Understanding the Enhanced Regulation S-P Requirements

On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments apply to broker-dealers, investment companies, and registered investment advisers (collectively, “covered institutions”) and are designed to modernize and enhance the protection of consumer financial information. Regulation S-P continues to require covered institutions to implement written policies and procedures to safeguard customer records and information (the “safeguards rule”), properly dispose of consumer information to protect against unauthorized use (the “disposal rule”), and implement a privacy policy notice containing an opt-out option. Registered investment advisers with over $1.5 billion in assets under management will have until November 16, 2025 (18 months) to comply; those entities with less will have until May 16, 2026 (24 months) to comply.

Incident Response Program

Covered institutions will have to add an Incident Response Program (the “Program”) to their written policies and procedures if they have not already done so. The Program must be designed to detect, respond to, and recover customer information from unauthorized third parties. The nature and scope of the incident must be documented with further steps taken to prevent additional unauthorized use. Covered institutions will also be responsible for adopting procedures regarding the oversight of third-party service providers that are receiving, maintaining, processing, or accessing their clients’ data. The safeguards rule and disposal rule require that nonpublic personal information received from a third party about its customers be treated the same as information about the covered institution’s own clients.

Customer Notification Requirement

The amendments require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To the extent a covered institution will have a notification obligation under both the final amendments and a similar state law, a covered institution may be able to provide one notice to satisfy notification obligations under both the final amendments and the state law, provided that the notice includes all information required under both the final amendments and the state law, which may reduce the number of notices an individual receives.

Recordkeeping

Covered institutions will have to make and maintain the following in their books and records:

  • Written policies and procedures required to be adopted and implemented pursuant to the Safeguards Rule, including the incident response program;
  • Written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • Written documentation of any investigation and determination made regarding whether notification to customers is required, including the basis for any determination made and any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;
  • Written policies and procedures required as part of service provider oversight;
  • Written documentation of any contract entered into pursuant to the service provider oversight requirements; and
  • Written policies and procedures required to be adopted and implemented for the Disposal Rule.

Registered investment advisers will be required to preserve these records for five years, the first two in an easily accessible place.

U.S. Supreme Court Raises Standard for Labor Board When Seeking 10(j) Injunctions

The U.S. Supreme Court issued a decision directing district courts to use the traditional four-part test when evaluating whether a preliminary injunction should issue at the request of the National Labor Relations Board pending litigation of a complaint under the National Labor Relations Act. No. 23-367 (June 13, 2024).

The decision settles the split among the federal circuit courts over the standard that should be applied when the Board files a motion for a “10(j)” injunction, named for the section of the Act that authorizes the Board to seek injunctive relief. Circuit courts were split on which test should apply: the traditional four-part test, a more lenient two-part test, or a hybrid of the two.

The Court’s decision raises the bar for the Board, requiring it to meet each prong of the four-part test for a court to grant an injunction. In particular, it will be more difficult for the Board to establish it is “likely to succeed on the merits,” as opposed to the more lenient standard espoused by the Board that “there is reasonable cause to believe that unfair labor practices have occurred.”

The Court vacated and remanded the case to the U.S. Court of Appeals for the Sixth Circuit to reevaluate the merits of the injunction request under the four-part test.

10(j) Injunctions

Section 10(j) of the Act allows the Board to seek preliminary injunctions before federal district courts against both employers and unions to stop alleged unfair labor practices during the pendency of the Board’s administrative processing of an unfair labor practice charge. Section 10(j) authorizes a district court “to grant to the Board such temporary relief … as it deems just and proper.”

The requests are rare; the Board has sought only 20 such injunctions since 2023, according to the Board’s website. Nonetheless, the standard a court will use in evaluating the injunction request has been determinative of whether the relief was granted.

Prior Standards

The U.S. Court of Appeals for the Sixth Circuit, as in this case, used a two-part test to assess whether the Board was entitled to an injunction. The two-part test examined whether “there is reasonable cause to believe that unfair labor practices have occurred,” and “whether injunctive relief is ‘just and proper.’” McKinney v. Ozburn-Hessey Logistics, LLC, 875 F.3d 333 (2017). The Supreme Court noted in its latest decision that the Board could establish reasonable cause “by simply showing that its ‘legal theory [was] substantial and not frivolous.’”

Conversely, other courts, such as the U.S. Courts of Appeals for the Seventh and Eighth Circuits, applied the four-part test used for preliminary injunctions in traditional litigation settings set forth in Winter v. Natural Resources Defense Council, 555 U.S. 7 (2008). Under the Winter framework, a party seeking injunctive relief must “make a clear showing” that:

  1. He is likely to succeed on the merits;
  2. He is likely to suffer irreparable harm in the absence of preliminary relief;
  3. The balance of equities tips in his favor; and
  4. An injunction is in the public interest.

New Standard for Labor Board

In holding that the four-part test applies to 10(j) injunction requests by the Board, the Court declined to allow Section 10(j) language “to supplant the traditional equitable principles governing injunctions.” Rather, courts should apply standard principles involved in granting injunctive relief, not 10(j)’s “discretion-inviting directive.”

