The Second Circuit has made it easier for federal prosecutors to bring insider-trading cases.  In United States v. Blaszczak, decided on December 30, 2019, the Court held that the personal-benefit test—a judge-made rule that the government must prove a tipper expected to receive some benefit in exchange for disclosing confidential information—does not apply to insider‑trading prosecutions brought under certain federal criminal fraud statutes.  The Blaszczak decision thus opens the door to insider-trading prosecutions where a “personal benefit” would be difficult or impossible to prove.  The decision contained another notable holding:  a government agency’s confidential regulatory information can constitute “property,” such that its misappropriation can be the basis for an insider-trading prosecution under the criminal fraud statutes.  This holding—which triggered a dissent by one of the panel members—could facilitate insider‑trading prosecutions involving so-called “political intelligence” consultants, like Blaszczak, who collect and analyze information concerning government agency activity that can be used in making securities trading decisions.


On January 7, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2020 Examination Priorities (“2020 Priorities”).  While at first blush the themes appear consistent with and predictable from their 2019 priorities, on closer read OCIE has provided some new insights and some unexpected focus areas.  The themes for the 2020 Priorities are:  retail investors, information security, financial technology (“Fintech”) and innovation (including digital assets and electronic investment advice), several areas covering registered investment advisers and investment companies, anti-money laundering, market infrastructure (clearing agencies, national securities exchanges, alternative trading systems, transfer agents), and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies.  OCIE also stressed the challenges it faced in light of last year’s government shutdown and resource constraints, as the Division of Enforcement did in its 2019 Annual Report (see our analysis here), and the challenges in examining non-U.S. advisers due to limits that foreign data protection and privacy laws may place on cross-border information transfers.  In this post, we analyze the highlights in and our takeaways from the 2020 Priorities.

In recent years, numerous senior executives have resigned or been terminated for engaging in undisclosed consensual relationships with subordinates. Such relationships are gaining particular attention in the wake of the heightened scrutiny around workplace behavior, because they raise concerns relating to, among other things, potential power imbalances and conflicts of interest in the workplace. Thus, it is increasingly important for companies to consider whether to institute policies governing close personal relationships, and what those policies might look like. We address a few key considerations to guide those decisions.


On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures.  As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network.  This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider.  The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.

On November 6, 2019, the SEC’s Division of Enforcement released its annual report (the “Report”) describing its enforcement actions from fiscal year 2019.[1]  Like prior reports, the Report quantifies the Division’s activities in a number of ways and discusses priority areas going forward.  The Report also brings front-and-center certain challenges the Division has faced – including difficulties navigating recent Supreme Court decisions that call into question the constitutionality of the SEC’s administrative proceedings and the agency’s ability to obtain disgorgement, as well as the impact of the government shut-down and general resource constraints.

On November 1, 2019, the Supreme Court granted certiorari in Liu v. SEC to decide whether the Securities and Exchange Commission can obtain disgorgement as an equitable remedy in federal court enforcement actions.

The certiorari grant in this case is unusual, because the circuit courts that have considered the issue have all agreed that the SEC can obtain disgorgement from a district court exercising its equitable authority.

Depending on how the Court rules, this case could have major consequences for the SEC’s enforcement program and even for the inherent equitable powers of Article III courts.


The final version of the California Consumer Privacy Act of 2018 is coming into view.

On October 10, California’s Attorney General released the long-anticipated draft regulations to implement the CCPA, and on October 12, the Governor signed into law five amendments to the CCPA passed during the 2019 legislative session.  (We previously discussed the CCPA here and the amendments here.)  While the Regulations are currently subject to public comment and may be further modified by the Attorney General in response to such comments, the shape of the law that will come into effect on January 1 seems largely in place.

Given the scope of the Regulations and some unanticipated new requirements they contain, this alert memorandum provides a guide for understanding the Regulations by (i) highlighting some welcome clarifications included in the Regulations; (ii) identifying unexpected new obligations they impose; (iii) describing inconsistencies between the Regulations and the CCPA; and (iv) discussing other provisions in the Regulations that implement the CCPA.


On October 3, 2019, the governments of the United Kingdom and United States signed the first-ever executive agreement governing cross-border data requests (the “Agreement”) pursuant to the US Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).[1]  As contemplated by the CLOUD Act, the Agreement provides a mechanism for the governments to access and share data stored abroad by electronic communications services providers (“CSP”) in their respective countries in a timely manner.  The Agreement will enter into effect following a 180-day Congressional review period required by the CLOUD Act and a similar review by the UK Parliament.

Global Crisis Management Series:  This post is part 15 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

Have the right policies in place

  • Ensure clear, readily accessible, and (where necessary) country-specific policies are in place indicating the permitted uses of company devices and other IT equipment, including messaging services. If you allow employees to use their own devices to perform work, make sure your policies adequately address issues of access in the context of investigations.
  • Draft and make accessible to employees a policy concerning the purposes for which, when, and by whom suspicious log data can be accessed, and implement and enforce policies on acceptable and unacceptable use of IT work facilities.
  • Evaluate policies regularly. Policies that allow monitoring of communications should be reviewed at least annually to assess whether they are the least intrusive means to achieve the stated purposes.
  • Stay informed on updates in the law surrounding monitoring, and note that these rules also apply to the monitoring of electronic communications in the workplace.


On September 18, 2019, the Securities and Exchange Commission (“SEC”) filed its first civil suit alleging violations of broker-dealer registration requirements in U.S. digital asset markets.  In a case filed in the U.S. District Court for the Central District of California, the SEC alleged that Defendants ICOBox and its founder, Nikolay Evdokimov, illegally conducted an unregistered public securities offering for their 2017 initial coin offering (“ICO”), and have operated an unregistered brokerage service facilitating the launch of ICOs in digital asset securities since 2017.