Anjali C. Das Partner

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) recognizes and enforces California consumers’ right to privacy and control over their personal information.

As the year draws to a close, it’s an especially good time to review your businesses’ cybersecurity policies and procedures as they relate to electronic protected health information under HIPAA regulations.

Public hearings were scheduled for the first week in December to receive comments on proposed regulations to the California Consumer Privacy Act, which goes into effect on January 1, 2020. Written comments will be accepted by the California Attorney General until 5:00 p.m. on December 6, 2019. The final regulations are expected to be released in early 2020 and will be enforced beginning in July 2020.

The Illinois Supreme Court gave the state’s Biometric Information Privacy Act more “punch” in a recent opinion holding that an individual does not need to prove harm to recover − a technical violation of the Act is sufficient to constitute standing.

Businesses that seek to obtain and preserve contracts with the U.S. government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations. These include the Defense Federal Acquisition Regulation Supplements, which impose stringent minimum security requirements and reporting obligations, and the International Traffic in Arms Regulations, which contain approval, registration and records maintenance requirements.

The extra-territorial reach of the EU’s new General Data Protection Regulation means that non-EU companies that collect, store, transfer or otherwise process personal data of EU residents may be required to obtain express consent to use an individual’s personal data, in addition to maintaining internal records of the company’s personal data processing activities. Moreover, companies may have a mere 72 hours to notify EU regulatory authorities of a data breach involving the personal data of EU residents.

Under Australia’s Notifiable Data Breach Scheme, organizations, not limited to Australian companies, will be forced to promptly respond to and investigate actual or suspected data breaches concerning personal information. Failure to do so may result in the commencement of a regulatory action and/or the imposition of civil penalties. Companies with potential exposure are encouraged to become familiar with the new legal requirements.

On November 1, 2018, the long-awaited amendments to Canada’s Personal Information Protection and Electronic Documents Act will go into effect. These amendments and related regulations impose new mandatory notification obligations on companies in the event of a breach involving the personal information of Canadians.

While the California Consumer Privacy Act does not take effect until 2020, it is likely to spur other states – and perhaps the federal government – to enact broader legislative protections for the collection and use of individuals’ personal information. Meanwhile, all entities that do business in California and collect personal information of Californians should take prompt action to review and revise related assets and materials.

The speed of events and the fast-breaking news on the recent Equifax data breach discovered on July 29, 2017, has gone from bad to worse. An investigation revealed that the incident impacted 143 million consumers’ personally identifiable information, including names, social security numbers, dates of birth and driver’s license numbers.

The world recently experienced an unprecedented global cyberattack that targeted the public and private sectors, encrypting and locking electronic files. So far, it is estimated that hundreds of thousands of entities worldwide were victims of WannaCry ransomware; and just as WannaCry is subsiding, a new attack, Adylkuzz, is taking its place, crippling computers by diverting their processing power. Now the world needs to begin building a Cyber Defense Arsenal.

Wilson Elser Chicago partner Anjali Das has compiled a roundup of recent news, including litigation and mega settlements, developments in Delaware D&O law, D&O cyber liability, and recent D&O insurance coverage decisions.

In what appears to be an all-out assault on lax cybersecurity, the SEC has issued a new Alert in connection with its cybersecurity examination of Wall Street firms, entered a Cease and Desist Order against a firm for failing to adopt written policies or procedures to protect customer information, and issued an Investor Alert that highlights actions individuals should take if their personal information is compromised.

The SEC’s new disclosure guidance was intended to bring greater awareness and transparency to actual or potential cybersecurity risk that might be considered material to investors. However, the SEC has acknowledged that this guidance alone might not be sufficient to address investor concerns.

On May 13, 2014, the Court of Justice of the European Union found that an individual has the right to demand that Google remove links about him that he claimed were old and irrelevant. But which approach is best – the right to be forgotten or the right to know? The “right to be forgotten” as currently described by the Court of Justice could create a clash between freedom of speech, which is supported in the United States, and the EU’s broader concept of privacy.

Companies that plan to use social media to communicate material corporate information to investors should make sure they have effective policies, controls and safeguards in place to mitigate potential risk for violations of securities or other laws.

The U.S. Supreme Court’s reaffirmation of heightened standards for future harm may significantly aid corporations in obtaining dismissals for data security and cyber beach lawsuits where plaintiffs frequently cannot show that their personal information will subject them to identity theft or be used in a manner to cause them some other concrete financial harm.

The long-awaited Guidance on potential violations of the Foreign Corrupt Practices Act may provide some relief and useful tips for directors and officers of companies that have been increasingly concerned about potential exposure for successor liability emanating from FCPA violations by the acquired entity. 

Walmart is the latest high-profile target of a string of D&O claims involving the increasingly enforced Foreign Corrupt Practices Act. The SEC and DOJ have maintained an aggressive stance on FCPA violations and enforcement actions, which can lead to shareholder derivative civil actions.

Many China-based issuers have been targeted by regulators and investors alike for purported securities and accounting fraud that could ultimately cost D&O insurers millions in losses.

In light of the potential long arm of the Bribery Act, directors and officers (“D&O”) liability carriers should familiarize themselves with the potential increased exposure to their insureds. In addition, D&O insurers would be well advised to consider potential coverage issues under their policies for claims and investigations under the Bribery Act.

Many financial industry insiders and their insurers have been wondering where the Federal Deposit Insurance Corporation (FDIC) has been during the recent financial industry meltdown. As the appointed receiver of failed banks that are federally insured, the FDIC is expected to be at the forefront of litigation against the directors and officers (D&Os) of failed financial institutions.

Recently enacted sweeping financial legislation embodied in the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Act) creates new concerns for directors and officers of all public companies – not just financial institutions.  D&Os will be subject to heightened public and regulatory scrutiny in connection with corporate governance and executive compensation.  Broad disclosure requirements regarding executive pay, coupled with potentially enormous financial incentives to corporate whistle-blowers, could lead to increased liability exposure for D&Os and their insurers.

A typical claim targeting directors and officers ("D&Os") in the context of a merger or acquisition is that the D&Os breached their fiduciary duties of care and loyalty by failing to get the best deal for shareholders.  However, in a boon to D&Os and their insurers, several recent Delaware court decisions have made it easier for defendants to successfully defend these types of claims.