Author: National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.

February 2024 Visa Bulletin: Advancement of Priority Dates for Employer-Based Petitions Remains Minimal

U.S. Citizenship and Immigration Services (USCIS) and the U.S. Department of State have not indicated significant advancement in the priority dates for employer-based immigrant petitions, continuing the fiscal year (FY) 2024 trend of long wait times for immigrant visas.

Quick Hits

  • USCIS and the State Department reported minimal movement in the EB-2 and EB-3 categories for Mexico, the Philippines, and all other chargeability areas except India and China.
  • USCIS authorized use of the Dates for Filing chart.
  • Continued limitations on immigrant visas particularly impact chargeability areas of India and China where employers and individuals had hoped to take advantage of shorter wait times in the EB-1 category.

The February 2024 Visa Bulletin

USCIS will continue to use the Dates for Filing chart in the February 2024 Visa Bulletin in determining eligibility for I-485, Application to Register Permanent Residence or Adjust Status, filings. The Dates for Filing chart reflects priority dates anticipated to become current during the fiscal year, whereas the Final Action Dates chart reflects priority dates considered current and available for the specific month. This means that while an applicant may file the I-485 based on the Dates for Filing chart, the application will not be adjudicated at least until the applicant’s priority date becomes current on the Final Action Dates chart.

In summary, there is no advancement in final action dates for China and India in all employment-based categories except that the Other Workers category for India has advanced by one month. For all other chargeabilities, Mexico, and the Philippines, the EB-1 category remains current, the EB-2 category advances by fifteen days, the EB-3 category advances by one month, and the EB-4 Certain Religious Workers category remain the same.

The Final Action Dates chart is shown below.

Source: U.S. Department of State, February 2024 Visa Bulletin

USCIS has confirmed its continued use of the Dates for Filing chart for adjustment of status filing purposes. However, the dates for filing remain the same as in the January 2024 Visa Bulletin in all categories for all countries.

The Dates for Filing chart for employment-based categories follows below.

Source: U.S. Department of State, February 2024 Visa Bulletin

Impacts of Immigrant Visa Backlogs, Slow Movement, and Retrogression: EB-1 Considerations

In the January 2024 Visa Bulletin, we saw some forward movement in certain employment-based categories, particularly in the EB-1 category. This movement aligned with the hope that all EB categories, including the EB-1 category, would advance significantly or at least steadily. USCIS and the State Department had also indicated holding this hope in the August 2023 Visa Bulletin. However, the Visa Bulletins for October 2023November 2023December 2023, and January 2024 showed slow movement, with the Visa Bulletin for February 2024 indicating little to no movement at all.

The lack of advancement in priority dates particularly impacts those chargeable to India and China. While those chargeable to India and China have historically experienced long green card wait times in the common categories of EB-2 and EB-3, many employers and individuals choose to pursue the EB-1 category in hopes to secure the green card in a much shorter time. The benefits to an employer if a sponsored employee receives a green card earlier is that there is a reduction in immigration costs and a reduction in time that an employer would be beholden to immigration regulations. The employer can also rest assured that their talent can be retained beyond the limits of a nonimmigrant visa status.

However, despite the retrogression of the EB-1 categories for China and India, there still stands a benefit that visa availability wait times for the EB-1 category remains much faster than any other category. Employers considering pursuing the EB-1 process for their employees may want to note that the EB-1 holds an extremely high standard. The EB-1 is generally reserved for highly talented individuals who have risen to the top of their field or individuals who will work in a managerial capacity in addition to meeting other narrow criteria.

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
For more news on 2024 Visa and Immigration Updates, visit the NLR Immigration section.

Don’t be Content with Subpar Content: Five Content Marketing Best Practices

In the past, we have outlined eMarketing best practicesintegrating your eMarketing system with other marketing technology, and even discussed using artificial intelligence in your email marketing strategy. However, if you’ve got all the elements in place and your email marketing metrics are still disappointing, what else can you improve? Well, let’s address the 10,000-pound elephant in the room – your content.

For many law firms, content is typically written by lawyers. This can be a challenge because lawyers by trade, are legal writers – favoring a particular writing style that often is not favorable for eMarketing purposes. This leaves the marketing department to attempt to shape the content to make it as effective as possible.

So what is a marketer to do when faced with a partner who is convinced that posting 5,000 words (1,000 of which are footnotes) on the latest regulation change is the best way to communicate with clients and prospective clients? Here are five suggestions and talking points to help build consensus and buy-in for improving your firm’s publications and content marketing.

1. Best of the Bunch

Take a look at some of your firm’s recent publications by practice area. Are there one or two groups that consistently provide concise, well-written content that is not drowning in legalese? Next, it can be a good idea to look at their metrics. If their mailing list is in good shape, they should also have some of the best open and click-through rates at the firm.

These are the folks to hold up as examples of how to correctly write marketing content. Anyone who has been a marketer in a professional service firm knows that capitalizing on the competitive nature of professionals can be a powerful tool for changing behavior. If you can find one or two practices with superior metrics and can tie it to their content, then you have something to hold up as an example to the rest of the firm.

2. Train ’em Young

Today, associates have grown up with unparalleled access to the internet, email, Twitter (now X) and LinkedIn, so they get it. Firms should capitalize on the technology-savvy and sponge-like nature of the younger members and utilize them by creating content that resonates with their clients. They will likely already understand the importance of concise messaging as the key to effective communication.

3. Break Down Their Mailing Metrics

Lawyers tend to write for other lawyers. As marketers, we need them to write for people from all walks of life. Remember, many CEOs probably don’t have a JD. A quick analysis of their mailing lists may help persuade them that they are not just sending to other lawyers. It is important for lawyers who write to understand that well-written and relevant pieces are often the ones that are most likely to be circulated throughout companies.

Human resources and marketing, for example, are the two departments that are often the ‘beneficiaries’ of law firm alerts. Writing in heavy legalese can be counterproductive for these groups. For attorneys who are still hesitant to alter their writing style, remind them that lawyers also read newspapers, magazines, and even novels. Some of the most important and complex issues of our time, involving matters such as foreign policy, terrorism, taxes, the economy, and healthcare, are communicated every day in these publications—without the use of footnotes.

4. First Is Not Always Best

While it is important your clients know your firm is on top of recent developments, simply sending out a regurgitation of the new regulation doesn’t necessarily convey that your firm understands the impact of the law on the client’s business. Yes, you want your email on the topic to be among the first received, but there’s more to it. You need to demonstrate an understanding of the implications of the law by addressing questions like, “What does this mean for me? Do I need to be concerned? What can I do to prepare or minimize the risk for the company?”

Both speed and depth are important when it comes to content marketing. Get the alert out quickly and explain why it is important to your readers. Later, your lawyers can write a longer, in-depth piece for an outside publication which can also be forwarded to their mailing list.

5. Size Matters

65% of digital media consumption occurs on mobile devices. No one, including your own lawyers, would be inclined to read a 3,000-word piece on their iPhones, no matter how much time they have. The fact is, today’s professionals use their phones to consume quick-hit content – get in, get the jist, and get out, onto the next. This means we need to meet them where they are and produce similarly easy-to-digest content.

An excellent way to help dissuade your lawyers from writing lengthy, dense alerts, is to appeal to their billable hour. Long pieces take longer to write – when a piece half the size will not only take them half the time but ultimately increase readership by twice as much.

© Copyright 2024 CLIENTSFirst Consulting
by: Christina R. Fritsch JD of CLIENTSFirst Consulting
For more news on Content Marketing for Law Firms, visit the NLR Law Office Management section.

FTC Announces 2024 Thresholds for Merger Control Filings under HSR Act and Interlocking Directorates under the Clayton Act

The Federal Trade Commission (“FTC”) has increased the dollar jurisdictional thresholds necessary to trigger the reporting requirements of the Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended (“HSR Act”), and the dollar value of each of the six filing fee thresholds; the revised thresholds will become effective 30 days after the date of publication in the Federal Register. The daily maximum civil penalty for being in violation of the HSR Act has increased, and is, as of January 10, 2024, $51,744.

The FTC also increased the thresholds for interlocking directorates under Section 8 of the Clayton Act; these revised thresholds are in effect as of January 22, 2024.

Revised HSR Thresholds

Under the HSR Act, parties involved in proposed mergers, acquisitions of voting securities, unincorporated interests or assets, or other business combinations (e.g., joint ventures, exclusive license deals) that meet certain thresholds must report the proposed transaction to the FTC and the Antitrust Division of the U.S. Department of Justice (“DOJ”) unless an exemption applies. The parties to a proposed transaction that requires notification under the HSR Act must observe a statutorily prescribed waiting period (generally 30 days) before closing. Under the revised thresholds, transactions valued at $119.5 million or less are not reportable under the HSR Act.

A transaction closing on or after the date the revised thresholds become effective may be reportable if it meets the following revised criteria:

Size-of-Transaction Test The acquiring person will hold, as a result of the transaction, an aggregate total amount of voting securities, unincorporated interests, or assets of the acquired person valued in excess of $478 million;

or

The acquiring person will hold, as a result of the transaction, an aggregate total amount of voting securities, unincorporated interests, or assets of the acquired person valued in excess of $119.5 million but not more than $478 millionand the Size-of-Person thresholds below are met.
Size-of-Person
Test		 One party (including the party’s ultimate parent entity and its controlled subsidiaries) has at least $239 million in total assets or annual sales, and the other has at least $23.9 million in total assets or annual sales.

The full list of the revised thresholds is as follows:

Original Threshold 2023 Threshold 2024 Revised Threshold
$10 million $22.3 million $23.9 million
$50 million $111.4 million $119.5 million
$100 million $222.7 million $239 million
$110 million $245 million $262.9 million
$200 million $445.5 million $478 million
$500 million $1,113.7 million $1,195 million
$1 billion $2,227.4 million $2,390 million

The filing fees for reportable transactions and the six filing fee tiers also have been updated, as follows:

Filing Fee Size of Transaction under the Act
$30,000 For transactions valued in excess of $119.5 million but less than $173.3 million
$105,000 For transactions valued at $173.3 million or greater but less than $536.5 million
$260,000 For transactions valued at $536.5 million or greater but less than $1,073 million
$415,000 For transactions valued at $1,073 million or greater but less than $2,146 million
$830,000 For transactions valued at $2,146 million or greater but less than $5,365 million
$2.335 million For transactions valued at $5,365 million or more

The filing fee tiers, introduced in 2023, are adjusted annually to reflect changes in the GNP for the previous year.

The HSR Act’s dollar thresholds are only part of the analysis to determine whether a particular transaction must be reported to the FTC and DOJ; a full analysis requires consideration of exemptions to the filing requirements that may be available to an acquiror. Failure to notify the FTC and DOJ under the HSR Act remains subject to a statutory penalty of up to $51,744 per day of noncompliance.

Revised Thresholds for Interlocking Directorates

Section 8 of the Clayton Act prohibits one person from simultaneously serving as an officer or director of two corporations if: (1) each of the “interlocked” corporations has combined capital, surplus, and undivided profits of more than $48,559,000 (up from $45,257,000); (2) each corporation is engaged in whole or in part in commerce; and (3) the corporations are “by virtue of their business and location of operation, competitors, so that the elimination of competition by agreement between them would constitute a violation of any of the antitrust laws.”1

Section 8 provides several exemptions from the prohibition on interlocks for arrangements where the competitive overlaps “are too small to have competitive significance in the vast majority of situations.”2 A corporate interlock does not violate the statute if (1) the competitive sales of either corporation are less than $4,855,900 (up from $4,525,700); (2) the competitive sales of either corporation are less than 2 percent of that corporation’s total sales; or (3) the competitive sales of each corporation are less than 4 percent of that corporation’s total sales. The DOJ has been active recently in identifying and achieving remediation of interlocks that may violate Section 8.3

1 15 U.S.C. § 19(a)(1)(B).

2 S. Rep. No. 101-286, at 5-6 (1990), reprinted in 1990 U.S.C.C.A.N. 4100, 4103-04.

3 Department of Justice, Two Pinterest Directors Resign from Nextdoor Board of Directors in Response to Justice Department’s Ongoing Enforcement Efforts Against Interlocking Directorates (Aug. 16, 2023); Department of Justice, Justice Department’s Ongoing Section 8 Enforcement Prevents More Potentially Illegal Interlocking Directorates (Mar. 9, 2023); Department of Justice, Directors Resign from the Boards of Five Companies in Response to Justice Department Concerns about Potentially Illegal Interlocking Directorates (Oct. 19, 2022).

© Copyright 2024 Cadwalader, Wickersham & Taft LLP
For more on Merger Control Filings, visit the NLR Antitrust & Trade Regulation section.

Multistate Coalition Supports EPA’s Proposed Revisions to the Safer Choice Standard

As reported in our December 5, 2023, memorandum, the U.S. Environmental Protection Agency (EPA) proposed updates to the Safer Choice Standard on November 14, 2023, that include a name change to the Safer Choice and Design for the Environment (DfE) Standard (Standard), an update to the packaging criteria, the addition of a Safer Choice certification for cleaning service providers, a provision allowing for preterm partnership termination under exceptional circumstances, and the addition of several product and functional use class requirements. 88 Fed. Reg. 78017. On January 16, 2024, California Attorney General Rob Bonta announced that, alongside a coalition of 12 attorneys general, he submitted a comment letter that:

  • Supports EPA’s proposed revisions to its Safer Choice Standard;
  • Recommends that EPA not allow products with plastic primary packaging to use the Safer Choice label or DfE logo;
  • Recommends that if EPA does allow products with plastic primary packaging to use the label and logo, EPA should prohibit the use of chemical recycling in meeting the proposed standard’s plastic packaging recycled content requirements; and
  • Calls on EPA to exclude any products or packaging that contain any per- and polyfluoroalkyl substances (PFAS), “whether intentionally introduced or not.”
©2024 Bergeson & Campbell, P.C.
For more news on EPA’s Safer Choice Standard, visit the NLR Environmental, Energy & Resources section.

Huawei U.S. Patent Grants Drop 24% in 2023; BOE Drops Out of the Top 10

Accordingly to analysis by Harrity Patent AnalyticsHuawei ranked 10th for US patent grants in 2023, down 3 spots from 2022 with a 24% drop in patent grants. BOE Technology Group Co., Ltd. dropped even further to 19th down from 8th in 2022. BOE had a 38% drop in granted US patents. Tencent was 54th this year with an 11% drop in patent grants. Oppo was down 32%. Baidu was up only 1%. Xiaomi was down 7% and didn’t make the top 100 in 2023. Alibaba was down 49%. In contrast, US companies advanced with Qualcomm patent grants up 46%, Alphabet (Google) up 23% and Apple up 11%.

The drop in Chinese patent grants reverse the trend of growing US patent grants for Chinese companies. Huawei’s patents grants in 2022 were up 3%, BOE up 27%, Baidu up 43% and Xiaomi up 33%.

Possible reasons for the drop in grants to Chinese entities may include a poorly performing Chinese economy, the reduction and elimination of government subsidies for foreign patent grants, the impact of COVID-19 on patent application filings the past few years; and geopolitical tensions.

Top 10 Chinese Grantees of U.S. Patents in 2023

Rank Company 2023 Patents % Change from 2022
10 HUAWEI TECHNOLOGIES CO., LTD. 2290 -24%
19 BOE TECHNOLOGY GROUP CO., LTD 1695 -38%
54 TENCENT HOLDINGS LTD 702 -11%
67 BAIDU, INC. 626 +1%
77 LENOVO GROUP LIMITED 530 -16%
84 OPPO MOBILE TELECOMMUNICATIONS CORPORATION 516 -32%
101 XIAOMI INC. 461 -7%
115 TSINGHUA HOLDINGS 372 -3%
121 ZTE CORPORATION 351 -14%
122 BYTEDANCE LTD. 350 +119%

Source: https://harrityllp.com/patent300/

© 2024 Schwegman, Lundberg & Woessner, P.A. All Rights Reserved.
For more news on Granted US Patents, visit the NLR Intellectual Property section.

New Diligence Opportunity for Financial Institutions

On Jan. 1, 2024, the Corporate Transparency Act (“CTA”) took effect. As a result, all business entities, unless expressly exempt by the CTA, must file Reports of Beneficial Ownership Information (“BOI”) with the Financial Crimes Enforcement Network (“FinCEN”), a unit of the U.S. Treasury. Under the CTA, “financial institutions,” i.e., banks and other entities that provide financings and are subject to the “Know Your Customer” and “Customer Due Diligence” regulations of FinCEN pursuant to the Bank Secrecy Act, the USA Patriot Act, and the Anti-Money Laundering Act of 2020, may access the BOI on reports filed with FinCEN.

To gain access to the BOI, the financial institution MUST:

  1. Obtain the written consent of the customer, i.e., the borrower, guarantor, or other loan party, in connection with the diligence process required before entering a business relationship with the customer, or as part of the continuing diligence required in an existing relationship. Accordingly, forms used by the financial institution to open or to continue an existing business relationship must include a clear and conspicuous provision in which the customer gives consent. This will probably require a complete review and revision of those forms;
  2. Determine that obtaining access to the BOI is reasonably necessary for the financial institution to meet its diligence obligations. That determination should be spelled out in the written request to FinCEN for access; and
  3. Acknowledge the scope of confidentiality obligations with respect to the BOI obtained, including the limited use permitted of the information, as well as safeguarding that accessed BOI from misuse.

Financial institutions should be prepared to request access to BOI as a matter of course. In any case where a customer engages in violative activity, and the BOI would have alerted the financial institution to possible risks, that institution could be exposed to sanctions by its principal prudential regulator and/or by other law enforcement agencies.

©2024 Norris McLaughlin P.A., All Rights Reserved
For more news on Financial Institutions Gaining Access to BOIs, visit the NLR Financial Institutions & Banking section.

2023 Cybersecurity Year In Review

2023 was another busy year in the realm of data event and cybersecurity litigations, with several noteworthy developments in the realm of disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into the 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021. At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events. On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information. Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event).

JPML Creates Several Notable Cybersecurity MDLs

In 2023 the Judicial Panel on Multidistrict Litigation (“JPML”) transferred and centralized several data event and cybersecurity putative class actions. This was a departure from prior years in which the JPML often declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event. By way of example, following the largest data breach of 2023—the MOVEit hack affecting at least 55 million people—the JPML ordered that dozens of class actions regarding MOVEit software be consolidated for pretrial proceedings in the District of Massachusetts. Other data event litigations similarly received the MDL treatment in 2023, including litigations against SamsungOverby-Seawell Company, and T‑Mobile.

Significant Class Certification Rulings

Speaking of the development of precedent, 2023 had two notable decisions addressing class certification. While they arose in the cybersecurity context, these cases have broader applicability in other putative class actions. Following a remand from the Fourth Circuit, a judge in Maryland (in a MDL) re-ordered the certification of eight classes of consumers affected by a data breach suffered by Mariott. See In Re: Marriott International, Inc., Customer Data Security Breach Litigation,No. 8:19-md-02879, 2023 WL 8247865 (D. Md. Nov. 29, 2023). As explained here on PW, the court held that a class action waiver provision in consumers’ contracts did not require decertification because (1) Marriott waived the provision by requesting consolidation of cases in an MDL outside of the contract’s chosen venue, (2) the class action waiver was unconscionable and unenforceable, and (3) contractual provisions cannot override a court’s authority to certify a class under Rule 23.

The second notable decision came out of the Eleventh Circuit, where the Court of Appeals vacated a district court’s certification of a nationwide class of restaurant customers in a data event litigation. See Green-Cooper v. Brinker Int’l, Inc., No. 21-13146, 73 F. 4th 883 (11th Cir. July 11, 2023). In a 2-1 decision, a majority of the Court held that only one of the three named plaintiffs had standing under Article III of the U.S. Constitution, and remanded to the district court to reassess whether the putative class satisfied procedural requirements for a class. The two plaintiffs without standing dined at one of the defendant’s restaurants either before or after the time period that the restaurant was impacted by the data event, which the Fourth Circuit held to mean that any injury the plaintiffs suffered could not be traced back to defendant.

Standing Challenges Persist for Plaintiffs in Data Event and Cybersecurity Litigations

Since the Supreme Court’s TransUnion decision in 2021, plaintiffs in data breach cases have continued to face challenges getting into or staying in federal court, and opinions like Brinker reiterate that Article III standing issues are relevant at every stage in litigation, including class certification. See, also, e.g.Holmes v. Elephant Ins. Co., No. 3:22-cv-00487, 2023 WL 4183380 (E.D. Va. June 26, 2023) (dismissing class action complaint alleging injuries from data breach for lack of standing). Looking ahead to 2024, it is possible that more data litigation plays out in state court rather than federal court—particularly in the Eleventh Circuit but also elsewhere—as a result.

Cases Continue to Reach Efficient Pre-Trial Resolution

Finally in the dispute realm, several large cybersecurity litigations reached pre-trial resolutions in 2023. The second-largest data event settlement ever—T-Mobile’s $350 million settlement fund with $150 million in data spend—received final approval from the trial court. And software company Blackbaud settled claims relating to a 2020 ransomware incident with 49 states Attorneys General and the District of Columbia to the tune of $49.5 million. Before the settlement, Blackbaud was hit earlier in the year with a $3 million fine from the Securities and Exchange Commission. The twin payouts by Blackbaud are cautionary reminders that litigation and regulatory enforcement on cyber incidents often go-hand-in-hand, with multifaceted risks in the wake of a data event.

FTC and Cybersecurity

Regulators were active on the cybersecurity front in 2023, as well. Following shortly after a policy statement by the Health and Human Resources Office of Civil Rights policy Bulletin on use of trackers in compliance with HIPAA, the FTC announced settlement of enforcement actions against GoodRxPremom, and BetterHelp for sharing health data via tracking technologies with third parties resulting in a breach of Personal Health Records under the Health Breach Notification Rule. The FTC also settled enforcement actions against Chegg and Drizly for inadequate cybersecurity practices which led to data breaches. In both cases, the FTC faulted the companies for failure to implement appropriate cybersecurity policies and procedures, access controls, and securely store access credentials for company databases (among other issues).

Notably, in Drizly matter, the FTC continued ta trend of holding corporate executives responsible individually for his failure to implement “or properly delegate responsibility to implement, reasonable information security practices.” Under the consent decree, Drizly’s CEO must implement a security program (either at Drizly or any company to which he might move that processes personal information of 25,000 or more individuals and where he is a majority owner, CEO, or other senior officer with information security responsibilities).

SEC’s Focus on Cyber Continues

The SEC was also active in cybersecurity. In addition to the regulatory enforcement action against Blackbaud mentioned above, the SEC initiated an enforcement action against a software company for a cybersecurity incident disclosed in 2020. In its complaint, the SEC alleged that the company “defrauded…investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks” through its public statements regarding its cybersecurity practices and risks. Like the Drizly matter, the SEC charged a senior company executive individually—in this case, the company’s CISO—for concealing the cybersecurity deficiencies from investors. The matter is currently pending. These cases reinforce that regulators will continue to hold senior executives responsible for oversight and implementation of appropriate cybersecurity programs.

Notable Federal Regulatory Developments

Regulators were also active in issuing new regulations on the cybersecurity front in 2023. In addition to its cybersecurity regulatory enforcement actions, the FTC amended the GLBA Safeguards Rule. Under the amended Rule, non-bank financial institutions must provide notice to notify the FTC as soon as possible, and no later than 30 days after discovery, of any security breach involving the unencrypted information of 500 or more consumers.

