On November 30, 2023, the Illinois Supreme Court issued a much-anticipated decision in Mosby v. The Ingalls Memorial Hospital, answering a certified question about whether biometric information collected from health care workers is protected by the Illinois Biometric Information Privacy Act (BIPA) if that information is used for purposes related to health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Court ruled that when health care worker data is collected for purposes of health care treatment, payment, or operations under HIPAA, the information is excluded from protection under BIPA.

Mosby involved a putative class action claim brought by nurses whose biometric information allegedly was collected to identify them before dispensing medication to patients.  The trial court and Illinois Appellate Court had ruled that these collections were covered by BIPA because BIPA’s exclusions for “health care treatment, payment, or operations under HIPAA” were directed at protecting patient data, not health care worker data.

Continue Reading Illinois Supreme Court: Collection of Biometric Data for Health Care Treatment, Payment, or Operations Is Exempt from BIPA

President Biden issued an Executive Order on October 30, 2023 designed to place the United States at the forefront of law and regulation of Artificial Intelligence (AI). The Executive Order on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” creates binding disclosure requirements for companies that are either developing certain large language AI models or acquiring or possessing sufficient computing power to run such AI implementations (as described below). The Order also establishes, and directs several federal agencies to establish, industry benchmarks for ensuring robust, reliable, repeatable and standardized testing and evaluations of AI systems, and to create new standards for AI safety and security.

The Order contains a lot of detailed provisions and initiatives involving nearly every government agency and calling for wide-ranging studies and recommendations on nearly every facet of AI, significant provisions of which are described below.

Of particular note, however, the President invoked the Defense Production Act to impose certain requirements that will go into effect 90 days after the issuance of the Order. There are two significant requirements going into effect affecting companies that employ AI models and companies that employ or provide large computing capacity that can be used for AI.

Continue Reading President Biden Issues Far-Reaching Executive Order on Artificial Intelligence

In one of the first lawsuits to allege that generative AI companies violate the U.S. Copyright Act by using copyrighted works to train machine learning models, Judge Stephanos Bibas of the Delaware Circuit Court recently denied the majority of issues raised in cross motions for summary judgment filed by plaintiff Thomson Reuters and defendant Ross Intelligence Inc.  The court declined to issue a dispositive ruling on the hot-button question of whether the fair use doctrine protects generative AI companies that use copyrighted materials to train their programs.

Thomson Reuters (owner of Westlaw) sued Ross Intelligence, a legal-research generative AI startup, in May 2020, alleging that Ross was liable for both copyright infringement and tortious interference with contract.  The allegations against Ross stem from its endeavor to create a search engine that uses machine learning and artificial intelligence to provide answers to commonly asked legal questions.

In need of material to train its generative AI, Ross attempted to obtain a license to use Westlaw. When Westlaw turned Ross away, Ross asked third-party legal research companies to provide it with legal material, much of which those legal research companies obtained from Westlaw. Thomson Reuters contends that Ross copied large portions of Westlaw’s Headnotes and Key Number System.

Continue Reading AI Versus Westlaw Copyright Bellwether Hurtles Toward Jury as Summary Judgment Largely Denied

In a recent decision in a defamation case filed against a Gannett-owned publication and the Associated Press, the Seventh Circuit rejected what it dubbed a “novel interpretation” of an established legal principle, instead upholding the doctrine known as the “single publication rule.”

The U.S. Court of Appeals for the Seventh Circuit in an opinion published August 31 affirmed the United States District Court for the Southern District of Indiana’s dismissal of the libel suit that the plaintiff, the National Police Association (“NPA”), brought against the media outlets. The Court ultimately noted that there was “no basis for the NPA’s theory of liability.”

The case originated in 2019 when the Indianapolis Star and the Associated Press published articles about police departments across the country warning constituents via social media about fundraising “scams” claiming to raise money for the departments. The posts referred to NPA solicitations, and the articles featured statements from officials characterizing the NPA’s efforts as misleading to the public.

Continue Reading 7th Circuit Rejects “Novel Interpretation” of Restatement, Upholds Single Publication Rule

Under UK data protection legislation, individuals, also called “data subjects”, have the right to make a data subject access request (DSAR) to organisations that “process” their personal data.  Similar rights are required by both the EU’s General Data Protection Regulation and the California Consumer Privacy Act.  Amongst other things, as part of a DSAR, data subjects can expect to receive a copy of their personal data.

Continue Reading A Rise in DSARs: Why Can Data Subject Access Requests Be Such a Burden?

In a ruling that maintains the status quo created by the Illinois Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, the Seventh Circuit recently affirmed the trial court’s ruling that certain of the defendant’s alleged violations of the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., are not barred by the five-year statute of limitations. As discussed in greater detail in an earlier BIPA Bellweather post, the Illinois Supreme Court’s Cothron decision held that a separate claim accrues under BIPA each and every time biometric data or information is collected, scanned and/or disclosed.

Continue Reading SEVENTH CIRCUIT FOLLOWS ILLINOIS SUPREME COURT PRECEDENT AND FINDS BIPA CLAIMS TIMELY  

On July 26, 2023, the SEC issued proposed rules under the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 to address conflicts of interest that the SEC believes are associated with the use by broker-dealers and investment advisers of predictive data analytics (PDA) and PDA-like technologies, such as artificial intelligence (AI), in investor interactions. The proposed rules seek to prevent firms from using these technologies to influence investor behavior to the investor’s detriment and the benefit of the firm.