The Court explained that the reasonable-cause standard in the two-part test “goes far beyond simply fine tuning the traditional criteria to the Section 10(j) context—it substantively lowers the bar for securing a preliminary injunction by requiring courts to yield to the Board’s preliminary view of the facts, law, and equities.” It noted there is a substantial difference between the “likely”-to-succeed-on-the-merits standard versus a finding that the charge was “substantial and not frivolous.” Under the “less exacting” standard, courts could evaluate injunction requests giving significant deference to the Board under even a “minimally plausible legal theory” without assessing conflicting facts or questions of law.

Accordingly, the Board must satisfy the traditional standard that requires it to make a clear showing it is likely to succeed on the merits of the claim under a valid theory of liability.

The Court’s decision to standardize 10(j) injunction requests not only raises the Board’s burden of proof, but also creates more consistency across district courts at a time when employers increasingly face injunction requests by an activist Board general counsel.

United States | New DACA Report Breaks Down the Trillion-Dollar Cost of Ending the Program

Coalition for the American Dream published a report this week detailing the projected economic and societal costs of ending the Deferred Action for Childhood Arrivals program.

Key Points:

  • Coalition for the American Dream published the report days ahead of the 12th anniversary of the DACA program on June 15.
  • Current DACA recipients number more than 500,000. The report finds that future long-term economic losses and costs could approach $1 trillion over the lifetimes of DACA recipients.
  • Other economic and workforce impacts include:
    • As many as 168,000 U.S. jobs in DACA-owned businesses could be lost.
    • U.S. workforce losses could include 37,000 healthcare workers, 17,000 STEM professionals and 17,000 educators.
    • Lost business training and recruitment costs for current DACA employees could reach $8 billion.

Additional Information: The report’s demographic and economic estimates and business impacts are based in part on data collected in the U.S. Census Bureau’s 2022 American Community Survey, the March 2022-2023-2024 Current Population Surveys and data from U.S. Citizenship and Immigration Services.

Coalition for the American Dream is an organization of more than 100 businesses, trade associations and other groups representing every major sector of the U.S. economy and more than half of American private sector workers. Its mission is to seek the passage of bipartisan legislation that gives Dreamers a permanent solution.

BAL Analysis: The report notes if DACA ended and work authorizations were denied renewal, 440,000 workers would be forced from the U.S. workforce over a two-year period, with the most acute impact on health, education and STEM occupations. The business community continues to show strong support for DACA and the crucial role Dreamers play in the U.S. economy. Given the uncertain environment, DACA recipients who qualify for a renewal are urged to apply for one as soon as they can.

The Double-Edged Impact of AI Compliance Algorithms on Whistleblowing

As the implementation of Artificial Intelligence (AI) compliance and fraud detection algorithms within corporations and financial institutions continues to grow, it is crucial to consider how this technology has a twofold effect.

It’s a classic double-edged technology: in the right hands it can help detect fraud and bolster compliance, but in the wrong hands it can snuff out would-be whistleblowers and weaken accountability mechanisms. Employees should assume it is being used in a wide range of ways.

Algorithms are already pervasive in our legal and governmental systems: the Securities and Exchange Commission, a champion of whistleblowers, employs these very compliance algorithms to detect trading misconduct and determine whether a legal violation has taken place.

There are two major downsides to the implementation of compliance algorithms that experts foresee: institutions avoiding culpability and tracking whistleblowers. AI can uncover fraud but cannot guarantee the proper reporting of it. This same technology can be used against employees to monitor and detect signs of whistleblowing.

Strengths of AI Compliance Systems:

AI excels at analyzing vast amounts of data to identify fraudulent transactions and patterns that might escape human detection, allowing institutions to quickly and efficiently spot misconduct that would otherwise remain undetected.

AI compliance algorithms are promised to operate as follows:

  • Real-time Detection: AI can analyze vast amounts of data, including financial transactions, communication logs, and travel records, in real-time. This allows for immediate identification of anomalies that might indicate fraudulent activity.
  • Pattern Recognition: AI excels at finding hidden patterns, analyzing spending habits, communication patterns, and connections between seemingly unrelated entities to flag potential conflicts of interest, unusual transactions, or suspicious interactions.
  • Efficiency and Automation: AI can automate data collection and analysis, leading to quicker identification and investigation of potential fraud cases.

Yuktesh Kashyap, associate Vice President of data science at Sigmoid, explains on TechTarget that AI allows financial institutions, for example, to “streamline compliance processes and improve productivity. Thanks to its ability to process massive data logs and deliver meaningful insights, AI can give financial institutions a competitive advantage with real-time updates for simpler compliance management… AI technologies greatly reduce workloads and dramatically cut costs for financial institutions by enabling compliance to be more efficient and effective. These institutions can then achieve more than just compliance with the law by actually creating value with increased profits.”

Due Diligence and Human Oversight

Stephen M. Kohn, founding partner of Kohn, Kohn & Colapinto LLP, argues that AI compliance algorithms will be an ineffective tool that allows institutions to escape liability. He worries that corporations and financial institutions will implement AI systems and evade enforcement action by calling it due diligence.

