2023 Cybersecurity Year In Review

2023 was another busy year in the realm of data event and cybersecurity litigation, with several noteworthy developments in the realm of disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021. At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events. On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information. Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event).

JPML Creates Several Notable Cybersecurity MDLs

In 2023, the Judicial Panel on Multidistrict Litigation (“JPML”) transferred and centralized several data event and cybersecurity putative class actions. This was a departure from prior years, in which the JPML often declined requests to consolidate and coordinate pretrial proceedings in the wake of a data event. By way of example, following the largest data breach of 2023—the MOVEit hack affecting at least 55 million people—the JPML ordered that dozens of class actions regarding MOVEit software be consolidated for pretrial proceedings in the District of Massachusetts. Other data event litigations similarly received the MDL treatment in 2023, including litigations against Samsung, Overby-Seawell Company, and T‑Mobile.

Significant Class Certification Rulings

On the precedent front, 2023 had two notable decisions addressing class certification. While they arose in the cybersecurity context, these cases have broader applicability in other putative class actions. Following a remand from the Fourth Circuit, a judge in Maryland (in an MDL) re-ordered the certification of eight classes of consumers affected by a data breach suffered by Marriott. See In Re: Marriott International, Inc., Customer Data Security Breach Litigation, No. 8:19-md-02879, 2023 WL 8247865 (D. Md. Nov. 29, 2023). As explained here on PW, the court held that a class action waiver provision in consumers’ contracts did not require decertification because (1) Marriott waived the provision by requesting consolidation of cases in an MDL outside of the contract’s chosen venue, (2) the class action waiver was unconscionable and unenforceable, and (3) contractual provisions cannot override a court’s authority to certify a class under Rule 23.

The second notable decision came out of the Eleventh Circuit, where the Court of Appeals vacated a district court’s certification of a nationwide class of restaurant customers in a data event litigation. See Green-Cooper v. Brinker Int’l, Inc., No. 21-13146, 73 F. 4th 883 (11th Cir. July 11, 2023). In a 2-1 decision, a majority of the Court held that only one of the three named plaintiffs had standing under Article III of the U.S. Constitution, and remanded to the district court to reassess whether the putative class satisfied procedural requirements for a class. The two plaintiffs without standing dined at one of the defendant’s restaurants either before or after the time period that the restaurant was impacted by the data event, which the Fourth Circuit held to mean that any injury the plaintiffs suffered could not be traced back to defendant.

Standing Challenges Persist for Plaintiffs in Data Event and Cybersecurity Litigations

Since the Supreme Court’s TransUnion decision in 2021, plaintiffs in data breach cases have continued to face challenges getting into or staying in federal court, and opinions like Brinker reiterate that Article III standing issues are relevant at every stage in litigation, including class certification. See also, e.g., Holmes v. Elephant Ins. Co., No. 3:22-cv-00487, 2023 WL 4183380 (E.D. Va. June 26, 2023) (dismissing class action complaint alleging injuries from data breach for lack of standing). Looking ahead to 2024, it is possible that more data litigation plays out in state court rather than federal court—particularly in the Eleventh Circuit but also elsewhere—as a result.

Cases Continue to Reach Efficient Pre-Trial Resolution

Finally, in the dispute realm, several large cybersecurity litigations reached pre-trial resolutions in 2023. The second-largest data event settlement ever—T-Mobile’s $350 million settlement fund with $150 million in data security spend—received final approval from the trial court. And software company Blackbaud settled claims relating to a 2020 ransomware incident with 49 states’ Attorneys General and the District of Columbia to the tune of $49.5 million. Before the settlement, Blackbaud was hit earlier in the year with a $3 million fine from the Securities and Exchange Commission. The twin payouts by Blackbaud are cautionary reminders that litigation and regulatory enforcement on cyber incidents often go hand-in-hand, with multifaceted risks in the wake of a data event.

FTC and Cybersecurity

Regulators were active on the cybersecurity front in 2023, as well. Following shortly after the Health and Human Resources Office of Civil Rights policy bulletin on the use of trackers in compliance with HIPAA, the FTC announced settlement of enforcement actions against GoodRx, Premom, and BetterHelp for sharing health data with third parties via tracking technologies, resulting in a breach of Personal Health Records under the Health Breach Notification Rule. The FTC also settled enforcement actions against Chegg and Drizly for inadequate cybersecurity practices which led to data breaches. In both cases, the FTC faulted the companies for failing to implement appropriate cybersecurity policies and procedures and access controls, and for failing to securely store access credentials for company databases (among other issues).

Notably, in the Drizly matter, the FTC continued a trend of holding corporate executives individually responsible, in this case for the CEO’s failure to implement “or properly delegate responsibility to implement, reasonable information security practices.” Under the consent decree, Drizly’s CEO must implement a security program (either at Drizly or at any company to which he might move that processes personal information of 25,000 or more individuals and where he is a majority owner, CEO, or other senior officer with information security responsibilities).

SEC’s Focus on Cyber Continues

The SEC was also active in cybersecurity. In addition to the regulatory enforcement action against Blackbaud mentioned above, the SEC initiated an enforcement action against a software company for a cybersecurity incident disclosed in 2020. In its complaint, the SEC alleged that the company “defrauded…investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks” through its public statements regarding its cybersecurity practices and risks. Like the Drizly matter, the SEC charged a senior company executive individually—in this case, the company’s CISO—for concealing the cybersecurity deficiencies from investors. The matter is currently pending. These cases reinforce that regulators will continue to hold senior executives responsible for oversight and implementation of appropriate cybersecurity programs.

