The Increasing Role of Cybersecurity Experts in Complex Legal Disputes

The testimonies and guidance of expert witnesses have been known to play a significant role in high-stakes legal matters, whether it be the opinion of a clinical psychiatrist in a homicide case or that of a career IP analyst in a patent infringement trial. However, in today’s highly digital world—where cybercrimes like data breaches and theft of intellectual property are increasingly commonplace—cybersecurity professionals have become some of the most sought-after experts for a broadening range of legal disputes.

Below, we will explore the growing importance of cybersecurity experts to the litigation industry in more depth, including how their insights contribute to case strategies, the challenges of presenting technical and cybersecurity-related arguments in court, the specific qualifications that make an effective expert witness in the field of cybersecurity, and the best method for securing that expertise for your case.

How Cybersecurity Experts Help Shape Legal Strategies

Disputes involving complex cybercrimes typically require more technical expertise than most trial teams have on hand, and a qualified cybersecurity expert can transform your ability to understand the case, uncover critical evidence, and shape your overall strategy.

For example, in litigation arising from a criminal data breach, defense counsel might retain an expert witness to analyze the plaintiff’s cybersecurity policies and protective controls as they existed at the time of the attack, and to assess their effectiveness and their compliance with applicable regulations or industry best practices. Similarly, an expert with in-depth knowledge of evolving data protection laws, standards, and disclosure requirements is well suited to assessing a party’s liability in virtually any matter involving unauthorized access to protected information. Cybersecurity experts are also valuable during discovery, where their experience with the systems involved can help uncover evidence of a specific attack or breach that was initially overlooked.

We have already seen many instances in which the testimony and involvement of cybersecurity experts have shaped the direction of a legal dispute. Consider the Coalition for Good Governance, which recently rested its case as the plaintiffs in a six-year battle with the state of Georgia over the security of touchscreen voting machines. Throughout the process, the organization relied heavily on the testimony of multiple cybersecurity experts who testified that they had identified vulnerabilities in the state’s voting technology. If that testimony proves persuasive, it could not only sway the ruling in the plaintiffs’ favor but also lead to new policies and change the way Georgia voters cast their ballots as early as this year.

The Challenges of Explaining Cybersecurity in the Courtroom

While there is no denying the growing importance of cybersecurity experts in modern-day disputes, it is also important to note that many challenges still exist in presenting highly technical arguments and/or evidence in a court of law.

Perhaps most notably, there remains a significant gap between legal and technical vocabulary, and between what cybersecurity professionals know and what judges, lawyers, and juries can be expected to understand when parsing dense technical material. In other words, today’s trial teams need to work carefully with cybersecurity experts to develop communication strategies that adequately illustrate their arguments without creating unnecessary confusion or a misunderstanding of the evidence being presented. Visuals are a particularly useful tool for helping both litigators and experts explain complex topics while keeping decision-makers engaged.

Depending on the nature of the data breach or cybercrime in question, you may be tasked with replicating a digital event to support your specific argument. In many cases, this can be incredibly challenging due to the evolving and multifaceted nature of modern cyberattacks, and it may require extensive resources within the time constraints of a given matter. Thus, it is wise to use every tool at your disposal to boost the power of your team—including custom expert witness sourcing and visual advocacy consultants.

What You Should Look for in a Cybersecurity Expert

Determining the qualifications of a cybersecurity expert is highly dependent on the details of each individual case, making it critical to identify an expert whose experience reflects your precise needs. For example, a digital forensics specialist will offer an entirely different skill set than someone with a background in data privacy regulations and compliance.

Making sure an expert has the relevant professional experience to assess your specific cybersecurity case is only one factor to consider. In addition to verifying education and professional history, you must also assess the expert’s experience in the courtroom and familiarity with relevant legal processes. Similarly, expert witnesses should be evaluated based on their individual personality and communication skills, as they will be tasked with conveying highly technical arguments to an audience that will likely have a difficult time understanding all relevant concepts in the absence of clear, simplified explanations.

Where to Find the Most Qualified Cybersecurity Experts

Safeguarding the success of your client or firm in the digital age starts with the right expertise. You need to be sure your cybersecurity expert is uniquely suited to your case and primed to share critical insights when the stakes are high.