Additionally, in March 2024, the SEC proposed revisions to Regulation S-P, Rule 10 and form SCIR, and Regulation SCI aimed at imposing new incident reporting and cybersecurity program requirements for various covered entities. You can read PW’s coverage of the proposed amendments here. In July, the SEC also finalized its long-awaited Cybersecurity Risk Management and Incident Disclosure Regulations. Under the final Regulations, public companies are obligated to report regarding material cybersecurity risks, cybersecurity risk management and governance, and board of directors’ oversight of cybersecurity risks in their annual 10-K reports. Additionally, covered entities are required to report material cybersecurity incidents within four business days of determining materiality. PW’s analysis of the final Regulations are here.

New State Cybersecurity Regulations

The New York Department of Financial Services also finalized amendments to its landmark Cybersecurity Regulations in 2023. In the amended Regulations, NYDFS creates a new category of companies subject to heightened cybersecurity standards: Class A Companies. These heightened cybersecurity standards would apply only to the largest financial institutions (i.e., entities with at least $20 million in gross annual revenues over the last 2 fiscal years, and either (1) more than 2,000 employees; or (2) over $1 billion in gross annual revenue over the last 2 fiscal years). The enhanced requirements include independent cybersecurity audits, enhanced privileged access management controls, and endpoint detection and response with centralized logging (unless otherwise approved in writing by the CISO). New cybersecurity requirements for other covered entities include annual review and approval of company cybersecurity policy by a senior officer or the senior governing body (i.e., board of directors), CISO reporting to the senior governing body, senior governing body oversight, and access controls and privilege management, among others. PW’s analysis of the amended NYDFS Cybersecurity Regulations is here.

On the state front, California Privacy Protection Agency issued draft cybersecurity assessment regulations as required by the CCPA. Under the draft regulations, if a business’s “processing of consumers’ personal information presents significant risk to consumers’ security”, that business must conduct a cybersecurity audit. If adopted as proposed, companies that process a (yet undetermined) threshold number of items of personal information, sensitive personal information, or information regarding consumers under 16, as well as companies that exceed a gross revenue threshold will be considered “high risk.” The draft regulations outline detailed criteria for evaluating businesses’ cybersecurity program and documenting the audit. The draft regulations anticipate that the audit results will be reported to the business’s board of directors or governing body and that a representative of that body will certify that the signatory has reviewed and understands the findings of the audit. If adopted, businesses will be obligated to certify compliance with the audit regulations to the CPPA. You can read PW’s analysis of the implications of the proposed regulations here.

Consistent with 2023 enforcement priorities, new regulations issued this year make clear that state and federal regulators are increasingly holding senior executives and boards of directors responsible for oversight of cybersecurity programs. With regulations explicitly requiring oversight of cybersecurity risk management, the trend toward holding individual executives responsible for egregious cybersecurity lapses is likely to continue into 2024 and beyond.

Looking Forward

2023 demonstrated “the more things change, the more they stay the same.” Cybersecurity litigation trends were a continuation the prior two years. Something to keep an eye on in 2024 remains the potential for threatened individual officer and director liability in the wake of a widespread cyberattack. While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders and regulators will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2024 should be another interesting year on the cybersecurity front. This is particularly so for data event litigations and for data developments more broadly.

© Copyright 2024 Squire Patton Boggs (US) LLP
by: Kristin L. Bryan , Shea Leitch , James Brennan of Squire Patton Boggs (US) LLP
For more news on Data Event and Cybersecurity Litigations in 2023, visit the NLR Communications, Media & Internet section.

Becoming Antitrust Aware in 2024: Top Five Recommendations for the New Year

A new year means resolutions which are often centered around self-improvement measures like weight loss, exercise plans, and other health improvement measures. Companies can also benefit from resolutions. Increasing antitrust awareness is not usually on the resolution list but here we offer some ideas for companies as they embark on a new year.

Treat antitrust as a priority in 2024.

As antitrust lawyers, our viewpoint may be biased, and we certainly appreciate that most companies already have a lengthy list of priorities for their in-house and outside legal teams. Given that all companies, regardless of their size, are subject to the antitrust laws, and given the high stakes involved (including criminal penalties and treble damages awards), antitrust certainly deserves to be on the priority list. One relatively easy way to get the ball rolling is to put fresh eyes on your company’s antitrust policy. When was the last time it was updated? What type of trainings does your company use to teach the concepts contained in the policy? The training doesn’t need to be – and shouldn’t be – boring or esoteric. Instead, trainings should be engaging and tailored to the specific antitrust risks that workgroups may face. For example, the sales team will need different antitrust training than those working on supply chain or environmental, social, and governance (ESG) initiatives. Ask your antitrust lawyer to create easy-to-follow, lively online trainings that can be viewed on demand. And if your company doesn’t have an antitrust policy, we suggest that creating one be moved to the top (or near top) of the legal department’s to-do list in 2024.

Understand the current antitrust enforcement priorities.