Notable Federal Regulatory Developments

Regulators were also active in issuing new regulations on the cybersecurity front in 2023. In addition to its cybersecurity regulatory enforcement actions, the FTC amended the GLBA Safeguards Rule. Under the amended Rule, non-bank financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of any security breach involving the unencrypted information of 500 or more consumers.

Additionally, in March 2024, the SEC proposed revisions to Regulation S-P, Rule 10 and Form SCIR, and Regulation SCI aimed at imposing new incident reporting and cybersecurity program requirements on various covered entities. You can read PW’s coverage of the proposed amendments here. In July, the SEC also finalized its long-awaited Cybersecurity Risk Management and Incident Disclosure Regulations. Under the final Regulations, public companies are obligated to report on material cybersecurity risks, cybersecurity risk management and governance, and board of directors’ oversight of cybersecurity risks in their annual 10-K reports. Additionally, covered entities are required to report material cybersecurity incidents within four business days of determining materiality. PW’s analysis of the final Regulations is here.

New State Cybersecurity Regulations

The New York Department of Financial Services also finalized amendments to its landmark Cybersecurity Regulations in 2023. In the amended Regulations, NYDFS creates a new category of companies subject to heightened cybersecurity standards: Class A Companies. These heightened cybersecurity standards apply only to the largest financial institutions (i.e., entities with at least $20 million in gross annual revenues over the last 2 fiscal years, and either (1) more than 2,000 employees; or (2) over $1 billion in gross annual revenue over the last 2 fiscal years). The enhanced requirements include independent cybersecurity audits, enhanced privileged access management controls, and endpoint detection and response with centralized logging (unless otherwise approved in writing by the CISO). New cybersecurity requirements for other covered entities include annual review and approval of the company cybersecurity policy by a senior officer or the senior governing body (i.e., board of directors), CISO reporting to the senior governing body, senior governing body oversight, and access controls and privilege management, among others. PW’s analysis of the amended NYDFS Cybersecurity Regulations is here.

Also on the state front, the California Privacy Protection Agency issued draft cybersecurity assessment regulations as required by the CCPA. Under the draft regulations, if a business’s “processing of consumers’ personal information presents significant risk to consumers’ security”, that business must conduct a cybersecurity audit. If adopted as proposed, companies that process a (yet undetermined) threshold number of items of personal information, sensitive personal information, or information regarding consumers under 16, as well as companies that exceed a gross revenue threshold, will be considered “high risk.” The draft regulations outline detailed criteria for evaluating a business’s cybersecurity program and documenting the audit. The draft regulations anticipate that the audit results will be reported to the business’s board of directors or governing body and that a representative of that body will certify that the signatory has reviewed and understands the findings of the audit. If adopted, businesses will be obligated to certify compliance with the audit regulations to the CPPA. You can read PW’s analysis of the implications of the proposed regulations here.

Consistent with 2023 enforcement priorities, new regulations issued this year make clear that state and federal regulators are increasingly holding senior executives and boards of directors responsible for oversight of cybersecurity programs. With regulations explicitly requiring oversight of cybersecurity risk management, the trend toward holding individual executives responsible for egregious cybersecurity lapses is likely to continue into 2024 and beyond.

Looking Forward

2023 demonstrated “the more things change, the more they stay the same.” Cybersecurity litigation trends were a continuation of the prior two years. Something to keep an eye on in 2024 remains the potential for individual officer and director liability in the wake of a widespread cyberattack. While the majority of cybersecurity litigations filed continue to be brought on behalf of plaintiffs whose personal information was purportedly disclosed, shareholders and regulators will increasingly look to hold executives responsible for failing to adopt reasonable security measures to prevent cyberattacks in the first instance.

Needless to say, 2024 should be another interesting year on the cybersecurity front. This is particularly so for data event litigations and for data developments more broadly.

Becoming Antitrust Aware in 2024: Top Five Recommendations for the New Year

A new year means resolutions which are often centered around self-improvement measures like weight loss, exercise plans, and other health improvement measures. Companies can also benefit from resolutions. Increasing antitrust awareness is not usually on the resolution list but here we offer some ideas for companies as they embark on a new year.

Treat antitrust as a priority in 2024.

As antitrust lawyers, our viewpoint may be biased, and we certainly appreciate that most companies already have a lengthy list of priorities for their in-house and outside legal teams. Given that all companies, regardless of their size, are subject to the antitrust laws, and given the high stakes involved (including criminal penalties and treble damages awards), antitrust certainly deserves to be on the priority list. One relatively easy way to get the ball rolling is to put fresh eyes on your company’s antitrust policy. When was the last time it was updated? What type of trainings does your company use to teach the concepts contained in the policy? The training doesn’t need to be – and shouldn’t be – boring or esoteric. Instead, trainings should be engaging and tailored to the specific antitrust risks that workgroups may face. For example, the sales team will need different antitrust training than those working on supply chain or environmental, social, and governance (ESG) initiatives. Ask your antitrust lawyer to create easy-to-follow, lively online trainings that can be viewed on demand. And if your company doesn’t have an antitrust policy, we suggest that creating one be moved to the top (or near top) of the legal department’s to-do list in 2024.

Understand the current antitrust enforcement priorities.

2024 will be a significant year for antitrust. It’s an election year, which means 2024 may be the Biden Administration’s last year to execute on plans that have been in the works since President Biden issued Executive Order 14036, “Promoting Competition in the American Economy,” in July 2021. Some of the Administration’s more dramatic plans include significant revisions to the Hart-Scott-Rodino (HSR) premerger notification process. While we don’t expect all the FTC and DOJ’s sweeping proposals to make it into the HSR final rule, we do expect some changes to be made, and they will likely mean significant additional burdens for filing parties. We also expect to see the FTC’s new rule on non-compete agreements. The FTC’s proposal would ban most non-compete agreements, and some states have already enacted their own prohibitions on non-compete agreements.