USDA Releases Reports on Economic Impact Analysis of the U.S. Biobased Products Industry and on Hemp Research and Innovation

On March 8, 2024, the U.S. Department of Agriculture honored the second annual National Biobased Products Day, “a celebration to raise public awareness of biobased products, their benefits and their contributions to the U.S. economy and rural communities.” USDA states that as part of its activities to honor National Biobased Products Day, it released two reports:

Economic Impact Analysis of the U.S. Biobased Products Industry

USDA states that its commissioned report “An Economic Impact Analysis of the U.S. Biobased Products Industry: 2023 Update,” shows that, based on data from 2021, the biobased products industry has grown nationwide despite the impacts of the global COVID-19 pandemic. According to USDA, key report findings include:

  • Biobased products, a segment of the bioeconomy, contributed $489 billion to the U.S. economy in 2021, up from $464 billion in 2020. This is an increase of $25 billion — a 5.1 percent increase;
  • The biobased products sector, and the jobs it supports, are shown to impact every state in the nation, not just the states where agriculture is the main industry; and
  • The use of biobased products reduces the consumption of petroleum equivalents. In 2017, oil displacement was estimated to be as much as 9.4 million barrels of oil equivalents. In 2021, the displacement grew to 10.7 million barrels of oil equivalents.

USDA notes that the findings span seven major sectors representing the bioeconomy: Agriculture and Forestry; Biobased Chemicals; Biobased Plastic Bottles and Packaging; Biorefining; Enzymes; Forest Products; and Textiles. The 2023 Update is the sixth volume in a series of reports tracking the impact of the biobased product industry on the U.S. economy.

Hemp Research and Innovation

USDA also released its “Hemp Research Needs Roadmap,” which reflects stakeholder input in identifying the hemp industry’s greatest research needs: breeding and genetics, best practices for production, biomanufacturing for end uses, and transparency and consistency. According to USDA, these priority research areas “cut across the entire hemp supply chain and are vital to bolstering hemp industry research.” USDA notes that growing demand for biobased products, like those from hemp, “creates potential for added-value use in food, feed, fiber and other industrial products that can improve the livelihoods of U.S. producers and offer consumers alternative biobased products.”

USDA also announced a $10 million National Institute of Food and Agriculture investment to Oregon State University’s Global Hemp Innovation Center. USDA states that the Center will work with 13 Native American Tribes to spur economic development in the western United States by developing manufacturing capabilities for materials and products made from hemp.

The ‘Effective Spread’ of Order Execution Quality Reporting

On March 6, 2024, by unanimous vote, the Securities and Exchange Commission (SEC) adopted changes to Rule 605 under Regulation NMS, the provision that previously required only entities defined as “market centers” to publish detailed statistics on the quality of execution of “covered orders” in NMS stocks. Amended Rule 605 expands the reporting requirement in many ways:

  • by reporting party, to (a) broker-dealers with over 100,000 customer accounts (not just “market centers”); (b) Single Dealer Platforms; and (c) Automated Trading Systems (as a stand-alone reporter, separate from any reports by the broker-dealer operator of the ATS);
  • by expanding the scope of “covered orders” to include: (a) non-marketable limit orders received outside market hours and executed during market hours; (b) stop orders; and (c) short sale orders not marked short exempt and not subject to price test restrictions under Reg SHO;
  • by revising time and size categories to include odd-lot and fractional share orders and to measure execution time in microseconds and milliseconds. Timestamps must also contain millisecond granularity; and
  • by expanding execution quality metrics. This expansion is wide-ranging and, among other things, (a) adds effective over quoted spread (“E/Q”) as a reporting metric; (b) requires reporting of average realized spread at multiple periods from 50 milliseconds to five minutes after execution; (c) measures price improvement not only relative to the NBBO, but also relative to the “best available displayed price,” a new baseline that includes available odd-lot liquidity; (d) adds measures of size improvement; and (e) includes fill rate information for non-marketable limit orders.

In the past, Rule 605 reports were practically unreadable for retail investors. They were data-heavy rather than in “plain English” and were reported at the security level, requiring significant data analysis to draw meaningful conclusions. The revised Rule seeks to remedy this deficiency, requiring covered broker-dealers and market centers to provide a Summary Report broken out by S&P 500 and non-S&P 500 securities, by order type (market and marketable limit) and order size, with columns for: average order size (shares and notional), average midpoint, percentage of orders executed at the quote or better, percentage receiving price improvement (both absolute and as a percentage of midpoint); average effective spread; average quoted spread; average effective over quoted spread (or “E/Q” percentage); average realized spread 15 seconds and one minute after execution; and average execution speed, in milliseconds.

While the rule revisions are comprehensive and will require significant programming (or vendor) expense, particularly for broker-dealers newly subject to the rule, many of the changes are welcome. Rule 605 had previously been subject to many increasingly outdated metrics, and firms that route orders will welcome more comprehensive and granular data elements. It remains to be seen whether retail and institutional customers will use the data to demand better execution quality from their broker-dealers or manage order-entry decisions based on the data.

What is meaningful, however, is the timing of this rule revision. These revisions were proposed in December 2022 as part of a package of significant market structure changes, including a proposed Order Competition Rule, a proposed far-reaching SEC best execution requirement known as Regulation Best Execution, and proposals to revise the pricing increments for quoting and trading equity securities and the minimum fees to access that liquidity. These other proposals were very controversial and subject to strong pushback from many parts of the securities industry. Many argued that the SEC should first adopt the proposed amendments to Rule 605 and then use the data from revised Rule 605 reporting to evaluate the other rule proposals. This approach would, of course, delay consideration of the other rule proposals while data were generated under revised Rule 605. The SEC’s adoption of just the Rule 605 revisions does not preclude further consideration of the other rules, but it is a welcome development and a step in the right direction.

The Rule 605 amendments will become effective 60 days after the release is published in the Federal Register. The compliance date is currently set for 18 months after that effective date.


FCC Updated Data Breach Notification Rules Go into Effect Despite Challenges

On March 13, 2024, the Federal Communications Commission’s updates to the FCC data breach notification rules (the “Rules”) went into effect. They were adopted in December 2023 pursuant to an FCC Report and Order (the “Order”).

The Rules went into effect despite challenges brought in the United States Court of Appeals for the Sixth Circuit. Two trade groups, the Ohio Telecom Association and the Texas Association of Business, petitioned the United States Courts of Appeals for the Sixth Circuit and Fifth Circuit, respectively, to vacate the FCC’s Order modifying the Rules. The Order was published in the Federal Register on February 12, 2024, and the petitions were filed shortly thereafter. The challenges, which the United States Judicial Panel on Multidistrict Litigation consolidated in the Sixth Circuit, argue that the Rules exceed the FCC’s authority and are arbitrary and capricious. The Order itself addresses the argument that the Rules are “substantially the same” as the breach rules nullified by Congress in 2017. The challenges, however, have not progressed since the Rules went into effect.

Read our previous blog post to learn more about the Rules.


Staying on Course: Navigating Election Year Issues for Exempt Organizations

With the 2024 election cycle underway, it is important for exempt organizations to understand and comply with relevant restrictions on political campaign activities to safeguard their tax-exempt status and avoid triggering excise tax penalties. This alert provides an overview of the political campaign rules applicable to exempt organizations and specifically highlights the restrictions on political campaign activities applicable to Section 501(c)(3), 501(c)(4), and 501(c)(6) organizations.

Restrictions on Political Activities

Exempt organizations are subject to certain restrictions regarding their participation in political campaign activities, and the amount of permissible participation is a key distinction between Section 501(c)(3), 501(c)(4), and 501(c)(6) organizations. To comply with these restrictions, an exempt organization must (1) know its specific tax-exempt status and the restrictions that apply to it, (2) understand what activities constitute political campaign activities, (3) avoid activities that violate the applicable restrictions, and (4) mitigate the risk that activities conducted by employees in their individual capacities are attributed to the organization.

Prohibited Political Campaign Intervention for Section 501(c)(3) Organizations

Section 501(c)(3) organizations are subject to an absolute prohibition on participation or intervention in political campaign activities. Organizations that violate this ban are subject to the revocation of their tax-exempt status and the imposition of excise tax penalties on both the organization itself and organization managers who approve expenditures used for impermissible political purposes. Therefore, Section 501(c)(3) organizations must avoid activities that violate the prohibition on political campaign intervention.

Prohibited political campaign intervention occurs when an exempt organization “participates in, or intervenes in” a “candidate’s” campaign for “public office” (Section 501(c)(3)).