“Companies want to use AI software to show the government that they are complying reasonably. Corporations and financial institutions will tell the government that they use sophisticated algorithms, and it did not detect all that money laundering, so you should not sanction us because we did due diligence.” He insists that the U.S. Government should not allow these algorithms to be used as a regulatory benchmark.

Legal scholar Sonia Katyal writes in her piece “Democracy & Distrust in an Era of Artificial Intelligence” that “While automation lowers the cost of decision making, it also raises significant due process concerns, involving a lack of notice and the opportunity to challenge the decision.”

While AI can be used as a powerful tool for identifying fraud, there is still no method for it to contact authorities with its discoveries. Compliance personnel are still required to blow the whistle, given society’s standard due process. These algorithms should be used in conjunction with human judgment to determine compliance or lack thereof. Due process is needed so that individuals can understand the reasoning behind algorithmic determinations.

The Double-Edged Sword

Darrell West, Senior Fellow at Brookings Institute’s Center for Technology Innovation and Douglas Dillon Chair in Governmental Studies, warns about the dangerous ways these same algorithms can be used to find whistleblowers and silence them.

Nowadays most office jobs (whether remote or in person) conduct operations fully online. Employees are required to use company computers and networks to do their jobs. Data generated by each employee passes through these devices and networks, meaning your privacy rights are questionable.

Because of this, whistleblowing will get much harder – organizations can employ the technology they initially implemented to catch fraud to instead catch whistleblowers. They can monitor employees via the capabilities built into our everyday tech: cameras, emails, keystroke detectors, online activity logs, what is downloaded, and more. West urges people to operate under the assumption that employers are monitoring their online activity.

These techniques have been implemented in the workplace for years, but AI automates tracking mechanisms. AI gives organizations more systematic tools to detect internal problems.

West explains, “All organizations are sensitive to a disgruntled employee who might take information outside the organization, especially if somebody’s dealing with confidential information, budget information or other types of financial information. It is just easy for organizations to monitor that because they can mine emails. They can analyze text messages; they can see who you are calling. Companies could have keystroke detectors and see what you are typing. Since many of us are doing our jobs in Microsoft Teams meetings and other video conferencing, there is a camera that records and transcribes information.”

If a company is defining a whistleblower as a problem, they can monitor this very information and look for keywords that would indicate somebody is engaging in whistleblowing.

With AI, companies can monitor specific employees they might find problematic (such as a whistleblower) and all the information they produce, including the keywords that might indicate fraud. Creators of these algorithms promise that soon their products will be able to detect all sorts of patterns and feelings, such as emotion and sentiment.

AI cannot determine whether somebody is a whistleblower, but it can flag unusual patterns and refer those patterns to compliance analysts. AI then becomes a tool to monitor what is going on within the organization, making it difficult for whistleblowers to go unnoticed. The risk of being caught by internal compliance software will be much greater.

“The only way people could report under these technological systems would be to go offline, using their personal devices or burner phones. But it is difficult to operate whistleblowing this way and makes it difficult to transmit confidential information. A whistleblower must, at some point, download information. Since you will be doing that on a company network, and that is easily detected these days.”

But the question of what becomes of the whistleblower is based on whether the compliance officers operate in support of the company or the public interest – they will have an extraordinary amount of information about the company and the whistleblower.

Risks for whistleblowers have gone up as AI has evolved because it is harder for them to collect and report information on fraud and compliance without being discovered by the organization.

West describes how organizations do not have a choice whether or not to use AI anymore: “All of the major companies are building it into their products. Google, Microsoft, Apple, and so on. A company does not even have to decide to use it: it is already being used. It’s a question of whether they avail themselves of the results of what’s already in their programs.”

“There probably are many companies that are not set up to use all the information that is at their disposal because it does take a little bit of expertise to understand data analytics. But this is just a short-term barrier, like organizations are going to solve that problem quickly.”

West recommends that organizations should just be a lot more transparent about their use of these tools. They should inform their employees what kind of information they are using, how they are monitoring employees, and what kind of software they use. Are they using detection? Software of any sort? Are they monitoring keystrokes?

Employees should want to know how long information is being stored. Organizations might legitimately use this technology for fraud detection, which might be a good argument to collect information, but it does not mean they should keep that information for five years. Once they have used the information and determined whether employees are committing fraud, there is no reason to keep it. Companies are largely not transparent about length of storage and what is done with this data once it is used.

West believes that currently, most companies are not actually informing employees of how their information is being kept and how the new digital tools are being utilized.

The Importance of Whistleblower Programs:

The ability of AI algorithms to track whistleblowers poses a real risk to regulatory compliance given the massive importance of whistleblower programs in the United States’ enforcement of corporate crime.

The whistleblower programs at the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) respond to individuals who voluntarily report original information about fraud or misconduct.

If a tip leads to a successful enforcement action, the whistleblowers are entitled to 10-30% of the recovered funds. These programs have created clear anti-retaliation protections and strong financial incentives for reporting securities and commodities fraud.

Established in 2010 under the Dodd-Frank Act, these programs have been integral to enforcement. The SEC reports that whistleblower tips have led to over $6 billion in sanctions while the CFTC states that almost a third of its investigations stem from whistleblower disclosures.

Whistleblower programs, with robust protections for those who speak out, remain essential for exposing fraud and holding organizations accountable. This ensures that detected fraud is not only identified, but also reported and addressed, protecting taxpayer money, and promoting ethical business practices.

If AI algorithms are used to track down whistleblowers, their implementation would hinder these programs. Companies will undoubtedly retaliate against employees they suspect of blowing the whistle, creating a massive chilling effect where potential whistleblowers would not act out of fear of detection.

Experts believe these AI-driven compliance systems, already being employed in our institutions, must have independent oversight for transparency’s sake. The software must also be designed to adhere to due process standards.


Supreme Court Says When It Comes to Deciding Arbitration Clauses: “I Am the Law”

On May 23, the Supreme Court issued a decision holding that when parties have two conflicting contracts – one that sends disputes to arbitration and one that sends disputes to the courts – a court, not an arbitrator, must decide which contract controls. This decision is important as arbitration provisions continue to rise in popularity and situations like the one the Supreme Court encountered are not uncommon.

The Supreme Court’s decision in Coinbase, Inc. v. Suski, et al., stems from a dispute regarding two separate contracts between Coinbase, a leading cryptocurrency exchange platform, and respondents, users of Coinbase. The first contract concerned the Coinbase user agreement, which included an arbitration agreement with a delegation clause. The delegation clause provided that “[a]ll such matters shall be decided by an arbitrator and not by a court or judge.” The second contract concerned the official rules of a sweepstakes Coinbase offered, where respondents entered for a chance to win Dogecoin. The official rules contained a forum selection clause, which provided: “[t]he California courts (state and federal) shall have sole jurisdiction of any controversies regarding the [sweepstakes] promotion and the laws of California shall govern the promotion.” Thus, the arbitration agreement’s delegation clause, which sent all disputes to arbitration, and the official rules’ forum selection clause, which sent all disputes to California courts, provided for different procedural vehicles for disputes.

Respondents brought suit against Coinbase in the United States District Court for the Northern District of California for claims under the Coinbase user agreement and the official rules. Coinbase moved to compel arbitration based on the Coinbase user agreement, and the District Court denied the motion, reasoning that deciding which contract governed was a question for the court. On appeal, the Ninth Circuit affirmed the District Court’s ruling. The Supreme Court then granted certiorari, and was tasked to decide, when two such contracts exist, who should decide the arbitrability of a contract-related dispute between the parties – an arbitrator or the court?

Justice Ketanji Brown Jackson, writing for the Supreme Court, began the Court’s analysis by noting that the Supreme Court has “previously addressed three layers of arbitration disputes: (1) merits, (2) arbitrability, and (3) who decides arbitrability. This case involves a fourth: What happens if parties have multiple agreements that conflict as to the third-order question of who decides arbitrability?” Justice Jackson wrote that “[b]asic legal principles establish the answer. Arbitration is a matter of contract and consent, and we have long held that disputes are subject to arbitration if, and only if, the parties actually agreed to arbitrate those disputes. Here… a court needs to decide what the parties have agreed to.” So, if there is a contract at dispute without an arbitration clause, even if there is another contract that requires arbitration, the matter will need to be decided by a court.

Coinbase argued that the user agreement’s delegation provision should have been isolated and severed from the contract and the Ninth Circuit should have considered only arguments specific to that provision. The Supreme Court, however, rejected this argument, reasoning that if a party challenges the validity of the precise agreement to arbitrate at issue, the federal court must consider the challenge before ordering compliance with that arbitration agreement. The Supreme Court also declined to heed Coinbase’s warning that its ruling would “invite chaos by facilitating challenges to delegation clauses.” To this argument, the Supreme Court replied that such chaos will not follow because disputes with one contract that mandates arbitration will go to arbitration absent a successful challenge, and situations with two contracts – one sending the dispute to arbitration and one sending the dispute to the courts – will be handled by a court.

This is an important decision in the dispute resolution space because it makes clear that even though a company may have an arbitration provision in one contract, that arbitration provision will not necessarily carry the day if there are subsequent contracts that provide for different results. As companies continue to increasingly use arbitration provisions in their contracts, they must be careful to be consistent in any future contracts or agreements.

