The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:

Continue Reading UK-US Data Transfers Post Brexit

Is the right to compel arbitration waived only when the plaintiff can show prejudice from the defendant’s inconsistent actions and delay?  In Morgan v. Sundance, Inc., No. 21-328 (2022), the Supreme Court found that the Federal Arbitration Act (“FAA”) does not permit courts to create tests to favor arbitration over litigation, and that a showing of prejudice is not required for a claim of waiver.

Continue Reading U.S. Supreme Court Rejects Prejudice Element for a Claim of Waiver

Lock on Computer

Public companies may soon have another regulation to worry about when it comes to their cybersecurity regime.  Last week, citing the increase in cybersecurity incidents and the need for investors to be informed about cybersecurity risks in a timely matter, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.

Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures

Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements. Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

FingerprintIn yet another blow to employers facing claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court held that the Illinois Workers’ Compensation Act (“IWCA”) (820 ILCS 305/1 et seq.) does not preempt BIPA claims for statutory damages brought by employees.  The Court’s holding in McDonald v. Symphony Bronzeville Park, LLC, et al. awas not unexpected by most BIPA practitioners, and will likely trigger the resumption of many dozens of BIPA workplace lawsuits which were stayed while the Illinois justices considered the case. Continue Reading Illinois Supreme Court Eliminates Another BIPA Defense

Bell and gavel

One of the best ways for companies facing media and privacy risk to protect themselves from expensive class action litigation is by including an arbitration provision in the applicable terms and conditions. While it’s not always clear at the outset of litigation whether the plaintiff agreed to the terms, companies often have to invoke arbitration quickly out of fear that they will be found to have waived arbitration. But in its coming term, the U.S. Supreme Court is now poised to address the critical point of whether prejudice to the plaintiff is a necessary element for a finding of waiver. Continue Reading Supreme Court to address role of “prejudice” in evaluating waiver of arbitrability

Phone and gavelThanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order. Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

FingerprintIn the aftermath of two recent appellate court decisions addressing when claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) accrue, it appears likely that the Illinois Supreme Court will need to provide clarity on this critical question. First, the Appellate Court of Illinois, First District, found in Watson v. Legacy Healthcare Financial Services, LLC, et al.  that claims under sections 15(a) and (b) of the Act accrue with each and every capture and use of a plaintiff’s biometric identifier or information. Second, in Cothron v. White Castle System, Inc. the Seventh Circuit Court of Appeals declined to directly address the issue of when a claim under BIPA accrues, and instead has certified the question for review by the Illinois Supreme Court. While the holding in Watson provides some clarity as to when certain BIPA claims accrue, it leaves open critical questions regarding how to calculate: (i) the number of BIPA violations; and (ii) monetary damages under the Act. Continue Reading Two Recent Developments Promise to Shed Light on Accrual of BIPA Claims

Phone and gavelThe first half of 2021 saw one of the most significant TCPA rulings in many years as Facebook v. Duguid, 141 S. Ct. 1163 (2021), appeared to settle the long-debated question of what constitutes an automatic telephone dialing system (“ATDS”).  But while the Supreme Court’s April ruling was extremely positive for the TCPA defense bar, it by no means brought an end to TCPA claims.  Significant cases have continued to yield decisions, including cases that have sought to interpret Facebook.  And the state of Florida stepped into the abyss in passing a “mini-TCPA” statute that went into effect earlier this month that regulates telemarketing at the state level, with a much broader definition of the relevant technology.  Thus, the TCPA (and related statute) litigation landscape, while upended to some degree, remains unsettled, and we’ll continue to provide our insights.  We summarize here developments since our last update, listed by issue category in alphabetical order. Continue Reading TCPA Turnstile: TCPA cases in a post-<i>Facebook</i> world (TCPA Case Update Vol. 15)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen. Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose