemicals.
The provisional agreement is due to be formally adopted by both the European Parliament and the Council. The press releases of the Commission, Parliament and Council are available here, here and here.
- European Parliament and Council agree on new EU Methane Regulation
On November 15, 2023, it was announced that the European Parliament and Council have reached a provisional agreement on a new EU regulation to reduce energy sector methane emissions in Europe and in global supply chains. The regulation was first proposed in December 2021, under the banner of the European Green Deal, with the aim of preventing avoidable release of methane into the atmosphere and minimising methane leaks by fossil energy companies operating in the EU.
The EU Methane Regulation, in its agreed form, will impose obligations on companies in the oil, gas and coal sectors, including requiring oil and gas companies to carry out regular surveys of their equipment to detect and repair methane leaks on the EU territory within specific deadlines, banning routine venting and flaring by the oil and gas sectors and limiting venting from thermal coal mines from 2027, and requiring companies in all three sectors to carry out an inventory of closed, inactive, plugged and abandoned assets with a view to monitoring and mitigating their emissions as soon as possible.
The regulation also targets methane emissions related to imported oil, gas and coal into the EU, including by establishing a methane transparency database where data on methane emissions reported by importers and EU operators is made available to the public, and by requiring the Commission to establish methane performance profiles of countries and companies to allow importers to make informed choices on their energy imports.
The provisional agreement is due to be formally adopted by both the European Parliament and the Council. The press releases of the Commission and Council are available here and here.
- European Commission proposes postponement of pending European Sustainability Reporting Standards until June 2026
On October 24, 2023, the Commission published a proposal for a Decision postponing the deadlines for adoption of the second tranche of European Sustainability Reporting Standards (ESRS) (i.e. the sector-specific standards) which underpin the disclosure requirements of the EU’s new comprehensive sustainability rules in the Corporate Sustainability Reporting Directive (CSRD). The current deadline is June 30, 2024, but the Commission is proposing a two-year delay until June 2026, in order to allow companies within the scope of the CSRD to focus on implementation of the first tranche of ESRS. These first-tranche standards were adopted on July 31, 2023 and are sector-agnostic, applying to all companies within scope of the CSRD. This is in response to a demand from the corporate sector.
The Commission also proposes that the adoption date for the ESRS to be used by certain non-EU companies with business in the EU be likewise postponed by two years, to June 2026.
The feedback period on the Commission proposal closes on December 19, 2023.
- New York State Department of Financial Services (NYDFS) adopts guidance for New York State-regulated banking and mortgage institutions related to climate change risks
On December 21, 2023, NYDFS adopted guidance aimed at assisting institutions with the management of material financial and operational risks from climate change. NYDFS has not currently set a timeline for implementing the guidance, but it will be issuing a request for information in 2024 in order to ascertain the steps regulated institutions are taking, or are planning to take, to identify, monitor, and control these risks.
- BlackRock, Inc. (BlackRock) sued by U.S. state for allegedly misleading ESG representations
On December 18, 2023, Tennessee filed a consumer protection lawsuit in Tennessee state court against BlackRock, alleging the company had misled or made false representations to the state’s consumers regarding the incorporation of ESG into its investment strategy.
- Commodity Futures Trading Commission (CFTC) proposes federal guidelines targeting voluntary carbon markets
As reported in our recent client alert, on December 4, 2023, the CFTC issued proposed guidance focused on the trade of voluntary carbon credit derivative contracts listed on CFTC-regulated exchanges. The guidance is directed at such exchanges and provides factors for them to consider in light of applicable regulatory standards, including requirements designed to support quality standards and appropriate governance and validation, among other topics. The public has until February 16, 2024 to comment on the proposed guidance.
- U.S. Environmental Protection Agency (EPA) adopts final rule targeting methane and other air pollutants from the oil and natural gas industry
On December 2, 2023, the EPA adopted a final rule consisting of several initiatives aimed at preventing an estimated 58 million tons of methane emissions between 2024 and 2038, a nearly 80% reduction of projected methane emissions without the rule. Among other things, the final rule will include new source performance standards to reduce methane and smog-forming volatile organic compounds from new or modified sources as well as emissions guidelines clarifying how states can use their existing program in plans for limiting methane emissions from existing sources.
