Texas Appeals Court Rules Private Communications with Customers Not Protected Free Speech

In a case addressing the applicability of free speech as a defense to trade secret misappropriation, the Court of Appeals for the Fifth District of Texas retracted its previous ruling, holding that communications with customers and suppliers did not involve a matter of public concern and were therefore not an exercise of free speech. Goldberg, et al. v. EMR (USA Holdings) Inc., et al., Case No. 05-18-00261-CV (Tex. App. Jan. 23, 2020) (Myers, J).

The case concerns allegations of trade secret misappropriation brought by EMR (USA Holdings) (EMR), against Kenneth Goldberg, his company Geomet Recycling (Geomet), and several Geomet employees who, like Goldberg, formerly worked for EMR. EMR and Geomet are both involved in the business of scrap metal recycling. EMR alleged that Goldberg, Geomet and the former EMR employees (collectively, “Defendants”) violated the Texas Uniform Trade Secrets Act (TUTSA), breached fiduciary duties and tortiously interfered with contracts by, among other things, using EMR’s trade secrets and confidential and proprietary information to contact purchasers and suppliers.

Defendants moved to dismiss all claims under the Texas Citizen’s Participation Act (TCPA), claiming that their contacts with purchasers and suppliers were protected free speech involving a matter of public concern. The TCPA allows litigants to seek early dismissal of a lawsuit if they prove by a preponderance of the evidence that the legal action is based on, or is in response to, a party’s exercise of the right of free speech.

The TCPA defines “exercise of the right of free speech” as “a communication made in connection with a matter of public concern.” The statute states that a “‘[m]atter of public concern’ includes an issue related to: (A) health or safety; (B) environmental, economic, or community well-being; . . . or (E) a good, product, or service in the marketplace.” Id. § 27.001(7). Additionally, under the “commercial-speech exemption,” the TCPA does not apply to a legal action brought against a person engaged in the business of selling goods or services if the conduct arises out of a commercial transaction in which the intended audience is an actual or potential buyer or customer.

After the trial court denied Defendants’ motion to dismiss without providing any reasoning, Defendants appealed.

On August 22, 2019, the Court of Appeals for the Fifth District of Texas affirmed the trial court’s decision. The Court held that the commercial-speech exemption to the TCPA applied to the Defendants’ communications with purchasers and suppliers. However, the Court also found that these communications concerned “an issue related to . . . a good, product, or service in the marketplace” and therefore involved a matter of public concern under the TCPA.

Both sides asked for rehearing. In its new ruling, the Court of Appeals reversed course and found that Defendants’ communications with purchasers and suppliers did not involve matters of public concern. Defendants argued that the business of recycling scrap metal relates to environmental, economic and community well-being, which are considered matters of public concern under the TCPA. The Court rejected this argument, noting that while scrap metal recycling may indeed relate to matters of public concern, the communications at issue “were private communications regarding private commercial transactions for the purchase and sale of a commodity.” The Court held that, because the communications themselves did not implicate matters of public concern, they were not subject to the TCPA.

Practice Note:

The new ruling significantly restricts the application of the TCPA. The holding indicates that the TCPA cannot shield defendants from trade secret claims based on communications between the defendant and potential customers or suppliers that solely relate to the purchase or sale of a commodity—even if the commodity at issue might arguably relate to matters of public concern.


© 2020 McDermott Will & Emery


D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

On January 23, 2020, the D.C. District Court narrowed an individual’s right to request that HIPAA covered entities furnish the individual’s own protected health information (“PHI”) to a third party at the individual’s request, and removed the cap on the fee covered entities may charge to transmit that PHI to a third party.

Specifically, the Court stated that individuals may direct PHI to such third parties only in an electronic format, and that HIPAA covered entities, and their business associates, are not bound by the reasonable, cost-based fee limitation for PHI directed to third parties.

The HIPAA Privacy Rule grants individuals rights to access their PHI in a designated record set, and it specifies the data formats and permissible fees that HIPAA covered entities (and their business associates) may charge for such production. See 45 C.F.R. § 164.524. When individuals request copies of their own PHI, the Privacy Rule permits a HIPAA covered entity (or its business associate) to charge a reasonable, cost-based fee that excludes, for example, search and retrieval costs. See 45 C.F.R. § 164.524(c)(4). But, when an individual requests that his or her own PHI be sent to a third party, both the required format of that data (electronic or otherwise) and the fees that a covered entity may charge for that service have been the subject of additional OCR guidance over the years—guidance that the D.C. District Court has now, in part, vacated.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) set a statutory cap on the fee that a covered entity may charge an individual for delivering records in an electronic form. 42 U.S.C. § 17935(e)(3). Then, in the 2013 Omnibus Rule, developed pursuant to Administrative Procedure Act rulemaking, the Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) implemented the HITECH Act statutory fee cap in two ways. First, OCR determined that the fee cap applied regardless of the format of the PHI—electronic or otherwise. Second, OCR stated the fee cap also applied if the individual requested that a third party receive the PHI. 78 Fed. Reg. 5566, 5631 (Jan. 25, 2013). Finally, in its 2016 Guidance document on individual access rights, OCR provided additional information regarding these provisions of the HIPAA Privacy Rule. OCR’s FAQ on this topic is available here.

The D.C. District Court struck down OCR’s 2013 and 2016 implementation of the HITECH Act, in part. Specifically, OCR’s 2013 HIPAA Omnibus Final Rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress. That statute requires only that covered entities, upon an individual’s request, transmit PHI to a third party in electronic form. Additionally, OCR’s broadening of the fee limitation under 45 C.F.R. § 164.524(c)(4) in the 2016 Guidance document titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. Sec. 164.524” violates the APA, because HHS did not follow the requisite notice and comment procedure. Ciox Health, LLC v. Azar, et al., No. 18-cv0040 (D.D.C. January 23, 2020).

All other requirements for patient access remain the same, including required time frames for the provision of access to individuals, and to third parties designated by such individuals. It remains to be seen, however, how HHS will move forward after these developments from a litigation perspective and how this decision will affect other HHS priorities, such as interoperability and information blocking.


© Polsinelli PC, Polsinelli LLP in California


Love at Work: 5 Things for Employers to Know

Workplace romances are inevitable. According to a recent survey by the Society for Human Resource Management, one out of every three American adults is or has previously been in a workplace romance. Given this reality, coupled with the #MeToo movement and the resulting renewed emphasis on preventing workplace sexual harassment, it is important to have a basic understanding of the key practical and legal issues surrounding workplace relationships. Below are answers to five common questions.

