Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

FingerprintIn yet another blow to employers facing claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court held that the Illinois Workers’ Compensation Act (“IWCA”) (820 ILCS 305/1 et seq.) does not preempt BIPA claims for statutory damages brought by employees.  The Court’s holding in McDonald v. Symphony Bronzeville Park, LLC, et al. awas not unexpected by most BIPA practitioners, and will likely trigger the resumption of many dozens of BIPA workplace lawsuits which were stayed while the Illinois justices considered the case.
Continue Reading Illinois Supreme Court Eliminates Another BIPA Defense

Phone and gavelThanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose

The following August 28 blog post inspired the Law360 article, “Employers Should Be Wary Of Turning Over Employee Info,” published on October 5, 2017. See full article below.

When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.[1]

In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns.
Continue Reading Lessons for Employers from a Recent ALJ Decision Narrowing the DOL’s Requests for Employees’ Contact Information

If you follow developments in TCPA case law, you’ve probably heard by now that the DC Circuit Court of Appeals last week overturned the 2015 FCC Order that had required TCPA opt-out notices on both solicited and unsolicited faxes. The court held that the FCC’s rule was “unlawful to the extent that it requires opt-out notices on solicited faxes.” See Bais Yaakov of Spring Valley v. FCC, et al., Case No. 14-1234 (D.C. Cir.). In fact, the DC Circuit—despite years of FCC guidance, 13 consolidated appeals and more than two dozen lawyers participating in the briefing—seemed to view this as a relatively simple issue of statutory construction: “The text of the Act provides a clear answer to the question presented in this case. . . . Congress drew a line in the text of the statute between unsolicited fax advertisements and solicited fax advertisements. Unsolicited fax advertisements must include an opt-out notice. But the Act does not require (or give the FCC authority to require) opt-out notices on solicited fax advertisements. It is the Judiciary’s job to respect the line drawn by Congress, not to redraw it as we might think best.”
Continue Reading DC Circuit Opts Out of Flawed FCC Ruling

Smiling PigPlaintiffs’ lawyers across the land have trumpeted the U.S. Supreme Court’s decision in Spokeo as a victory (or at least not a loss). Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).  At least one plaintiff’s lawyer has gone so far as to suggest that defense lawyers who raise Spokeo-based arguments should fear sanctions.  As a Southern colleague of mine would say, those lawyers are trying to make a silk purse of a sow’s ear.

Although many post-Spokeo decisions have not yielded dismissal, many have, and they have done so based largely on Spokeo, which does more than reaffirm prior notions of standing and rather strengthens them in a way that is quite beneficial to corporate defendants facing trumped-up claims with no real harm.  One of the most recent defense victories post-Spokeo is Meyers v. Nicolet Rest. of De Pere, LLC, 2016 U.S. App. LEXIS 22139 (7th Cir. Dec. 13, 2016).
Continue Reading Spokeo Was a Loss for Plaintiffs, Seventh Circuit Reaffirms

After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

  • Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
  • Ensure that they have compliance verification mechanisms in place
  • Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
  • Review the information required to self-certify
  • Go online to www.privacyshield.gov to self-certify


Continue Reading Time to Raise Your Shield: The New EU-U.S. Framework Is Here

It’s been awhile since last we published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share over the coming months with our readers. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.

Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.
Continue Reading OCR: Ransomware Attack Often Is a Data Breach

On Wednesday, President Obama signed the federal Defend Trade Secrets Act of 2016 (the “Act”) that passed both houses of Congress in late April.  The statute is the first federal statutory protection afforded to trade secrets and could have a significant impact on trade secrets litigation nationwide.  The passage of the law comes as no surprise, and much has already been written about what it means for the future of these disputes.  But what about those who are currently involved in trade secrets litigation —could the Act change the course of those cases?  There is not a definitive answer, but it is something that all litigants should consider now that the Act has become law.

The first question is whether the Act applies at all in such instances. The Act applies to “any misappropriation of a trade secret (as defined in section 1839 of title 18, United States Code, as amended by this section) for which any act occurs on or after the date of the enactment of this Act.” S. 1890, 1144th Cong. § 2(e) (emphasis added). “Misappropriation” is defined as “(A) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or (B) disclosure or use of a trade secret of another without express or implied consent.  18 U.S.C. § 1839(5).  So, in litigation where the “use” of trade secrets is ongoing, there may be an argument that the Act applies.
Continue Reading Impact of Defend Trade Secrets Act on Pending Cases is Unclear