A detailed summary of this final rule is available in our recent client alert.
- California AB 1305 author shares his intent for first reporting deadline
In October, California adopted the “Voluntary Carbon Market Disclosures Act,” which imposes website disclosure requirements on (1) business entities that market or sell voluntary carbon offsets within California and (2) entities operating in California that make certain sustainability claims (e.g., achieving net zero emissions, carbon neutrality, or significant emission reductions, among others), with additional disclosure obligations if such entities purchase or use voluntary carbon offsets sold in the state. The statute provides that the required disclosures must be “updated no less than annually,” but does not specify when the first set of disclosures is required. The law became effective on January 1, 2024.
On November 30, 2023, the California Assembly member who authored AB 1305 submitted a letter to the Clerk of the Assembly stating his intention that the first annual disclosure should be posted by January 1, 2025, and that he would provide a more formal letter to the Assembly Daily Journal after the State Assembly reconvened in early January.
- EPA Office of Environmental Justice and External Civil Rights receives funding for environmental and climate justice community change grants
On November 21, 2023, the Biden-Harris administration announced the funding of approximately $2 billion in the EPA’s Community Change Grants through the Inflation Reduction Act. The funds are described as “the largest single investment in environmental justice in history” and are to be used to support the deployment of community-driven clean energy projects, bolster climate resilience, and strengthen communities’ abilities to combat environmental and climate change challenges.
- Glass Lewis announces several new and revised ESG-related proxy voting policies
On November 16, 2023, Glass Lewis published its updated voting policies for the U.S. The policies became effective on January 1, 2024. Noteworthy changes related to ESG topics include two new policies on cyber risk oversight and board oversight of environmental and social issues, and a revised policy on board diversity. The first new policy provides that, where a company has been materially impacted by a cyberattack, Glass Lewis may recommend votes against appropriate directors should Glass Lewis find the board’s oversight, response or disclosures concerning cybersecurity-related issues to be insufficient or if they are not provided to shareholders. In addition, when evaluating the board’s role in overseeing environmental and/or social issues, Glass Lewis will examine a company’s committee charters and governing documents to determine if the company has codified a meaningful level of oversight of and accountability for a company’s material environmental and social impacts. Glass Lewis also clarified that it will review a company’s disclosures for a rationale or plan to address the lack of board diversity, including a timeline on intended appointments, in making voting recommendations.
- U.S. Federal Insurance Office (FIO) to collect information on homeowners’ insurance to assess climate-related financial risk to consumers
On November 1, 2023, the FIO published a public notice of its intention to collect zip-code-level insurance data from insurers as part of its effort to assess the possible impact of climate-related financial risks on Americans. Based on feedback to a prior proposal, the FIO revised its data collection request to reduce the estimated number of hours insurance companies need to comply with the request.
- Partnership for Carbon Accounting Financials (PCAF) and China-based Green Finance Forum of 60 (GF60) form partnership to harmonise greenhouse gas accounting methodologies for financial institutions in China
On December 21, 2023, PCAF announced that it has entered into a strategic partnership agreement with GF60 which is aimed at harmonizing greenhouse gas accounting methodologies for financial institutions in China, and enhancing the capability of such financial institutions to calculate the greenhouse gas emissions of their financial activities. PCAF will assist the Chinese financial sector in implementing PCAF standards and it observed that the collaboration will ultimately help to promote China’s progress in decarbonization.
GF60 is a non-profit international green finance and sustainability platform operated by the Shanghai Jinsinan Institute of Finance.
- First ESG Disclosure Guidance for China’s insurance industry released
At a press conference held in Beijing on December 13, 2023, the Insurance Association of China (IAC) launched the Chinese insurance industry’s first ever Guidelines for Environmental, Social and Governance Information Disclosure by Insurance Institutions. Expected to help improve the quality of ESG disclosures in the insurance industry, the Guidelines set standards for insurance companies to disclose ESG information, including providing guidance both on disclosure content and disclosure methods.