1. Is workplace romance unlawful?

No. Title VII of the Civil Rights Act of 1964 is the primary federal law governing sexual harassment in the workplace. Two coworkers having a consensual romantic relationship does not, by itself, violate Title VII. Legal and/or employee relations issues can arise, for example, when romantic relationships involve supervisors and subordinates, when a romance “goes bad,” when there are concerns with favoritism, or when two coworkers bring their romance into the workplace in a way that makes others uncomfortable.

2. When does a workplace romance cross the line?

It is impossible to identify all behaviors that may violate Title VII. Fundamentally, the statute prevents harassment because of a person’s sex. According to the Equal Employment Opportunity Commission (EEOC), “[u]nwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature constitute sexual harassment when this conduct explicitly or implicitly affects an individual’s employment, unreasonably interferes with an individual’s work performance, or creates an intimidating, hostile, or offensive work environment.”

Harassment can include offensive remarks or physical behavior. While Title VII does not generally prevent teasing, offhand comments, or other isolated incidents, such behavior can rise to the level of harassment if it is so frequent or severe that it creates a hostile work environment. The harasser can be a supervisor, an agent of an employer, a coworker, or even a nonemployee. The victim of sexual harassment can be anyone affected by the offensive conduct.

3. Aren’t some workplace relationships beneficial?

Yes. Research has shown that, generally, employees who form genuine relationships with their coworkers and supervisors are happier and more engaged at work, and less likely to leave for another company. Many employers encourage connections between supervisors and subordinates to improve workplace culture. The concept of a “work spouse,” referring to a coworker with whom an employee has a close personal relationship, is increasingly common given the amount of time many employees spend in the workplace. Studies suggest that this kind of tight bond can increase employee motivation, productivity, and retention. Workplace relationships can, however, become the source of legal or practical woes if boundaries are crossed.

4. What can employers do?

Most employers have sexual harassment policies outlining their expectations regarding behavior in the workplace. Employers may also want to provide regular training relating to those policies—in some states, such as California, Connecticut, Illinois, and New York, such training is required. In addition, given the risks relating to workplace romance, employers may also want to consider implementing policies outlining employee conduct expectations related to romantic relationships with coworkers or even third parties, such as vendor employees. There are a variety of permutations to such policies, and some employers prohibit romantic relationships altogether. Others prohibit only romantic relationships between employees and their supervisors. Sometimes, such policies identify the situations in which romantic relationships are permitted (e.g., employees working in different departments) or the potential consequences of romantic relationships (e.g., an employee’s being transferred or having his or her employment terminated).

5. What is a “love contract”?

With a workplace romance, particularly one involving a supervisor and subordinate, there is some risk that an employee may allege that a relationship was involuntary. To mitigate that risk, some employers require employees to disclose any workplace romance and enter into a consensual relationship agreement, commonly called a “love contract.” A love contract is a written acknowledgment signed by both employees involved in a relationship confirming the voluntary and mutual nature of the relationship. Generally, a love contract states that both employees have received, read, and understood the company’s anti-harassment policy and that the relationship does not violate the policy. Love contracts can be perceived negatively by employees, so it is prudent to carefully consider their pros and cons.


© 2020, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.


Attorney Wellness and Mindfulness Part 1: Why is Mindfulness a Benefit to Attorneys and others in the Legal Industry?

Attorney wellness and a focus on all aspects of employee well-being, including mental health, have become an important issue in today’s workplace environment. Law firms, and the legal industry in general, with its competitive reputation, expectation of heavy workloads and high-stakes environment, are beginning to embrace wellness practices as an antidote to the chronic stress often faced by attorneys and other individuals who work in law firms.

The problem is so widespread that in 2017, the ABA House of Delegates approved Resolution 106, which amended the ABA Model Rule for Minimum Continuing Legal Education (CLE) to include a requirement for lawyers to receive at least one hour of mental health or substance abuse CLE credit every three years. CLE courses on mental and physical health issues, as well as substance abuse, are mandatory in several states, such as Illinois and Florida, or count towards professional responsibility credits in numerous other states.

Elena Rand, JD, MSW and Chief Marketing Officer of Wiggin and Dana, has been working on this issue for years, drawing on her experience as a litigator and a legal executive coach, along with her Master’s degree in Clinical Social Work, to help those in the legal industry understand chronic stress, how it impacts the body, and how mindfulness, even at a basic level, can help improve performance and well-being.

Elena Rand and Eilene Spear of the National Law Review will be hosting a panel at the Momentum Events Employee Wellness Event for Legal and Professional Services Providers at the Riverside Hotel in Fort Lauderdale on February 27-28, and in preparation for that presentation they sat down and discussed some aspects of mindfulness, identified some barriers to its practice and outlined the need in the legal industry.

I know you have formal training in Clinical Social Work and have dedicated much of your professional life to workplace health and wellness issues. Can you take a minute or two and address your background and why wellness at the workplace, specifically in the legal industry, is an issue that you care about?

Attorney wellness, and wellness in the legal community in general, is something that has been sort of a mission and a passion of mine probably for the last 15, maybe even 20 years. It really came to the forefront of my attention when I was working as a legal executive coach. I was doing coaching for a large law firm, really focused on working with attorneys to improve their leadership and business development and networking skills and taking high-performers to the next level. What I invariably discovered is that there is an underbelly of crisis and struggling for many of these enormously successful, high achieving, high performing go-getting attorneys. I found that attorneys were struggling both in terms of managing their baseline day to day life to extreme mental health issues and addiction. That kind of came to full bloom and grabbed my attention.

As a legal executive coach working with high-performing attorneys, I was sort of a first responder in many ways for a lot of the wellness and mental health crises that were being buried for many, many years. Before we could even get to how to focus on getting you to the partnership level, and how do we focus on doubling your book of business, attorneys were coming to me on their own saying, “I don’t think I can take another moment of this,” or “if I add one more thing to my day, you know, I’m going to, I’m going to really lose it.”

I started to see that this was an issue that kept popping up and presenting itself, so I went back to grad school and earned a master’s in clinical social work. I wanted to have a real behavioral toolbox so that I could understand human behavior, understand the spectrum of wellness and the lack of wellness, and really be able to service the legal community in that way.

Additionally, wellness has been a lifelong personal struggle and mission in my life. I was one of those crazy, high-performing litigators who hit a wall at 90 miles an hour when I had my first child at the age of 27 and suffered from crippling postpartum depression. Suddenly, after years of just pushing and pushing, I one day woke up to realize that I was now severely impaired. It was very scary and humbling and you know, it became sort of my own passion and mission to really bring a level of attention and awareness to wellness in the legal community.

