Emerging Trends Newsletter - Q3

Stinson Leonard Street

We are thrilled to bring you the third installment of Stinson Leonard Street's Emerging Trends newsletter. We are proud of the depth and breadth of experience and knowledge across our firm's 13 offices nationwide and are excited to share this through the Emerging Trends newsletter.

Attorneys from several different practice areas and from across our firm's geographic footprint will regularly share their insights in to the latest legal developments in various industries and the impact these will have on our clients' businesses.

We hope you enjoy the newest installment and be sure to be on the lookout for upcoming issues.


Who's at Fault When No One's at the Wheel?

Joy Syrcle – Business Litigation

From Google’s Self-Driving Car Project to Uber’s pilot testing of self-driving cars set to launch this fall in Pittsburg, autonomous vehicles are quickly becoming part of our daily reality. While in time this technology may dramatically reduce traffic accidents by eliminating human error and problems caused by distracted or impaired driving, car crashes will still happen. Who is liable for an injury suffered as a result of a crash involving a self-driving vehicle? Can an individual in an autonomous vehicle be negligent for not assuming control of the vehicle to prevent an accident? Does a company such as Uber assume greater liability through use of automated vehicles in its business? This is largely uncharted territory. This past September, in the first lawsuit of its kind, the family of a man who died in a crash involving Tesla’s Autopilot technology filed suit in China. Tesla may also soon be facing litigation in the U.S. in relation to Florida resident Joshua Brown who died in May while using the autopilot function of the manufacturer’s Model S.

There are a few cases arising from analogous technology that could provide insight on how courts might handle claims involving autonomous vehicle technology. For example, most cases involving injuries caused in the use of industrial robots were attributed to employee’s failures to take safety precautions. Similarly, in one case involving a crash while an airplane was controlled by autopilot, the court faulted the pilot’s failure to retake control of the plane. Conversely, plaintiffs have been successful in claims against vehicle manufacturers, alleging the cruise control function in vehicles caused the vehicle to unexpectedly accelerate or fail to brake.

Laws of individual states may also contain provisions relevant in allocating civil liability. Nine states have passed legislation related to the testing and use of autonomous vehicles. Florida, for example, specifies that an individual causing the autonomous vehicle to engage is the “operator,” and this statutory provision could be used in a civil suit to argue the driver maintains some obligation in the handling of the vehicle. Washington D.C. expressly requires that a human driver be “prepared to take control of the autonomous vehicle at any moment.” Nevada law, on the other hand, provides that an individual utilizing a self-driving vehicle is exempted from statutory prohibitions against texting while diving, specifying that these persons are not deemed to be operating the vehicle for the purpose of that prohibition.

Further complicating this analysis are aftermarket products that convert standard vehicles into autonomous or semi-autonomous vehicles. Michigan, Nevada, and Washington D.C. have each enacted laws to limit liability of an original manufacturer of a converted vehicle. While these limitations are narrow, they are examples of statutory protections for manufacturers. Companies should consider whether other situations exist that may be appropriate for similar legislative protections at either the state or federal level.

Manufacturers could also attempt to reduce liability through extensive disclosure statements and by requiring purchasers to sign acknowledgement or waiver forms. This protection, however, would likely extend only to the purchaser of the vehicle and not to any other person suffering damage in a crash.

The full extent to which liability for crashes involving autonomous vehicles will be shifted from vehicle owners/operators remains to be seen, and manufacturers and businesses utilizing self-driving vehicle technology should be prepared to defend against litigation that will most certainly ensue.


Proposition 65 Amendments: Products Sold in California Have New Warning Requirements

Benjamin Woodard – Business Litigation and Michelle Corrigan – Business and Commercial Litigation

In 1986, California voters passed the Safe Drinking Water and Toxic Enforcement Act, otherwise known as Proposition 65. It requires the California Office of Environmental Health Hazard Assessment (OEHHA) to publish a list of chemicals known to cause cancer, birth defects, or other reproductive harm. The current list includes over 800 chemicals. Proposition 65 further requires companies to provide a “clear and reasonable” warning before knowingly and intentionally exposing anyone in California to a listed chemical.

