In this midyear update, we cover a number of significant corporate governance developments that have taken place over the first half of the year and since our Corporate Governance 2023 Year-End Review.
We note first the Supreme Court's landmark decision in Loper Bright, setting aside the Chevron doctrine, under which a court would defer to an agency's interpretation of a relevant statute where the statute was silent or ambiguous.1 Loper Bright will give impetus to increased challenges to agency authority and may require boards to reassess the regulatory environment for their businesses going forward. We also note the Federal Trade Commission's (FTC) new final rule that bars most employers from using non-compete clauses and recent challenges to it.
We then turn to governance developments in Securities Regulation and Delaware Corporate Law upon which we have reported or where there are important updates, environmental, social and governance (ESG) related litigation and regulatory issues, data privacy and cybersecurity matters, and artificial intelligence (AI) questions.
Loper Bright: The End of Chevron Deference in Regulatory Matters
On June 28, the Supreme Court overturned the Chevron doctrine in a pair of consolidated cases known under the lead case, Loper Bright.2 In Loper Bright, several family fishery businesses challenged regulations issued by the National Marine Fisheries Service. The regulations, which implemented the Magnuson-Stevens Fishery Conservation and Management Act (MSA), required fishing vessel owners to pay for observers to monitor their compliance with federal fisheries law. The MSA itself is silent as to whether vessel owners must pay for these observers. The D.C. Circuit deferred to the agency's interpretation of the statute under the Chevron doctrine and upheld the regulations.
- The Supreme Court framed the issue presented as whether Chevron "should be overruled or clarified." A six-justice majority led by Chief Justice John Roberts overruled Chevron because the Administrative Procedure Act (APA) requires courts to "exercise their independent judgment" when interpreting statutes. Therefore, the court itself must determine the "best reading" of the statute and cannot defer to the agency's interpretation.
- The majority reasoned that it is the province of the courts "to say what the law is" and that agencies do not have special competence in statutory interpretation. However, the opinion recognized that courts should respect agency interpretations of statutes, especially when they are issued nearly contemporaneously with the statute at issue and remain consistent over time. The Court also noted that cases decided under Chevron are still good law entitled to statutory stare decisis.
- Three justices dissented in an opinion written by Justice Elena Kagan. The dissent argued that Chevron deference reflected Congress' acknowledgment that it cannot write perfectly complete statutes. Congress therefore intended for agencies to resolve any ambiguities, largely because agencies have technical subject matter expertise that courts lack.
Three days after deciding Loper Bright, the same 6 – 3 Supreme Court majority, this time speaking through Justice Amy Coney Barrett, dealt another blow to the modern administrative state in Corner Post, Inc. v. Board of Governors of the Federal Reserve System, No. 22-1008. The majority held that the six-year period allowed by statute to challenge a final agency action such as a rule begins to run not when the rule is promulgated (or agency action otherwise becomes final), but instead when the particular plaintiff bringing the challenge is injured. Justice Ketanji Brown Jackson's dissent described the holding as having "far-reaching results [that are staggering." It remains to be seen how many plaintiffs will now challenge rules previously thought to have been past the time to bring a challenge, but Corner Post and Loper Bright together herald a new era for more aggressive challenges to agency action.
FTC's Rule Banning Non-Competes Subject to Immediate Challenges
On May 7, the FTC published its final Non-Compete Clause Rule, which generally bans the use of non-compete clauses with workers as an unfair method of competition. As of the rule's effective date, currently scheduled to be Sept. 4, employers will not be able to enter into new non-competes with workers. Moreover, existing non-compete arrangements will be invalidated, other than those with "senior executives," narrowly defined to include only executives who receive annual compensation in excess of $151,164 and are in "policy-making positions," including chief executive officers, presidents and others who have policy-making authority across a business entity; C-suite officers of subsidiaries who do not exercise policy-making authority across the entire organization would not be considered to be "senior executives" under this definition. The final rule also exempts non-competes entered into "in connection with a bona fide sale of a business entity, of the person's ownership interest in a business entity, or of all or substantially all of a business entity's operating assets."
With respect to existing non-competes (other than those with "senior executives"), the rule requires companies to provide notice to the worker that the non-compete "will not be, and cannot legally be, enforced." Such notice must be provided by the effective date of the rule.
