On July 30, 2024, Meta Platforms, Inc. (formerly known as Facebook, Inc.) agreed to pay $1.4 billion to the State of Texas to settle a lawsuit alleging that Meta unlawfully captured and used biometric identifiers of millions...more
The Texas Data Privacy and Security Act (“TDPSA” or the “Act”) came into effect on July 1, 2024. The TDPSA applies to any person who (i) conducts business in the state of Texas or produces a product or service consumed by...more
For more than a decade, the U.S. Securities and Exchange Commission (the “SEC”) has been able to bring enforcement actions in either federal court or the agency’s internal venue. Not anymore. On June 27, 2024, the U.S....more
7/1/2024
/ Administrative Law Judge (ALJ) ,
Administrative Proceedings ,
Article III ,
Civil Monetary Penalty ,
Enforcement Actions ,
Jury Trial ,
Public Rights Doctrine ,
SCOTUS ,
SEC v Jarkesy ,
Securities and Exchange Commission (SEC) ,
Securities Exchange Act of 1934 ,
Securities Fraud ,
Seventh Amendment
On April 12, 2024, the U.S. Supreme Court unanimously held that, in the absence of an otherwise misleading statement, a failure to disclose information required by Item 303 of Regulation S-K (“Item 303”) does not support a...more
4/18/2024
/ Disclosure Requirements ,
Failure To Disclose ,
Financial Services Industry ,
Macquarie Infrastructure Corp v Moab Partners LP ,
Omissions ,
Rule 10(b) ,
Rule 10b-5 ,
SCOTUS ,
Securities and Exchange Commission (SEC) ,
Securities Fraud ,
Securities Regulation ,
Securities Violations
The facts are an oft-told business email compromise horror story: a hacker interjects themselves into an email discussion of a business deal, changes the wire instructions to their own account, and disappears with the...more
Public companies are now required to comply with new cybersecurity disclosure requirements in their Annual Reports on Form 10-K for fiscal years ending on or after December 15, 2023. In preparing this cybersecurity...more
3/5/2024
/ Annual Reports ,
Chief Information Security Officer (CISO) ,
Cyber Incident Reporting ,
Cybersecurity ,
Disclosure Requirements ,
Form 10-K ,
Form 8-K ,
Popular ,
Regulation S-K ,
Securities and Exchange Commission (SEC) ,
SolarWinds
On November 14, the Securities and Exchange Commission (“SEC”) published its 2023 annual enforcement report which revealed a continuation of 2022’s record-setting enforcement activity.1 The SEC imposed $4.95 billion in...more
Recent enforcement actions brought by the Securities and Exchange Commission (“SEC”) signal that the SEC is paying close attention to public company financial reporting and will continue to punish misleading accounting and...more
On September 12, 2023, Delaware governor John Carney signed the Delaware Personal Data Privacy Act (the “DPDPA” or the “Act”) into law. The DPDPA protects the privacy rights of consumers in Delaware and regulates the...more
9/20/2023
/ Consumer Privacy Rights ,
Data Collection ,
Data Controller ,
Data Privacy ,
Data Processors ,
Data Selling ,
Data-Sharing ,
Delaware ,
Geolocation ,
New Legislation ,
Personal Data ,
Sensitive Personal Information ,
State Privacy Laws
In advance of its September 8, 2023 board meeting, the California Privacy Protection Agency (“CPPA”), the state’s privacy regulatory body, has unveiled draft regulations that could significantly impact cybersecurity...more
9/7/2023
/ Artificial Intelligence ,
Automated Decision Systems (ADS) ,
California ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Management ,
Regulatory Agenda ,
Risk Assessment ,
State Privacy Laws
The Department of Homeland Security’s Transportation Security Administration (“TSA”) has issued an amended directive on pipeline security, SD-Pipeline-2021-02D (the “Directive”). The Directive is based on and supersedes the...more
On July 26, 2023, the Securities and Exchange Commission (“SEC”) voted to approve final rules governing cybersecurity disclosures of public companies (“Final Rules”). The Final Rules make meaningful changes to the current and...more
On July 10, 2023, the European Commission (the “Commission”) adopted an adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”).
The Framework provides companies that opt in with a legitimate means of...more
7/14/2023
/ Cross-Border ,
Cybersecurity ,
Data Privacy ,
Data Transfers ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
US-EU Safe Harbor Framework
Internal investigations are key to good corporate governance when board of directors and general counsels are presented with allegations of misconduct. An effective internal investigation equips the company with information...more
The European Union’s (“EU”) Data Protection Commission (the “Commission”) recently fined Meta Ireland $1.3 billion (or €1.2 billion) for improper data transfers from the European Economic Area (“EEA”) to the United States in...more
Texas will soon join the growing list of states that have passed comprehensive data privacy legislation. House Bill 4, the Texas Data Privacy and Security Act (“TDPSA” or the “Act”), has a broad reach and will apply to all...more
6/1/2023
/ California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
Data Controller ,
Data Privacy ,
Data Processors ,
Federal Trade Commission (FTC) ,
General Data Protection Regulation (GDPR) ,
Opt-Outs ,
Proposed Legislation ,
State Labor Laws ,
Texas
On May 5, 2023, the Securities and Exchange Commission (“SEC”) issued an order (the “Order”)1 providing that it would pay a $279 million award to a whistleblower who assisted with the enforcement of an action by the SEC and...more
On March 15, 2023, the Securities Exchange Commission (“SEC”) issued three additional proposed rules that would expand the reach of the agency’s current cybersecurity guidance to new entities and augment existing...more
On March 14, 2023, the Securities and Exchange Commission (“SEC”) issued a cease-and-desist order (the “Order”)1 and charged DXC Technology Company (“DXC”), an IT company based in Virginia, with violations of Rule 100(b) of...more
Over the last several weeks, federal regulators and prosecutors have sent a strong signal to company executives that they will be using every tool in their arsenal to combat insider trading. The government’s crackdown has...more
After a rash of significant cybersecurity breaches and ransomware attacks affecting a wide set of industries, ranging from pipelines to technology companies, the Biden administration released its much-anticipated National...more
On February 22, 2023, the Securities and Exchange Commission (“SEC”) issued a cease-and-desist order (the “Order”) charging African Gold Acquisition Corp. (“African Gold”) with multiple violations of the Securities Exchange...more
The Supreme Court of Illinois recently held that use of a fingerprint system by White Castle, Inc. (“White Castle”) to authenticate employees, without the consent of the employees, entailed multiple violations of the Illinois...more
On January 9, 2023, the Securities and Exchange Commission (“SEC”) issued a cease-and-desist order (the “Order”)1 charging McDonald’s Corporation (“McDonald’s”) and its ex-CEO, Stephen Easterbrook, with multiple disclosure...more
1/25/2023
/ Breach of Duty ,
Cease and Desist Orders ,
CEOs ,
Civil Monetary Penalty ,
Compensation ,
Disclosure ,
Disclosure Requirements ,
Executive Compensation ,
Failure To Disclose ,
Fraternization Policies ,
Internal Investigations ,
McDonalds ,
Principal Executive Officer ,
Proxy Statements ,
Regulation S-K ,
Securities and Exchange Commission (SEC) ,
Securities Exchange Act ,
Separation Agreement ,
Termination for Cause
Epic Games, Inc. (“Epic”) agreed to pay a combined $520 million in two “record-breaking settlements” on Monday. The settlements resolve alleged violations of both the Federal Trade Commission Act (the “FTC Act”) and the...more