The self-regulatory Guidelines take reference from international ESG disclosure standards such as the Global Reporting Initiative (GRI), Sustainability Accounting Standards Board (SASB), and the Stock Exchange of Hong Kong, whilst seeking to incorporate the unique characteristics of China and the Chinese insurance industry such as disclosure requirements for rural revitalization, insurance agent management and enhancement, sustainable insurance products, and green investment of insurance funds.
- Philippines relaxes rules to encourage lending for green projects
On December 13, 2023, the Philippine central bank, Bangko Sentral ng Pilipinas, announced that it will temporarily allow banks to set aside lower reserves for sustainable bond sales and increase their lending capability. In particular, the reserve requirement rate for green, social, sustainability, and other sustainable bonds issued by banks will be gradually reduced from the current rate of 3% to 0%: the rate will fall to 1% in the first year after the change takes effect, before being cut to 0% in the second year. The central bank has also approved an additional 15% single borrower limit on loans to finance sustainable projects, including transition to decarbonization. Both measures will be in place for 2 years, subject to review, and constitute part of the central bank’s 11-point Sustainable Central Banking Strategy established to combat climate change.
- Thailand Finance Ministry and investment management industry launch 22 new mutual funds to support Thailand’s ESG goals
At a joint press conference on December 8, 2023, Thailand’s Ministry of Finance, the Federation of Thai Capital Market Organizations (FETCO), Thailand’s Securities and Exchange Commission (SEC), the Stock Exchange of Thailand (SET) and Thailand’s Association of Investment Management Companies (AIMC) announced the launch of a new Thailand ESG Fund (Thai ESG Fund). The Fund consists of 22 new mutual funds with a fundraising target of 10 billion baht by the end of the year to accelerate sustainable development in Thailand, and progress towards carbon neutrality and net-zero greenhouse gas emissions. All Thai ESG Funds will largely invest in domestic assets such as debt securities or stocks of listed companies that meet disclosure requirements for emissions disclosures and reduction targets, and that are themed around environmental protection or sustainability.
- Monetary Authority of Singapore (MAS) releases Code of Conduct for ESG Rating and Data Product Providers
On December 6, 2023, MAS published both its finalised Singapore Code of Conduct for ESG Rating and Data Product Providers and an accompanying Checklist for such providers to self-attest their compliance with the voluntary Code. It builds upon the recommendations from the International Organisation of Securities Commissions (IOSCO) for good practices by ESG rating and data product providers. A list of providers who have publicly adopted the Code will be available on the International Capital Market Association’s (ICMA) website, subject to the provider notifying the ICMA of their publication.
The industry Code seeks to establish baseline industry standards for transparency in methodologies and data sources, governance, and management of conflicts of interest that may compromise the reliability and independence of the products.
MAS is implementing the industry Code on a ‘Comply or Explain’ basis: ESG rating and data product providers are to state they comply with the principles and best practices set out in the Code or explain why they do not. Third party assurance or audit may also be sought by providers for their self-attestation on the Checklist. Providers are encouraged by MAS to disclose their adoption of the Code and publish a completed Checklist on their websites within 12 months of the Code’s publication.
- Monetary Authority of Singapore taxonomy for sustainable finance
On December 3, 2023, the Monetary Authority of Singapore (MAS) launched the Singapore-Asia Taxonomy for Sustainable Finance, which sets out detailed thresholds and criteria for defining green and transition activities that contribute to climate change mitigation across eight focus sectors. Transition activities are those that do not meet the green thresholds now but are on a pathway to net zero or contributing to net zero outcomes. The taxonomy was drawn up with support and recommendations from the Climate Bonds Initiative. Whilst aimed at providing guidance for Singapore-based financial institutions, asset owners and investment managers, it is also expected to be used by companies, regulators, policymakers and other financial market participants seeking to identify and allocate capital to “green” and transition activities.