Kroger Faces Civil Lawsuit Over Calorie Claims on Bread Products

  • The District Attorney’s Offices of Ventura and Santa Barbara Counties have filed a civil lawsuit against The Kroger Co. in Santa Barbara Superior Court alleging that Kroger had violated California’s false advertising and unfair competition laws. Kroger operates several grocery stores across California such as Ralph’s, Food 4 Less, and Foods Co.
  • The complaint alleges that, between November 2018 and June 2022, Kroger marketed its CARBmaster Wheat and CARBmaster White breads as containing 30 calories per slice, while the actual calorie content was alleged to be 50 calories or more. Additionally, the complaint alleges that false CARBmaster calorie counts were displayed on both the front packaging and the Nutrition Facts Panel before June 2022. The complaint further alleges that Kroger persists in misleadingly advertising inaccurate, lower calorie counts on its websites to this day.
  • Ventura County District Attorney, Erik Nasarenko, emphasized the importance of accurate nutritional information for consumer health and the unfair advantage false advertising provides over compliant competitors. “Consumers rely on nutritional information to make important decisions about their personal health and well-being,” he said. “For some consumers, these decisions are based upon medical necessity. False advertising of calories can mislead, or even endanger consumers, and it provides an unfair advantage over competitors who are advertising in compliance with FDA guidelines.”
  • Santa Barbara District Attorney, John Savrnoch, stressed the importance of consumers’ right to accurate product information, particularly caloric content. “Consumers are entitled to accurate information on products, especially caloric information on food items,” he stated. “My office is committed to protecting the public by enforcing the False Advertising Law and Unfair Competition Law, and we are grateful to jointly prosecute this case with the Ventura County District Attorney’s Office.”

Biden Administration Announces Voluntary Carbon Market Principles

The recent Joint Policy Statement and Principles (Principles) released by the Biden Administration, and related remarks by Secretary of the Treasury Janet L. Yellen, mark a significant milestone in the development of the voluntary carbon market (VCM).

Our views on this announcement and a brief summary of these Principles are set out below.

This is a very encouraging, and intriguing, governmental announcement in respect of an unregulated, international market.

One of the critical aspects of this announcement is the US government’s approach to balancing market promotion with non-regulation. The VCM is notably unregulated, and the intention is for it to remain so. As such, the announcement appears to be striving to foster integrity and growth within the market whilst avoiding the imposition of rigid regulatory frameworks that could stifle growth. There is a clear nod from the government to the market’s voluntary nature, thereby allowing for flexibility and the opportunity for diverse, creative solutions to emerge. However, the VCM has faced challenges that are not unusual for a nascent, evolving market and the government clearly wants to stimulate the market by providing clear guidance that enhances trust and integrity. This delicate equilibrium is essential for the long-term success and scalability of the VCM.

These Principles therefore serve as voluntary (but government-endorsed) guidelines, moving towards establishing a structure that market participants can follow to ensure the credibility and reliability of carbon credits.

The Principles do not reshape the current market. They are based instead, in large part, on existing best practice advocated by private sector and non-governmental organisations and initiatives. We have considered in some detail in a prior article these existing quasi-regulatory bodies and their functions – much of which is echoed in the Principles.

The Principles seek to bolster integrity in three main areas: on the supply side, demand side and the actual market itself.

Supply-side

  • Principle 1 – “Integrity & Standards”: Carbon credits must meet strict integrity standards and be certified through robust, transparent verification processes to ensure additionality, quantifiability and permanence.
  • Principle 2 – “Avoid Harm”: Generating credits should cause no environmental or social harm and promote co-benefits including sustainable development and increased biodiversity, involving relevant stakeholders in the process.

Demand-side

  • Principle 3 – “Buyer Responsibility”: Companies offsetting credits should set net-zero strategies, maintain an inventory of emissions (detailing Scope 1, 2, and 3 emissions) and regularly report.
  • Principle 4 – “Transparency”: Companies offsetting credits should publicly disclose details of purchased and retired credits annually, ensuring information is accessible and comparable.
  • Principle 5 – “Accurate Claims”: Public offsetting claims must accurately reflect the climate impact of credits and only use those meeting high integrity standards, prioritising internal emissions reductions.

Market-side

  • Principle 6 – “Market Integrity”: Stakeholders should seek to improve market functionality, transparency and equity to enhance the market’s overall health and high integrity.
  • Principle 7 – “Facilitate Participation”: Policymakers and market participants should lower transaction costs and barriers for credit providers, ensuring market certainty and bankability of VCM projects, especially from developing regions.

On the supply side (Principles 1 and 2), inspiration has been drawn from, amongst other sources, the Core Carbon Principles and other standards of the Integrity Council for the Voluntary Carbon Market. On the demand side (Principles 3, 4 and 5), inspiration has been drawn from, amongst other sources, the Claims Code of Practice and other standards of the Voluntary Carbon Market Initiative. On the market side (Principles 6 and 7) the message is more general and is aimed at promoting the integrity of the standards/registries and their participants and focussing on the policymakers. The Principles conclude with a rallying cry for policymakers and buyers to consider ways to enhance market certainty for lenders undertaking long term investments. The current financing landscape of the VCM is an area which we have also considered in some detail in a prior article.

The Principles and comments from Treasury acknowledge that the VCM, in its current state, suffers from some key challenges that inhibit growth at the scale needed to achieve national and international climate goals. The seven Principles outlined above are the government’s initial efforts at assisting to overcome those challenges. They reflect the importance of a functioning carbon reduction infrastructure (both physical and financial) to the government, and a high level of understanding of the carbon abatement ecosystem. And, perhaps most importantly, these statements recognise and encourage the involvement and initiative of all participating stakeholders to take demonstrative steps to establish a market-based approach to carbon reduction. As Secretary Yellen’s statement says, “harnessing the power of markets and private capital is critical.”

