On August 26, 2019, New York Governor Andrew Cuomo signed into law legislation extending the statute of limitations for claims brought under the Martin Act from three to six years. The statute reverses a New York Court of Appeals decision holding that Martin Act claims must be brought within three years.
Rule 21F–17: Guidance on Drafting Confidentiality and Non-Disclosure Agreements
Global Crisis Management Series: This post is part 9 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) goes further than other statutes in providing protection to whistleblowers. In addition to broadening prohibitions against retaliation, the Securities and Exchange Commission (“SEC”) promulgated Rule 21F-17 to ensure companies could not interfere with an individual’s efforts to raise concerns and communicate directly with the SEC.[1]
SEC Rule 21F–17(a) prohibits any person from “imped[ing] an individual from communicating directly with the [SEC] about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.”[2] Following a series of enforcement actions in 2015 and 2016, the Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert urging companies to evaluate whether their confidentiality and non-disclosure agreements, among other internal documentation, contained provisions that were inconsistent with Rule 21F–17.[3] Companies can implement a few simple best practices to ensure compliance with Rule 21F–17.
Five Building Blocks for Effective Internal Controls to Comply with U.S. Whistleblower Protections
Global Crisis Management Series: This post is part 8 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
U.S. whistleblower protections broadly provide public and private sector employees with protection from retaliation for reporting potential concerns about misconduct. Companies that are ill-prepared to handle complaints internally not only face potential lawsuits from whistleblowers, but also open themselves up to substantial regulatory scrutiny and perhaps enforcement actions.
July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors
In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook. Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Whistleblowers: Who Are They and Why Should You Care?
Global Crisis Management Series: This post is part 7 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
While legal protections for whistleblowers in the United States were first adopted in the late 1970s for federal employees, statutory protections enacted in the last 20 years have substantially increased protection beyond the federal workforce to certain private-sector employees. These protections create a number of potential issues for companies today, ranging from employee retaliation lawsuits to regulatory investigations.
This note provides a high-level description of the primary whistleblower legal protections in the United States today. Companies are well-advised to keep these protections in mind as they implement and enhance their compliance programs. The right policies and procedures—tailored to a company’s particular risk profile—can reduce the risk of whistleblower complaints and ensure that concerns are appropriately investigated internally and remediated as necessary to reduce costly and intrusive regulatory scrutiny.
New York Passes Expansive New Cybersecurity Law
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.
The Act makes five principal changes to existing New York law:
- Expanding the law’s jurisdiction to entities that maintain private information of New York residents, regardless of whether or not such entities actually conduct business within the State;
- Broadening the scope of “private information” triggering notification obligations in the event of a breach, including to biometric data;
- Expanding the definition of a “breach” to include unauthorized “access” to private information, in addition to unauthorized “acquisition” of such information;
- Increasing civil penalties for violations of notification obligations; and
- For the first time, affirmatively requiring covered businesses to develop, implement, and maintain “reasonable” data security safeguards, which include, among other things, conducting risk assessments and addressing identified risks.
The first four provisions go into effect on October 23, 2019, while the fifth provision requiring companies to adopt and maintain a cybersecurity compliance program becomes effective on March 21, 2020.
Dealing with an Investigation: Communication
Global Crisis Management Series: This post is part 6 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
The overall success of an investigation depends on the flow of communications between those overseeing an investigation, those conducting it and the company’s relevant stakeholders. As such, it is necessary to identify responsibilities and define the structure of communications at the outset of the investigation.
Disclosure and Notification Considerations When Managing a Crisis
Global Crisis Management Series: This post is part 5 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
Effectively dealing with a crisis often requires disclosure to government authorities, shareholders, and other stakeholders, even when many facts remain unknown. Companies must toe a delicate line when assessing when, to whom, and how much to disclose, especially in the absence of complete information.
SEC to Allow Settling Parties to Submit Simultaneous Settlement Offers and Applications for Waiver from Disqualifications
On July 3, SEC Chairman Jay Clayton issued a statement signaling a policy change in SEC settlements and the consideration of applications for waiver of collateral consequences flowing from those settlements, such as the loss of certain significant procedural advantages in (or even outright exemption from) the securities registration process.[1] In practice, this change could both streamline the process of settling enforcement actions with the SEC and provide additional certainty to settling entities, which, under the current regime, must decide whether to settle a matter before completing and knowing the outcome of negotiations over waivers.
Dealing with an Investigation: Data Collection and Management
Global Crisis Management Series: This post is part 4 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
Depending on the matter, data collection and management can be among the most daunting and logistically difficult tasks. Ensuring that the full relevant universe of data is being preserved and considered and that accurate recordkeeping is being performed is essential to managing large volumes of information and, in turn, facilitating fact-finding goals and risk assessment.