2024 will be a significant year for antitrust. It’s an election year, which means 2024 may be the Biden Administration’s last year to execute on plans that have been in the works since President Biden issued Executive Order 14036, “Promoting Competition in the American Economy,” in July 2021. Some of the Administration’s more dramatic plans include significant revisions to the Hart-Scott-Rodino (HSR) premerger notification process. While we don’t expect all the FTC and DOJ’s sweeping proposals to make it into the HSR final rule, we do expect some changes to be made, and they will likely mean significant additional burdens for filing parties. We also expect to see the FTC’s new rule on non-compete agreements. The FTC’s proposal would ban most non-compete agreements, and some states have already enacted their own prohibitions on non-compete agreements.

If your company engages in M&A, be aware of the new Merger Guidelines.

The newest Merger Guidelines, addressing both horizontal and vertical mergers, were unveiled in December 2023 . One of the most significant changes announced in the 2023 Merger Guidelines are the decreased levels of concentration that will trigger a rebuttable presumption of illegality. Under the new Guidelines, a market share of greater than 30% and a concentration increase of 100 points will be enough to trigger that rebuttable presumption. That is not to say the presumption is the death knell for a transaction, but it does mean that the government enforcement will be aggressive. Also be aware that the 2023 Guidelines introduce new topics, such as labor markets. Early analysis and planning will be critical, requiring involvement of skilled antitrust counsel.

Understand that application of the antitrust laws is constantly evolving.

The language of the core U.S. antitrust laws – the Sherman Act, the Clayton Act, and the FTC Act, hasn’t changed, but the application of these laws is always evolving. For example, the antitrust enforcers and private plaintiffs are increasingly focused on labor issues, such as “no poach” agreements and wage fixing. Antitrust enforcers are also focused on private equity, as evidenced by the FTC’s recent lawsuit against Welsh, Carson, Anderson, and Stowe and some of the changes contained in the proposed revisions to the HSR Rules. Technology is also a significant factor that provokes interesting questions that don’t have answers, at least not currently. For example, do pricing algorithms lead to price fixing? How will antitrust enforcers deal with artificial intelligence?

Pay attention to state antitrust enforcers.

The federal regulators at the Department of Justice and Federal Trade Commission may get most of the attention, but we must never forget that states have their own antitrust laws and their own antitrust enforcers, who have the power to investigate and bring legal action. Often, the state regulators work collaboratively with their federal counterparts, but the state regulators are free to go their own way, such as those targeting various ESG initiatives. Also bear in mind that states are increasingly blazing new trails, such as bans on non-competes. Thirteen states have also enacted “mini” HSR premerger notification statutes for health care deals. It’s always prudent to check the laws of the state or states where business is conducted to determine if there are any state-specific antitrust considerations.

Copyright ©2024 Nelson Mullins Riley & Scarborough LLP
For more Antitrust Awareness News, visit the NLR Antitrust & Trade Regulation section.

Corporate Transparency Act Requires Disclosure of Information Regarding Beneficial Owners to FinCEN

The new year brings the most expansive disclosure requirements for U.S. business entities since the Depression. Starting January 1, 2024, U.S. companies and foreign companies operating in the United States will be required to report their beneficial owners and principal officers to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) pursuant to the Corporate Transparency Act (CTA) adopted as part of the 2021 National Defense Authorization Act, unless subject to specific exemptions.

Who Is Required to Report?
The CTA’s filing requirements (31 CFR 1010.380(c)(1)) apply to both domestic reporting companies and foreign reporting companies.

  • Domestic reporting companies are corporations, limited liability companies and any other entity registered to do business in any state or tribal jurisdiction by the filing of a document with the secretary of state or similar official.
  • Foreign reporting companies are business entities formed under the law of a foreign country that are registered to do business in any state or tribal jurisdiction by the filing of a document with the secretary of state or similar official

The CTA provides 23 categories of exemption. The following types of entities are not required to file reports with FinCEN:

  • Large Operating Companies
    This exemption applies to entities that (1) have 20 people or more full time employees in the United States, (2) have gross revenue (or sales) in excess of $5 million on their prior year’s tax return and (3) have a physical office in the United States.
  • Securities Reporting Issuers
  • Governmental Authorities
  • Banks
  • Credit Unions
  • Depository Institution Holding Companies
  • Money Services Businesses
  • Brokers and Dealers in Securities
  • Securities Exchanges and Clearing Agencies
  • Other Exchange Act Registered Entities
  • Investment Companies and Investment Advisers
  • Venture Capital Fund Advisers
  • Insurance Companies
  • State-Licensed Insurance Producers
  • Commodity Exchange Act Registered Entities
  • Accounting Firms
  • Public Utilities
  • Financial Market Utilities
  • Pooled Investment Vehicles
  • Tax-Exempt Entities
  • Entities Assisting a Tax-Exempt Entity
  • Subsidiaries of Certain Exempt Entities
  • Inactive Entities

It is worth noting that the definition of reporting companies is not limited to corporations and limited liability companies. Limited partnerships, professional service entities and other entities may qualify as reporting companies and, if so, are required to comply with the CTA’s reporting requirements.