If your company engages in M&A, be aware of the new Merger Guidelines.

The newest Merger Guidelines, addressing both horizontal and vertical mergers, were unveiled in December 2023. One of the most significant changes announced in the 2023 Merger Guidelines is the decreased level of concentration that will trigger a rebuttable presumption of illegality. Under the new Guidelines, a market share of greater than 30% and a concentration increase of 100 points will be enough to trigger that rebuttable presumption. That is not to say the presumption is the death knell for a transaction, but it does mean that government enforcement will be aggressive. Also be aware that the 2023 Guidelines introduce new topics, such as labor markets. Early analysis and planning will be critical, requiring involvement of skilled antitrust counsel.

Understand that application of the antitrust laws is constantly evolving.

The language of the core U.S. antitrust laws – the Sherman Act, the Clayton Act, and the FTC Act – hasn’t changed, but the application of these laws is always evolving. For example, the antitrust enforcers and private plaintiffs are increasingly focused on labor issues, such as “no poach” agreements and wage fixing. Antitrust enforcers are also focused on private equity, as evidenced by the FTC’s recent lawsuit against Welsh, Carson, Anderson, and Stowe and some of the changes contained in the proposed revisions to the HSR Rules. Technology is also a significant factor that provokes interesting questions that don’t have answers, at least not currently. For example, do pricing algorithms lead to price fixing? How will antitrust enforcers deal with artificial intelligence?

Pay attention to state antitrust enforcers.

The federal regulators at the Department of Justice and Federal Trade Commission may get most of the attention, but we must never forget that states have their own antitrust laws and their own antitrust enforcers, who have the power to investigate and bring legal action. Often, the state regulators work collaboratively with their federal counterparts, but the state regulators are free to go their own way, such as those targeting various ESG initiatives. Also bear in mind that states are increasingly blazing new trails, such as bans on non-competes. Thirteen states have also enacted “mini” HSR premerger notification statutes for health care deals. It’s always prudent to check the laws of the state or states where business is conducted to determine if there are any state-specific antitrust considerations.

Corporate Transparency Act Requires Disclosure of Information Regarding Beneficial Owners to FinCEN

The new year brings the most expansive disclosure requirements for U.S. business entities since the Depression. Starting January 1, 2024, U.S. companies and foreign companies operating in the United States will be required to report their beneficial owners and principal officers to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) pursuant to the Corporate Transparency Act (CTA) adopted as part of the 2021 National Defense Authorization Act, unless subject to specific exemptions.

Who Is Required to Report?
The CTA’s filing requirements (31 CFR 1010.380(c)(1)) apply to both domestic reporting companies and foreign reporting companies.

  • Domestic reporting companies are corporations, limited liability companies and any other entity registered to do business in any state or tribal jurisdiction by the filing of a document with the secretary of state or similar official.
  • Foreign reporting companies are business entities formed under the law of a foreign country that are registered to do business in any state or tribal jurisdiction by the filing of a document with the secretary of state or similar official.

The CTA provides 23 categories of exemption. The following types of entities are not required to file reports with FinCEN:

  • Large Operating Companies
    This exemption applies to entities that (1) have 20 or more full-time employees in the United States, (2) have gross revenue (or sales) in excess of $5 million on their prior year’s tax return and (3) have a physical office in the United States.
  • Securities Reporting Issuers
  • Governmental Authorities
  • Banks
  • Credit Unions
  • Depository Institution Holding Companies
  • Money Services Businesses
  • Brokers and Dealers in Securities
  • Securities Exchanges and Clearing Agencies
  • Other Exchange Act Registered Entities
  • Investment Companies and Investment Advisers
  • Venture Capital Fund Advisers
  • Insurance Companies
  • State-Licensed Insurance Producers
  • Commodity Exchange Act Registered Entities
  • Accounting Firms
  • Public Utilities
  • Financial Market Utilities
  • Pooled Investment Vehicles
  • Tax-Exempt Entities
  • Entities Assisting a Tax-Exempt Entity
  • Subsidiaries of Certain Exempt Entities
  • Inactive Entities

It is worth noting that the definition of reporting companies is not limited to corporations and limited liability companies. Limited partnerships, professional service entities and other entities may qualify as reporting companies and, if so, are required to comply with the CTA’s reporting requirements.

How Does a Company Comply?
FinCEN requires affected companies to file beneficial ownership information reports (BOI Reports) using an electronic filing system. See the BOI E-Filing System.

What Information Should Be Reported?
Reporting companies must identify beneficial owners in their BOI Reports.

Beneficial owners are defined as individuals who directly or indirectly (1) exercise substantial control over a reporting company or (2) own or control at least 25 percent of ownership interests of a reporting company. Ownership interests covered by the CTA may include profits interests, convertible instruments, options and contractual arrangements as well as equity securities. In addition, owners who hold their ownership interests jointly or through a trust, agent or other intermediary are also required to be identified – although minors are generally exempted from reporting obligations.

Senior officers (typically, the president, CEO, CFO, COO and officers who perform similar functions); individuals with the ability to appoint senior officers or a majority of the board of directors or a similar body; and anyone else who directs, determines or has substantial input to other important decisions of a reporting company also need to be identified in BOI Reports as individuals exercising substantial control over reporting companies.

Reporting companies created on or after January 1, 2024, also must identify “company applicants” in their BOI Reports. Company applicants are the individuals who filed the documents creating the reporting company and individuals primarily responsible for directing or controlling the filing of documents creating a reporting company.

BOI Reports must contain the following information regarding the reporting company:

  • Legal name
  • Any trade name or d/b/a name
  • Address of the company’s principal place of business in the United States
  • Jurisdiction of formation
  • Taxpayer Identification Number.

BOI Reports must contain the following information regarding each beneficial owner and company applicant:

  • Full legal name
  • Date of birth
  • Current address
  • Copy of a passport, driver’s license or other identification document.

Every person who files a BOI Report must certify the information contained is true, correct and complete.

Information contained in BOI Reports will not be available to the public. However, FinCEN is authorized to disclose such information to:

  • U.S. federal agencies engaged in national security, intelligence or law enforcement activity
  • Certain other state or local law enforcement agencies, with court approval
  • Non-U.S. law enforcement agencies, at the request of a U.S. federal law enforcement agency, prosecutor or judge
  • Financial institutions and their regulators, with the consent of the reporting company
  • Federal regulators assessing financial institutions’ compliance with customer due diligence requirements
  • The U.S. Department of the Treasury, for purposes including tax administration.

Is There a Fee?
No fee is required in connection with filing of BOI Reports.

When Do Companies Need to File?
U.S. and foreign reporting companies that were formed or registered to do business in the United States prior to January 1, 2024, must file their initial BOI Reports no later than January 1, 2025. U.S. and foreign reporting companies formed on or after January 1, 2024, must file their initial BOI Reports within 90 days of receipt of notice of formation.

Reporting companies are required to file updated reports with FinCEN within 30 days of occurrence of a change in any of the information contained in their BOI Reports.

What If There Are Changes or Inaccuracies in the Reported Information?
Inaccuracies in BOI Reports must be corrected within 30 days of the date a reporting company becomes aware of or had reason to know of such inaccuracy. FinCEN has indicated that there will be no penalties for filing inaccurate BOI Reports if such reports are corrected within 90 days of their filing.

What If a Company Fails to File?
The willful failure to report the information required by the CTA or filing fraudulent information under the CTA may result in civil or criminal penalties, including penalties of up to $500 per day as long as a violation continues, imprisonment for up to two years and a fine of up to $10,000. Senior officers of an entity that fails to file a required report may be held accountable for such failure.

If you have questions regarding the provisions of the CTA or its applicability to your company, you may go to the FinCEN website.

Updated Merger Guidelines Finalized

On December 18, 2023, the Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) jointly issued a significantly revised version of the Merger Guidelines that describes the frameworks the enforcement agencies use when evaluating potential mergers.

The newly finalized Merger Guidelines are the result of a nearly two-year effort that involved both agencies soliciting public input via listening sessions, written comments, and workshops.

The agencies describe the new Merger Guidelines as necessary to address the modern economy and how firms now do business. The Merger Guidelines are broken into multiple sections: Guidelines 1–6 describe the frameworks the agencies use when attempting to identify a merger that the agencies believe raises a prima facie concern, while Guidelines 7–11 explain how to apply those frameworks in specific settings. The guidelines also identify evidence the agencies will consider to potentially rebut an inference of competitive harm. Finally, these guidelines include a discussion of the tools the agencies use when evaluating the relevant facts, the potential harm to competition, and how to define the relevant markets.

The Merger Guidelines are notable for signaling the FTC’s and DOJ’s desire to pursue a more aggressive enforcement agenda, specifically, by lowering the threshold at which proposed mergers will be deemed presumptively anticompetitive by those enforcement agencies. The new guidelines also seek to address relatively new concerns the agencies have identified, such as cross-market transactions and sequences of smaller transactions.

Can Artificial Intelligence Assist with Cybersecurity Management?

AI has great capability to both harm and to protect in a cybersecurity context. As with the development of any new technology, the benefits provided through correct and successful use of AI are inevitably coupled with the need to safeguard information and to prevent misuse.

Using AI for good – key themes from the European Union Agency for Cybersecurity (ENISA) guidance

ENISA published a set of reports earlier last year focused on AI and the mitigation of cybersecurity risks. Here we consider the main themes raised and provide our thoughts on how AI can be used advantageously.

Using AI to bolster cybersecurity

In Womble Bond Dickinson’s 2023 global data privacy law survey, half of respondents told us they were already using AI for everyday business activities ranging from data analytics to customer service assistance and product recommendations and more. However, alongside day-to-day tasks, AI’s ‘ability to detect and respond to cyber threats and the need to secure AI-based application’ makes it a powerful tool to defend against cyber-attacks when utilized correctly. In one report, ENISA recommended a multi-layered framework which guides readers on the operational processes to be followed by coupling existing knowledge with best practices to identify missing elements. The step-by-step approach for good practice looks to ensure the trustworthiness of cybersecurity systems.

Utilizing machine-learning algorithms, AI is able to detect both known and unknown threats in real time, continuously learning and scanning for potential threats. Cybersecurity software which does not utilize AI can only detect known malicious code, making it insufficient against more sophisticated threats. By analyzing the behavior of malware, AI can pinpoint specific anomalies that standard cybersecurity programs may overlook. The deep-learning based program NeuFuzz is considered a highly favorable platform for vulnerability searches in comparison to standard machine-learning AI, demonstrating the rapidly evolving nature of AI itself and the products offered.

A key recommendation is that AI systems should be used as an additional element to existing ICT, security systems and practices. Businesses must be aware of the continuous responsibility to have effective risk management in place with AI assisting alongside for further mitigation. The reports do not set new standards or legislative perimeters but instead emphasize the need for targeted guidelines, best practices and foundations which help cybersecurity and in turn, the trustworthiness of AI as a tool.

Amongst other factors, cybersecurity management should consider accountability, accuracy, privacy, resiliency, safety and transparency. It is not enough to rely on traditional cybersecurity software, especially where AI can be readily implemented for prevention, detection and mitigation of threats such as spam, intrusion and malware. Traditional models do exist, but as ENISA highlights they are usually designed to target or ‘address specific types of attack’ which ‘makes it increasingly difficult for users to determine which are most appropriate for them to adopt/implement.’ The report highlights that businesses need to have a pre-existing foundation of cybersecurity processes which AI can work alongside to reveal additional vulnerabilities. A collaborative network of traditional methods and new AI based recommendations allows businesses to be best prepared against the ever-developing nature of malware and technology based threats.