Plaintiffs in several litigations have challenged the rule and the FTC's power to promulgate it. On July 3, the U.S. District Court for the Northern District of Texas in Ryan LLC v. Federal Trade Commission enjoined the FTC from enforcing and implementing the rule against the plaintiffs in that action only. The U.S. Chamber of Commerce has filed a motion for summary judgment seeking an order vacating the rule, and the court has indicated it will rule on that and other motions by Aug. 30 (just five days prior to the rule's effective date).
On July 23, a separate federal court in Pennsylvania rejected a challenge to the rule in ATS Tree Services, LLC v. Federal Trade Commission. There, the U.S. District Court for the Eastern District of Pennsylvania ruled that the plaintiff was not entitled to a preliminary injunction because it was not likely to succeed on the merits — because the FTC had acted within its authority in promulgating the rule — and had not established it would suffer irreparable harm in the absence of an injunction.
There remains significant uncertainty regarding whether the rule will go into effect on Sept. 4.
Securities Regulation and Corporate Law Developments
Supreme Court Limits SEC's In-House Adjudicative Powers
On June 27, the Supreme Court held that it is unconstitutional for the Securities and Exchange Commission (SEC) to administratively adjudicate fraud-based enforcement actions involving civil penalties.
In 2011, the SEC opened an investigation into anti-fraud violations of the Securities Act of 1933, the Securities Exchange Act of 1934 (Exchange Act), and the Investment Advisers Act of 1940 by investment manager George Jarkesy Jr. and his investment adviser, Patriot28 LLC. The SEC alleged that Jarkesy and Patriot28 misrepresented the investment strategies that they used, the auditor and prime broker that they relied upon, and the value of their funds. The SEC brought the action administratively and sought civil penalties, among other remedies.
The administrative law judge held Jarkesy and Patriot28 liable. They then sought review by the SEC itself. The Commission imposed civil penalties of $300,000, ordered Patriot28 to disgorge "ill-gotten gains" of nearly $685,000, and barred Jarkesy from associating with brokers, dealers and advisers, among other measures. Jarkesy and Patriot28 appealed to the Fifth Circuit, which vacated the SEC's order, holding that the imposition of civil penalties violated the defendants' Seventh Amendment right to a jury trial. As Kramer Levin previously reported, the SEC filed a petition for cert with the Supreme Court, which the Court granted last July.
The Supreme Court affirmed the Fifth Circuit's judgment and held that when the SEC seeks civil penalties for securities fraud, the defendant is entitled to a jury trial under the Seventh Amendment. The Court's reasoning was twofold. First, the SEC's anti-fraud provisions mirror common law fraud claims, which are legal in nature rather than equitable, and therefore implicate the defendant's Seventh Amendment right to a jury trial. Second, the "public rights" exception is inapplicable. This exception allows Congress to assign certain "legal" matters to agencies for adjudication. However, because securities violations target "the same basic conduct" as common-law fraud, they concern private, not public, rights and must be adjudicated in Article III courts.
Three justices, led by Justice Sonia Sotomayor, dissented. They argued that under the Court's Atlas Roofing decision, the SEC's administrative process was constitutional.
Supreme Court Grants Certiorari To Determine Scope of Required Corporate Risk Disclosures
On June 10, the Supreme Court granted certiorari in Facebook, Inc. v. Amalgamated Bank3to review a Ninth Circuit Court of Appeals decision holding that Facebook could be held liable under Section 10(b) and Rule 10b-5 for failures to disclose risks that had occurred in the past but had no known risk of occurring in the future.
In 2016, Facebook disclosed in its Form 10-K that failures to prevent or mitigate improper access to or disclosure of users' data could harm Facebook's reputation and its competitive position. In March 2018, Amalgamated Bank filed a securities class action alleging that Facebook had made materially misleading and false statements and omissions in this filing because Facebook knew of two prior occasions where its data hadbeen improperly collected by Cambridge Analytica, so this risk was not merely hypothetical.
The district court dismissed the plaintiffs' claim for failure to plead falsity, scienter and loss causation under Rule 9(b). A split Ninth Circuit panel reversed on the falsity point. It relied on In re Alphabet4to hold that falsity allegations can survive a motion to dismiss when they are based on a plausible allegation that the reporting company stated that a risk "could" occur when it had materialized in the past. The dissent argued that Facebook's statement was not false because the risk of future data breaches was still unknown at the time that the statement was made.