The term “candidate” refers to any person who has declared an intent to run for national, state, or local office and likely includes incumbents until they announce an intention not to run. A candidate also includes individuals who have yet to declare an intention to run for public office, but whose potential candidacy generates significant public speculation. The term “public office” broadly refers to any national, state, or local elective office, as well as any elected position in a political party.

An organization is considered to “participate in, or intervene in” political campaign activity by making contributions to political campaign accounts or making public statements on behalf of the organization in favor of or in opposition to a candidate for public office. Specifically, the Internal Revenue Service (IRS) regulations define participation in a political campaign as “publication or distribution of written or printed statements or the making of oral statements on behalf of or in opposition to . . . a candidate” (Treas. Reg. § 1.501(c)(3)-1(c)(3)(iii)). The IRS regulations also note that political campaign intervention is not limited to these specified activities.

The IRS has interpreted prohibited political campaign intervention to include even some nonpartisan educational activities. For example, the IRS has ruled that an organization that was formed to promote public education violated the prohibition on political campaign activities when it announced the names of the school board candidates it considered most qualified following an objective review of the candidates’ qualifications (Rev. Rul. 67-71, 1967-1 C.B. 125).

These restrictions on political campaign activities do not extend to the officers, directors, or employees of a 501(c)(3) organization, provided they are acting in their individual capacities. It is particularly important, however, to mitigate the risk that any personal political activities conducted by officers, directors, or employees will be attributed to the organization. An exempt organization should ensure their employees do not use institutional resources to engage in personal political campaign activities or act in a manner that suggests they are speaking on behalf of the organization when engaged in campaign advocacy. Exempt organizations should adopt clear policies regarding political activities and institutional resources and communicate the importance of such policies to employees during an election year.

Permissible Political Activities

Some educational activities that are election-related are permissible, however, and will not be considered prohibited campaign intervention. In order to be considered “educational,” the activities must present “a sufficiently full and fair exposition of the pertinent facts” (Treas. Reg. § 1.501(c)(3)-1(d)(3)). The information presented must “permit an individual or the public to form an independent opinion or conclusion” and not be biased. Activities that satisfy this definition may be considered permissible educational activities rather than prohibited or restricted political activities.

The following types of educational activities, although election-related, are generally permissible:

  • Voter Registration: Voter registration drives are not considered political campaign activities if they are conducted in a nonpartisan and fair manner. An organization conducting a voter registration drive should not expressly advocate for or against any candidates or political parties as part of the registration effort. It also generally should not name candidates or provide their party affiliations; if any candidates are named, all candidates should be named. All persons interested in registering must also be permitted to register, regardless of their political preference or party affiliation.
  • Voter Education: Certain forms of voter education, such as the distribution of voter guides and voting records, may qualify as an educational activity provided the organization avoids editorial commentary and ensures the materials cover a broad range of issues. Organizations must not demonstrate a preference toward a certain candidate or cover only a narrow range of issues when engaging in voter education activities.
  • Candidate Debates and Forums: Providing a fair, neutral forum for candidate debates may qualify as an educational activity so long as the debate provides equal time to all qualified candidates. Organizations should be particularly careful to include all qualified candidates, cover a broad range of topics, have a nonpartisan group compose the questions, and clarify that the candidates’ views are not the views of the exempt organization. The moderator selected by the organization can ensure the candidates follow the ground rules for the debate, but should not ask questions or comment on the candidates’ statements in a way that indicates support for or opposition to a candidate or their positions.

Section 501(c)(4) Organizations

Section 501(c)(4) social welfare organizations have more latitude to engage in political campaign activities than Section 501(c)(3) organizations. Section 501(c)(4) organizations are not subject to an absolute ban on campaign intervention, but instead are permitted to engage in some limited political activities, provided they remain primarily engaged in social welfare activities. The IRS will compare an organization’s political activities and expenditures (plus its non-exempt activities) with its social welfare activities to determine whether the organization remains primarily engaged in promoting social welfare consistent with its tax-exempt status. Accordingly, Section 501(c)(4) organizations should maintain records to ensure they remain primarily engaged in social welfare activities during an election year. If a Section 501(c)(4) organization engages in political activities, it must also provide its members with a notice of how much of their dues were used towards political activities and determine the proxy tax on those expenditures. If member dues are used for political campaign activities, then a portion of the dues may not be a deductible business expense under Section 162.