A great deal of controversy developed over the years as to what constitutes a “clear and reasonable” warning. Although Proposition 65 contains a safe harbor provision wherein a manufacturer or distributor may protect itself by placing warnings on its products, historically, the regulations dealing with the safe harbor provision have been difficult to understand and apply to specific situations.

Timeline of Proposition 65 Proposed Amendments

Three years ago, California’s Governor Jerry Brown announced his proposal to reform Proposition 65. In response, OEHHA issued a notice to repeal and replace the requirements under Proposition 65 for a “clear and reasonable” warning. However, OEHHA’s January 2015 proposal arguably made compliance even more burdensome. For instance, the January 2015 proposal considerably changed the warnings requirements specified in Proposition 65, including the establishment of a proposed requirement that warning labels identify each specific chemical in any product sold in California, among a list of 12 chemicals (the “dirty dozen”), identified by OEHHA as commonly found in consumer products. Chemicals listed among the “dirty dozen” included lead, phthalates, chlorinated Tris, benzene, and mercury.

In November 2015, due in part to considerable opposition, OEHHA formally withdrew its January 2015 proposal and released new draft amendments to Proposition 65. Significantly, the November 2015 proposal for Proposition 65 eliminated the “dirty dozen” provision and made several other clarifications. Modifications to the November 2015 proposals were issued in March 2016.

The New Amendments

In August 2016, the November and March proposals modifying Proposition 65’s safe harbor warning label requirements were adopted. Below is a list of the new requirements for product warnings under Proposition 65 as amended:

  • Warnings on nonfood products must contain a symbol with a black exclamation point in a yellow equilateral triangle with a black outline (“the symbol”):
  • The warning should also contain the word “WARNING” in all capital letters and bold type (“the warning identification”);  
  • Warnings must state that the product “can expose” a user to chemicals known to the state of California to cause cancer, birth defects, and/or other reproductive harm. The prior version of Proposition 65 only required a statement that the product “contained” a chemical.
  • Warnings must identify one or more chemicals for each potential health effect (i.e., cancer, birth defects, reproductive harm).
  • Warnings must include a link to a new Proposition 65 website that will be operated by OEHHA.
  • Warnings on product labels can be shortened to only include the symbol and warning identification discussed above, a statement that the product can expose the user to one or more chemicals that can cause cancer, birth defects, and/or reproductive harm (it does not need to list the specific chemicals), and a link to the new OEHHA website.
  • Warnings must be presented in additional languages under certain circumstances.
  • Product-specific warnings may be provided via electronic device/process that automatically provides the warning to the purchaser prior to or during the purchase of the product.
  • For internet sales, warnings must be provided on the product display page, or a clearly marked hyperlink using the warning identification discussed above.

The new provisions will not take effect until August 30, 2018. Before that date, product manufacturers and distributors may continue to use the current safe harbor warning language of Proposition 65, or warning language approved by California courts as “clear and reasonable.”


Recent Delaware Case Law Clarifies Irrebuttable Business Judgment Rule

Drew Kuettel – Corporate Finance

A recent Delaware case provides useful guidance that corporations (and their counsel) can use to fend off challenges to breach of fiduciary duty claims in certain M&A transactions. The takeaway from this case - a disinterested, uncoerced, fully informed stockholder vote can “cleanse” a transaction otherwise subject to the “entire fairness” standard of review, absent a conflicted controlling stockholder. The import of this point of law is that it provides a clear description of how to structure M&A decision-making processes in order to dispose, at an early stage, shareholder claims of breaches of fiduciary duties.

In Larkin v. Shah, C.A. No. 10918-VCS (Del. Ch. August 25, 2016), former shareholders of Auspex Pharmaceuticals, Inc. (Auspex) sued Auspex’s board of directors for breach of fiduciary duties in connection with the sale of the business to Teva Pharmaceutical Industries Ltd. (Teva) for roughly $3.2 billion in cash in a two-step, short form merger. Under this structure, Teva first acquired a majority of the outstanding voting equity by publicly offering to buy shares of Auspex’s stock directly from its shareholders (the Tender Offer). Auspex would then be merged into a Teva subsidiary (without a shareholder vote) pursuant to Section 251(h) of the Delaware General Corporate Law (DGCL). This structure, known as a “two-step” merger, streamlined the acquisition because it eliminated the time and expenses associated with conducting a shareholder vote since, through the Tender Offer, Teva acquired a majority of the voting power, thus rending the results of a shareholder vote a foregone conclusion.