- Hong Kong Stock Exchange and China Beijing Green Exchange sign MOU to promote green finance
On November 28, 2023, Hong Kong Exchanges and Clearing Limited (HKEX) announced the signing of a Memorandum of Understanding (MOU) with the China Beijing Green Exchange (CBGEX) – the designated trading platform for the Emissions Trading Scheme under the Beijing Municipal Government – to explore cooperation in areas such as building an ESG ecosystem, promoting green and sustainable finance, and contributing to the green development of the Belt and Road Initiative.
HKEX and CBGEX will be jointly exploring cross-border sustainable development, with a focus on addressing China’s growing demand for green infrastructure investments and its shift to a low-carbon economy. Both exchanges will also research green and transition finance, collaborate on capabilities building for ESG standards and information disclosure, and explore opportunities in the carbon market.
- Hong Kong postpones mandatory climate disclosures for listed issuers
On November 3, 2023, the Hong Kong Stock Exchange (HKEX) announced that it would postpone the implementation of proposed Listing Rule amendments on climate-related disclosures from January 2024 to January 2025, after seeking market feedback on the proposed amendments (consultation paper here). The proposed new rules were informed by the new IFRS S2 Climate-related Disclosures promulgated by the International Sustainability Standards Board (ISSB). The HKEX is postponing implementation in order to allow issuers more time to familiarize themselves with the new climate-related disclosure requirements and to give itself time to take account of recommended approaches on scalability and phasing-in of disclosure requirements which the ISSB is providing global regulators in its upcoming ISSB Adoption Guide.
- Australia announces Sustainable Finance Strategy
On November 2, 2023, the Australian Treasury released a consultation paper outlining its Sustainable Finance Strategy, which is aimed at mobilizing private investment needed in coming decades, enabling Australian firms to access the capital needed to finance their own transitions, ensuring that financial opportunities and risks presented by climate change are identified and well managed, and aligning Australia’s capital markets with emerging international standards on sustainable finance. This is consistent with the Australian government’s adoption of a “climate first” approach to sustainable finance reforms.
Key proposals cover:
- Reporting: Implementing mandatory climate reporting requirements for large companies and financial institutions from July 2024 onwards, to ensure standardized disclosure of climate and other sustainability-related financial opportunities and risks.
- Taxonomy: Developing an Australian sustainable finance taxonomy, to provide a comprehensive medium-term framework for understanding how certain economic activities and investments align with good sustainability outcomes, and to provide a consistent set of metrics for firms and investors to support credible transition planning.
- Labelling: Improving sustainability labelling for investment products, to provide more consistent information on design and sustainability characteristics of products labelled as “green”, “sustainable”, “ESG”, or similar.
- Sector Guidance on Emission Reduction: Developing national sectoral emissions reduction pathways, to provide firms and investors with clearer policy guidance on anticipated emissions reductions trajectories and priorities in key sectors, supporting more rigorous corporate transition planning and increasing accountability.
The consultation process ended on December 1, 2023 and the results will inform ongoing policy development and regulatory engagement on sustainable finance in Australia.
- ICMA to form a working group to develop an ESG ratings and data providers code of conduct for Hong Kong Securities and Futures Commission
On October 31, 2023, the International Capital Market Association (ICMA) announced that it is convening a working group to lead the development of a voluntary code of conduct for ESG ratings and data product providers based in Hong Kong.
The code will be informed by the recommendations from the International Organization of Securities Commissions’ report on “Environmental, Social and Governance Ratings and Data Product Providers”, and the working group is expected to release its draft code of conduct for public consultation in early 2024.
Please let us know if there are other topics that you would be interested in seeing covered in future editions of the monthly update.
Warmest regards,
Susy Bullock
Elizabeth Ising
Perlette M. Jura
Ronald Kirk
Michael K. Murphy
Selina S. Sagayam
Chairs, Environmental, Social and Governance Practice Group, Gibson Dunn & Crutcher LLP
© 2023 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.