On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.

The Act makes five principal changes to existing New York law:

  1. Expanding the law’s jurisdiction to entities that maintain private information of New York residents, regardless of whether or not such entities actually conduct business within the State;
  2. Broadening the scope of “private information” triggering notification obligations in the event of a breach, including to biometric data;
  3. Expanding the definition of a “breach” to include unauthorized “access” to private information, in addition to unauthorized “acquisition” of such information;
  4. Increasing civil penalties for violations of notification obligations; and
  5. For the first time, affirmatively requiring covered businesses to develop, implement, and maintain “reasonable” data security safeguards, which include, among other things, conducting risk assessments and addressing identified risks.

The first four provisions go into effect on October 23, 2019, while the fifth provision requiring companies to adopt and maintain a cybersecurity compliance program becomes effective on March 21, 2020.


Global Crisis Management Series:  This post is part 6 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

The overall success of an investigation depends on the flow of communications between those overseeing an investigation, those conducting it and the company’s relevant stakeholders.  As such, it is necessary to identify responsibilities and define the structure of communications at the outset of the investigation.

Global Crisis Management Series:  This post is part 5 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

Effectively dealing with a crisis often requires disclosure to government authorities, shareholders, and other stakeholders, even when many facts remain unknown.  Companies must toe a delicate line when assessing when, to whom, and how much to disclose, especially in the absence of complete information.

On July 3, SEC Chairman Jay Clayton issued a statement signaling a policy change in SEC settlements and the consideration of applications for waiver of collateral consequences flowing from those settlements, such as the loss of certain significant procedural advantages in (or even outright exemption from) the securities registration process.[1]  In practice, this change could both streamline the process of settling enforcement actions with the SEC and provide additional certainty to settling entities, which, under the current regime, must decide whether to settle a matter before completing and knowing the outcome of negotiations over waivers.

Global Crisis Management Series:  This post is part 4 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

Depending on the matter, data collection and management can be among the most daunting and logistically difficult tasks. Ensuring that the full relevant universe of data is being preserved and considered and that accurate recordkeeping is being performed is essential to managing large volumes of information and, in turn, facilitating fact-finding goals and risk assessment.

Last month, Representative Jim Himes (D-Conn) and his co-sponsors, Representatives Carolyn B. Maloney (D-NY) and Denny Heck (D-WA), introduced H.R. 2534:  The Insider Trading Prohibition Act.  Unlike its substantially similar predecessor, H.R. 1625, which was introduced by Representative Himes on March 25, 2015, H.R. 2534 has gained some momentum in the U.S. House of Representatives, having been unanimously approved by the Financial Services Committee in May 2019.  Although the bill is only at the preliminary stage, if the proposal eventually proceeds further in the process of becoming law, it will represent a potentially significant shift in and clarification of U.S. insider trading laws.

Last month, Representative Maxine Waters, Chair of the House Financial Services Committee, introduced a discussion draft of the “Bad Actor Disqualification Act of 2019” (the “Proposed Act”).  Similar to proposed legislation Rep. Waters introduced in 2015 and 2017, the effect of the Proposed Act, if passed, would be to dramatically increase the burdens on institutions seeking waivers from disqualifications under the federal securities laws, including those for Well-Known Seasoned Issuers (“WKSI”), certain exemptions from registering securities offerings, and protection from fraud claims predicated on forward-looking statements.  Indeed—given that the Proposed Act would require that all waiver applications be open to public comment and hearing and vote by the Securities and Exchange Commission (“Commission” or “SEC”), and that the Commission be barred from considering the “direct costs” of a denial to the applicant, but rather only the interests of the public, investors, and market integrity—the effect may be to essentially eliminate waiver applications and grants in all but the most severe cases.  The Proposed Act targets “the largest financial institutions on Wall Street,” which, unsurprisingly given their business models, request and receive a disproportionate share of waivers.  However, by its terms the Proposed Act applies more broadly to all issuers and is not limited to financial institutions.


Global Crisis Management Series:  This post is part 3 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

The beginning stages of an investigation are often the most critical.  At the outset of any investigation, information is often limited and events are unfolding quickly.  As a result, it is important to develop a clear and adaptable plan that is appropriately scoped, identifies the right team and sets forth the steps that will be taken as part of the investigation.  Having a written plan in place is crucial to making sure that all relevant stakeholders are on the same page about what activities the investigation will include.  It also ensures that the investigation is managed effectively and is guided by a clear set of objectives.

On June 17, 2019, in a decision interpreting the Fifth Amendment’s Double Jeopardy Clause, the United States Supreme Court in Gamble v. United States upheld the doctrine of dual-sovereignty.[1]  In doing so, the Court confirmed that one sovereign may prosecute a defendant under its laws even if another sovereign has already prosecuted the defendant for the same conduct, notwithstanding the Fifth Amendment’s prohibition against multiple prosecutions for the “same offence.”[2]  While Gamble does not represent a shift in the law, the Court’s opinion has implications for companies facing parallel investigations by the Department of Justice (“DOJ”) and other prosecutors, whether state or foreign authorities.

Global Crisis Management Series:  This post is part 2 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

Choices made at the outset of a crisis can play a critical role in a company’s ability to maintain future privilege claims.  Recent cases highlight the risks of:

  1. Sharing privileged communications with third-party consultants;
  2. Conducting witness interviews through non-lawyers; and
  3. Discussing the crisis with a former employee.