In the US in October 2023, the Biden administration issued an executive order with significant data security implications. Amongst other things, the executive order requires that developers of the most powerful AI systems share safety test results with the US government, that the government will prepare guidance for content authentication and watermarking to clearly label AI-generated content and that the administration will establish an advanced cybersecurity program to develop AI tools and fix vulnerabilities in critical AI models. This order is the latest in a series of AI regulations designed to make models developed in the US more trustworthy and secure.

Implementing security by design

A security by design approach centers efforts around security protocols from the basic building blocks of IT infrastructure. Privacy-enhancing technologies, including AI, assist security by design structures and effectively allow businesses to integrate necessary safeguards for the protection of data and processing activity, but should not be considered as a ‘silver bullet’ to meet all requirements under data protection compliance.

This will be most effective for start-ups and businesses in the initial stages of developing or implementing their cybersecurity procedures, as conceiving a project built around security by design will take less effort than adding security to an existing one. However, we are seeing rapid growth in the number of businesses using AI. More than one in five of our survey respondents (22%), for instance, started to use AI in the past year alone.

However, existing structures should not be overlooked, and the addition of AI into current cybersecurity systems should improve functionality, processing and performance. This is evidenced by AI’s capability to analyze huge amounts of data at speed to provide a clear, granular assessment of key performance metrics. This high-level, high-speed analysis allows businesses to offer tailored products and improved accessibility, resulting in a smoother retail experience for consumers.

Risks

Despite the benefits, AI is by no means a perfect solution. Machine-learning AI will act on what it has been told under its programming, leaving the potential for its results to reflect an unconscious bias in its interpretation of data. It is also important that businesses comply with regulations (where applicable) such as the EU GDPR, the Data Protection Act 2018, the anticipated Artificial Intelligence Act and general consumer duty principles.

Cost benefits

Alongside reducing the cost of reputational damage from cybersecurity incidents, it is estimated that UK businesses that use some form of AI in their cybersecurity management reduced costs related to data breaches by £1.6m on average. Using AI or automated responses within cybersecurity systems was also found to have shortened the average ‘breach lifecycle’ by 108 days, saving time, cost and significant business resource. Further development of penetration testing tools which specifically focus on AI is required to explore vulnerabilities and assess behaviors, which is particularly important where personal data is involved, as a company’s integrity and confidentiality are at risk.

Moving forward

AI can be used to our advantage, but it should not be seen as entirely replacing existing or traditional models for managing cybersecurity. While AI is an excellent long-term assistant that saves users time and money, it cannot be relied upon alone to make decisions directly. In this transitional period from more traditional systems, it is important to have a secure IT foundation. As WBD suggests in our 2023 report, having established governance frameworks and controls for the use of AI tools is critical for data protection compliance and an effective cybersecurity framework.

Despite suggestions that AI’s reputation is degrading, it is a powerful and evolving tool which could not only improve your business’s approach to cybersecurity and privacy but, through analysis of data, could also help to assess behaviors and predict trends. The use of AI should be exercised with caution, but if done correctly it could have immeasurable benefits.

___

* While a portion of ENISA’s commentary is focused around the medical and energy sectors, the principles are relevant to all sectors.

International Trade, Enforcement & Compliance Recent Developments Update (January 17, 2024)

One of the most consistent messages coming from the U.S. government is that multinational companies need to take control of their supply chains. Forced labor, human trafficking, supply chain transparency, OFAC sanctions, even conflict minerals — all are areas in which the best defense against potential violations is strong compliance and due diligence to ensure that companies properly manage their supply chains, right down to the last supplier. Today’s mix of enforcement actions and guidance from the U.S. government underscores the importance of doing so.

EXPORT CONTROLS AND HUMAN RIGHTS

The Department of Commerce has stated that it has the authority to put companies on the Entity List (requiring special licensing and restrictions) solely for human rights violations. Does your company conduct full due diligence on its suppliers and sub-suppliers to ensure that they are operating in accordance with U.S. forced labor and human trafficking laws?

FORCED LABOR/UFLPA

The Department of Homeland Security continues to add Chinese and other companies to the Uyghur Forced Labor and Prevention Act (UFLPA) Entity List. Does your organization specifically screen against the UFLPA Entity List, as well as have in place UFLPA compliance and due diligence measures?

FORCED LABOR/UFLPA

The U.S. government has issued a pointed six-agency set of compliance guidelines regarding “the Risks and Considerations for Businesses and Individuals with Exposure to Entities Engaged in Forced Labor and other Human Rights Abuses linked to Xinjiang Uyghur Autonomous Region.” Does your organization maintain a compliance policy, vendor code of conduct, supply chain transparency and due diligence procedures, and other measures designed to ensure your supply chain is free of forced labor, human trafficking, or goods sourced from forced labor in the Xinjiang Uyghur Autonomous Region?

CUSTOMS PENALTY FOR ERRONEOUS USE OF FIRST SALE RULE

Due to the imposition of special Section 301 tariffs on most goods from Customs, many companies have begun to use the first sale rule, which allows the reporting of a lower value where there is a bona fide sale to a middleman. Improper application of the rule, however, can be the basis for substantial penalties, as an apparel company that paid a $1.3 million settlement with the DOJ found out. If your company uses the first sale rule, do you regularly review pricing and relevant circumstances to ensure you are meeting all the requirements for all entries?