The Supreme Court granted certiorari as to the question of whether risk disclosures are false or misleading when they do not disclose a risk that has materialized in the past, even if it is unknown whether the risk will occur in the future and whether it will harm the company.5
On April 12, the Supreme Court unanimously held that failing to make disclosures required under Item 303 of Regulation S-K can only be actionable under Section 10(b) of the Exchange Act and Rule 10b-5 if the omission makes an affirmative statement misleading.
In Macquarie Infrastructure Corp. v. Moab Partners, L.P., a regulation essentially banned one of Macquarie Infrastructure Corp.'s (MIC) key products.6MIC reported on the short-term effects that this ban would have on demand for its products but not the long-term financial effects it would have on its business. After the ban took effect, MIC's stock price fell. Moab Partners argued that disclosure of the long-term effects was necessary under Item 303 of Regulation S-K, which requires registrants to disclose when known events are reasonably likely to affect their financial condition. It argued that failure to make this required disclosure gave rise to a Section 10(b) violation. The Second Circuit agreed.
The Supreme Court had granted certiorari in this case to answer the question of whether failing to make a required Item 303 disclosure can support a private claim under Section 10(b) in the absence of a misleading affirmative statement. The Court unanimously held that it cannot. Since Rule 10b-5(b) makes only half-truths and not "pure omissions" actionable, a private cause of action can only materialize if the omission causes an affirmative statement to be misleading.
Fifth Circuit Vacates SEC Rule Regulating Private Funds Advisers
On June 5, the Fifth Circuit vacated SEC rules that prohibited investment advisers from giving investors preferential treatment concerning redemption rights and portfolio information.7The rules also barred investment advisers from charging private funds for the costs of government investigations without the consent of the funds' investors.
The Fifth Circuit held that the SEC lacked authority under Sections 211(h) and 206(4) of the Investment Advisers Act of 1940 to issue the rules based on its reading of the Advisers Act in conjunction with the Investment Company Act and the Dodd-Frank Act.
First, the Fifth Circuit read the applicable sections of the Advisers Act in light of the Investment Company Act, which was also passed in 1940. It found that the Investment Company Act was intended to maintain a "market-driven" relationship between a private fund, its adviser, and outside investors and that the rules impermissibly altered this relationship.
Second, the Fifth Circuit found that Section 211(h) of the Advisers Act was a codification of Section 913(h) of the Dodd-Frank Act. According to the court, the Dodd-Frank Act was only intended to protect "retail investors," who are generally not sophisticated enough to invest in private funds. Therefore, since the SEC's rules only protected sophisticated investors and not retail investors, the Fifth Circuit held that the SEC lacked authority to issue them. The SEC did not appeal.
SEC Secures Jury Verdict in Shadow Insider Trading Trial
On April 5, a federal jury in SEC v. Panuwat found that a corporate executive engaged in insider trading by using material nonpublic information concerning his own company to trade in the securities of a different company operating within the same industry. This is the first time that the SEC has successfully brought an insider trading claim where the use of material nonpublic information was used in connection with a third party.
Matthew Panuwat, an executive at a biopharmaceutical company called Medivation, learned that Pfizer was going to acquire Medivation. Based on that information, he bought call options in another pharmaceutical company, Incyte. As he expected, Incyte's stock rose 8% after Medivation's acquisition announcement, and Panuwat made just over $100,000.
The SEC alleged that Panuwat breached his duties to Medivation by trading on material nonpublic information about the company, in violation of its insider trading policy. The district court denied both Panuwat's motion to dismiss and his motion for summary judgment. A key issue at these stages was the degree of the connection between the two companies. At summary judgment, the court held that nonpublic information related to one company can be material to another company if they share a sufficient "market connection."
The SEC ultimately prevailed at trial. On May 29, Panuwat moved for judgment as a matter of law and for a new trial. His motion is pending.
SEC and FinCEN Propose Rule Requiring Investment Advisers To Enact Customer Identification Programs
On May 13, the SEC and the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department announced a proposed rule that would require investment advisers to establish reasonable procedures to verify their customers' identities. The rule is responsive to Treasury Department findings that illicit funds can enter the U.S. financial system through investment advisers.