While the VCM principles announcement reflects an attempt to improve confidence in voluntary carbon offsets, at the same time the US Department of Agriculture (USDA) signalled its interest in establishing public protocols specifically for third-party verification of offsets deriving from forestry and farming. This action reflects a keen interest on both sides of the political aisle in Congress. Sen. Debbie Stabenow (D-MI), chair of the Senate Agriculture Committee noted that both the VCM principles and the USDA announcement established that, “Voluntary carbon credit markets generate new revenue streams for farmers, foresters, and rural communities, and there is clear enthusiasm across private industry and the public sector to tap into that potential.” Sen. Stabenow further notes that these actions “will strengthen the integrity of these markets and build a foundation for the future.”

The VCM principles and USDA statement can be seen as part of an effort to implement the Growing Climate Solutions Act which was designed to break down barriers for farmers, ranchers, and foresters interested in participating in carbon markets and in embracing so-called climate-smart agricultural practices. The Act was passed by Congress on a bipartisan basis and signed into law by President Biden on December 29, 2022. As the House and Senate consider “farm bills” in the near future, we can expect more action on agricultural offsets.

These announcements clearly underscore the government’s commitment to promoting the VCM without the enforcement of laws or regulations. It is a firm message of support for the VCM, and explicit recognition that development of the VCM is critical to unlocking carbon abatement projects globally. It clarifies that the current administration recognises the VCM as another component of the energy transition required to achieve national and international climate goals, as well as sustainable environmental practices. In particular, these seven Principles provide a framework that can guide the VCM’s growth. Whilst the Principles goldplate (rather than reinvent) existing best practice, this achieves the sensitive balancing act required from a government seeking to promote an unregulated market.

Supreme Court Weakens NLRB’s Ability to Obtain Injunctions in Labor Cases

On June 13, 2024, the Supreme Court of the United States held that courts must assess requests for an injunction by the National Labor Relations Board (NLRB) using the traditional four-factor test for preliminary injunctions. The ruling weakens the Board’s ability to obtain quick court orders to maintain the “status quo” in favor of workers in pending labor cases.

Quick Hits

  • The Supreme Court held that federal courts must apply the traditional four-factor equitable test for preliminary injunctions when considering the NLRB’s request for a 10(j) injunction.
  • The ruling found the NLRA does not require courts to defer to the NLRB’s initial findings of a labor violation.
  • The ruling weakens the NLRB’s ability to quickly stop employer actions it alleges are unfair labor practices.

The Supreme Court held that when considering temporary injunction requests under Section 10(j) of the National Labor Relations Act (NLRA), courts must apply the traditional equitable four factors as set forth in the high court’s 2008 decision in Winter v. Natural Resources Defense Council, Inc. The decision means that courts must consider 10(j) injunction requests under the same equitable principles that they do for other preliminary injunctions without deferring to the NLRB’s determination that an unfair labor practice had occurred.

The unanimous decision comes in a labor dispute in which the trial court issued a preliminary injunction against an employer after applying a two-part test that only asked whether “there is reasonable cause to believe that unfair labor practices have occurred” and whether an injunction is “just and proper.” The injunction was later affirmed by the Sixth Circuit Court of Appeals.

The NLRA prohibits employers from engaging in certain unfair labor practices and allows workers to file a charge with the NLRB. The NLRA provides the NLRB with authority to seek a temporary injunction in federal court and Section 10(j) states that courts may “grant the Board such temporary relief … as it deems just and proper.”

However, the Supreme Court held that the NLRA does not strip courts of their equitable powers, and they must apply the traditional four-factor rule as articulated in Winter when considering a request for a 10(j) injunction. Under that rule, a plaintiff must show “he is likely to succeed on the merits, that he is likely to suffer irreparable harm in the absence of preliminary relief, that the balance of equities tips in his favor, and that an injunction is in the public interest.”

The Supreme Court rejected the NLRB’s argument that Section 10(j) informs the application of equitable principles and that courts should use a “reasonable cause” standard as applied by the Sixth Circuit in the case. The NLRB had pointed to the context that Congress has given it the authority to adjudicate unfair labor practice charges in the first instance and that courts must give deference to the NLRB’s final decisions.

Justice Clarence Thomas, in the Court’s opinion, stated that the reasonable cause standard “substantively lowers the bar for securing a preliminary injunction by requiring courts to yield to the Board’s preliminary view of the facts, law, and equities.” Justice Thomas stated the fact that the NLRB is the body that will adjudicate unfair labor practice charges on the merits does not mean courts must defer to what amounts to be the NLRB’s initial litigating position. Section 10(j) “does not compel this watered-down approach to equity,” Justice Thomas stated.

In a partial dissent, Justice Ketanji Brown Jackson agreed that the NLRA does not strip courts of their equitable powers and that the injunction in the case should be overturned. However, Justice Jackson argued the Court should not ignore the fact that Congress, through the NLRA, granted the NLRB authority over labor disputes.