Section 501(c)(6) Organizations

Business leagues described in Section 501(c)(6) are subject to the same less-stringent rules regarding political campaign activities as Section 501(c)(4) organizations. Section 501(c)(6) organizations may engage in some political activities on a limited basis, provided such political activities are not the organization’s primary activity. If a Section 501(c)(6) organization engages in political activities, it must also provide its members with a notice of how much of their dues were used towards political activities and determine the proxy tax on those expenditures. If member dues are used for political campaign activities, then a portion of the dues may not be a deductible business expense under Section 162.

Related Restrictions

The scope of this alert is limited to restrictions on political campaign activities under federal tax law. Exempt organizations are also subject to campaign finance restrictions and requirements by the Federal Election Commission, as well as rules regarding legislative or lobbying activities imposed by the IRS, the Lobbying Disclosure Act of 1995, and other federal, state, and local laws, which are beyond the scope of this alert.

U.S. House of Representatives Passes Bill to Ban TikTok Unless Divested from ByteDance

Yesterday (March 13, 2024), with broad bipartisan support, the U.S. House of Representatives voted overwhelmingly (352-65) to pass the Protecting Americans from Foreign Adversary Controlled Applications Act, designed to begin the process of banning TikTok’s use in the United States. This is music to my ears. See a previous blog post on this subject.

The Act would penalize app stores and web hosting services that host TikTok while it is owned by China-based ByteDance. However, if the app is divested from ByteDance, the Act would allow continued use of TikTok in the U.S.

National security experts have warned legislators and the public that downloading and using TikTok poses a national security threat. The threat arises because ByteDance, as a Chinese company, is required by Chinese law to share users’ data with the Chinese Communist government on request. On installation, TikTok requests access to users’ microphones, cameras, and location services, which amounts to spyware on over 170 million Americans’ every move (dance or not).

Lawmakers are concerned about the detailed sharing of Americans’ data with one of its top adversaries and the ability of TikTok’s algorithms to influence and launch disinformation campaigns against the American people. The Act will make its way through the Senate, and if passed, President Biden has indicated that he will sign it. This is a big win for privacy and national security.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.
by: Linn F. Freedman of Robinson & Cole LLP


Clueless in the Cubicle

The Journal’s recent piece about managing employees with misperceptions of their own value to the organization reminds us once again why honest and timely performance feedback makes good business sense. I have written before about the benefit of candid performance reviews, even at the risk of hurt feelings. I have also defended performance evaluations as an important tool to mitigate potential liability for employment claims. The Journal’s piece, drawing on almost two million assessments, states that nearly four in 10 employees who received the lowest grades from their managers last year rated themselves as highly valued by the organization. If true, that represents an astounding disconnect between performance-related perception and reality.

Theory is one thing. Managers who are adept at giving feedback are another. While businesses are rightly focused on running the organization’s business, training managers to deliver quality feedback is often assigned a low priority. Adding to that deficiency is the often unmet need for managers with the right EQ to deliver feedback. But despite those challenges, which exist even for employees who relish feedback, there are some important guidelines for managing employees with an inflated sense of their employment worth. Here are a few suggestions for delivering feedback to performance deniers, who clearly require a more exacting approach.

First, performance discussions (especially about the areas in which the employee is falling short) must be regular and ongoing, and must happen promptly after an error or mistake is committed. Performance deniers will use a one-time annual review (even if negative) to point out the obvious: if they were falling so short, the manager would not have waited so long to deliver that message (which, in their view, adds to the review’s inherent unreliability).

Second, managers should not shy away from a denier’s tendency to fight the feedback (they disagree with it, it is wrong, it is fake). Rather, managers should use the denier’s dispute to double down on feedback: the employee’s inability to accept criticism, consider it, and even hear it, are all key parts of an employee’s commitment to the organization to grow and do better. Growth requires introspection. The refusal to engage in that process is itself a performance deficiency.

Third, managers should not permit performance conversations to become a discussion about victimization, unfair treatment or perceived persecution (all of which may end up becoming a legal claim). Performance deniers are adept at deflecting: one key deflection is to blame others and make the discussion about things entirely outside performance parameters. Managers need to be empowered to insist on returning the feedback conversation back to the key and only focus: what is the employee doing well and how can (and must) the employee improve?

