On August 8, 2023, the United States Securities and Exchange Commission (the “SEC” or the “Commission”) announced that 11 Wall Street firms (10 broker-dealer firms and one dually-registered investment adviser) agreed to settle charges for failing to properly maintain and preserve electronic communications relating to firm business. This included text messages and other messages sent

Just over halfway through 2023, nationwide TCPA jurisprudence is focused on further delineating the scope of the TCPA. As the dust settles from earlier battles over defining ATDS requirements, the cases from this year are largely aimed at establishing who can bring a claim under the TCPA and what conduct the statute covers. We summarize here developments since our last update, listed in alphabetical order by topic area.Continue Reading TCPA Turnstile: Scoping out the TCPA – 2023 Midyear Update (TCPA Case Update Vol. 18)

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

Much ink has been spilled over the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) signed by President Biden in early October.  The Executive Order is supposed to establish the United States’ commitments reflected in the March 25, 2022 joint EU-U.S. announcement of the Trans-Atlantic Data Privacy Framework (the “Framework”).  While the Framework is described as an “agreement in principle” to facilitate cross-border transfer of personal data, the Executive Order is supposed to go further, toward actually implementing the promised protective measures.  But does it?
Continue Reading Does the Latest Move in Trans-Atlantic Privacy Really Change the Game?

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:Continue Reading UK-US Data Transfers Post Brexit

Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

FingerprintIn yet another blow to employers facing claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court held that the Illinois Workers’ Compensation Act (“IWCA”) (820 ILCS 305/1 et seq.) does not preempt BIPA claims for statutory damages brought by employees.  The Court’s holding in McDonald v. Symphony Bronzeville Park, LLC, et al. awas not unexpected by most BIPA practitioners, and will likely trigger the resumption of many dozens of BIPA workplace lawsuits which were stayed while the Illinois justices considered the case.
Continue Reading Illinois Supreme Court Eliminates Another BIPA Defense

Phone and gavelThanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose

The following August 28 blog post inspired the Law360 article, “Employers Should Be Wary Of Turning Over Employee Info,” published on October 5, 2017. See full article below.

When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.[1]

In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns.
Continue Reading Lessons for Employers from a Recent ALJ Decision Narrowing the DOL’s Requests for Employees’ Contact Information