The plaintiffs alleged that the board of directors (many of whom were affiliated with certain venture capital firm stockholders of Auspex) engaged in a flawed sales process that failed to yield the best value for the company’s public stockholders. According to the plaintiffs, in order to meet personal liquidity needs, the venture capital stockholders controlled and caused the board to accept the first all-cash transaction they could find, at the cost of considering other offers with cash and stock components and to the detriment of Auspex’s other stockholders. Alternatively, the plaintiffs argued that the directors approved the transaction under a conflict of interest. In either scenario, the “entire fairness” standard (the highest level of judicial scrutiny applicable to board actions) would apply.

Vice Chancellor Joseph Slights III, writing for the Delaware Court of Chancery, disagreed with the assertion that entire fairness applied to the transaction due to the presence of an uncoerced, fully informed, disinterested shareholder vote in favor of the transaction, without a conflicted controller, that “cleansed” the transaction such that the business judgment standard of review (the least exacting level of scrutiny) inarguably - applied. If the business judgment rule inarguably applies to the transaction, the board action may only be overturned by judicial intervention based on a claim of corporate waste–i.e., that the decision “cannot be ‘attributed to any rational business purpose’”–a very high standard for plaintiffs to meet. Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 361 (Del. 1993).

First, the fact that 78% of the Auspex shareholders decided to sell their shares pursuant to the Tender Offer satisfied the uncoerced, fully informed, disinterested stockholder voting requirement. A few months prior to Larkin, the Court of Chancery held that the tender offer portion of a “two-step” merger under DGCL § 251(h) has the same cleansing effect as an uncoerced, fully informed, disinterested shareholder vote in favor of the transaction, notwithstanding the fact that a tender offer is statutorily required or that the transaction would otherwise be subject to heightened Revlon scrutiny. In re Volcano Corporation Stockholder Litigation, C.A. No. 10485-VCMR (Del. Ch. June 30, 2016) (a stockholder is no less exercising her “free and informed chance to decide on the economic merits of a transaction” simply by virtue of accepting a tender offer rather than casting a vote).

Second, there was no conflicted controller present. Although a stockholder (or block of affiliated stockholders) owning less than a majority of the outstanding shares may be deemed a “controller,” such a holder must wield “such formidable voting and managerial power that, as a practical matter, [it is] no differently situated than if [it] has majority voting control” and that it “triggers the . . . concern that independent directors’ free exercise of judgment has been compromised.” Larkin, C.A. No. 10918-VCS at 34. In Larkin, the venture capital stockholders collectively held 23.1% of Auspex’s stock, and the plaintiffs’ complaint failed to state any well-pled allegations that would permit a reasonable inference that any such controller or control block could “exercise actual control over [Auspex’s] board.” Id. at 36.

Larkin provides a clear roadmap for corporations to follow when structuring a M&A decision-making process, particularly when the target is a publically-traded entity.


"Gotta Catch 'Em All!"™ – Pokemon™ Go Gives Rise to New Class Action Suits

Katie Bechina – Business Litigation

The latest smartphone sensation, Pokémon Go, has led to a new series of class action lawsuits concerning private property rights. Pokémon Go, released in July by creator Niantic, is a GPS-based game that allows players to “catch” virtual creatures known as “Pokémon.” Participants explore their towns and neighborhoods looking for over 150 kinds of Pokémon and items at depots called “Pokéstops.” The app even allows competitors to battle other players’ Pokémon at locations called “Gyms.”

Niantic has programmed the app to spawn virtual Pokémon, Pokéstops, and Gyms at countless locations around the world. The app blends reality and virtual reality, using a smartphone’s camera to show the “real world” on the phone screen and to populate virtual creatures, depots, and battle arenas. However, the app fails to distinguish between public and private property, meaning a personal residence could be the home to a popular Gym, a Pokéstop, or a rare Pokémon.

Days after the app debuted, some homeowners began to notice people of all ages lingering on their property, trying to be the first one to “catch ‘em all.” They watched helplessly as players peered through their windows and trekked across their lawns to catch Pokémon, battle other players at Gyms, or collect items from Pokéstops.