The rule applies to registered investment advisers and exempt reporting advisers. It requires these advisers to establish Customer Identification Procedures that are robust enough to allow the adviser to "form a reasonable belief that it knows the identity of each customer." While the rule establishes minimum requirements for these procedures, they may be tailored to the size and business of each adviser.
SEC Issues Risk Alert Regarding Compliance With Rule 206(4)-1, the Marketing Rule
On April 17, the SEC Division of Examination published a Risk Alert about investment advisers' compliance with amended Rule 206(4)-1 under the Investment Advisers Act of 1940, also known as the Marketing Rule. It found that most advisers had implemented appropriate policies, procedures and trainings to ensure that they and their supervised persons do not violate the rule. However, the SEC also found instances of insufficient policies and noncompliance.
Policies were deemed insufficient where they did not cover all applicable marketing channels such as social media sites, were not in writing or were not tailored to address specific advertisements, among other reasons. Noncompliance was found where advisers made untrue or unsubstantiated statements of material fact — for example, statements that advisers were conflict-free when they were not, inadequate descriptions of the risks or limitations associated with their services, and disclosures made in unreadable fonts on websites or in videos.
SEC Adopts Final Rules Regarding SPAC IPOs and SPAC Business Combinations
On Jan. 24, the SEC adopted final rules expanding the requirements that special purpose acquisition companies (SPACs) must comply with when conducting initial public offerings (IPOs). Key aspects of the rules expand disclosure under new Subpart 1600 of Regulation S-K. The rules also cover business combination transactions (de-SPAC transactions) between SPACs and target companies after an IPO. The SEC adopting release also provides guidance on when a SPAC may be classified as an investment company under the Investment Company Act.
The rules require expanded disclosure regarding SPAC sponsors, including details about their compensation, potential conflicts of interest, dilution of public shareholders and other arrangements involving SPAC sponsors. Further, the rules align the potential liability for de-SPAC transactions with that for traditional IPOs by requiring the target company to be a co-registrant with the SPAC and file a registration statement on Form S-4 or F-4 under the Securities Act for a de-SPAC transaction.
Lastly, the final rules exclude SPACs from the safe harbor provisions of the Private Securities Litigation Reform Act for projections and other forward-looking statements. Instead, under new Item 1609 of Regulation S-K, companies in de-SPAC transactions must disclose their reasoning and analysis regarding the use of projections.
Delaware Governor Signs Into Law Amendments to Delaware's General Corporation Law
On July 17, Delaware Gov. John Carney signed into law amendments to the Delaware General Corporation Law (DGCL) from Senate Bill 313. Effective Aug. 1, 2024, and applying retroactively, these amendments were introduced to reverse three recent Delaware Court of Chancery decisions and provide more predictability to corporate practices.
One significant amendment is in response to the West Palm Beach Firefighters' Pension Fund v. Moelis & Co. case, where the court invalidated certain stockholder approval rights for constraining the board of directors' authority. The new Section 122(18) now permits Delaware corporations to enter into agreements with stockholders that may limit the board's discretion, regardless of whether such agreements are expressly permitted in the corporation's certificate of incorporation, provided that they do not violate the DGCL or the corporation's certificate of incorporation. Additionally, Section 122(5) reaffirms that the board cannot delegate fundamental board-level functions unless authorized under the corporation's certificate of incorporation.
A former Twitter stockholder's lawsuit, Crispo v. Musk, prompted amendments to new Section 261(a)(1) of the DGCL. These amendments allow merger agreements to contract for penalties for breaches, including penalties based on the loss of stockholder premiums. Also, new Section 261(a)(2) permits the appointment of stockholder representatives to enforce rights under a merger agreement.
The Sjunde Ap-Fonden v. Activision Blizzard decision highlighted deficiencies in the merger approval process, prompting the introduction of new Sections 147, 232(g), and 268(a) and (b) to the DGCL. These sections clarify that boards can approve agreements in "substantially final form," ensure that annexed documents are considered part of the notice, and remove specific technical requirements for merger agreements where stockholders do not receive stock in the surviving corporation.
Court Dismisses Stockholder Suit Against Meta: Affirms a Firm-Specific Model of Corporate Management
On April 30, the Delaware Court of Chancery dismissed an action against Meta Platforms Inc., its board of directors, and its founder, Mark Zuckerberg.8The court rejected the plaintiff's novel argument that Meta's directors breached their fiduciary duties to shareholders by prioritizing profits for Meta over broader economic and societal interests that affect the diversified portfolios of Meta's shareholders.
The plaintiff argued that if decisions that maximize Meta's short-term profits simultaneously harm public health or the rule of law, then Meta shareholders who are diversified will suffer financially from the costs that these decisions impose on society. Meta moved to dismiss, arguing that this novel theory conflicts with long-standing Delaware corporate law that allows corporate directors to consider the impact of their decisions on broader constituencies but does not require them to do so.
The Chancery Court agreed with Meta and dismissed the claim. It held that directors owe fiduciary duties to the corporation and its stockholders as stockholders of the specific corporation, not as diversified investors.
The NY LLC Transparency Act: What You Need To Know Now
On Dec. 23, 2023, New York Gov. Kathy Hochul signed into law the LLC Transparency Act (NY LLCTA). This statute requires limited liability companies (LLCs) formed or registered to do business in New York to report information about their "beneficial owners," with some exceptions. The NY LLCTA largely mirrors the Federal Corporate Transparency Act (CTA) but only applies to LLCs formed or registered to do business in New York.
The definition of "beneficial owners" under the NY LLCTA is similar to that under the CTA and includes senior officers and individuals who exercise substantial influence over important business decisions and those who own or control at least 25% of the company's ownership interests.
Based on a March 1 amendment to the NY LLCTA, the effective date of the statute is Jan. 1, 2026.
ESG Litigation and Regulatory Issues
Fifth Circuit Remands Challenge to Department of Labor (DOL) Rules Concerning Consideration of ESG Factors After Loper Bright
On July 18, the Fifth Circuit remanded Utah v. Su to the Northern District of Texas for reconsideration following the Supreme Court's landmark decision in Loper Bright.9The Texas district court had previously upheld DOL rules concerning how retirement plan beneficiaries may consider ESG factors when making investment choices and exercising shareholder rights.
- The rules, issued in 2022, provide somewhat more flexibility than their 2020 predecessors in terms of how fiduciaries may consider how ESG concerns affect ERISA plan investments. They are premised on the notion that ESG risks may impact the long-term returns of managed investments.
- As Kramer Levin previously reported, on Jan. 26, 2023, a coalition of Republican attorneys general had challenged the rules in Texas, alleging that they violated ERISA by allowing fiduciaries to consider nonpecuniary ESG concepts over retirement plan participants' financial returns. They also alleged that the DOL lacked the requisite authority to issue the rule.
- The Texas district court upheld the rules,10holding that assessing whether ESG factors materially affect the risk or return of an investment, as the rules require, falls squarely within ERISA's mandate that fiduciaries discharge their duties "solely in the interest of the participants and beneficiaries." The court analyzed the rules under Chevron and the APA. The coalition appealed.
The Fifth Circuit vacated the Texas district court's decision after noting that Loper Bright "pared back agencies' leeway to interpret their own statutory authority." The Court of Appeals instructed the Texas district court to reconsider the merits of the challenge in light of Loper Bright.
New EU Directive Puts 'Sustainability' Due Diligence Center Stage
On May 24, the European Council adopted the EU Corporate Sustainability Due Diligence Directive (CS3D). This directive, which is part of the European Green Deal, requires EU member states to pass legislation within two years mandating companies to conduct far-reaching "due diligence" designed to identify and remediate direct and indirect environmental and human rights impacts of their activities. The directive applies to EU and non-EU companies meeting minimum gross revenue and employment thresholds.
The member states' national laws must require companies to adopt climate change mitigation plans and due diligence policies to identify, prevent and mitigate environmental and human rights issues. The climate change mitigation plans should be designed to align the business with the goals of transitioning to a sustainable economy, limiting global warming to 1.5°C above 2005 levels and achieving climate neutrality by 2050. The due diligence policies must be directed at the company's own operations and those of its subsidiaries, and certain upstream and downstream "business partners."
According to the directive, EU members' national statutes must also include penalties for noncompliance. Authorities within each member state will be responsible for enforcing the CS3D.
SEC Issues Final Climate Disclosure Rules and Stays Implementation Pending Court Challenges
On March 6, the SEC adopted final rules requiring public companies to disclose information about the climate risks they face, their greenhouse gas emissions and their climate-related goals. State attorneys general, business interests and environmental groups filed actions challenging the rule in various courts across the country, which were consolidated in the Eighth Circuit. On April 4, the SEC voluntarily stayed the implementation of its rules pending the outcome of the litigation.11In a filing with the Eighth Circuit, the SEC indicated that it would publish a document in the Federal Register at the conclusion of its stay addressing a new effective date for the final rules.12
The new rules require SEC-reporting companies to make new disclosures in SEC filings and adopt new internal controls and procedures. Additionally, the rules differ from Californian and European regulations in several respects.13
- The final rules add provisions to Regulation S-K (Item 1500) and Regulation S-X (Article 1400). New Item 1500 requires all registrants to disclose climate risks that materially impacted the registrant's business or outlook; plans to manage material climate risks; scenario analyses used to plan for climate risks; board or management processes used to assess and manage climate risks; and climate-related goals such as emissions reduction goals.
- Additionally, new Item 1500 imposes disclosure requirements that vary by the type of filer. For instance, only large accelerated filers and accelerated filers that are not emerging growth companies or smaller reporting companies must report aggregate Scope 1 and Scope 2 emissions. Further, accelerated filers must include attestation reports from greenhouse gas emissions experts. In contrast to the Californian and European regimes, no registrant must report Scope 3 emissions. Additionally, many of the disclosures under Regulation S-K are deemed forward-looking statements and are subject to the safe harbor in the Private Securities Litigation Reform Act. However, Scope 1 and 2 greenhouse gas emission disclosures are not.
- For any filing made under Regulation S-K that includes audited financial statements (i.e., notQuarterly Reports on Form 10-Q), the notes to the financial statements must include disclosure regarding certain expenses incurred due to severe weather events and whether the registrant used carbon offsets or renewable energy targets as a material part of its transition plan.
In addition to the court challenges to the rules, Republicans in both houses of Congress began drafting a resolution under the Congressional Review Act to repeal the final rule. If it succeeds, the final rule would be rescinded and the SEC could not re-promulgate similar regulations without congressional authorization.
On Feb. 19, the Fifth Circuit vacated a three-judge panel's initial rejection of a challenge to Nasdaq's "Board Diversity" rules. The full court reheard the case on May 14.
The rules require Nasdaq-listed companies to disclose if they have diverse boards of directors or explain why they do not. The petitioners, Alliance for Fair Board Recruitment and National Center for Public Policy Research, had challenged the rules themselves as unconstitutional violations of equal protection and free speech, and the SEC's approval of the rules as violative of the Securities Exchange Act of 1934 and the Administrative Procedure Act.
At oral argument in May, the judges' questions focused largely on the extent to which the Exchange Act limits the types of disclosure requirements that the SEC can approve. The challengers argued that the Exchange Act does not give the SEC power to approve rules about "socially controversial matters," while the SEC contended that investors find board diversity important and the SEC is allowed to regulate disclosures concerning issues that are important to shareholders' investment and voting decisions.14The case is awaiting decision.
Data Privacy and Cybersecurity Matters
SEC Division of Corporate Finance Clarifies Form 8-K Disclosures of Material Cybersecurity Incidents
On Dec. 18, 2023, the SEC issued cybersecurity disclosure rules that require public companies to disclose cybersecurity incidents that are "determined by the registrant to be material" under Item 1.05 of Form 8-K.
On May 21, Erik Gerding, director of the SEC's Division of Corporation Finance, issued a statement clarifying that, in order to allow investors to more easily distinguish between material and immaterial cybersecurity threats, only cybersecurity incidents that are determined by a company to be material should be made under Item 1.05. Any voluntary disclosures, including those for which the reporting company has not yet determined the materiality, may be made under Item 8.01 of Form 8-K. To the extent a company later determines that the cybersecurity incident was material, it should file an Item 1.05 Form 8-K within four business days of such a determination.
Further, the SEC issued Compliance and Disclosure Interpretations for Form 8-K on June 24.15
SEC Adopts Significant Cybersecurity Amendments to Regulation S-P
On May 16, the SEC adopted final amendments to Regulation S-P. Regulation S-P is a set of privacy rules that govern how specific financial institutions handle nonpublic personal information. The rules apply to broker-dealers, investment companies, SEC-registered investment advisers and transfer agents. These "covered institutions" are responsible for protecting their own customers' information, their prior customers' information and information received from third-party financial institutions.
Under the rules, covered institutions must prepare incident response plans outlining what the company will do to detect and recover from unauthorized access to or use of customer information. These plans must be routinely updated to ensure that they keep pace with developing technologies. As part of their incident response plans, covered institutions must implement vendor management programs to oversee how service providers protect customer information. If sensitive customer information has been compromised, covered institutions must notify the customer within 30 days of learning of the breach.
Lastly, the final amendments require covered institutions to maintain records of any unauthorized access to or use of their data, their investigations into such breaches, and their procedures for overseeing service providers.
Federal Privacy Bill Aims To Consolidate US Privacy Law Patchwork
The American Privacy Rights Act (APRA), a bill that imposes obligations on businesses to protect individual users' data, was jointly released by the Senate and U.S. House of Representatives on April 7. The APRA was marked up by House subcommittees on May 23, after the House had updated its version to amend the Children's Online Privacy Protection Act of 1998. The bill has bipartisan support and largely mirrors state privacy laws.
The APRA would apply to businesses that fall under the jurisdiction of the FTC and to common carriers under the Communications Act of 1934. It would also apply to nonprofits, in contrast to many state laws that exempt such organizations. Businesses defined as "large data holders" under the bill would be subject to additional notice and reporting requirements. Additionally, entities defined as "high-impact social media companies" would be barred from transferring first-party data to third parties without express user consent. This differs from state laws that merely require businesses to provide users with notice and the opportunity to opt out before transferring their data.
The proposed statute broadly defines the types of "covered data" it governs to include any data that can be linked to an individual. "Sensitive data" covers government identifiers, health and biometric information, financial data, geographic data, login credentials, and demographic information. Both of these definitions largely align with their state law equivalents; however, the APRA departs from state laws by defining information as "sensitive" only when it is used in a manner inconsistent with the individual's reasonable expectation of disclosure.
The bill would require all covered entities to create an internal role for either a data privacy officer or a data security officer, or both if the entity is a large data holder. Covered entities using algorithms derived from machine learning or other advanced data processing techniques would have to evaluate them to avoid harms to individuals and disparate impacts on various groups of people.
The APRA allows for enforcement at the federal and state levels, and individual enforcement through a private cause of action.
DoorDash Settles California Consumer Privacy Act Enforcement Action
On Feb. 23, the California Attorney General announced a settlement with DoorDash under the California Consumer Privacy Act (CCPA). The complaint alleged that DoorDash shared the names, addresses and transaction histories of its customers with KBM Group LLC (KBMG), a company with which it had partnered on marketing initiatives. In exchange for this data, DoorDash could advertise to customers of other companies with which KBMG worked. The complaint also alleged that DoorDash sold customers' personal information without disclosing that it was doing so.
The settlement required DoorDash to pay a $375,000 civil penalty and to submit annual reports concerning its compliance with the CCPA and the California Online Privacy Protection Act, among other injunctive measures. This settlement highlights that while it is often legal for companies to sell or exchange personal information, they must properly use consent and opt-out procedures before doing so.
AI Questions
States Take Varying Approaches to AI Regulation
Lawmakers in Colorado, Tennessee and Utah passed bills to regulate AI in the first half of 2024, adding to the efforts by their peers in 25 states, Puerto Rico, and the District of Columbia, who introduced similar bills in the 2023 legislative session.
Gov. Jared Polis signed the Colorado bill SB24-205 on May 17. It is the first state law in the country that requires developers of high-risk AI systems and the people or companies that use them to protect consumers from foreseeable risks of discrimination stemming from the algorithms. The law takes effect on Feb. 1, 2026, and is only enforceable by the Colorado Attorney General; there is no private right of action.
On March 21, Tennessee passed the Ensuring Likeness, Voice and Image Security Act, which prohibits the use of deepfakes, including AI-generated content of a person's voice and likeness to create false video or audio clips. The statute is intended to protect artists and others in the music industry. It took effect on July 1 and includes a private right of action.
On March 13, Utah enacted a bill that requires people and entities to disclose any use of consumer-facing generative AI technologies, such as chatbots. This statute took effect on May 1 and is only enforceable by state agencies.
On March 18, the SEC settled two charges against two investment advisers for making false and misleading statements about their purported use of AI in their investment predictions. As policymakers worldwide draft AI-specific regulations, these actions demonstrate how regulators are using existing laws to govern claims about AI.
Delphia (USA) Inc. was fined $225,000 for allegedly stating that its AI could predict which companies were about to "make it big" without having the capabilities to do so. Global Predictions was fined $175,000 for claiming to be the "first regulated AI financial adviser" and saying it provided "[expert AI-driven forecasts." Neither company admitted or denied the allegations, but both agreed to stop making such statements.
Key Considerations Regarding the Recently Passed EU Artificial Intelligence Act
On March 13, the European Parliament approved new rules concerning the regulation of AI. This regulation impacts companies that are established in the EU and use AI, and those registered outside the EU that market their systems there.
The regulation classifies AI systems according to four levels of risk (prohibited, high-risk, limited-risk and minimal-risk) and governs them accordingly. For example, systems that categorize people based on biometric data about sensitive characteristics are prohibited, while those that utilize tools like chatbots are considered limited-risk. Fines for violations of the rules are highest for the highest-risk systems.
Footnotes
1. Chevron v. NRDC Inc., 467 U.S. 837 (1984).
2. Loper Bright was the lead case in the two consolidated cases of Loper Bright Enterprises et al. v. Raimondo, Sec. of Comm., et al., No. 22-451,and Relentless Inc., et al. v. Department of Commerce, et al., No. 22-1219.
3. No. 23-980, 2024 WL 2883752.
4. In re Alphabet Securities Litigation, 1 F.4th 687 (9th Cir. 2021).
5. On June 17, the Supreme Court granted certiorari in Nvidia Corp. v. E. Ohman J: or Fonder AB to consider certain pleading issues under the Private Securities Litigation Reform Act (PSLRA). In the October 2024 term, the Court will consider 1) the standard for alleging scienter based on internal company documents, and 2) whether expert opinions can satisfy the PSLRA's falsity requirement. See No. 23-970,2024 WL 3014476 (U.S. 2024).
6. No. 22-1165, 2024 WL 1588706 (U.S. 2024).
7. Nat'l Ass'n of Priv. Fund Managers v. Sec. Exch. Comm'n, No. 23-60471 (5th Cir., June 5, 2024), reviewing Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews, 88 Fed. Reg. 63206 (Sept. 14, 2023).
8. McRitchie v. Zuckerberg, et al., No. 2022-0890-JTL (Del. Ch., 2024).
9. No. 23-11097 (5th Cir.). This is an appeal of Utah v. Walsh, 2:23-CV-016-Z (N.D. Tex., Sept. 21, 2023). The plaintiffs substituted the name of the defendant, using Acting Secretary of Labor Julie Su instead of the former Secretary of Labor Marin Walsh.
10. Utah v. Walsh, 2:23-CV-016-Z (N.D. Tex., Sept. 21, 2023).
11. In the Matter of the Enhancement and Standardization of Climate-Related Disclosures for Investors, Order Issuing Stay, File No. S7-10-22 (April 4, 2024), https://www.sec.gov/files/rules/other/2024/33-11280.pdf.
12SEC's Omnibus Opposition to Petitioners' Motions for Stay Pending Disposition of Petitions for Review at 5 n. 2, State of Iowa, et al. v. SEC, No. 24-1522 and consolidated cases (8th Cir., Apr. 5, 2024).
13. On June 21, Gov. Gavin Newsom's administration released amendments to the Californian legislation that could delay implementation of the regulations may be delayed for two years. See RN 17560, 2023 – 2024 Leg. Sess. (Ca. 2024).
14. Andrew Ramonas, Nasdaq Board Diversity Regulations Face Skeptical Fifth Circuit, Bloomberg Law News (May 14, 2024), https://news.bloomberglaw.com/esg/nasdaq-board-diversity-regulations-face-skeptical-fifth-circuit.
15. See Exchange Act Form 9-K, SEC (June 24, 2024), https://www.sec.gov/divisions/corpfin/guidance/8-kinterp.htm.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.