EXPORT CONTROLS

Pledging “a new era of trilateral partnership,” the U.S., Japanese, and South Korean governments have announced expanded collaboration to fight illegal exports of dual-use products, including high-tech products that might be shipped to China in violation of U.S. export controls. Has your organization performed a recent classification review to confirm it is aware of any restrictions that might apply to the export of any of its products to sensitive countries, governments, or users?

Recent FinCEN FAQs Provide Additional Guidance on Compliance

The US Financial Crimes Enforcement Network (FinCEN) released several new FAQs this month to provide further clarity on the Corporate Transparency Act’s (CTA) provisions.
Notably, FinCEN provided guidance on who is considered “primarily responsible” for directing a filing, as well as what is necessary to qualify under the subsidiary exemption, among other matters.

The CTA’s requirements went into effect on January 1, 2024. As we’ve previously detailed, reporting companies formed prior to that date will be required to file their initial reports with FinCEN no later than January 1, 2025. A reporting company created during 2024 is required to file its initial report within 90 days of its creation or registration, and one created on or after January 1, 2025, will have 30 days to file its initial report. A previously registered company will need to update its registration within 30 days of a change in its beneficial ownership or other information reported to FinCEN. For detailed overviews of the CTA, please visit our earlier posts located here, here, and here.

Company Applicants: Who is “Primarily Responsible” for Directing a Filing?
The CTA requires that reporting companies formed on or after January 1, 2024, disclose their “company applicant.” An individual is a “company applicant” if (1) they directly file the company’s formation or registration documents with a secretary of state or similar office or (2) if more than one person is involved in the filing, they are primarily responsible for directing or controlling the filing. A maximum of two individuals can be reported as company applicants.

The FAQs clarify that the person who signs the formation document, such as an incorporator, is not necessarily a company applicant. Instead, the rule focuses on the person responsible for making decisions about the filing, including how the filing is managed, what contents to include, and when and where filing will occur.

FinCEN provides three scenarios to illustrate the rule. In two of the scenarios, an attorney or a paralegal instructed by that attorney completes a company creation document using information provided by a client and sends the document to a corporate service provider to be filed with a secretary of state. In those scenarios, the attorney will be one of the company applicants, and the employee at the corporate service provider who directly filed the document with the secretary of state will be the other company applicant. In the third scenario, the attorney’s client initiated the company creation directly with the corporate service provider — in this case, the client will be a company applicant (as will the employee at the corporate service provider who directly filed the document).

Subsidiary Exemption: Is Partial Control of a Subsidiary’s Ownership Interests By an Exempt Entity Sufficient to Qualify for the Subsidiary Exemption?
The short answer is — no.

The CTA lists 23 categories of entities that are exempt from the beneficial ownership information (BOI) reporting requirements. A subsidiary of certain categories of exempt entities will also be exempt if the subsidiary is controlled or wholly owned, whether directly or indirectly, by one or more of such exempt entities.

The FAQs clarify what happens when the exempt entity partially controls the subsidiary. Partial control is insufficient for an entity to fall within the subsidiary exemption — a subsidiary’s ownership interests must be fully, 100% owned or controlled by the exempt entity to qualify for this exemption. Thus, control of ownership interests means that one or more exempt entities entirely control all of the ownership interests in the reporting company, in the same way that an exempt entity must wholly own all of a subsidiary’s ownership interests for the exemption to apply.

Selected Additional Matters Covered by the New FAQs
Reporting Company Ownership Subject to Dispute: If ownership of a reporting company is the subject of active litigation, all individuals who own or control (or claim to own or control) at least 25% of the company’s interests are considered beneficial owners, and BOI must be submitted for each individual (in addition to BOI for all individuals who exercise substantial control over the company). If, after the legal dispute is solved, the reporting company has different beneficial owners from those initially reported, an updated BOI report must be filed within 30 calendar days after the litigation is resolved.
Third-Party Couriers or Delivery Service Employees: Third-party courier or delivery service employees who solely deliver documents to a secretary of state are not company applicants, as long as the third-party courier, the delivery service employee, and the delivery service that employs them play no other roles in the creation or registration of the reporting company.
Automated Incorporation Service: An automated incorporation service’s employees are not company applicants if the service solely provides software, online tools, or generally applicable written guidance for the creation of a reporting company and its employees are not directly involved in filing creation documents.
No Photo on Identification Document for Religious Reasons: If a beneficial owner’s or company applicant’s identification document does not include a photograph for religious reasons, the reporting company may submit an image of that identification document when submitting its report, provided that the document is otherwise an acceptable type of identification. If the individual in question obtains a FinCEN identifier, then the burden of providing the identification document to FinCEN would fall on the individual and not on the company (which would only need to report the FinCEN identifier).
No Permanent Residential Address: When a reporting company must report an individual’s residential address, but no such permanent address is available, the reporting company should report the residential address that is current at the time of filing the report. If the address later changes, the reporting company must submit an updated report within 30 days from such change. The use of a FinCEN identifier by the individual will eliminate the company’s need to submit an updated report, although the individual would be required to update his or her address with FinCEN directly.

© 2024 ArentFox Schiff LLP

by: Evgeny Magidenko of ArentFox Schiff LLP


DOL Announces New Independent Contractor Rule

On January 9, 2024, the United States Department of Labor (“DOL”) announced a new rule, effective March 11, 2024, that could impact countless businesses that use independent contractors. The new rule establishes a six-factor analysis to determine whether independent contractors are deemed to be “employees” of those businesses, and thus imposes obligations on those businesses relating to those workers, including: maintaining detailed records of their compensation and hours worked; paying them regular and overtime wages; and addressing payroll withholdings and payments, such as those mandated by the Federal Insurance Contributions Act (“FICA,” for Social Security and Medicare), the Federal Unemployment Tax Act (“FUTA”), and federal income tax laws. Further, workers claiming employee status under this rule may claim entitlement to coverage under the businesses’ group health insurance, 401(k), and other benefits programs.