Finally, organizations need to assess the impact performance deniers have on employee morale. While not all employees will share the same perception, most people are aware when others aren’t pulling their weight – especially when they are tasked to pick up the pieces. Those on the downhill slope of these assignments – often the best performers because of the natural inclination to step up – may not stick around. The slippery slope here is clear and cluelessness at work is not a great look for the business or the employee.

740,000 Reasons to Think Twice Before Putting a Company in Bankruptcy

A recent decision from a bankruptcy court in Delaware provides a cautionary tale about the risks of involuntary bankruptcy.

In the Delaware case, the debtor managed a group of investment funds. The business was all but defunct when several investors, dissatisfied with the debtor’s management, filed an involuntary Chapter 7 petition.  They obtained an order for relief from the bankruptcy court, then removed the debtor as manager of the funds and inserted their hand-picked manager.  So far, so good.

The debtor, who was not properly served with the involuntary petition and did not give the petition the attention it required, struck back and convinced the bankruptcy court to set aside the order for relief. The debtor then went after the involuntary petitioners for damages. After eight years of litigation, the Delaware court awarded the debtor $740,000 in damages, all of it attributable to attorneys’ fees and costs.

If you file an involuntary petition and the bankruptcy court dismisses it, the debtor can recover costs and reasonable attorneys’ fees (11 U.S.C. § 303(i)(1)). The recoverable fees include the amount necessary to defeat the involuntary filing. In addition, if the court finds that the petition was filed in bad faith, the court can also enter judgment for all damages proximately caused by the filing and for punitive damages (11 U.S.C. § 303(i)(2)). The Delaware court awarded the debtor $75,000 for defeating the involuntary petition.

The debtor also sought a judgment for attorneys’ fees incurred in pursuing damages for violation of the automatic stay (11 U.S.C. § 362(k)). The involuntary petitioners had replaced the debtor as manager without first obtaining leave of court to do so. The investment fund was barely operating and had little income to support a claim for actual damages. Nevertheless, the Delaware court awarded $665,000 in attorneys’ fees related to litigating the automatic stay violation.

Because the debtor had no “actual” damages from the stay violation, the involuntary petitioners contended that the debtor was not entitled to recovery of attorneys’ fees.  The Delaware court pointed out that “actual” damages (e.g., loss of business income) are not a prerequisite to the recovery of attorneys’ fees, much to the chagrin of the defendants.  The court held that attorneys’ fees and costs are always “actual damages” in the context of a willful violation of the automatic stay.

The Delaware court also rejected defendants’ argument that the fee amount was “unreasonable” since there was no monetary injury to the business.  In other words, the debtor should not have spent so much money on legal fees because it lost on its claim.  The court held that defendants’ argument was made “with the benefit of hindsight” – at the end of litigation when the court had ruled, after an evidentiary trial, that debtor suffered no actual injury.  The court pointed out that the debtor sought millions in damages for the loss of management’s fees, and even though the court rejected the claim after trial, it was not an unreasonable argument for the debtor to make.  The court concluded that “the reasonableness of one’s conduct must be assessed at the time of the conduct and based on the information that was known or knowable at the time.”

The involuntary petitioners likely had sound reasons to want the debtor removed as fund manager.  But by pursuing involuntary bankruptcy and losing, they ended up having to stroke a check to the debtor for over $700,000.  Talk about adding insult to injury.  The upshot is that involuntary bankruptcy is an extreme and risky action that should be a last-resort option undertaken with extreme caution.

SEC Issues Long-Awaited Climate Risk Disclosure Rule

INTRODUCTION

On Wednesday, 6 March 2024, the Securities and Exchange Commission (SEC) approved its highly anticipated final rules on “The Enhancement and Standardization of Climate-Related Disclosures for Investors” by a vote of 3-2, with Republican Commissioners Hester Peirce and Mark Uyeda dissenting. Accompanying the final rules were a press release and a fact sheet detailing the provisions of the rulemaking. The final rules will go into effect 60 days after publication in the Federal Register and will include a phased-in compliance period for all registrants.