In response to these Pokémon “trainers” invading their property, homeowners in North America have filed lawsuits to enforce their property and privacy rights. For example, in July 2016, a New Jersey man filed a proposed class action suit in California federal court against Niantic, The Pokémon Company (the marketer and licensing agent of the Pokémon brand), and Nintendo Company (32% owner of The Pokémon Company). Marder v. Niantic, Inc. et al., Case No. 4:16-cv-04300 (N.D. Cal. July 29, 2016).

This suit alleges a claim for nuisance against Niantic. By placing Pokéstops and Gyms on or near private property without the permission of owners, the complaint argues that the game and Pokémon “trainers” are invading the use and enjoyment of their property. The plaintiff also alleges a claim for unjust enrichment against all three defendants, explaining that the private property of the proposed class has contributed to the game’s prosperity and popularity.

As the game becomes more prevalent and the number of players grows, more disputes have arisen. For instance, a Michigan couple filed a proposed class action suit in California federal court in July, and members of a Florida condo association did the same in late August. Dodich v. Niantic, Inc. et al., Case No. 3:16-cv-04556 (N.D. Cal. Aug. 10, 2016); The Villas of Positano Condominium Ass’n v. Niantic, Inc. et al., Case No. 3:16-cv-05091 (N.D. Cal. Sept. 2, 2016). Another proposed class action case was even filed in Alberta, Canada. Schaeffer v. Niantic, Inc. et al., Case No. 1601-01491 (Court of Queen’s Bench of Alberta Aug. 10, 2016). Each suit contains allegations similar to the New Jersey case; they claim that Niantic has created a nuisance by placing Pokéstops and Gyms on or near private property and that the defendants are wrongfully profiting from the success that using the private property has created.

Each case is still in the early stages of litigation, making outcomes difficult to predict. Still, they show that as technology advances and further permeates society, the law continues to evolve. Companies with similar technology should consult with counsel to evaluate their legal risks.


Increased Focus on Enforcement of Whistleblower Rules by Federal Regulators

Stephen Quinlivan – Corporate Finance and Bryan Pitko – Corporate Finance

Enforcement of whistleblower rules continues to be a key focal point for federal regulators based on recent actions taken by the SEC, CFTC, and OSHA in this area.

Recent SEC settlements of enforcement cases involving the whistleblower provisions under the Dodd Frank Act have put companies and their counsels on notice that restrictions on employee communications with outside parties in severance and confidentiality agreements may be viewed by regulators as impeding an individual’s ability to communicate with regulators about possible securities law violations in breach of whistleblower rules.

One such case, settled August 10th, involved the addition of a monetary recovery prohibition to certain severance agreements (entered into nearly two years after the adoption of the whistleblower rules) that was alleged to have violated the SEC’s prohibition on any impediments to communications with the SEC about securities law violations. The SEC appears to have been particularly concerned with restrictive language that forced employees leaving the company to waive possible whistleblower awards or risk losing their severance payments and other post-employment benefits.

The terms of settlement in these cases are driving companies to mitigate any risk of such violations, including the addition of language in future confidentiality and severance agreements to explicitly provide an employee with the right to communicate with the SEC (and other federal agencies) about potential securities law violations without company approval. Likewise, for further prophylactic effect, companies may consider broad communications highlighting that any existing agreements with former employees do not restrict such former employees’ ability to provide information to the SEC or accept SEC whistleblower awards.

The rules are broadly applicable to any employer subject to SEC jurisdiction. That includes public companies, broker-dealers, investment advisers, and advisers in municipal securities transactions. The rules may also apply to private equity portfolio companies and any other entity that has sold or is selling securities in private placements, issuing securities in private merger transactions, or redeeming securities from shareholders.

Meanwhile, proposed regulations at the CFTC suggest that the SEC’s regulatory cousin is moving to expand its ability to administer rules designed to protect the rights of whistleblowers consistent with the SEC’s authority in this area. As part of a continuing effort to harmonize the SEC’s and the CFTC’s whistleblower programs, the CFTC has recently proposed amendments to its whistleblower rules that reinforce its anti-retaliation authority under the Commodity Exchange Act. The proposed amendments would prohibit the enforcement of confidentiality and pre-dispute arbitration clauses in agreements impacting actions by potential whistleblowers and prohibit employers from threatening, harassing, or retaliating against individuals who participate in the CFTC’s whistleblower program.

The Occupational Safety and Health Administration (OSHA) has similarly moved to align itself with the SEC and CFTC with its recent issuance of guidance regarding settlement agreements with whistleblowers under Section 806 of the Sarbanes-Oxley Act. As in the SEC’s recent settlements and the CFTC’s proposed rules, OSHA’s guidance acts to prohibit “gag” provisions often found in confidentiality or non-disparagement clauses that “prohibits, restricts, or otherwise discourages a complainant from participating in protected activity,” which includes “filing a complaint with a government agency, participating in an investigation, testifying in proceedings, or otherwise providing information to the government.”


Circuits Further Split Regarding Statute of Limitations for Disgorgement in SEC Enforcement Actions

Jessica Pixler – Business Litigation

The Securities and Exchange Commission (SEC) typically has five years from the date a claim accrues to bring “an action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise” pursuant to 28 U.S.C. § 2462. This has led courts to different conclusions as to whether this statute of limitations applies to equitable or quasi-equitable remedies, including the remedy of disgorgement. In the summer of 2016, the Eleventh Circuit held that Section 2462 applies to disgorgement, but the Tenth Circuit shortly thereafter reached the opposite conclusion.

The Eleventh Circuit decided Securities and Exchange Commission v. Graham on May 26, 2016, in which the SEC appealed a district court ruling that Section 2462 applied to its request for disgorgement, among other remedies. 823 F.3d 1357 (11th Cir. 2016). The district court found that disgorgement would require the defendants to relinquish money and property and was thus the same as forfeiture, to which Section 2462 expressly applies. The Eleventh Circuit agreed, looking to the ordinary meanings of “disgorgement” and “forfeiture” and concluded that “for the purposes of § 2462 the remedy of disgorgement is a ‘forfeiture,’ and § 2462’s statute of limitation applies.” Id. at 1363. It declined to find that “technical” differences between the two terms were meaningful. Id. at 1363-64. Therefore, the Court found that Section 2462 barred the SEC’s request for disgorgement.

Less than three months later, the Tenth Circuit came to the opposite conclusion in Securities and Exchange Commission v. Kokesh, 20016 WL 443785, No. 15-2087 (10th Cir. August 23, 2016). In prior cases, the Tenth Circuit found disgorgement was remedial, not punitive. Id. at *4 (citing United States v. Telluride Co., 146 F.3d 1241, 1247 (10th Cir. 1998)). Under the Tenth Circuit’s approach, disgorgement does not punish a defendant; it merely puts the defendant in the same position he would have been in had he not engaged in the wrongful acts. Id. at *4. Even when the defendant was required to disgorge more than he personally gained or benefitted from the wrongdoing, disgorgement was nonetheless not punitive. Id. at 4-5. The Court compared an SEC enforcement action to a personal injury claim wherein courts do not consider it punitive to require the defendant to pay for all damages caused, even where the defendant has not personally gained. Id. at *5. The Tenth Circuit explained that forfeiture, as listed in Section 2462, must be viewed historically to mean a taking of “tangible property used in criminal activity.” Id. at *5. The non-punitive remedy of disgorgement does not fit within this type of forfeiture, and therefore Section 2462 does not apply.

The effect of Graham and Kokesh remains to be seen, but it seems likely that until the Supreme Court resolves the issue, the remaining circuits will have to choose sides. Prior to Graham, the D.C. Circuit weighed in on the issue, most recently finding that disgorgement orders are not penalties and therefore are not subject to the five-year statute of limitations in Section 2462. See Riordan v. Securities and Exchange Commission, 627 F.3d 1230 (D.C. Cir. 2010). In circuits that adopt the view of the Tenth and D.C. Circuits, the SEC is permitted to seek disgorgement of funds associated with wrongdoing that occurred more than five years prior to the accrual of the claim, which could significantly increase a defendant’s exposure. In comparison, the application of the statute of limitations in the Eleventh Circuit provides defendants facing disgorgement with more predictable and limited exposure. Until the Supreme Court resolves this split, defendants in undecided circuits must grapple with the risk of the additional exposure that would come with their circuit’s adoption of the Tenth and D.C. Circuit’s approach.


The New York State Department of Financial Services Proposes Robust Cybersecurity Rules

Zane Gilmer – Financial Services and Class Action Litigation

On September 13, 2016, the New York State Department of Financial Services (DFS) proposed new rules that would require certain “Covered Entities” to establish and implement cybersecurity programs designed to protect nonpublic consumer information (Nonpublic Information) and technology systems from cyber-attacks (Proposed Rules). Below are some of the highlights of the Proposed Rules:

Covered Entities

The Proposed Rules would apply to any person or entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.”

The Proposed Rules would not apply to a Covered Entity with (i) fewer than 1,000 customers in each of the last three calendar years; (ii) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and (iii) less than $10,000,000 in year-end total assets.

Effective Date

The Proposed Rules are subject to a 45-day notice and public comment period and, if approved, would be effective beginning January 1, 2017 (Effective Date). Covered Entities would then have 180 days from the Effective Date to comply.

Cybersecurity Program

Covered Entities must establish a cybersecurity program designed to perform the following “core cybersecurity functions”:

  • Identify internal and external cyber risks by identifying Nonpublic Information stored on the Covered Entity’s systems and how that information can be accessed
  • Use defensive infrastructure and the implementation of policies and procedures to protect Nonpublic Information and the Covered Entity’s systems
  • Detect certain “Cybersecurity Events”
  • Respond to identified or detected Cybersecurity Events
  • Recover from Cybersecurity Events
  • Fulfill regulatory reporting obligations

Cybersecurity Policy

Covered Entities must implement and maintain a written cybersecurity policy addressing the following areas:

  • Information security
  • Data governance and classification
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Capacity and performance planning
  • Systems operations and availability concerns
  • Systems and network security and monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party service provider management
  • Risk assessment
  • Incident response

The cybersecurity policy must be reviewed by the Covered Entity’s board of directors, or equivalent governing body, and approved by a senior officer of the Covered Entity.

Appointment of Chief Information Officer and Other Cybersecurity Personnel

A Covered Entity must appoint a qualified individual to serve as the entity’s chief information security officer, who will be responsible for overseeing and implementing the entity’s cybersecurity program. In addition, each Covered Entity must employ cybersecurity personnel to manage the entity’s cybersecurity risks.

Penetration Testing and Vulnerability Assessments

A Covered Entity’s cybersecurity program must include annual penetration testing and quarterly vulnerability assessments.

Audit Trail System

Cybersecurity programs must include implementing and maintaining audit trail systems that track, maintain, and log certain data, including financial transactions necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.

Limiting Access Privileges and Multi-Factor Authentication

A Covered Entity’s cybersecurity program must limit access privileges to the entity’s systems that provide access to Nonpublic Information solely to those individuals who require such access. In addition, each Covered Entity must require multi-factor authentication for accessing internal systems, plus privileged access to database servers that provide access to Nonpublic Information, and for individuals accessing web applications that contain Nonpublic Information.

Annual Risk Assessments

Each Covered Entity is required to conduct an annual risk assessment of its information systems.

Third-Party Vendors

Each Covered Entity is required to implement written policies and procedures that are designed to ensure the security of Nonpublic Information and the Covered Entity’s information systems that are accessible to or maintained by third parties that do business with the Covered Entity.

Limitations on Data Retention and Encryption of Nonpublic Information

Each Covered Entity is required to implement policies that require the destruction of Nonpublic Information that is no longer necessary.

Employee Training and Monitoring

Each Covered Entity must implement policies, procedures, and controls that are designed to monitor user activity and detected unauthorized use. In addition, each Covered Entity must require that all personnel attend regular cybersecurity awareness training sessions.

Incident Response Plan

Each Covered Entity must implement a written incident response plan that is designed to respond immediately to a Cybersecurity Event. The plan must address at least the following areas:

  • The internal processes for responding to a Cybersecurity Event
  • The goals of the incident response plan
  • The definition of roles, responsibilities, and decision-making authority
  • External and internal communications and information sharing
  • Remediation of any weaknesses in information systems and other controls
  • Documentation and reporting concerning Cybersecurity Events and response activities
  • The evaluation and revision of the incident response plan following a Cybersecurity Event

Notices of Cybersecurity Event to DFS Superintendent

Each Covered Entity is required to notify the DFS superintendent of any Cybersecurity Event “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” The notice must be provided no later than 72 hours after the Covered Entity becomes aware of the incident.