It’s pretty obvious that the legal industry is very competitive and that it can be full of very high-stress situations. What are some symptoms of constant stress that you might come across in the day to day operations of a typical law firm?

That question’s really important. You know, stress is basically a physiological reaction to a perceived threat to you and to your environment, right? So that’s where you get the whole fight or flight physical response. That’s what stress is. From a biological perspective, what ends up happening is your blood pressure goes up, your veins constrict, and you have basic physiological symptoms kicking you into fight or flight mode.  From purely a biological perspective, these automatic stress responses can have serious ramifications that can end up impairing an individual’s daily functioning.

Biology impacts our behavior; so chronic, ongoing stress in the body manifests and presents some clearly identifiable behavioral dysfunctions. For starters, chronic stress induces a level of constant baseline agitation. Everything and anything can be irritating to the point of explosion. Everyone is a little bit of a powder keg about to explode. Chronic stress will cause sleep deprivation. It has been linked to eating disorders. It can cause imbalances in your metabolism. It’ll cause imbalances in your serotonin level, and the other thing it does is it causes isolation. You have increased isolation with stress because you’re protecting yourself. You’re not talking to anybody, you’re going through all of these things and everything in your body and mind is telling you to isolate.

From an executive functioning point of view, there is so much research to show that people functioning under high levels of stress for a long period of time can demonstrate impaired judgment,  impaired ability for conflict resolution, and impaired compassion. These impairments impact interpersonal relationships at work including client relationships. High stress has a whole host of impairments associated with high-level executive functioning that really is being called into play moment to moment. As an attorney, chronic stress can compromise your ability to focus and use good judgment. Your ability to analyze situations correctly and be able to step away and say, “is this a moment for confrontation?” or “is this a moment for cool off?” is now off.  Your ability to assess how best to present information appropriately to the client, to the associate, or to the partner is also off. Bottom line is that chronic high stress really impairs many of the operational skills needed to interface and practice effectively as a lawyer.  Finally, it also impairs the softer skills that are really needed as you become more of a senior partner and involved in business development.

From a business perspective, both individuals and the institutional law firms are negatively impacted by untreated chronic high stress as an individual’s capacity to handle situations and use good judgment and analysis have basically gone out the window.

How do mindfulness practices help counteract that stress in a typical law office environment?

Basically, mindfulness is bringing your attention to the present moment in an intentional, deliberate and systematic kind of way with an attitude of acceptance of whatever might show up or for whatever you’re experiencing. What mindfulness does, is it forces you to pause, which is, you know, a novel concept for many attorneys. One of the key things that happen when you are in a stress-induced situation is you stop breathing. We hold our breath. When you do that, you essentially jack up all of those sympathetic stress indicators in your body I mentioned before. I really want to make mindfulness super clear and basic, because I want to make mindfulness practice really accessible and strip away any preconceived ideas of what mindfulness is.

So, what is the power of the present moment? If we strip it down, the present moment for any human being at any given moment is made up of a cocktail of their emotions, their sensations, and/or their thoughts. When you’re bringing your attention to that bundle of things that are happening, what you’re feeling, what you’re thinking and what you’re sensing in the world, suddenly you start to breathe and you start to invoke and sort of trigger your parasympathetic nervous system, which is the self-calming, self-soothing embodiment that we all automatically have in our body. What you’re inviting yourself to do is to intentionally focus on the present moment so that you can breathe, so that your body can be able to kick itself into a place of calmness.

We’re not talking about achieving nirvana, you know, we’re talking about creating a tool that is user-friendly so that in the moment you can pause, breathe and be able to ground in the present moment so that your body and your mind can kick into a better and perhaps, more optimal way of functioning.

That’s a simplified way of thinking about it because other levels can be a little off-putting or intimidating.  If you read a lot of philosophy on mindfulness and meditation, anyone who claims they’re an “expert” in mindfulness doesn’t get it, in my opinion. We’re all beginners. And the idea that we are all beginning all the time in this process with the “beginner’s mind” is what can make the difference of whether you try mindfulness or not. There is no perfection or achievement award in mindfulness; starting at the beginning and paying attention to the present moment over and over again is the practice.

Many thanks to Ms. Rand for her insights.  Monday we will have Part 2, which will address the basics of what mindfulness practice can be, as well as some barriers to practicing mindfulness and how to overcome them.


Copyright ©2020 National Law Forum, LLC

U.S.-China Trade Deal Shows Potential for Improved U.S. Intellectual Property Rights in China

A result of negotiating techniques from Donald Trump’s book “The Art of the Deal” or a result of strategies from the ancient Chinese military strategy treatise “The Art of War”?

Who knows, but on January 15, 2020, the United States (“U.S.”) and China signed Phase One of the Economic and Trade Agreement between the U.S. and China (the “Agreement”). The Agreement, which is set to go into force on February 14, 2020, attempts to end or at least ease the trade war tensions between the world’s two economic behemoths. The Agreement, amongst other issues, addresses protection and enforcement of U.S. Intellectual Property (“IP”) rights in China. While the Agreement does not resolve all IP protection and enforcement concerns faced by U.S. businesses in China, it is certainly a step in the right direction.

The importance of IP in establishing a fair and balanced bilateral economic and trade relationship is evident in the fact that the entire first two chapters of the Agreement are dedicated to IP protection and enforcement in China.  The Agreement addresses numerous areas of IP, including trade secrets, pharmaceutical related IP, patents, piracy and counterfeiting, trademarks, technology transfer, and other related topics.

The Agreement puts much of the responsibility on China to revamp its laws and develop new policies and procedures to implement the provisions of the Agreement and to address the long-standing concerns that have existed with regard to protection and enforcement of U.S. IP in China.

Discussed below are some of the areas under the Agreement where China has agreed to implement new laws and procedures to protect U.S. intellectual property.  In return, the U.S. has agreed to affirm that it already has equivalent or similar protection and enforcement mechanisms in place.

Trade Secrets

  • The definition of trade secret is expanded to include confidential business information.
  • The scope of acts that constitutes trade secret misappropriation is broadened to include electronic intrusions, breaches or inducement of a breach of duty not to disclose, and other unauthorized disclosures or uses.
  • Implements burden-shifting in civil proceedings, shifting to the accused party where the holder of a trade secret has produced evidence of a reasonable indication of trade secret misappropriation by the accused party.
  • Adopts provisional measures to prevent the use of misappropriated trade secrets.
  • Eliminates the requirement that the holder of a trade secret establish actual losses prior to initiation of a criminal investigation for misappropriation.
  • Provides for the application of criminal procedures and penalties to address willful trade secret misappropriation through theft, fraud, physical or electronic intrusion for an unlawful purpose.
  • Prohibits the unauthorized disclosure of undisclosed information, trade secrets, or confidential business information by government personnel involved in government proceedings in which such information is submitted and provides criminal, civil, and administrative penalties for such unauthorized disclosure.

Pharmaceutical-Related Intellectual Property

  • Permits pharmaceutical patent applicants to rely on supplemental data to satisfy relevant requirements for patentability, during patent examination proceedings, patent review proceedings, and judicial proceedings.
  • Provides (a) a system to provide notice to a patent holder, licensee, or holder of marketing approval, that a person is seeking to market that product during the term of an applicable patent claiming the approved product or its approved method of use; (b) adequate time and opportunity for such a patent holder to timely seek available remedies; and (c) procedures for judicial or administrative proceedings and expeditious remedies, for resolution of disputes concerning the validity or infringement of an applicable patent claiming an approved pharmaceutical product.
  • With regard to pharmaceutical-related patents on new products and methods of use, provides an extension of the patent term, due to unreasonable curtailment of the patent term as a result of the marketing approval process, of up to five years, and may limit the resulting effective patent term to no more than 14 years from the date of marketing approval in China.

Patents

  • Provides patent term extensions to compensate for unreasonable delays that occur in granting the patent or during pharmaceutical product marketing approvals. For this provision, an unreasonable delay shall at least include a delay in the issuance of the patent of more than four years from the date of filing, or three years after a request for examination of the application, whichever is later.

Piracy and Counterfeiting on E-Commerce Platforms

  • Provides enforcement procedures that permit effective and expeditious action by right holders against infringement that occurs in the online environment, including an effective notice and takedown system to address infringement.
  • Provides that e-commerce platforms may have their operating licenses revoked for repeated failures to curb the sale of counterfeit or pirated goods.

Geographical Indications

  • Provides that when determining whether a term is generic in China, how consumers understand the term in China will be taken into account.

Manufacture and Export of Pirated and Counterfeit Goods

  • Provides effective and expeditious enforcement action against the related products of counterfeit medicines and biologics, including active pharmaceutical ingredients, bulk chemicals, and biological substances.
  • Sharing with the U.S. the registration information of pharmaceutical raw material sites that have been inspected and that comply with the requirements of Chinese laws and regulations; and publishing data on enforcement measures, including seizures, revocations of business licenses, fines, and other actions taken by the National Medical Products Administration, Ministry of Industry and Information Technology, or any successor entity.
  • Significantly increasing the number of enforcement actions and publishing data online on the measurable impact of these actions each quarter.
  • Seizing and destroying counterfeit or pirated goods, including the materials and implements used in the manufacture or creation of such pirated or counterfeit goods.
  • Requiring a counterfeiter to pay right holders the profits from infringement or damages adequate to compensate for the injury from the infringement.
  • Increasing the number of trained personnel to inspect for counterfeit and pirated goods.
  • Ensuring that all government agencies and all entities that the government owns or controls install and use only licensed software.

Trademarks

  • Provide for criminal enforcement if there is “reasonable suspicion” based on articulable facts that a criminal violation of an intellectual property right has occurred.
  • Provide civil and criminal penalties sufficient to deter future intellectual property theft or infringements. 

Implementation

  • Within 30 working days after the date of entry into force of this Agreement, China will present an action plan to strengthen intellectual property protection and shall include measures that China will take to implement its obligations and the date by which each measure will go into effect.

Technology Transfer

  • Provides that U.S. businesses are able to operate openly and freely in China without any force or pressure to transfer key technology as a requirement for operating in China.

What does this all mean? Well, it’s hard to tell really at this point as the Agreement does not actually implement any new laws or regulations, but rather is a bunch of promises between China and the U.S. Until China implements new laws or regulations to fulfill its promises we can really only speculate on its true impact. Of course, implementation of new laws or regulations is only effective if there is suitable enforcement to back it up. However, most would agree that if China does fulfill its obligations we can expect to see stronger economic and trade relations between the U.S. and China, in particular giving U.S. businesses greater confidence and predictability in protecting and enforcing their IP rights in China.


© 2020 Ward and Smith, P.A. All Rights Reserved.


National Security vs. Investment: Are we striking the right balance?

The U.S. Treasury Department’s final regulations, giving it more power to scrutinize any national security risks that may arise from deals between U.S. and foreign companies, are scheduled to go into effect this week, Feb. 13, 2020.

CFIUS New Regulations

The regs implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and provide the interagency Committee on Foreign Investment in the United States (CFIUS) broader authority over certain investments and real estate transactions. Critics say the regs will change cross-border M&A deal-making for years to come, and advance increasingly protectionist U.S. policy.

Treasury Secretary Steven T. Mnuchin said the regs will strengthen national security and “modernize the investment review process,” while maintaining “our nation’s open investment policy by encouraging investment in American businesses and workers, and by providing clarity and certainty regarding the types of transactions that are covered.”

We have previously described in the MoginRubin Blog how not everyone shares the Treasury Secretary’s respect for CFIUS.

Financial writer and author Robert Teitelman described it in an article for Barron’s as “a creature from the shadows of the administrative state” that “defines obscurity in the federal government.” He said it “encourages the very practices the administration condemns in China.” Hernan Cristerna, co-head of global mergers and acquisitions at JPMorgan Chase, told the New York Times that CFIUS is the “No. 1 weapon in the Trump administration’s protectionist arsenal” and called it “the ultimate regulatory bazooka.”

Enacted in August 2018, FIRRMA gives CFIUS much greater reach into deals where national security is a potential issue. Specifically, the law extends CFIUS’s jurisdiction over “certain non-controlling investments into U.S. businesses involved in critical technology, critical infrastructure, or sensitive personal data.” Big data, artificial intelligence, nanotechnology, and biotechnology are among the specific technologies the law was designed to protect. It also establishes CFIUS’s jurisdiction over real estate deals.

The regulations limit CFIUS’s application of its expanded jurisdiction to “certain categories of foreign persons,” and have “initially” designated a handful of countries as “excepted foreign states.” They are Australia, Canada, and the U.K., countries with which the U.S. has “robust intelligence sharing and defense industrial base integration mechanisms.” The list may be expanded in the future, according to the regs.

‘Controlling interest’ redefined.

Attorneys, in-house counsel and other professionals deeply involved in cross-border transactions are already experiencing some nuts-and-bolts changes that other professionals will want to be aware of.

