On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures. As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network. This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon a third-party service provider’s failure to maintain reasonable security measures. The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
Continue Reading Latest FTC Data Privacy Settlement May Signal More Direct Approach to Regulating Data Security

Have the right policies in place

– Ensure clear, readily accessible, and (where necessary) country-specific policies are in place indicating the permitted uses of company devices and other IT equipment, including messaging services. If you allow employees to use their own devices to perform work, make sure your policies adequately address issues of access in the context of investigations.
Continue Reading Be Prepared: How to Proactively Account for Data Privacy

Many investigations, particularly those that are cross-border in nature, are likely to present data privacy issues, and managing these issues is frequently a key consideration in an investigation. By keeping data privacy laws in mind as soon as an investigation starts, an organization will avoid the risk of failing to satisfy certain requirements and thereby exposing itself to the possibility of a fine or sanction from a regulator.
Continue Reading Incorporating Data Privacy Considerations Into Investigations

When a company receives a request for information from an investigating authority, one initial issue is whether to cooperate with the request or to assume an adversarial (or at least non-cooperative) position.  Even if the company ultimately decides to contest the authority’s characterization of the conduct, it is often in the company’s best interest to agree to cooperate with the investigation and the authority’s requests (to the extent they are reasonable and lawful).  In this vein, there are three important ways to establish and maintain a cooperative posture with an investigating authority, while also protecting the company’s interests in the process.
Continue Reading Best Practices for Negotiating the Scope of an Investigative Request

One critical issue to consider in responding to an investigative request is whether by producing the requested data, the company will be waiving a privilege or violating legal confidentiality obligations, including data privacy restrictions.
Continue Reading Before You Press Send: Protecting Privilege and Complying With Limitations on Data Dissemination When Responding to an Investigative Request

In an increasingly global, regulated, and litigious environment, companies face unanticipated and potentially destabilizing events that often play out in the public eye. Frequently, the issues organizations face during large-scale, often public, crises require not only legal skills but also communications skills. Below we discuss three key steps in the process for handling the public relations aspects of any crisis: (1) assembling a crisis-response team, (2) deciding whether or not to make a public statement, and (3) crafting the public message.
Continue Reading Public Relations Considerations When Managing a Crisis

On August 26, 2019, New York Governor Andrew Cuomo signed into law legislation extending the statute of limitations for claims brought under the Martin Act from three to six years. The statute reverses a New York Court of Appeals decision holding that Martin Act claims must be brought within three years.
Continue Reading New York State Extends the Statute of Limitations for Claims Brought Under Martin Act to Six Years

The Dodd-Frank Wall Street Reform and Consumer Protection Act goes further than other statutes in providing protection to whistleblowers.  In addition to broadening prohibitions against retaliation, the Securities and Exchange Commission promulgated Rule 21F-17 to ensure companies could not interfere with an individual’s efforts to raise concerns and communicate directly with the SEC.
Continue Reading Rule 21F-17: Guidance on Drafting Confidentiality and Non-Disclosure Agreements

U.S. whistleblower protections broadly provide public and private sector employees with protection from retaliation for reporting potential concerns about misconduct. Companies that are ill-prepared to handle complaints internally not only face potential lawsuits from whistleblowers, but also open themselves up to substantial regulatory scrutiny and perhaps enforcement actions.
Continue Reading Five Building Blocks for Effective Internal Controls to Comply with U.S. Whistleblower Protections

While legal protections for whistleblowers in the United States were first adopted in the late 1970s for federal employees, statutory protections enacted in the last 20 years have substantially increased protection beyond the federal workforce to certain private-sector employees.  These protections create a number of potential issues for companies today, ranging from employee retaliation lawsuits to regulatory investigations. 
Continue Reading Whistleblowers: Who Are They and Why Should You Care?