This is likely to be one of the most consequential rulemakings of Chairman Gary Gensler’s tenure given the prioritization of addressing climate change as a key pillar for the Biden administration. However, given the significant controversy associated with this rulemaking effort, the final rules are likely to face legal challenges and congressional oversight in the coming months. As such, it remains unclear at this point whether the final rules will survive the forthcoming scrutiny.

WHAT IS IN THE RULE?

According to the SEC’s fact sheet:

  • “The final rules would require a registrant to disclose, among other things: material climate-related risks; activities to mitigate or adapt to such risks; information about the registrant’s board of directors’ oversight of climate-related risks and management’s role in managing material climate-related risks; and information on any climate-related targets or goals that are material to the registrant’s business, results of operations, or financial condition.
  • Further, to facilitate investors’ assessment of certain climate-related risks, the final rules would require disclosure of Scope 1 and/or Scope 2 greenhouse gas (GHG) emissions on a phased-in basis by certain larger registrants when those emissions are material; the filing of an attestation report covering the required disclosure of such registrants’ Scope 1 and/or Scope 2 emissions, also on a phased-in basis; and disclosure of the financial statement effects of severe weather events and other natural conditions including, for example, costs and losses.
  • The final rules would include a phased-in compliance period for all registrants, with the compliance date dependent on the registrant’s filer status and the content of the disclosure.”

NEXT STEPS

The final rules are likely to face significant opposition, including legal challenges and congressional oversight. Various lawsuits are expected to be brought against the final rules, likely with support from several industry groups or from GOP-led state attorneys general, who have been active in litigating against environmental, social and governance (ESG) policies and regulations. It is also possible that the final rules could face criticism from some climate advocates that the SEC did not go far enough in its disclosure requirements.

Further, it is expected that the House Financial Services Committee (HFSC) will conduct oversight hearings, as well as introduce a resolution under the Congressional Review Act (CRA), to attempt to block the regulations from taking effect. HFSC Chairman Patrick McHenry (R-NC) indicated that the Oversight and Investigations Subcommittee will hold a field hearing on March 18 and the full Committee will convene a hearing on April 10 to discuss the potential implications of the rules. If a CRA resolution were to pass the House and garner sufficient support from moderate Democrats in the Senate to pass, it would likely be vetoed by President Biden.

Ultimately, the SEC climate risk disclosure rules are unlikely to significantly change the trajectory of corporate disclosures made by multinational companies based in the U.S., most of which have already been making sustainability disclosures in accordance with the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures. The ongoing problem for investors is that such disclosures are not standardized and therefore are not comparable. Consequently, many of these large issuers may continue to enhance their sustainability disclosures in accordance with standards issued by the International Sustainability Standards Board and the Global Reporting Initiative as an investor relations imperative, notwithstanding the SEC’s timetable for implementation of these final rules.

A more detailed analysis of the SEC rules is forthcoming from our Corporate and Asset Management and Investment Funds practices in the coming days.

President Biden Announces Groundbreaking Restrictions on Access to Americans’ Sensitive Personal Data by Countries of Concern

The executive order (EO) and forthcoming regulations will impact the use of genomic data, biometric data, personal health care data, geolocation data, financial data and some other types of personally identifiable information. The administration is taking this extraordinary step in response to the national security risks posed by access to US persons’ sensitive data by countries of concern – data that could then be used to surveil, scam, blackmail and support counterintelligence efforts, or could be exploited by artificial intelligence (AI) or be used to further develop AI. The EO, however, does not call for restrictive personal data localization and aims to balance national security concerns against the free flow of commercial data and the open internet, consistent with protection of security, privacy and human rights.

The EO tasks the US Department of Justice (DOJ) with developing rules that will address these risks, and it provides an opportunity for businesses and other stakeholders, including labor and human rights organizations, to provide critical input to agency officials as they draft these regulations. The EO and forthcoming regulations will not screen individual transactions. Instead, they will establish general rules regarding specific categories of data, transactions and covered persons, and will prohibit and regulate certain high-risk categories of restricted data transactions. The regime is expected to include a licensing and advisory opinion process. DOJ expects companies to develop and implement compliance procedures in response to the EO and its subsequent implementing rules. The adequacy of such compliance programs will be considered as part of any enforcement action – action that could include civil and criminal penalties. Companies should consider action today to evaluate risk, engage in the rulemaking process and set up compliance programs around their processing of sensitive data.