Continue Reading SEC Proposes New Requirements to Address Conflicts of Interest in the Use of Artificial Intelligence and Similar Technologies

On July 26, 2023, the SEC issued proposed rules under the Investment Advisers Act of 1940 to narrow the types of smaller investment advisers that can register with the SEC in reliance on the Internet adviser exemption. Currently, an investment adviser with less than $25 million in assets under management that would ordinarily be too small to register with the SEC may register so long as it provides investment advice to clients exclusively through an interactive website and engages in appropriate recordkeeping. An adviser also may provide investment advice to fewer than 15 clients through other means during the preceding 12 months. The amendments are designed to modernize the exemption and address investment advisers that rely on the exemption but continue to provide non-Internet-based advice through adviser personnel.

Continue Reading SEC Proposes Amendments to the Internet Adviser Exemption

On August 8, 2023, the United States Securities and Exchange Commission (the “SEC” or the “Commission”) announced that 11 Wall Street firms (10 broker-dealer firms and one dually-registered investment adviser) agreed to settle charges for failing to properly maintain and preserve electronic communications relating to firm business. This included text messages and other messages sent through applications contained on personal devices of employees and not subject to firm record retention systems (referred to as “off-channel communications”). The announcement underscores that regulatory scrutiny of recordkeeping obligations remains a high priority for the SEC’s Division of Enforcement. Specifically, the SEC continues to focus on holding registered entities accountable for failing to maintain and preserve off-channel communications pursuant to statutory requirements. As part of the settlements, the firms agreed to pay combined penalties of $289 million, admit liability, and implement improvements to their respective compliance policies and procedures.

1. SEC’s Sustained Efforts to Enforce Recordkeeping Obligations in Recent Years

As broker-dealers and investment advisers adapted to remote working environments, the SEC has repeatedly highlighted the essential role of recordkeeping obligations under the Securities Exchange Act of 1934 (“Exchange Act”) and the Investment Advisers Act of 1940 (“Advisers Act”). The Commission has brought dozens of enforcement actions over the past two years, resulting in over $1.5 billion in penalties, to enforce books and records requirements under federal securities laws. 

This line of high-profile enforcement actions concerning off-channel communications originated in December 2021. In the first off-channel settlement, a large Wall Street firm admitted that its employees, including supervisors and senior-level employees, utilized unapproved communication methods, which led to business communications not being properly maintained or preserved.[1] As a result, the Wall Street firm could not provide the Commission with requested business communications during an SEC investigation. Due to the firm’s violations, it agreed to pay a $200 million civil money penalty and to retain a compliance consultant to conduct a comprehensive review of the firm’s policies and procedures concerning the retention of electronic communications found on personal devices and the firm’s framework for addressing non-compliance by its employees with the corresponding policies and procedures. 

In September 2022, the SEC settled similar off-channel communications charges with 15 broker-dealers and one affiliated investment adviser for a combined $1.1 billion in civil money penalties. The SEC found that the 16 firms routinely communicated about business matters using personal devices that did not maintain or preserve the substantial majority of the off-channel communications.  Moreover, the settlements required that the various firms admit the securities law violations and agree to retain compliance consultants to conduct comprehensive reviews of the policies and procedures concerning off-channel communications. 

In May 2023, the SEC announced it had reached similar settlements with two financial institutions for civil money penalties exceeding $22 million, after the firms self-reported recordkeeping policy failures relating to off-channel communications.

Most recently, in June 2023, a broker-dealer admitted to violating Section 17(a) of the Exchange Act, and Rule 17a-4(b)(4) thereunder, for failing to properly preserve approximately 47 million “on-channel,” or firm-captured, electronic communications. The settlement order noted that eight ongoing SEC investigations into the firm’s operations were compromised due to a failure in the firm’s communication retention policies. As a result, the broker-dealer agreed to pay a $4 million civil money penalty.[2]

2. Latest Settlements Highlight the SEC’s Continued Focus on Monitoring Issues Associated with Off-Channel Communications

The August 8, 2023 settlement orders, similar to previously announced settlements, contained SEC findings that employees at all levels of the firms’ operations utilized personal messaging platforms, including iMessage, WhatsApp, and Signal, to discuss business matters. The SEC found that since these communications were sent through unapproved methods, the messages were not maintained and preserved in compliance with the applicable federal securities laws.  Accordingly, the broker-dealers were charged with violating Section 17(a) of the Securities Exchange Act and Rule 17a-4 thereunder. One dually registered broker-dealer and investment adviser was also charged with violating Section 204 of the Advisers Act and Rule 204-2 thereunder.

The firms admitted the findings set forth in their respective SEC orders and agreed to pay penalties to the SEC that collectively amounted to $289 million. Moreover, the firms agreed to retain independent compliance consultants to conduct comprehensive reviews of their policies and procedures concerning the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with the associated policies and procedures. 

3. Key Takeaways: Recordkeeping Obligations to Remain a Major Priority for the SEC

The recent settlements reflect the SEC’s continued focus on enforcing recordkeeping requirements under the Exchange Act and Advisers Act. Sanjay Wadhwa, the SEC’s Deputy Director of the Division of Enforcement, warned in no uncertain terms: “we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.” Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, reinforced that message, noting that these enforcement actions provide three key takeaways: “self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.” Accordingly, regulated businesses may benefit from reviewing their current recordkeeping policies and procedures to evaluate potential weaknesses and/or to evaluate the need to self-report any issues.


[1] See SEC Investigations Relating to Record Preservation Practices Likely to Continue (May 4, 2022), https://www.vedderprice.com/sec-investigations-relating-to-record-preservation-practices-likely-to-continue.

[2] See SEC Focus on Recordkeeping Obligations Continues: Regulated Entities Face Enhanced Scrutiny (June 28, 2023), https://www.vedderprice.com/sec-focus-on-recordkeeping-obligations-continues-regulated-entities-face-enhanced-scrutiny. 

Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General).  As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public.  Why does that matter?  Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).

Continue Reading Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure