In a ruling that maintains the status quo created by the Illinois Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, the Seventh Circuit recently affirmed the trial court’s ruling that certain of the defendant’s alleged violations of the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., are not barred by the five-year statute of limitations. As discussed in greater detail in an earlier BIPA Bellweather post, the Illinois Supreme Court’s Cothron decision held that a separate claim accrues under BIPA each and every time biometric data or information is collected, scanned and/or disclosed.

Continue Reading SEVENTH CIRCUIT FOLLOWS ILLINOIS SUPREME COURT PRECEDENT AND FINDS BIPA CLAIMS TIMELY  

On July 26, 2023, the SEC issued proposed rules under the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 to address conflicts of interest that the SEC believes are associated with the use by broker-dealers and investment advisers of predictive data analytics (PDA) and PDA-like technologies, such as artificial intelligence (AI), in investor interactions. The proposed rules seek to prevent firms from using these technologies to influence investor behavior to the investor’s detriment and the benefit of the firm.

Continue Reading SEC Proposes New Requirements to Address Conflicts of Interest in the Use of Artificial Intelligence and Similar Technologies

On July 26, 2023, the SEC issued proposed rules under the Investment Advisers Act of 1940 to narrow the types of smaller investment advisers that can register with the SEC in reliance on the Internet adviser exemption. Currently, an investment adviser with less than $25 million in assets under management that would ordinarily be too small to register with the SEC may register so long as it provides investment advice to clients exclusively through an interactive website and engages in appropriate recordkeeping. An adviser also may provide investment advice to fewer than 15 clients through other means during the preceding 12 months. The amendments are designed to modernize the exemption and address investment advisers that rely on the exemption but continue to provide non-Internet-based advice through adviser personnel.

Continue Reading SEC Proposes Amendments to the Internet Adviser Exemption

On August 8, 2023, the United States Securities and Exchange Commission (the “SEC” or the “Commission”) announced that 11 Wall Street firms (10 broker-dealer firms and one dually-registered investment adviser) agreed to settle charges for failing to properly maintain and preserve electronic communications relating to firm business. This included text messages and other messages sent through applications contained on personal devices of employees and not subject to firm record retention systems (referred to as “off-channel communications”). The announcement underscores that regulatory scrutiny of recordkeeping obligations remains a high priority for the SEC’s Division of Enforcement. Specifically, the SEC continues to focus on holding registered entities accountable for failing to maintain and preserve off-channel communications pursuant to statutory requirements. As part of the settlements, the firms agreed to pay combined penalties of $289 million, admit liability, and implement improvements to their respective compliance policies and procedures.

1. SEC’s Sustained Efforts to Enforce Recordkeeping Obligations in Recent Years

As broker-dealers and investment advisers adapted to remote working environments, the SEC has repeatedly highlighted the essential role of recordkeeping obligations under the Securities Exchange Act of 1934 (“Exchange Act”) and the Investment Advisers Act of 1940 (“Advisers Act”). The Commission has brought dozens of enforcement actions over the past two years, resulting in over $1.5 billion in penalties, to enforce books and records requirements under federal securities laws. 

This line of high-profile enforcement actions concerning off-channel communications originated in December 2021. In the first off-channel settlement, a large Wall Street firm admitted that its employees, including supervisors and senior-level employees, utilized unapproved communication methods, which led to business communications not being properly maintained or preserved.[1] As a result, the Wall Street firm could not provide the Commission with requested business communications during an SEC investigation. Due to the firm’s violations, it agreed to pay a $200 million civil money penalty and to retain a compliance consultant to conduct a comprehensive review of the firm’s policies and procedures concerning the retention of electronic communications found on personal devices and the firm’s framework for addressing non-compliance by its employees with the corresponding policies and procedures. 

In September 2022, the SEC settled similar off-channel communications charges with 15 broker-dealers and one affiliated investment adviser for a combined $1.1 billion in civil money penalties. The SEC found that the 16 firms routinely communicated about business matters using personal devices that did not maintain or preserve the substantial majority of the off-channel communications.  Moreover, the settlements required that the various firms admit the securities law violations and agree to retain compliance consultants to conduct comprehensive reviews of the policies and procedures concerning off-channel communications. 

In May 2023, the SEC announced it had reached similar settlements with two financial institutions for civil money penalties exceeding $22 million, after the firms self-reported recordkeeping policy failures relating to off-channel communications.

Most recently, in June 2023, a broker-dealer admitted to violating Section 17(a) of the Exchange Act, and Rule 17a-4(b)(4) thereunder, for failing to properly preserve approximately 47 million “on-channel,” or firm-captured, electronic communications. The settlement order noted that eight ongoing SEC investigations into the firm’s operations were compromised due to a failure in the firm’s communication retention policies. As a result, the broker-dealer agreed to pay a $4 million civil money penalty.[2]

2. Latest Settlements Highlight the SEC’s Continued Focus on Monitoring Issues Associated with Off-Channel Communications

The August 8, 2023 settlement orders, similar to previously announced settlements, contained SEC findings that employees at all levels of the firms’ operations utilized personal messaging platforms, including iMessage, WhatsApp, and Signal, to discuss business matters. The SEC found that since these communications were sent through unapproved methods, the messages were not maintained and preserved in compliance with the applicable federal securities laws.  Accordingly, the broker-dealers were charged with violating Section 17(a) of the Securities Exchange Act and Rule 17a-4 thereunder. One dually registered broker-dealer and investment adviser was also charged with violating Section 204 of the Advisers Act and Rule 204-2 thereunder.

The firms admitted the findings set forth in their respective SEC orders and agreed to pay penalties to the SEC that collectively amounted to $289 million. Moreover, the firms agreed to retain independent compliance consultants to conduct comprehensive reviews of their policies and procedures concerning the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance by their employees with the associated policies and procedures. 

3. Key Takeaways: Recordkeeping Obligations to Remain a Major Priority for the SEC

The recent settlements reflect the SEC’s continued focus on enforcing recordkeeping requirements under the Exchange Act and Advisers Act. Sanjay Wadhwa, the SEC’s Deputy Director of the Division of Enforcement, warned in no uncertain terms: “we know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.” Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, reinforced that message, noting that these enforcement actions provide three key takeaways: “self-report, cooperate and remediate. If you adopt that playbook, you’ll have a better outcome than if you wait for us to come calling.” Accordingly, regulated businesses may benefit from reviewing their current recordkeeping policies and procedures to evaluate potential weaknesses and/or to evaluate the need to self-report any issues.


[1] See SEC Investigations Relating to Record Preservation Practices Likely to Continue (May 4, 2022), https://www.vedderprice.com/sec-investigations-relating-to-record-preservation-practices-likely-to-continue.

[2] See SEC Focus on Recordkeeping Obligations Continues: Regulated Entities Face Enhanced Scrutiny (June 28, 2023), https://www.vedderprice.com/sec-focus-on-recordkeeping-obligations-continues-regulated-entities-face-enhanced-scrutiny. 

Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General).  As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public.  Why does that matter?  Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).

Continue Reading Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure

In a highly anticipated decision issued in February 2023, the Illinois Supreme Court held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each and every time biometric data or information is collected, scanned and/or disclosed.  Defendant White Castle System, Inc. (“White Castle”) filed a petition for rehearing, seeking to overturn the Cothron decision.  On July 18, 2023, the Illinois Supreme Court denied White Castle’s petition and left in place a standard that is likely to have a profound impact on the valuation of BIPA claims.   

Continue Reading BIPA Bellweather: Back to the BIPA Norm—Illinois Supreme Court Refuses to Reconsider Cothron Decision

A recent announcement by California Attorney General Rob Bonta may curtail the relief experienced by California’s largest employers who are benefitting from the delayed enforcement of the newest California Consumer Privacy Act (“CCPA”) regulations.

Continue Reading CCPA Relief at Risk:  California Attorney General Announces New Investigative Sweep

In a landmark decision, U.S. District Judge Matthew Kennelly vacated a $228 million damages award in Richard Rogers v. BNSF Railway Co., the first case tried to a verdict under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), and ordered a new jury trial limited to the question of damages. (See full Opinion and Order here.) The Rogers ruling applies the Illinois Supreme Court’s decision in Cothron v. White Castle System, Inc. finding that the amount of damages in a BIPA action is discretionary, not mandatory. A jury will ultimately exercise that discretion in a subsequent trial on damages.    

Continue Reading BIPA Bellweather: A Glimmer of Hope? Court Vacates $228 Million Judgement From First BIPA Jury Trial

Just over halfway through 2023, nationwide TCPA jurisprudence is focused on further delineating the scope of the TCPA. As the dust settles from earlier battles over defining ATDS requirements, the cases from this year are largely aimed at establishing who can bring a claim under the TCPA and what conduct the statute covers. We summarize here developments since our last update, listed in alphabetical order by topic area.

Continue Reading TCPA Turnstile: Scoping out the TCPA – 2023 Midyear Update (TCPA Case Update Vol. 18)