Key Takeaways

The Supreme Court’s ruling raises the bar for the NLRB to seek injunctions by requiring courts to make their own assessment of the equitable factors for issuing preliminary injunctions without deference to the NLRB’s initial findings that an unfair labor practice has occurred. Under the reasonable cause standard, the NLRB merely had to show that its legal theory was not frivolous and that an injunction was necessary to protect the “status quo” pending the NLRB’s proceedings. That standard had allowed the NLRB to quickly put a stop to employer actions that its in-house attorneys believe are labor violations during the pendency of an administrative proceeding on the merits, which could take years to resolve.

Cybersecurity Crunch: Building Strong Data Security Programs with Limited Resources – Insights from Tech and Financial Services Sectors

In today’s digital age, cybersecurity has become a paramount concern for executives navigating the complexities of their corporate ecosystems. With resources often limited and the ever-present threat of cyberattacks, establishing clear priorities is essential to safeguarding company assets.

Building the right team of security experts is a critical step in this process, ensuring that the organization is well-equipped to fend off potential threats. Equally important is securing buy-in from all stakeholders, as a unified approach to cybersecurity fosters a robust defense mechanism across all levels of the company.

This insider’s look at cybersecurity will delve into the strategic imperatives for companies aiming to protect their digital frontiers effectively.

Where Do You Start on Cybersecurity?

Pressures on corporate security teams are growing, both from internal stakeholders and outside threats, but the resources to do the job aren’t. So how can companies protect themselves in a real-world environment, where finances, employee time, and other resources are finite?

“You really have to understand what your company is in the business of doing,” Wilson said. “Every business will have different needs. Their risk tolerances will be different.”

“You really have to understand what your company is in the business of doing. Every business will have different needs. Their risk tolerances will be different.”

BRIAN WILSON, CHIEF INFORMATION SECURITY OFFICER, SAS

For example, Tuttle said in the manufacturing sector, digital assets and data have become increasingly important in recent years. The physical product no longer is the end-all, be-all of the company’s success.

For cybersecurity professionals, this new reality leads to challenges and tough choices. Having a perfect cybersecurity system isn’t possible—not for a company doing business in a modern, digital world. Tuttle said, “If we’re going to enable this business to grow, we’re going to have to be forward-thinking.”

That means setting priorities for cybersecurity. Inskeep, who previously worked in cybersecurity for one of the world’s largest financial services institutions, said multi-factor authentication and controlling access is a good starting point, particularly against phishing and ransomware attacks. Also, he said companies need good back-up systems that enable them to recover lost data as well as robust incident response plans.

“Bad things are going to happen,” Wilson said. “You need to have logs and SIEMs to tell a story.”

Tuttle said one challenge in implementing an incident response plan is engaging team members who aren’t on the front lines of cybersecurity. “They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right,” she said. “They need to be thinking, ‘What should I be looking for and what’s my response?’”

“They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right. They need to be thinking, ‘What should I be looking for and what’s my response?’”

LISA TUTTLE, CHIEF INFORMATION SECURITY OFFICER, SPX TECHNOLOGIES

Wilson said tabletop exercises and security awareness training “are a good feedback loop to have to make sure you’re including the right people. They have to know what to do when something bad happens.”

Building a Security Team

Hiring and retaining good people in a harrowing field can be a challenge. Companies should leverage their external and internal networks to find data privacy and cybersecurity team members.

Wilson said SAS uses an intern program to help ensure they have trained professionals already in-house. He also said a company’s Help Desk can be a good source of talent.

Remote work also allows companies to cast a wider net for hiring employees. The challenge becomes keeping remote workers engaged, and companies should consider how they can make these far-flung team members feel part of the team.

Inskeep said burnout is a problem in the cybersecurity field. “It’s a job that can feel overwhelming sometimes,” he said. “Interacting with people and protecting them from that burnout has become more critical than ever.”

“It’s a job that can feel overwhelming sometimes. Interacting with people and protecting them from that burnout has become more critical than ever.”

TODD INSKEEP, FOUNDER AND CYBERSECURITY ADVISOR, INCOVATE SOLUTIONS

Weighing Levels of Compliance

The first step, Claypoole said, is understanding the compliance obligations the company faces. These obligations include both regulatory requirements (which are tightening) as well as contract terms from customers.

“For a business, that can be scary, because your business may be agreeing to contract terms with customers and they aren’t asking you about the security requirements in those contracts,” Wilson said.

The panel also noted that “compliance” and “security” aren’t the same thing. Compliance is a minimum set of standards that must be met, while security is a more wide-reaching goal.

But company leaders must realize they can’t have a perfect cybersecurity system, even if they could afford it. It’s important to identify priorities—including which operations are the most important to the company and which would be most disruptive if they went offline.

Wilson noted that global privacy regulations are increasing and becoming stricter every year. In addition, federal officials have taken criminal action against CSOs in recent years.

“Everybody’s radar is kind of up,” Tuttle said. The increasing compliance pressure also means it’s important for cybersecurity teams to work collaboratively with other departments, rather than making key decisions in a vacuum. Inskeep said such decisions need to be carefully documented as well.

“If you get to a place where you are being investigated, you need your own lawyer,” Claypoole said.

“If you get to a place where you are being investigated, you need your own lawyer.”

TED CLAYPOOLE, PARTNER, WOMBLE BOND DICKINSON

Cyberinsurance is another consideration for data privacy teams, and it can help Chief Security Officers make the case for more resources (both financial and work hours). Inskeep said cyberinsurance questions also can help companies identify areas of risks and where they need to prioritize their efforts. Such priorities can change, and he said companies need to have a committee or some other mechanism to regularly review and update cybersecurity priorities.

Wilson said one positive change he’s seen is that top executives now understand the importance of cybersecurity and are more willing to include cybersecurity team members in the up-front decision-making process.

Bringing in Outside Expertise

Consultants and vendors can be helpful to a cybersecurity team, particularly for smaller teams. Companies can move certain functions to third-party consultants, allowing their own teams to focus on core priorities.

“If we don’t have that internal expertise, that’s a situation where we’d call in third-party resources,” Wilson said.

Bringing in outside professionals also can help a company keep up with new trends and new technologies.

Ultimately, a proactive and well-coordinated cybersecurity strategy is indispensable for safeguarding the digital landscape of modern enterprises. With an ever-evolving threat landscape, companies must be agile in their approach and continuously review and update their security measures. At the core of any effective cybersecurity plan is a comprehensive risk management framework that identifies potential vulnerabilities and outlines steps to mitigate their impact. This framework should also include incident response protocols to minimize the damage in case of a cyberattack.

In addition to technology and processes, the human element is crucial in cybersecurity. Employees must be educated on how to spot potential threats, such as phishing emails or suspicious links, and know what steps to take if they encounter them.

Key Takeaways:

  • What are the biggest risk areas and how do you minimize those risks?
  • Know your external cyber footprint. This is what attackers see and will target.
  • Align with your team, your peers, and your executive staff.
  • Prioritize implementing multi-factor authentication and controlling access to protect against common threats like phishing and ransomware.
  • Develop reliable backup systems and robust incident response plans to recover lost data and respond quickly to cyber incidents.
  • Engage team members who are not on the front lines of cybersecurity to ensure quick identification and escalation of potential threats.
  • Conduct tabletop exercises and security awareness training regularly.
  • Leverage intern programs and help desk personnel to build a strong cybersecurity team internally.
  • Explore remote work options to widen the talent pool for hiring cybersecurity professionals, while keeping remote workers engaged and integrated.
  • Balance regulatory compliance with overall security goals, understanding that compliance is just a minimum standard.

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.

by: Theodore F. Claypoole of Womble Bond Dickinson (US) LLP


A Tribute to Whistleblowers: Bitcoin Billionaire to pay $40 Million to Settle Tax Evasion Suit

Michael Saylor, the billionaire bitcoin investor, will pay a record $40 million to settle allegations that he defrauded Washington D.C. by falsely claiming he lived elsewhere to avoid paying D.C. taxes. The suit – discussed in one of our previous blogs – was originally brought by a whistleblower, Tributum, LLC., and the D.C. Attorney General intervened in the lawsuit in 2022. The settlement marks the largest income tax fraud recovery in Washington D.C. history.

Though Saylor claims he has lived in Florida since 2012, the suit alleged that Saylor actually resided in a 7,000-square-foot penthouse, or on yachts docked on the Potomac River in the District of Columbia. Furthermore, the Attorney General alleged that from 2005 through 2021, Saylor paid no income taxes. Saylor first improperly claimed residency in Virginia to pay lower taxes, then created an elaborate scheme to feign Florida residency to avoid income taxes altogether, as Florida has no personal income tax. Court filings state that MicroStrategy, Saylor’s company, submitted falsified documents to prove his residency.

According to a court filing, MicroStrategy kept track of Saylor’s location, and those records show that he met the 183-day residency threshold for D.C., meaning he was obligated to pay income taxes to the District. As we mentioned in our previous blog on the case, the complaint summarizes this tax fraud scheme as “depriv[ing] the District of tens of millions of dollars or more in tax revenue it was lawfully owed, all while Saylor continued to enjoy the full range of services, infrastructure, and other fruits of living in the District.” Despite this, he allegedly made bold claims to his friends, “contending that anyone who paid taxes to the District was stupid,” according to the Attorney General.

About the case, the D.C. Attorney General further stated that “No one in the District of Columbia, no matter how wealthy or powerful they may be, is above the law.” Holding even evasive billionaires accountable is an important part of keeping the integrity of our systems intact and ensuring that we all pay our fair share. Under the District of Columbia False Claims Act, private citizens can report tax evasion schemes, while the federal False Claims Act has a “tax bar,” so tax fraud is not actionable under that law. The IRS Whistleblower program instead offers recourse.

In addition to the $40 million settlement, Saylor has agreed to comply with D.C. tax laws. The amount of the whistleblower award in the case is still being determined, but whistleblowers are entitled to 15-25% of the government’s recovery in a qui tam False Claims Act settlement.