Companies across industries collect and store more sensitive consumer and user data today than ever before, data that is often obtained by data brokers and other third parties. Concerns have grown around perceived foreign adversaries and other bad actors using this highly sensitive data to track and identify US persons as potential targets for espionage or blackmail, including through the training and use of AI. The increasing availability and use of sensitive personal information digitally, in concert with increased access to high-performance computing and big data analytics, has raised additional concerns around the ability of adversaries to threaten individual privacy, as well as economic and national security. These concerns have only increased as governments around the world face the privacy challenges posed by increasingly powerful AI platforms.

The EO takes significant new steps to address these concerns by expanding the role of DOJ, led by the National Security Division, in regulating the use of legal mechanisms, including data brokerage, vendor and employment contracts and investment agreements, to obtain and exploit American data. The EO does not immediately establish new rules or requirements for protection of this data. It instead directs DOJ, in consultation with other agencies, to develop regulations – but these restrictions will not enter into effect until DOJ issues a final rule.

Broadly, the EO, among other things:

  • Directs DOJ to issue regulations to protect sensitive US data from exploitation due to large-scale transfer to countries of concern, or certain related covered persons, and to issue regulations to establish greater protection of sensitive government-related data
  • Directs DOJ and the Department of Homeland Security (DHS) to develop security standards to prevent commercial access to US sensitive personal data by countries of concern
  • Directs federal agencies to safeguard American health data from access by countries of concern through federal grants, contracts and awards

Also on February 28, DOJ issued an Advance Notice of Proposed Rulemaking (ANPRM), providing a critical first opportunity for stakeholders to understand how DOJ is initially contemplating this new national security regime and soliciting public comment on the draft framework.

According to a DOJ fact sheet, the ANPRM:

  • Preliminarily defines “countries of concern” to include China and Russia, among others
  • Focuses on six enumerated categories of sensitive personal data: (1) covered personal identifiers, (2) geolocation and related sensor data, (3) biometric identifiers, (4) human genomic data, (5) personal health data and (6) personal financial data
  • Establishes a bulk volume threshold for the regulation of general data transactions in the enumerated categories but will also regulate transactions in US government-related data regardless of the volume of a given transaction
  • Proposes a broad prohibition on two specific categories of data transactions between US persons and covered countries or persons – data brokerage transactions and genomic data transactions
  • Contemplates restrictions on certain vendor agreements for goods and services, including cloud service agreements; employment agreements; and investment agreements. Such agreements would be subject to cybersecurity requirements developed by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), focused on security requirements that would prevent access by countries of concern

The ANPRM also proposes general and specific licensing processes that will give DOJ considerable flexibility for certain categories of transactions and narrower exceptions for specific transactions upon application by the parties involved. DOJ’s licensing decisions would be made in collaboration with DHS, the Department of State and the Department of Commerce. Companies and individuals contemplating data transactions will also be able to request advisory opinions from DOJ on the applicability of these regulations to specific transactions.

A White House fact sheet announcing these actions emphasized that they will be undertaken in a manner that does not hinder the “trusted free flow of data” that underlies US consumer, trade, economic and scientific relations with other countries. A DOJ fact sheet echoed this commitment to minimizing economic impacts by seeking to develop a program that is “carefully calibrated” and in line with “longstanding commitments to cross-border data flows.” As part of that effort, the ANPRM contemplates exemptions for four broad categories of data: (1) data incidental to financial services, payment processing and regulatory compliance; (2) ancillary business operations within multinational US companies, such as payroll or human resources; (3) activities of the US government and its contractors, employees and grantees; and (4) transactions otherwise required or authorized by federal law or international agreements.

Notably, Congress continues to debate a comprehensive federal framework for data protection. In 2022, Congress stalled on the consideration of the American Data Privacy and Protection Act, a bipartisan bill introduced by House Energy and Commerce leadership. Subsequent efforts to move comprehensive data privacy legislation in Congress have seen little momentum but may gain new urgency in response to the EO.

The EO lays the foundation for what will become significant new restrictions on how companies gather, store and use sensitive personal data. Notably, the ANPRM also represents recognition by the White House and agency officials that they need input from business and other stakeholders to guide the draft regulations. Impacted companies must prepare to engage in the comment process and to develop clear compliance programs so they are ready when the final restrictions are implemented.

Kate Kim Tuma contributed to this article.