Bridging the Week - October 2018 #2

by Katten Muchin Rosenman LLP

An international bank settled an enforcement action brought by the Commodity Futures Trading Commission for spoofing. However, in the process, the CFTC went out of its way to laud the bank for self-reporting the incident, as well as its cooperation in the CFTC’s investigation and voluntary efforts to enhance its internal processes to detect spoofing and train staff going forward. Separately, a UK-based financial institution was assessed a fine of the equivalent of approximately US $21.5 million by the Financial Conduct Authority for a cyber breach that detrimentally impacted some customers. Although the FCA acknowledged that the bank’s cybercrime framework was “appropriate,” it said that employees did not follow it. As a result, the following matters are covered in this week’s edition of Bridging the Weeks:

  • Self-Reporting and Cooperation of Non-US-Based Bank Acknowledged by CFTC in Agreeing to US $800,000 Fine for Spoofing by Traders (includes Legal Weeds1 and Legal Weeds2);
  • UK Bank Fined GB £16.4 Million Related to Cyber-Attack Because of Employee Breakdowns (includes Compliance Weeds);
  • International Financial Regulator Coordinator Says Crypto-Assets Currently Pose No Threat to Financial Stability (includes My View); and more.

Please  click here for the Video Version.

Article Version


  • Self-Reporting and Cooperation of Non-US-Based Bank Acknowledged by CFTC in Agreeing to US $800,000 Fine for Spoofing by Traders: The Bank of Nova Scotia – a Toronto, Canada-headquartered bank – agreed to pay a fine of US $800,000 to resolve charges brought by the Commodity Futures Trading Commission related to purported spoofing transactions by unnamed traders on its New York precious metals trading desk from June 2013 through June 2016. 

Typically, said the CFTC, a trader would place a small order for gold or silver futures on the Commodity Exchange, Inc. at or near the best price, followed by a larger order on the opposite side of the market away from the best price. The goal of the spoofing order was to suggest greater buying or selling interest, and to induce execution of the trader’s small order. If the trader was successful, the trader’s small order would be executed after which the trader would cancel the larger order, alleged the CFTC.

According to the CFTC, BNS was alerted to the potential spoofing trading of one its NY-based traders by its futures commission merchant. In response, BNS conducted an internal review, terminated the one trader, and self-reported the trading activity to the CFTC, including providing “thousands of documents,” other information and analysis. BNS also implemented an enhanced surveillance system, hired a full-time surveillance monitor, and augmented its spoofing training programs, said the CFTC.

In a press release issued by the CFTC in connection with publication of the relevant settlement order, James McDonald, CFTC Director of Enforcement, stated that BNS received a “substantially-reduced penalty” because of its self-reporting and cooperation. 

Legal Weeds1: Last year, Mr. McDonald made clear that potential wrongdoers who voluntarily self-report their violations, fully cooperate in any subsequent CFTC investigation, and fix the cause of their wrongdoing to prevent a re-occurrence will receive “substantial benefits” in the form of significantly lesser sanctions in any enforcement proceeding and “in truly extraordinary circumstances,” no prosecution at all. (Click here for background in the article “New Math: Come Forward + Come Clean + Remediate = Substantial Settlement Benefits Says CFTC Enforcement Chief” in the October 1, 2017 edition of Bridging the Week.)

Since then, the CFTC Division of Enforcement has routinely reiterated this view in connection with settlements of enforcement actions where it acknowledged self-reporting and cooperation. This settlement is the latest example.

Legal Weeds2: I don't ordinarily cover traditional fraud cases in Bridging the Week as they don't typically provide insight into novel legal theories or important new lessons for legitimate industry participants. However, a recent victory by the CFTC in its enforcement action against Gregory L. Gramalegui is worth noting. In that case, the CFTC prevailed in a litigation against Mr. Gramalegui where it had charged violations of the anti-fraud provisions of relevant law and disclosure requirements of CFTC rules in connection with his solicitation of customers for a futures trading system and an advisory service, among other offenses. The federal court in Colorado hearing this matter found that the CFTC proved its allegations and assessed a fine against Mr. Gramalegui of US $1.9 million and ordered disgorgement.

Among its claims, the CFTC charged Mr. Gramalegui with making false statements to it in connection with a provision of law added as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. This provision renders it illegal for a person to make a false or misleading statement to the CFTC or omit material information to deceive the Commission, "if the person knew, or reasonably should have known, the statement was false or misleading" in connection with material facts. (Click here to access 7 U.S.C. § 9(2).)