The DOL’s new rule applies to the federal Fair Labor Standards Act (“FLSA”) which sets forth federally established standards for the protection of workers with respect to minimum wage, overtime pay, recordkeeping, and child labor. In its prefatory statement that accompanied the new rule’s publication in the Federal Register, the DOL noted that because the FLSA applies only to “employees” and not to “independent contractors,” employees misclassified as independent contractors are denied the FLSA’s “basic protections.”

Accordingly, when the new rule goes into effect on March 11, 2024, the DOL will use its new, multi-factor test to determine whether, as a matter of “economic reality,” a worker is truly in business for themself (and is, therefore, an independent contractor), or whether the worker is economically dependent on the employer for work (and is, therefore, an employee).

While the DOL advises that additional factors may be considered under appropriate circumstances, it states that the rule’s six, primary factors are: (1) whether the work performed provides the worker with an opportunity to earn profits or suffer losses depending on the worker’s managerial skill; (2) the relative investments made by the worker and the potential employer and whether those made by the worker are to grow and expand their own business; (3) the degree of permanence of the work relationship between the worker and the potential employer; (4) the nature and degree of control by the potential employer; (5) the extent to which the work performed is an integral part of the potential employer’s business; and (6) whether the worker uses specialized skills and initiative to perform the work.

In its announcement, the DOL emphasized that, unlike its earlier independent contractor test, which accorded extra weight to certain factors, the new rule’s six primary factors are to be assessed equally. Nevertheless, the breadth and imprecision of the factors’ wording, along with the fact that each factor is itself assessed through numerous sub-factors, make the rule’s application very fact-specific. For example, in a Fact Sheet the DOL recently issued for the new rule, it explains that the first factor – opportunity for profit or loss depending on managerial skill – primarily looks at whether a worker can earn profits or suffer losses through their own independent effort and decision making, which will be influenced by such considerations as whether the worker: (i) determines or meaningfully negotiates their compensation; (ii) decides whether to accept or decline work or has power over work scheduling; (iii) advertises their business, or engages in other efforts to expand business or secure more work; and (iv) makes decisions as to hiring their own workers, purchasing materials, or renting space. Similar sub-factors exist with respect to the rule’s other primary factors and are explained in the DOL’s Fact Sheet.

The rule will likely face legal challenges by business groups. Further, according to the online newsletter of the U.S. Senate Health, Education, Labor and Pensions Committee, its ranking member, Senator Bill Cassidy, has indicated that he will seek to repeal the rule. Also, in the coming months, the United States Supreme Court is expected to decide two cases that could significantly weaken the regulations issued by federal agencies like the DOL’s new independent contractor rule, Loper Bright Enterprises v. Raimondo and Relentless Inc. v. U.S. Dept. of Commerce. We will continue to monitor these developments.1

In the meantime, we recommend that businesses engaging or about to engage independent contractors take heed. Incorrect worker classification exposes employers to the FLSA’s significant statutory liabilities, including back pay, liquidated damages, attorneys’ fees to prevailing plaintiffs, and in some cases, fines and criminal penalties. Moreover, a finding that an independent contractor has “employee” status under the FLSA may be considered persuasive evidence of employee status under other laws, such as discrimination laws. Additionally, existing state law tests for determining employee versus independent contractor status must also be considered.

1 The DOL’s independent contractor rule is not the only new federal agency rule being challenged. On January 12, 2024, the U.S. House of Representatives voted to repeal the NLRB’s recently announced joint-employer rule, which we discussed in our Client Alert of November 10, 2023.

Eric Moreno contributed to this article.

School Law & Legislative Update: New Laws In Effect 2024

Act 24 of 2023:

Effective 11/06/2023. Adds Section 1302.1 to the Public School Code entitled “Military Child Advance Enrollment” to require schools to develop a policy on enrollment of students to allow a child whose parent or guardian is an active duty member of the armed forces and has received orders to transfer into or within the Commonwealth of Pennsylvania to enroll in the school district prior to establishing residency for purposes of Section 1302 upon providing a copy of the official military orders and proof of the parent/guardian’s intention to move into the school district. This proof may include a signed contract to purchase a home, a signed lease, or statement from the parent/guardian stating their intention to move into the school district.

Act 26 of 2023:

Effective 01/05/2024. Repeals section 1112 of the Public School Code, which prohibits teachers from wearing any dress, mark, emblem or insignia indicative of their faith or denomination. This Act was passed on November 6, 2023 and is effective in 60 days.

Act 33 of 2023:

Effective 12/13/2023. Omnibus amendments to the Public School Code of 1949 including the following provisions:

Read the entirety of Act 33 here.

HIGHLIGHTS INCLUDE:

• Added a new Article XII-B entitled “Educator Pipeline Support Grant Program.” This is a new program within the Pennsylvania Higher Education Assistance Agency (PHEAA) to award grants to individuals who are seeking placement as student teachers. Ten million dollars is available for implementation of the program, and the minimum grant available to a student teacher is $10,000. An additional minimum grant of $5,000 is available to a student teacher who is student teaching in a school entity in an area that “attracts few student teachers” or that “has a high rate of open teaching positions.” In addition to the student teacher receiving a grant payment, the student teacher’s cooperating teacher shall also receive a minimum grant of $2,500, unless the cooperating teacher receives compensation from an institution of higher education for serving as a cooperating teacher.

• Section 1302-C (relating to school safety) is amended to now require that when a school police officer is appointed by a court, the court order must be submitted to the School Safety and Security Committee established under Section 1302-B. In addition, a school that has previously applied to a court to appoint a person to act as a school police officer prior to the effective date of this subsection is required, within 120 days of the effective date of this subsection, to submit a copy of the court order relating to the appointment of each school police officer to the committee. This subsection takes effect immediately.

• Adds a new Article XXVI-L entitled “School Environmental Repairs Program,” to provide for a restricted account in the Commonwealth general fund to provide grants for the abatement or remediation of environmental hazards in school buildings. PDE is to develop an application process for schools to apply for the grants; eligible projects include abatement or remediation of lead in water sources, asbestos and mold inside the school building; the school must have a local match of at least 50% of the total cost of all the projects listed in its application; the local match may come from any non-state source of funding, including federal and local donations, and the local match must be documented as part of the application.

Act 35 of 2023:

Effective 12/13/2023. Omnibus amendments to the Public School Code of 1949 including the following:

Read the entirety of Act 35 here.

HIGHLIGHTS INCLUDE:

• Section 130 is added to include a new section entitled “Public Job Posting Database,” a public database to be established and maintained by PDE for both public and nonpublic schools to voluntarily advertise job vacancies.

• Section 131 is added to include a requirement that school entities, which include charter schools, submit information about instructional vacancies to PDE by August 31, 2024. The information required to be submitted includes the total budgeted number of instructional employees and vacancies included in the final adopted budget, and the quarterly average number of instructional vacancies the school had during the school year. This information is to be posted on PDE’s website.

Act 52 of 2023:

Effective 12/14/2023 (see note about retroactivity). Adds a new Section 1525.1 to the Public School Code of 1949 entitled “Calculation of Average Daily Membership for a Dual Credit Course.” This section provides that a high school student who is enrolled in a dual credit course may be included in the school entity’s average daily membership.
This section shall apply retroactively to July 1, 2023.

Act 55 of 2023:

Effective 02/12/2024. Amends Section 1403 of the Public School Code of 1949 to provide for dental screenings by a school dentist or public health dental hygiene practitioner (previously only permitted dental examinations by a dentist).

Act 56 of 2023:

Effective 12/14/2023. Adds a new Section 103 to the Public School Code of 1949 entitled “Minimum Number of Days or Hours.” Provides that beginning in the 2023-2024 school year, a school entity is required to provide a minimum of 180 days of instruction OR 900 hours of instruction at the elementary level or nine hundred ninety (990) hours of instruction at the secondary level. This section does not preempt or supersede a collective bargaining agreement that was entered into prior to the effective date of this section. This Act is effective immediately. (Previously the requirement was 180 days AND the hours requirement.) Note, however, that this section appears not to be applicable to charter schools.

2024: The Year of the Spot Bitcoin ETP

The US Securities and Exchange Commission (SEC) is making 2024 a significant year for exchange-traded products (ETPs) by declaring effective the registration statements of ten Bitcoin ETPs, and approving their listing on one of the major stock exchanges. This is a monumental step toward bringing access to Bitcoin to a broader retail market in the US. For over a decade, the staff of the SEC (Staff) had denied or otherwise blocked applications to list spot Bitcoin ETPs, claiming, in part, that there were insufficient protections against market manipulation in the underlying Bitcoin market. The approvals issued this week unlock – although do not widely open – a previously deadbolted door to registered products offering direct exposure to Bitcoin, providing an opportunity for retail investors to have easier access to exposure to Bitcoin in a regulated product.

The approvals follow the US federal appeals court ruling in August 2023 that the SEC was “arbitrary and capricious” in its decision to reject an application by the NYSE Arca to list shares of the Grayscale Bitcoin Trust. In granting the approvals, Chair Gensler acknowledged that the law had changed following the Grayscale decision, stating “we are now faced with a new set of filings similar to those we have disapproved in the past. Circumstances, however, have changed.” Rather than appeal the court ruling, the staff of the SEC chose to engage with the sponsors of proposed spot Bitcoin ETPs to discuss parameters necessary for approval, including the inclusion of additional disclosure and other requirements to provide for investor protection. In approving the listing of the ETPs, the SEC relied, in part, on its confirmation that the “CME bitcoin futures market has been consistently highly correlated with this subset [(Coinbase and Kraken)] of the spot [B]itcoin market throughout the past 2.5 years,”1 a fact which was heavily leaned upon in the Grayscale decision. Among the requirements insisted upon by the Staff were requirements that the ETPs effect sales and redemptions of ETP creation units solely in cash (rather than in-kind) and hardcoding of key service providers (including Bitcoin custodians) into the listing rule. The SEC approved all listing rule applications simultaneously, in an effort to prevent a single ETP from having a first mover advantage.

While this initial round of approvals is promising for the ETP and cryptocurrency industries, it does not signal a general acceptance of all spot cryptocurrency ETPs. Rather, the SEC granted approval only to ETPs investing in Bitcoin, and it is unclear whether it will be receptive to products investing in other crypto assets. Chair Gensler’s statement in announcing the approvals indicated that he and the staff remain skeptical of digital assets generally, including Bitcoin, stating that the approval is not an endorsement of Bitcoin and that investors should remain cautious and aware of the risks. Issuers wishing to offer similar products with other digital asset investments may now have examples to follow, but will still need to undergo a comprehensive review process, and ultimate approval is not guaranteed. Moreover, future exchange-traded products seeking to invest directly in other cryptocurrencies or digital assets may have to satisfy a correlation test similar to that which was relied on by the SEC in approving the current products, and may not be able to do so.


1 SEC Release, Order Granting Accelerated Approval of Proposed Rule Changes, as Modified by Amendments Thereto, to List and Trade Bitcoin-Based Commodity-Based Trust Shares and Trust Units, No. 34-99306 (10 January 2024).