Conclusion and Insight

While many institutions have already taken significant strides to address cybersecurity threats, if the Proposed Rules are enacted, Covered Entities will be required to go beyond what many institutions have already done. As such, Covered Entities should begin evaluating their cybersecurity programs and preparing for possible changes based on the Proposed Rules. Further, even non-Covered Entities should pay attention to the outcome of these proposals as they will likely serve as a template for other states and regulators to propose similar requirements.


Is Your Company's Website at Risk for ADA Non-Compliance?

Angie Fletcher – Banking and Financial Services and Samir Mehta – Intellectual Property and Technology

Recently, businesses across the country have become targets of innovative demands letters and lawsuits arising under the Americans with Disabilities Act (ADA). Disabled plaintiffs are working with law firms and advocacy organizations across the country, alleging that the businesses’ websites fail to provide access to people with certain disabilities. These demands and lawsuits are aggressively testing the limits of how the ADA applies to websites. Any businesses with a commercial website should take notice and prepare accordingly.

The ADA became law in 1990, and it aimed to prohibit discrimination against individuals with disabilities. Title III of the ADA prohibits discrimination on the basis of disability in “places of public accommodation.” Initially, the term “places of public accommodation” was applied to stores, restaurants, movie theaters, schools, and other commercial businesses that were open to the general public. Neither Title III nor any other part of the ADA specifically discusses “website accessibility” for the disabled. However, as the Internet has risen in importance in our lives, many advocates, plaintiffs, and courts now argue that websites should qualify as “places of public accommodation.”

The recent demands and lawsuits essentially argue that websites must be designed to allow for “access” by people with certain disabilities who may have difficulty viewing, hearing, or interacting with some Internet content. People with disabilities who have the most significant concerns and tend to be the plaintiffs in the lawsuits include those with blindness, low vision, deafness, hearing loss, learning disabilities, cognitive limitations, limited movement, speech disabilities, photosensitivity, and epilepsy.

Due to this influx of litigation, courts have varied in their application of the ADA to company websites, but many have held that the ADA does cover websites. For example, in March of 2016, a California state court ordered a Colorado-based company to make its website accessible to persons with visual impairment based on a Title III ADA lawsuit. Further, the California court ordered the company to pay $4,000 in damages and over $100,000 in legal fees.1

It is also notable that the U.S. Department of Justice (DOJ) has issued guidance and proposed amendments to the ADA that would more clearly require websites to be ADA compliant. In addition to the risk of litigation, entities that are charged with Title III violations can face civil penalties from the government, which may reach a maximum of $75,000 for a first violation and $150,000 for repeated violations. Given the DOJ’s increased interest in website compliance, there is reason to believe that DOJ enforcement actions related to websites may increase in the coming years.

How can businesses avoid exposure to litigation and government enforcement? Fortunately, there are tools and systems for making websites and Internet content accessible to persons with disabilities. While the DOJ has not issued binding rules or regulations on ADA compliance for websites (those are expected sometime in 2018), the DOJ and plaintiffs have consistently suggested that websites can be made ADA compliant by following the Web Content Accessibility Guidelines (WCAG-2.0). The WCAG-2.0 defines how to make web content more accessible to a wide range of people with disabilities, including ones with visual, auditory, physical, speech, cognitive, language, learning and neurological disabilities. Some of the WCAG 2.0 Guidelines include offering users text alternatives (increasing font, braille, speech, symbols, or simpler language), prerecorded audio-only or video-only content, and color distinctions by separating the foreground from the background. A complete list of the WCAG-2.0 Guidelines can be found here. In addition to applying WCAG-2.0, we recommend that businesses review the terms of a settlement agreement between businesses and the DOJ related to website accessibility. These public settlement agreements give insight into how the DOJ interprets the ADA. Finally, we recommend that our clients review their websites for accessibility to disabled users, and engage a third-party vendor who can assist with website redesign to prevent potential violations.




  1. "Retailer Must Make Website Accessible to Visually Impaired and Pay Plaintiff Legal Fees, Judge Rules," ABA Journal, March 2016

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson LLP | Attorney Advertising

Written by:

Stinson LLP

Stinson LLP on:

Readers' Choice 2017
Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.