According to the Court, "a statement is actionable under this section when it is either literally untrue or when it fails to include all information necessary to give the recipient a complete and accurate picture of the state of affairs communicated." Here the court found that the defendant violated this provision of law when he told the CFTC in connection with a deposition that he did not advertise for clients but that clients found him through Google and other search engines; he did not send out marketing emails between September 2014 and 2015; and he played no role in a statement on his website that "most traders have made enough on one trade to pay for the[ir] monthly subscription," as well as when he did not tell the CFTC that he communicated to customers other than through one identified email account and that he had altered the copy of his website prior to producing it to the CFTC, among other statements and misstatements. Each of these statements was false or misleading, said the court. Moreover, the court concluded that each of these misstatements and omissions was material and, accordingly, gave rise to a violation of the relevant provision of law.

Mom always said to tell the truth. The CFTC has tools to sanction persons for not following mom's advice. (Click here to access the court's full decision.)

  • UK Bank Fined GB £16.4 Million Related to Cyber-Attack Because of Employee Breakdowns: The United Kingdom’s Financial Conduct Authority fined Tesco Personal Finance plc GB £16.4 million (US $21.5 million) for failing to exercise “due skill, care and diligence” in protecting its customers from the consequences of a cyber-attack in November 2016 involving bank-issued debit cards. 

According to the FCA, because of a design flaw in the debit cards, the attackers used an algorithm to generate authentic debit card numbers, and used these numbers to engage in thousands of unauthorized customer debit card transactions. After the cyber-attack began and was first detected early on Saturday, November 5, 2016, staff committed a number of errors which delayed fully stopping the cyber-attack and restoring normal debit card use by all customers until November 9. Among these errors was that, once the cyber-attack was discovered, the internal team responsible for helping to resolve the cyber-attack emailed a fraud strategy inbox as opposed to telephoning the internal fraud analyst, as required by procedures. This, claimed the FCA, delayed resolution by 21 hours as the email was not reviewed promptly over the weekend. Additionally, once the cause of the cyber-attack was recognized, a number of initial fixes were ineffective. However, because the first fix was not monitored, Tesco did not recognize until only after a “few hours” that the fix did not work and that fraudulent transactions were increasing.

Although the FCA acknowledged that Tesco’s cybercrime framework was “appropriate,” it said that relevant individuals did not follow it. According to FCA, “[Tesco’s] financial crime framework was clear and each body within the framework had an appropriate role and each body worked together to achieve the common purpose of mitigating the risk of cybercrime.” Unfortunately, said the FCA, a cybercrime framework “is only as good as the individuals who work within it.”

Ultimately, 8,261 current accounts were impacted by the cyber-attack. The bank reimbursed customers for direct losses and removed all pending debits, as well as refunded all fees, charges, and interest that had been charged.

The FCA indicated that it would have fined Tesco GB £23.5 million (US $30.9 million) but for Tesco’s “high level of cooperation” during the FCA’s investigation, immediate retention of a third-party consultant to review the incident, implementation of the consultant’s recommendations, and other mitigation measures.

Compliance Weeds: Last month, the Securities and Exchange Commission settled an enforcement action against Voya Financial Advisors, Inc. – a registered broker-dealer and investment adviser – related to purported deficiencies in the firm’s cybersecurity procedures that the SEC alleged contributed to a cyber intrusion and compromise of customers’ personal information. These deficiencies constituted violations of the SEC’s Safeguard and Identity Theft Red Flags rules. (Click here for background in the article “Broker-Dealer Resolves SEC Charges That Inadequate Cybersecurity Procedures Led to Cyber Intrusion, Compromising Customer Personal Information” in the September 30, 2018 edition of Bridging the Week.)

Voya agreed to pay a fine of US $1 million to resolve the SEC’s enforcement action.

Earlier this year, AMP Global Clearing LLC, a Commodity Futures Trading Commission-registered FCM, agreed to pay a fine of US $100,000 to resolve an enforcement action brought by the Commission claiming that it failed to supervise a third party’s implementation of “critical” provisions of its information system security program. As a result of this failure, said the Commission, AMP’s technology system was compromised by an unauthorized individual (Infiltrator) who impermissibly copied approximately 97,000 files, including many files that contained confidential personal information. (Click here for background in the article “CFTC Says Futures Brokerage Firm’s Failure to Supervise Led to Unauthorized Cyber-Attack” in the February 18, 2018 edition of Between Bridges.)

Both SEC and CFTC-registered entities should ensure they maintain a robust information system security program to minimize the likelihood of a cyber-attack as well as policies and procedures expressly designed to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution and nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”

All policies and procedures should be regularly reviewed and updated, as appropriate, and at least annual firm-wide training and ongoing evaluations of critical systems should be implemented. Firms should consider in advance how they would respond to different types and degrees of cyber-attacks. Periodic drills involving mock phishing episodes and cyber-attacks should also be considered to heighten employee readiness.

  • International Financial Regulator Coordinator Says Crypto-Assets Currently Pose No Threat to Financial Stability: The Financial Stability Board issued a report concluding that crypto-assets do not currently pose a “material risk” to global financial stability. However, if crypto-asset markets became more significant, market liquidity risks, volatility risks, leverage risks, and technological and operational risks “could possibly lead to financial stability implications,” claimed the FSB.

According to the FSB, today, crypto-asset ownership appears limited among a few market participants. This limits market depth and diminishes the ability of markets to handle large trading volumes. Moreover, noted the FSB, the value of crypto-assets is not derived from the value of underlying assets but from speculation. As a result, to date, the prices of crypto-assets have been “highly volatile.” Additionally, said the FSB, the distributed ledger technology underlying crypto-assets has “limited or no formal governance structure,” and may be subject to “technological errors and limitations.” Among other things, observed the FSB, “[d]ecentralisation and lack of or inadequate governance makes it difficult to resolve technological limitations or errors and may lead to uncertainty and ‘hard forks’ [in proof of work governance structures] by a subset of miners.”

The FSB expressed concern that if crypto-assets were more widely used, “negative developments involving crypto-assets could undermine confidence in certain aspects of the financial system and in financial regulators.”

The FSB indicated that, going forward, it will continue to monitor the risk of crypto-assets to financial stability on an “ongoing basis.” Established in 2009, the FSB is an international organization comprising representatives of national authorities responsible for financial stability in material international financial centers that monitors and makes recommendations about the global financial system.

Among other developments these past two weeks involving crypto-assets:

  • ICO Claiming SEC Approval Halted by SEC: The Securities and Exchange Commission obtained an emergency order from a federal court in California against Blockvest, LLC, a purported digital asset-related financial products and services company, and Reginald Ringgold, III, the claimed founder of Blockvest, in connection with the firm’s initial coin offering of its BLV digital token. According to the SEC, the defendants falsely claimed that their ICO received regulatory approval from the SEC when it did not, and misrepresented that Blockvest had a relationship with Deloitte, a public accounting firm, when it did not. The SEC also charged that the defendants misrepresented their status with the National Futures Association even after being warned to stop such false claims by NFA. The emergency order froze defendants’ assets and temporarily prohibited them from violating the anti-fraud laws.
  • trueEX Submits Self-Certification of Bitcoin Physically Delivered Swap Contract to CFTC: trueEX LLC – a Commodity Futures Trading Commission swap execution facility – submitted to the Commission new product terms and conditions for a physically delivered uncleared bitcoin swap contract that will be available solely to eligible contract participants. The contract size of the swap, as proposed, will be one bitcoin, and would have maturity dates of the last Friday of the nearest three serial months, and the nearest four months in the quarterly cycle of March, June, September, and December. Each trueEX participant trading bitcoin swaps must first appoint a settlement agent that will provide cash settlement services, including margining and final settlement. Holders of bitcoin swap contracts will be subject to initial and variation margin obligations; the contracts do not appear intended to be fully collateralized. Absent objection, trueEX amended rules and regulations will be effective no earlier than October 17, 2018.
  • FinCEN Issues Iran Warning to Crypto Exchanges: The Financial Crimes Enforcement Network of the US Department of Treasury issued an advisory to help financial institutions, including money service businesses engaging in cryptocurrency activities, comply with US sanctions against Iran, the Government of Iran or Iranian financial institutions unless exempt. FinCEN warned virtual currency providers that have Bank Secrecy Act and US sanctions obligations to be aware of and have appropriate systems to comply with all relevant sanctions and anti-money laundering/combating the financing of terrorism requirements. Among other things, FinCEN indicated that relevant institutions “should consider reviewing blockchain ledgers for activity that may originate or terminate in Iran.”
  • SEC Reconsiders GraniteShares Bitcoin ETFs: The Securities and Exchange Commission sought comments on Cboe BZX Exchange, Inc.’s proposed rule change to authorize the listing and trading of shares of the GraniteShares Bitcoin Exchange Traded Fund and the GraniteShares Short Bitcoin ETF. In August 2018, the SEC’s Division of Trading and Markets, pursuant to delegated authority, disapproved the proposed rule change, but the Commission promptly indicated it would review the determination. Each fund proposes to track bitcoin futures contracts. The SEC will accept comments to the proposed rule change proposal for 21 days following the publication of its notice in the Federal Register.

My View: The crypto-asset market is very small today compared to other financial assets. According to the FSB, the market    capitalization of crypto-assets peaked on January 8, 2018, at an estimated US $830 billion, 35 percent of which was attributable to bitcoin. As of October 4, market capitalization had declined to approximately US $210 billion. This represented .9 percent of the market capitalization of the S&P 500 on that date, and 2.8 percent of the global value of gold.

Views on the potential benefits of distributed ledger technology and associated crypto-assets are widely divergent. Last week Nouriel Roubini, Professor of Economics at the Stern School of Business, New York University, testified before the US Senate Committee on Banking, Housing and Community Affairs that “[b]itcoin and other cryptocurrencies represent the mother of all bubbles” and that “blockchain is the most over-hyped – and least useful – technology in human history.” Alternatively, Peter Van Valkenburgh, Director of Research at Coin Center, argued before the same subcommittee that “the benefits of [blockchain] technology are real.” He said that digital cash offers “efficiencies that existing electronic transmission cannot,” digital identity “may solve many of our online security woes,” and the internet of things “may spur greater security, competition, and an end to walled gardens of non-interoperability for connected devices.”

(Click here to access the published version of Mr. Roubin’s testimony, and here for Mr. Valkenburgh’s presentation.)

We are less than 10 years from the mining of the first 50 genesis bitcoins. Today the hype of distributed ledger technology and crypto-assets is likely far louder than the number of effective use cases. However, it is hard to imagine that elements of DLT – application of strong cryptography to support blockchains, transactions validated by a consensus protocol designed to be trustless, the capability to transmit and access a store of value anywhere and anytime, and the ability to code technology to self-execute contractual terms – are important innovations that continue to be developed and advanced. No one can predict whether any crypto-asset or specific blockchain existent today will survive tomorrow or even be around in today’s form. However, DLT and crypto-assets of some kind are likely to be with us for a long time.

More Briefly:

  • Interdealer Broker, CEO and Senior Manager Named in CFTC Enforcement Action for Communicating Fake Bids, Offers and Executions in FX Options Market; Board Chairman Settles Related Supervisory Charges: TFS-ICAP, LLC and TFS-ICAP Ltd. were charged by the Commodity Futures Trading Commission with attempting to deceive and deceiving their clients through fake bids and offers and fake trades involving foreign exchange options from 2008 through 2015. The purpose of the purported wrongful actions, said the CFTC, was to create an impression of greater liquidity and tighter spreads on TFS-ICAP’s trading platform to induce clients to trade. Two senior managers at TFS-ICAP – Jeremy Woolfenden, Global Head of Emerging Markets FX Options, and Ian Dibb, CEO of TFS-ICAP from 2011 through the present time – were also charged by the CFTC for the companies’ violations and failure to supervise because of their purported knowledge and encouragement of the alleged wrongdoing. The CFTC seeks disgorgement of benefits, fines, and registration bans, among other penalties against all defendants. The CFTC filed its enforcement action in a federal court in Manhattan. Separately, Michael Leibowitz, Chairman of the Board of TFS-ICAP agreed to pay a fine of US $250,000 for not developing or having implemented policies and procedures that prohibited the alleged wrongful conduct.
  • CBOE Futures Exchange Amends and Reissues Guidance on ECRPs: Cboe Futures Exchange issued revised guidance on authorized exchange of contract for related position transactions – more commonly referred to as exchange for related position transactions on other derivative exchanges. On CFE, authorized ECRP transactions must involve (1) a CFE contract and a transaction in a related position or option on a related position; (2) actual transfer of ownership and an ability to perform the ECRP; and (3) separate parties on each side of the ECRP. The related position for an ECRP may include a security, a derivative, any commodity under applicable law, or a group or basket of any of the foregoing provided all related positions must have a high degree of price correlation to the underlying contract. No related position may be a contract traded on or subject to CFE rules, and no contingent ECRPs are permitted. An ECRP is an exception to the Commodity Futures Trading Commission rule that all futures contracts must be openly and competitively executed. (Click here to access CFTC Rule 1.38.)
  • CME Group Exchanges Sanction Three Traders for Wash Sales, One for Spoofing: TRC World Group and two of its employees – Travis Haymore and John Morgan – resolved charges brought by a Chicago Board of Trade business conduct committee that, on various dates in August 2016, each respondent engaged in wash sales. The purpose of the transactions, said the CBOT, was to roll forward existing positions. TRC was also charged with failure to supervise for not providing appropriate training to its employees. TRC consented to a fine of US $30,000, while both Mr. Haymore and Mr. Morgan agreed to pay fines of US $10,000 and be suspended from trading on all CME Group exchanges for five business days. Separately, Eamon O’Floinn was charged in and settled a disciplinary action with the Chicago Mercantile Exchange for disruptive trading. According to CME, Mr. O’Floinn entered and canceled orders in various CME futures contracts during the pre-opening period that were not entered for purposes of execution, but to assess the depth of the order book. He purportedly engaged in such conduct from November 1, 2016, through June 15, 2017. He agreed to pay a fine of US $10,000 and a 10-day all CME Group exchange trading prohibition to resolve this matter.
  • Options Trader Who Settled Related Criminal Charges Resolves CFTC Enforcement  Action for Trading  Futures Options to Disguise Trading Losses: Thomas Lindstrom, the former options trader who engaged in unauthorized trading activities that led to a US $14 million loss for his employer, settled an enforcement action for his conduct with the Commodity Futures Trading Commission. Mr. Lindstrom agreed to pay a penalty of US $855,000 and restitution of US $14 million. Mr. Lindstrom pleaded guilty to criminal charges related to his matter in January 2018, and will be sentenced later this year. (Click here for background in the article “Trader Indicted for Exploiting Minimum Futures Pricing Convention to Hide Trading Losses and Causing Firm Collapse; CFTC Also Files Civil Charges” in the December 2, 2016 edition of Bridging the Week.) 
  • CFTC Proposes to Amend Rules to Track Previously Granted No-Action Registration Relief for CTAs and CPOs; Issues Cross-Border Swaps Reform White Paper: The Commodity Futures Trading Commission proposed rule amendments to codify existing staff advisories and no-action letters to authorize commodity pool operators to easier facilitate certain off-shore business, as well as registration relief for CPOs and commodity trading advisers who are or advise family offices or are advisers of business development companies. Separately, the National Futures Association issued guidance to CTAs and CPOs to assist them to more accurately report two financial ratios – the current asset/current liability ratio and total revenue/total expense ratio on quarterly filed NFA Forms PQR and PR. Among other things, NFA noted that both ratios must be calculated using the accrual method of accounting. Additionally, CFTC Chairman J. Christopher Giancarlo issued a white paper recommending a number of cross-border swaps reforms. Mr. Giancarlo recommended that the CFTC use its exemptive authority to authorize comparatively regulated non-US clearinghouses to provide clearing services to US customers indirectly through non-US clearing members and exempt comparably regulated non-US based trading venues from registration with the CFTC as swap execution facilities, among other reforms. (Click here for background on Mr. Giancarlo’s proposals in the article “CFTC Chairman Proposes to Reform Cross-Border Swaps Rules Guidance” in the September 9, 2018 edition of Bridging the Week.)
  • SEC Seeks More Views on Proposal for Security-Based Swap Dealers’ Capital, Margin and Segregation Requirements: The Securities and Exchange Commission reopened its comment period for amendments and new rules first proposed in October 2012 that address capital, margin and segregation requirements for certain security-based swap dealers and major security-based swap dealers, as well as net capital and liquidity requirements for broker-dealers who use an internal model for computing net capital. Comments will be accepted for 30 days following publication of the SEC’s proposals in the Federal Register.

For further information

CBOE Futures Exchange Amends and Reissues Guidance on ECRPs:

CFTC Proposes to Amend Rules to Track Previously Granted No-Action Registration Relief for CTAs and CPOs; Issues Cross-Border Swaps Reform White Paper:

CME Group Exchanges Sanction Three Traders for Wash Sales, One for Spoofing:

Interdealer Broker, CEO and Senior Manager Named in CFTC Enforcement Action for Communicating Fake Bids, Offers and Executions in FX Options Market; Board Chairman Settles Related Supervisory Charges:

International Financial Regulator Coordinator Says Crypto-Assets Currently Pose No Threat to Financial:

Options Trader Who Settled Related Criminal Charges Resolves CFTC Enforcement Action for Trading Futures Options to Disguise Trading Losses:

SEC Seeks More Views on Proposal for Security-Based Swap Dealers’ Capital, Margin and Segregation Requirements:

Self-Reporting and Cooperation of Non-US-Based Bank Acknowledged by CFTC in Agreeing to US $800,000 Fine for Spoofing by Traders:

UK Bank Fined GB £16.4 Million Related to Cyber-Attack Because of Employee Breakdowns:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Katten Muchin Rosenman LLP | Attorney Advertising

Written by:

Katten Muchin Rosenman LLP

Katten Muchin Rosenman LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.