For example, deals that would give foreign companies a “controlling interest” are no longer the only deals the committee will examine; it is now interested in deals that would transfer a non-controlling but “substantial interest” when critical technologies, critical infrastructure, or the private data of U.S. citizens are involved. Deals that fall into these categories now require a filing; previously filings were optional. Deals that would once have sailed through scrutiny may now be delayed by investigations. CFIUS also has more time to review transactions. The initial stage ends within 45 days and the second phase can last from 45 to 60 days. Filing fees are set but cannot be more than 1% of the value of the transaction or $300,000, whichever figure is lower. And, of course, there is increased risk that the transaction will ultimately be blocked.

The regs include a new definition of “principal place of business” as the “primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” If an entity’s principal place of business would be determined under that definition to be in the U.S., but the entity has represented in its most recent submission or filing to a U.S. or foreign government that its principal place of business, principal office and place of business, address of principal executive offices, address of headquarters, or equivalent, is outside the U.S., then that location is deemed the entity’s principal place of business unless it can prove that the location has changed since the filing.

These new regulations will impact many purely private cross-border transactions, especially in the areas of critical infrastructure, sensitive personal data, and real estate.

Early consideration important.

M&A counsel must now consider CFIUS implications early on, not only to avoid delay and frustration, but to account for CFIUS clearance in deal timing and closing deadlines. Fines may be levied if CFIUS notices are not timely filed.

Fund managers who make large investments in U.S. companies can also expect to be asked to represent in deal documents that their funds or investors do not require a mandatory CFIUS filing.

For more background and additional insights, please read our previous post, CFIUS: A Guardian of National Security or a Protectionist Tool? Also, you can download the regulations from the MoginRubin website: Part-800-Final-Rule-Jan-17-2020 and Part-802-Final-Rule-Jan-17-2020.


© MoginRubin LLP

For more on CFIUS regulations, see the National Law Review Global Law section.

Clash of Consumer Protection Goals: Does the Text of the TCPA Frustrate the Purposes of the CPSA?

“Hello.  This is an automated call from Acme Manufacturing. Our records indicate that you purchased Product X between December 2019 and January 2020. We wanted to let you know that we are recalling Product X because of a potential fire risk. Please call us or visit our website for important information on how to participate in this recall.”

When companies recall products, they do so to protect consumers.  In fact, various federal laws, including the Consumer Product Safety Act (CPSA), the Federal Food, Drug, and Cosmetic Act (FDCA), and National Highway and Motor Vehicle Safety Act (MVSA), encourage (and may require) recalls. And the agencies that enforce these statutes would likely approve of the hypothetical automated call above because direct notification is the best way to motivate consumer responses to recalls.[1]

But automated calls to protect consumers can run into a problem: the Telephone Consumer Protection Act (TCPA).

Are Recall Calls a Nuisance or an Emergency?

The TCPA seeks to protect consumers from the “nuisance and privacy invasion” of unwanted automated marketing calls.[2] The TCPA prohibits any person from making marketing calls to landlines, or any non-emergency calls or text messages[3] to wireless lines, using automated dialers or recorded messages unless the recipient has given prior written consent. The Act includes a private right of action and statutory per-violation damages – $500, trebled to $1,500 if a court finds the violation willful and knowing.[4] These penalties can add up quickly: In one case, a jury found that a company violated the TCPA nearly two million times, exposing the company to minimum statutory damages totaling almost $1,000,000,000.[5]

There is an important exception to the TCPA’s prohibition on automated calls. The TCPA allows autodialed calls for emergency purposes,[6] but the Act does not define that phrase. While the FCC has interpreted emergency purposes to mean “calls made necessary in any situation affecting the health and safety of consumers,”[7] recalls are not explicitly identified within this definition. As a result, aggressive plaintiffs have demanded millions in damages from companies that use automatic dialers to disseminate recall messages.[8]

For example, a grocery chain – Kroger – made automated calls to some purchasers of ground beef as part of a recall stemming from salmonella concerns. A plaintiff responded with a purported class action that did not mention the recall [9] but was based on consumers alleging that they had received “annoying” “automated call[s] from Kroger.”

Moving to dismiss, Kroger observed that the plaintiff – who had not listened to the call beyond its initial greeting[10] and thus could not comment on the call’s text – had “cherry-picked”[11] portions of consumers’ online comments to support the case, omitting text that clearly demonstrated that the calls were made for health and safety purposes.[12] Kroger argued that the online comments did not support the plaintiff’s allegations that Kroger had made any marketing calls.

The court granted Kroger’s motion and dismissed the complaint without leave to amend. Even so, Kroger was compelled to spend time and money defending the claim.

In light of this type of lawsuit, one communications firm involved in automotive recalls has petitioned the FCC to “clarify . . . that motor vehicle safety recall-related calls and texts are ‘made for emergency purposes.’”[13] The Association of Global Automakers and the Alliance of Automobile Manufacturers commented in support of the petition, arguing that the “[l]ack of clarity regarding TCPA liability for vehicle safety recall messages has had a chilling effect on these important communications.”[14] The Settlement Special Administrator for the Takata airbag settlements also wrote in support, commenting that automated “recall-related calls and texts serve an easily recognizable public safety purpose.”[15]

The TCPA’s emergency exception offers protection in litigation. The FCC’s definition – “calls made necessary in any situation affecting the health and safety of consumers” – neatly encapsulates the entire function of a recall, namely acting to protect consumers’ health and safety. Moreover, in developing the emergency exception, Congress broadened initial language that excepted calls made by a “public school or other governmental entity” to the enacted “emergency purposes” phrasing precisely to ensure the exception encompassed automated emergency calls by private entities.[16] One of the seminal emergency purposes for which a private entity might seek to make automated calls is a product recall.

Even with such sound arguments that TCPA claims related to recall calls are without merit within the statute, however, aggressive plaintiffs have brought such claims. These efforts compel companies to spend finite resources defending claims that should not be brought in the first place. An express statutory or regulatory statement that recalls are squarely within the definition of emergency purposes would give companies greater confidence that not only would they be able to successfully defend against any effort to pit the TCPA against consumer-protection values, but that such claims would be so unlikely to be brought that companies need not even fear having to defend them.

Protecting Against Recall-Call Complaints

Until the FCC or Congress expressly instructs plaintiff’s counsel not to try to litigate against automated recall calls, there are steps companies that want to use automated dialers to drive recall responses can take to minimize any risk of a court misinterpreting their calls or finding TCPA liability where it should not attach.