How Does a Company Comply?
FinCEN requires affected companies to file beneficial ownership information reports (BOI Reports) using an electronic filing system. See the BOI E-Filing System.

What Information Should Be Reported?
Reporting companies must identify beneficial owners in their BOI Reports.

Beneficial owners are defined as individuals who directly or indirectly (1) exercise substantial control over a reporting company or (2) own or control at least 25 percent of ownership interests of a reporting company. Ownership interests covered by the CTA may include profits interests, convertible instruments, options and contractual arrangements as well as equity securities. In addition, owners who hold their ownership interests jointly or through a trust, agent or other intermediary are also required to be identified – although minors are generally exempted from reporting obligations.

Senior officers (typically, the president, CEO, CFO, COO and officers who perform similar functions); individuals with the ability to appoint senior officers or a majority of the board of directors or a similar body; and anyone else who directs, determines or has substantial input to other important decisions of a reporting company also need to be identified in BOI Reports as individuals exercising substantial control over reporting companies.

Reporting companies created on or after January 1, 2024, also must identify “company applicants” in their BOI Reports. Company applicants are the individuals who filed the documents creating the reporting company and individuals primarily responsible for directing or controlling the filing of documents creating a reporting company.

BOI Reports must contain the following information regarding the reporting company:

  • Legal name
  • Any trade name or d/b/a name
  • Address of the company’s principal place of business in the United States
  • Jurisdiction of formation
  • Taxpayer Identification Number.

BOI Reports must contain the following information regarding each beneficial owner and company applicant:

  • Full legal name
  • Date of birth
  • Current address
  • Copy of a passport, driver’s license or other identification document.

Every person who files a BOI Report must certify the information contained is true, correct and complete.

Information contained in BOI Reports will not be available to the public. However, FinCEN is authorized to disclose such information to:

  • U.S. federal agencies engaged in national security, intelligence or law enforcement activity
  • With court approval, to certain other state or local law enforcement agencies
  • Non-U.S. law enforcement agencies at the request of a U.S. federal law enforcement agency, prosecutor or judge
  • With the consent of the reporting company, financial institutions and their regulators
  • Federal regulators in assessing financial institutions compliance with customer due diligence requirements
  • The U.S. Department of the Treasury for purposes including tax administration.

Is There a Fee?
No fee is required in connection with filing of BOI Reports.

When Do Companies Need to File?
U.S. and foreign reporting companies that were formed or registered to do business in the United States prior to January 1, 2024, must file their initial BOI Reports no later than January 1, 2025. U.S. and foreign reporting companies formed on or after January 1, 2024, must file their initial BOI Reports within 90 days of receipt of notice of formation.

Reporting companies are required to file updated reports with FinCEN within 30 days of occurrence of a change in any of the information contained in their BOI Reports.

What If There Are Changes or Inaccuracies in the Reported Information?
Inaccuracies in BOI Reports must be corrected within 30 days of the date a reporting company becomes aware of or had reason to know of such inaccuracy. FinCEN has indicated that there will be no penalties for filing inaccurate BOI Reports if such reports are corrected within 90 days of their filing.

What If a Company Fails to File?
The willful failure to report the information required by the CTA or filing fraudulent information under the CTA may result in civil or criminal penalties, including penalties of up to $500 per day as long as a violation continues, imprisonment for up to two years and a fine of up to $10,000. Senior officers of an entity that fails to file a required report may be held accountable for such failure.

If you have questions regarding the provisions of the CTA or its applicability to your company, you may go to the FinCEN website.

© 2024 Wilson Elser
For more on the Corporate Transparency Act, visit the NLR Corporate & Business Organizations section.

Updated Merger Guidelines Finalized

On December 18, 2023, the Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) jointly issued a significantly revised version of the Merger Guidelines that describes the frameworks the enforcement agencies use when evaluating potential mergers.

The newly finalized Merger Guidelines are the result of a nearly two-year effort that involved both agencies soliciting public input via listening sessions, written comments, and workshops.

The agencies describe the new Merger Guidelines as necessary to address the modern economy and how firms now do business. The Merger Guidelines are broken into multiple sections: Guidelines 1–6 describe the frameworks the agencies use when attempting to identify a merger that the agencies believe raises a prima facie concern, while Guidelines 7–11 explain how to apply those frameworks in specific settings. The guidelines also identify evidence the agencies will consider to potentially rebut an inference of competitive harm. Finally, these guidelines include a discussion of the tools the agencies use when evaluating the relevant facts, the potential harm to competition, and how to define the relevant markets.

The Merger Guidelines are notable for signaling the FTC’s and DOJ’s desire to pursue a more aggressive enforcement agenda, specifically, by lowering the threshold at which proposed mergers will be deemed presumptively anticompetitive by those enforcement agencies. The new guidelines also seek to address relatively new concerns the agencies have identified, such as cross-market transactions and sequences of smaller transactions.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Merger Guidelines, visit the NLR Antitrust & Trade Regulation section.