For example, companies may (as some already do) ask for customers’ consent to be autodialed in connection with the products they have purchased – e.g., by including consent language on product warranty cards or registration forms. In fact, the Consumer Product Safety Improvement Act of 2008 (CPSIA)[17] already requires manufacturers of durable infant and toddler products to include registration cards for recall-communication purposes.[18] Companies in some other industries (like the on- and off-road motor vehicle industries) typically have robust registration systems that can incorporate auto dialing consent, and more companies in other spaces may want to consider using registration to facilitate recalls.

Further, automated recall calls should focus on the recall. If calls extend to marketing messaging, that could undermine both a future TCPA defense and the efficacy of that and future recall communications.

Optimally, companies would be less likely to need these defenses if the statute more clearly signaled to would-be litigants that they should not even bother. If the FCC grants the pending petition and plainly states that product recalls are emergencies for TCPA purposes, courts’ deference to agency interpretations might deter at least some complaints. A statutory amendment would be the surest guarantee, though, and manufacturers may wish to ask Congress to amend the TCPA to clarify that recall messages are emergency messages.


[1] See, e.g., Joseph F. Williams, U.S. Consumer Prod. Safety Comm’n, Recall Effectiveness Workshop Report, 5 (Feb. 22, 2018).

[2] Pub. L. No. 102-243, § 2(12), 105 Stat. 2394, 2395 (Dec. 20, 1991).

[3] Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, 18 FCC Rcd 14014, 14115, para. 165 (2003)

[4] TCPA at § 3(a), 105 Stat. at 2399 (codified at 47 U.S.C. § 227(c)(5)).

[5] Wakefield v. ViSalus, Inc., No. 3:15-cv-1857-SI (D. Or.).

[6] See, e.g., TCPA at § 3(a), 105 Stat. at 2395-96 (codified at 47 U.S.C. § 227(b)(1)(A)).

[7] 47 C.F.R. § 64.1200(f)(4).

[8] See, e.g., Compl., Ibrahim v. Am. Honda Motor Co., Inc., No. 1:16-cv-04294, Dkt. #1 (N.D. Ill. Apr. 14, 2016).

[9] Compl., Brooks v. Kroger Co., No. 3:19-cv-00106-AJB-MDD, Dkt. #1 (S.D. Cal. Jan. 15, 2019) (“Brooks”).

[10] Pl. Opp. to Mot. to Dismiss at 5, Brooks, Dkt. #9 (Apr. 4, 2019).

[11] Reply in Supp. of Mot. to Dismiss at 7, Brooks, Dkt. #10 (Apr. 11, 2019).

[12] The plaintiff quoted one complaint as “Automated call from Kroger.” Compl. at 3-4, Brooks. As the defense noted, that complaint continued, “requesting that you return ground beef . . . due to the threat of salmonella.” Mem. in Supp. of Mot. to Dismiss at 6, Brooks Dkt. #7 (Mar. 21, 2019).

[13] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Petition, ii (Sept. 21, 2018).

[14] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Comments of Association of Global Automakers, Inc. and Alliance of Automobile Manufacturers, 9 (Nov. 5, 2018).

[15] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Comments of Patrick A. Juneau, 3 (Nov. 5, 2018).

[16] S. Rep. No. 102-178, 5 (Oct. 8, 1991).

[17] Pub. L. No. 110-314, 122 Stat. 3016 (Aug. 14, 2008) (codified as amended at 15 U.S.C. § 2056a).

[18] 15 U.S.C. § 2056a(d).


© 2020 Schiff Hardin LLP

For more on CPSA, FDCA, MVSA & other recalls, see the National Law Review Consumer Protection law section.

Lyft Sexual Assault Claims Consolidated for Pre-Trial Proceedings

Lyft and other ridesharing companies have become a part of life, and people look to them for a safe ride home at the end of a night out. However, ridesharing companies like Lyft and Uber have been under fire for passenger safety concerns, and the stories of women being sexually assaulted by their drivers are prolific, harrowing and terrifying. In response to this disturbing trend, a wave of lawsuits in California is addressing the company’s responsibility when a passenger is assaulted.

Lyft Sexual Assault Claims Consolidated in San Francisco Superior Court

Recently, California Superior Court Judge Hon. Kenneth Freeman granted a petition to consolidate multiple Lyft sexual assault cases in California, recommending the Superior Court of California, San Francisco County, as the appropriate venue for the “complex” coordinated matters to be heard.

The Lyft passenger lawsuits claim the plaintiffs were sexually assaulted by sexual predators driving for Lyft after Lyft had been on actual notice of ongoing sexual assaults by its drivers. According to the complaints, Lyft failed to respond to the sexual assaults by adopting and implementing adequate driver hiring or monitoring systems and procedures to protect riders. This failure to respond to an identified, systemic issue of sexual assault put more riders at risk.

The Lyft plaintiffs filed a motion to coordinate the cases, as most of the cases included in the ruling had been filed in San Francisco Superior Court. The court agreed with the Lyft plaintiffs that Lyft’s corporate headquarters are in San Francisco, as are the majority of corporate witnesses and documents. The court added that the San Francisco Superior Court uses e-filing, which could potentially save the parties significant costs. Additionally, only cases that are “complex” as defined by California’s Judicial Council standards may be coordinated.

Need for ESI (Electronically Stored Information) Orders, Whether Lyft Drivers Are Independent Contractors or Employees, and Additional Plaintiffs Joining Require Complex Case Management

Co-counsel for the Lyft sexual assault plaintiffs, Brooks Cutter of Cutter Law, argued that there are likely to be thousands of documents, studies, e-mails, and memoranda relevant to the claims and defenses in this case, and that discovery will inevitably require a complex ESI (Electronically Stored Information) order. Accordingly, a court like San Francisco Superior Court is well-equipped to handle such issues, including staying discovery, staying portions of the case, obtaining stipulations that apply to the entire coordinated case, and selecting bellwether plaintiffs.

Many of the underlying cases in the consolidation action allege vicarious liability, that is, the liability of Lyft for the torts or wrongful actions of its drivers, whether or not Lyft classifies them as employees or independent contractors. Lyft, Uber, and Doordash are actively fighting California Assembly Bill 5 (AB-5), which went into effect January 1, 2020, pledging over $90 million to fund a voter initiative to overturn it. AB-5 profoundly alters the legal standard applied in evaluating whether a worker is classified as an employee or an independent contractor. Furthermore, on December 31st Uber and Postmates filed a legal challenge in federal court alleging that AB-5 violates individuals’ constitutional rights, seeking declaratory and injunctive remedies and claiming the law unfairly discriminates against technology platforms and those who make a living through them.

Lyft has also been accused of stalling and slowing down discovery. Coordinated proceedings could help plaintiffs’ attorneys combat Lyft’s delays, and it could be beneficial to have one judge see how Lyft has conducted itself in discovery.

Attorney Cutter stated he is aware of five more related sexual assault cases that have been filed in the time since that petition was filed.   According to attorney Cutter, “There are definitely victims who have not yet come forward.”

Lyft Fought Against Sexual Assault Lawsuit Consolidation

Lyft, represented by Williams & Connolly, argued that the consolidation of Lyft sexual assault cases “would make in San Francisco Superior Court a national clearinghouse for claims against San Francisco-based companies.” Furthermore, Lyft contended that:

“all claims against a California-based company —wherever the underlying incidents arise, and however much the disputed facts occurred elsewhere and other states’ laws govern the contested legal issues — could be brought in California courts and coordinated.”

Lyft’s two main objections to consolidation are that “the allegations of misconduct are not the same and that the majority of the cases did not occur in California.”

Judge Freeman, however, disagreed with the company, focusing instead on Lyft’s actions or inactions as an organization to protect riders’ safety. “To the contrary, the predominating legal and factual issues will examine Lyft’s liability for allegedly failing to institute a system to have prevented the assaults in these cases and potential future assaults,” Judge Freeman said. “The court agrees with plaintiffs that this is not a case against the drivers; it is fundamentally a case against Lyft.”

Significance of Lyft Consolidation Ruling

Judge Freeman also found that coordination of the suits would make the most efficient use of court resources and avoid duplicative testimony. In giving his ruling he further noted that there is a risk of duplicative and inconsistent rulings if the cases were not coordinated, which would create confusion, and it would hinder the Court of Appeal’s ability to hear challenges to inconsistent rulings, orders, and judgments, which would inevitably cause significant delays.

“This is an important ruling for victims as it means the claims will be heard in a single court in California,” plaintiff’s co-counsel Brooks Cutter said. “Lyft opposed our motion and wanted to force victims to undergo litigation in separate courts across the country. As a California company, it is appropriate for these Lyft claims to be heard in California.”

The Lyft sexual assault and rape claims each allege that the company did not adequately address the issue of sexual misconduct committed by sexual predators who drove for the ride-sharing company. Furthermore, they allege Lyft owed a duty to its riders, who believed it offered a safe form of transportation. Attorney Cutter says, “The occurrence of sexual assault in the vast majority of these lawsuits is undisputed. The focus of these lawsuits is Lyft’s accountability for the assaults, which plaintiffs contend were enabled by Lyft’s lax background checks and failure to enact reasonable in-app monitoring to help ensure rider safety.”

Alexandra LaManna, a spokeswoman for Lyft, disclosed to the New York Times that in 2019 nearly one in five employees at the company had been dedicated to initiatives strengthening the rideshare platform’s safety, and that in recent months Lyft had introduced more than 15 new safety features. Lyft announced some of these safety features in September 2019: access to 911 through the app, and monitoring and offers of support from Lyft personnel to the driver and passenger if a trip is experiencing an unexpected delay. These are on top of the company’s criminal background checks, steps to prevent fraudulent use of the app and verify driver identity, and harassment prevention programs.

However, despite these steps, more Lyft lawsuits are being filed, alleging the ride-sharing company has not taken adequate steps to protect riders from sexual assault.

Lyft Has Not Released a Safety Report – Lyft Victims Can Still File Lawsuits

In December 2019, Lyft competitor Uber released a safety report.  Uber reported that in 2017 and 2018 it received reports of 5,981 incidents of sexual abuse.  In 2018, this included 235 rapes and 280 reports of attempted rape, 1,560 reports of groping, 376 reports of unwanted kissing to breast, buttocks or mouth and 594 reports of unwanted kissing to another body part.  Because Uber’s figures are based on the information it received, the actual numbers could in fact be higher than reported.

Lyft has not released its safety report regarding sexual assaults, rapes, and accidents. Attorney Cutter finds the lack of a safety report from Lyft to be problematic. He says, “It is important for Lyft to issue a safety report so the public has a better understanding of the significant risk of sexual assault in rideshare vehicles.”

Victims who suffered sexual assault committed by a Lyft driver are still eligible to file a lawsuit. Consolidation of the current lawsuits does not prevent future lawsuits from being filed, and it is likely there are many more victims who have yet to come forward about their experiences.


Copyright ©2020 National Law Forum, LLC

More on consolidated case litigation in the National Law Review Litigation and Trial Practice section.

What Constitutes “Reasonable” Compensation For Private Foundation Insiders?

Private foundations are created as independent legal entities for solely charitable purposes, and many are run by unpaid family members and other volunteers. But what happens when a private foundation wishes to pay officers, directors or trustees who are also family members of the individual funding the foundation?

Because private foundations are “private” as opposed to public charities, there are strict rules around paying family members. Specifically, Section 4941 of the Internal Revenue Code prohibits any financial transaction between a private foundation and a “disqualified person” or an “insider,”[i] – generally the donor and the donor’s family – as it may constitute “self-dealing,” which is deemed a misuse of charitable assets. Family compensation would seem to fall directly under this restriction. However, there is one notable exception to this rule: compensation paid for “personal services” to carry out foundation affairs is permissible, provided that the services rendered are “reasonable and necessary” to carry out the exempt purposes of the foundation, and the compensation is “not excessive.” What constitutes “reasonable” and “not excessive” compensation may vary widely, depending on underlying facts and circumstances.

The services provided to the foundation must be “necessary” for the foundation to carry out its tax-exempt purpose and “personal” in nature. Although the IRS has not specifically defined “personal services,” the regulations cite examples such as investment management, legal and banking services. And, they include professional and managerial services rendered by an insider in his or her capacity as an officer, director, trustee or executive director of the foundation.

The services provided to the foundation must also be “reasonable.” Public charities can more easily determine whether compensation paid to an insider is “reasonable” because there are specific IRS regulations that define unreasonable compensation for public charities called “excess benefit transactions.” Private foundations, however, do not have clear-cut guidelines but will often defer to the regulations that public charities follow. The standards set forth in the regulations require that compensation should be what “would ordinarily be paid for like services by like enterprises under like circumstances.” This depends on the individual’s job title and description, the skill or knowledge required to perform the duties, the amount of time needed to fulfill the functions required, and the salaries paid for comparable positions. In practice, many foundations compare their proposed compensation amounts to what other for-profit and non-profit companies and organizations pay to similarly qualified individuals with comparable levels of responsibility.

Some factors to be considered:

(i) the size of the organization;

(ii) the employment history of the candidate and any special qualifications (e.g., licenses and certifications);

(iii) the geographic location of the foundation (some regional markets pay more than others);

(iv) the specific job responsibilities and duties;

(v) the time commitment; and

(vi) the total value of the compensation package, including benefits.

It is highly recommended that the compensation of foundation insiders meet the following requirements:

(i) the compensation is approved in advance by an authorized body of disinterested individuals such as the independent board members;

(ii) the authorized body obtains appropriate comparable data prior to making its determination as to reasonableness; and

(iii) the authorized body concurrently makes its determination and adequately documents the basis for that determination, all without the participation of the individuals whose compensation is being set.

Conflicts of interest frequently arise when setting compensation or benefits for officers, directors or trustees of private foundations. As such, the IRS requires that private foundations adopt a conflict of interest policy to help ensure that when actual or potential conflicts of interest arise, the organization has a process in place to resolve the conflict and assure that the affected individual will advise the governing body about all of the relevant facts concerning the situation. A conflict of interest policy is also intended to establish procedures under which individuals who have a conflict will be excused from voting on such matters.

States also have rules around conflicts of interest. In New York, a conflict of interest policy for private foundations became mandatory after the passage of the New York Non-Profit Revitalization Act of 2013.[ii]

A private foundation’s conflict of interest policy, among other things, must include the following:

(i) a definition of the circumstances that constitute a conflict of interest;

(ii) procedures for disclosing a conflict to the board;

(iii) a requirement that the person with the conflict not be present to vote on matters giving rise to such conflict;

(iv) a requirement that existence and resolution of a conflict be properly documented;

(v) procedures for disclosing, addressing and documenting related party transactions; and

(vi) a requirement that each officer, director and key employee submit to the secretary of the foundation, prior to initial election to the board and annually thereafter, a written statement identifying possible conflicts of interest.

The penalties for disregarding the compensation rules are severe. If foundation insiders fail to meet the “personal services” and “reasonable and necessary” requirements, the foundation will be subject to substantial fines. The foundation is assessed a penalty equal to 20% of the portion of compensation that is considered unreasonable. And each foundation manager who agrees to pay the unreasonable compensation could be personally liable for a penalty equal to 5% of the unreasonable compensation. On top of these penalties, the violation must be corrected, which could require returning the portion of the compensation deemed unreasonable to the foundation, along with interest. If all of this is not corrected in a timely manner, the IRS may impose additional taxes on the foundation, currently 100% of the amount of the unreasonable compensation. Similarly, an additional tax of 50% may be imposed on any foundation manager who refuses to correct the violation.

The good news is that a private foundation may pay its insiders for their foundation work as long as it follows the rules and takes all necessary steps to remain in compliance.


[i] A “disqualified person” or “insider” is any of the following: (1) foundation managers (officers, directors, trustees or persons with similar powers); (2) substantial contributors and individuals or entities with a 20% or greater interest in an entity that is a substantial contributor; (3) the family members of all such individuals; (4) certain entities partially or wholly owned, directly or indirectly, by disqualified persons; and (5) certain government officials.

[ii] The Non-Profit Revitalization Act of 2013 was signed into law by Governor Andrew M. Cuomo on December 18, 2013, and became effective on July 1, 2014.


© 1998-2020 Wiggin and Dana LLP

For more information, see the National Law Review Financial Law section.

SEC Examiners Release Cyber Observations: What You Need To Know

On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its most recent Cybersecurity and Resiliency Observations. This report highlights specific practices that have been taken, and can be taken, to enhance cybersecurity preparedness and incident response. The release of these observations is the latest move by the SEC demonstrating its increased attention to corporate cybersecurity practices. If you are a market participant supervised by OCIE, you may want to consider this report a benchmark to help navigate the SEC’s expectations when reviewing internal cybersecurity programs. The SEC has indicated that cybersecurity compliance and procedures remain a top priority—and they should be for you too.

OCIE Cybersecurity and Resiliency Observations

The OCIE, which reviews the effectiveness of market participants’ compliance programs, focused on seven areas in the cybersecurity report: governance and risk management; access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. OCIE explained that it “felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cyber-security practices.”

OCIE made clear that the most effective cybersecurity programs were those with proactive senior leaders committed to improving their organization’s cyber posture before an incident occurs. “Devoting appropriate board and senior leadership attention to setting strategy of and overseeing the organization’s cybersecurity and resiliency programs,” was a key observation.

Preventing data loss is a perennial focus of cybersecurity programs. OCIE observed a variety of tools and practices to ensure that sensitive data, including client information, was not lost, misused, or accessed by unauthorized users. These included frequent vulnerability scans of software and devices, utilizing encryption, keeping software patched with the latest updates, and monitoring for insider threats. On that last point, OCIE observed companies creating insider threat programs to identify suspicious behaviors, including escalating issues to senior leadership as appropriate.

Consistent with cybersecurity guidance from other sources but relatively new from the SEC, the report highlighted the risks associated with mobile devices, urging the implementation of security measures to prevent unauthorized access to sensitive systems. As corporate employees increasingly rely on mobile devices for work, the amount of sensitive data stored on those devices continues to grow, creating unique security concerns. OCIE observed companies implementing security measures that prevent users from saving sensitive information to personally owned devices and maintaining the ability to remotely clear data on employees’ devices, if necessary.

Addressing vendor management, OCIE underscored the increased risk related to vendor use of cloud services and the importance of due diligence when selecting vendors. Lastly, and arguably most important, the report addressed incident response and training. OCIE stressed that market participants should be consistently testing and updating their incident response plans and training employees to identify and respond to cyber threats. These seven areas of focus provide important guidance for market participants regarding the expectations of OCIE examiners when conducting reviews.

Takeaways

With the release of the 2020 observations, the SEC continues to send the clear message that it expects market participants not only to respond to cyber incidents in a timely and responsible manner, but also to proactively implement mitigation policies to reduce threats. Importantly, OCIE recognized that there is no one-size-fits-all approach.

Every organization should develop incident response plans that are tailored to its unique circumstances. Regulators continue to emphasize that it is not enough to simply have policies on the books—companies must routinely update and practice those plans. Senior leaders should be involved in that process and should be prepared for the SEC and other regulators to closely examine their plans and other internal security protocols. Failure to do so is not only a regulatory issue, but also creates private litigation risk.

The SEC is paying attention to and reiterating a common cybersecurity compliance roadmap: develop and implement cybersecurity plans to reduce risks, be prepared for regulatory scrutiny that may follow a cybersecurity incident, conduct staff training, and be prepared to respond to cybersecurity incidents.


© 2020 Bracewell LLP