Zoom Settles Dispute with Federal Trade Commission Regarding Cyber Security Practices


Earlier this month, the Federal Trade Commission (“FTC”) reached a settlement with Zoom Video Communications, Inc. (“Zoom”) regarding alleged misrepresentations related to its security program.  The FTC alleged that Zoom misled users by “touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security.”

As part of the settlement, Zoom must (1) ensure that its representations to consumers regarding its privacy and security practices are accurate, and (2) update its security practices with a comprehensive new program that includes vulnerability management, annual documentation of risks and new security safeguards such as multi-factor authentication.

The FTC’s regulatory action against Zoom highlights the need for all businesses to ensure that representations regarding privacy and security practices are accurate and implement enterprise-wide cybersecurity protocols that take the specific risks faced by an organization into account.

NC Business Court Discusses the Limits of Attorney-Client Privilege When Attorneys Wear Multiple Hats


Attorneys, and clients, are often guilty of taking the position that any communication involving an attorney is privileged and not subject to disclosure.  The law, of course, is much more nuanced.  In today’s world, where reliance on in-house counsel is expanding, and attorneys are consulted as much for their business advice as their legal advice, questions regarding the extent of attorney-client privilege have become more complex.


On November 9, 2020, the North Carolina Business Court issued a very helpful opinion analyzing the extent of attorney-client privilege in scenarios where attorneys serve in multiple roles within an organization.  Chief Judge Bledsoe’s opinion in Buckley LLP v. Series 1 of Oxford Insurance Company NC LLC, 2020 NCBC 81, resolved competing motions to compel, where each side sought to compel documents being withheld by the other on the basis of attorney-client privilege and the work product doctrine.

Overview

Plaintiff Buckley, LLP is a law firm that obtained an insurance policy through Defendant Oxford, which included coverage for the loss of key employees.  One of Buckley’s named partners, Andrew Sandler, retired shortly after the policy went into effect, and Buckley filed a $6 million claim with Oxford under the policy.  Oxford refused to pay the claim, arguing that certain exclusions in the policy apply.  Significantly, Oxford contended that Buckley failed to inform Oxford of material facts regarding Sandler prior to the policy taking effect.  Prior to the date of the policy, Buckley had already received allegations of misconduct by Sandler and retained the law firm of Latham & Watkins to investigate the misconduct allegations.  Sandler negotiated a retirement agreement with Buckley rather than participate in the investigation and left Buckley shortly after the policy took effect.

In discovery, Buckley sought Oxford’s internal communications and documents related to its investigation of Buckley’s claim.  Oxford’s general counsel was a member of the team that reviewed Buckley’s claim, and Oxford withheld many of those documents involving its general counsel on the basis of attorney-client privilege.  Similarly, Oxford sought discovery of Buckley’s documents and communications with Latham & Watkins regarding the internal investigation of the misconduct allegations.  Buckley refused to produce its communications with Latham & Watkins on the grounds of attorney-client privilege.  Both sides filed competing motions to compel, which the Business Court resolved in a single opinion.  The Business Court ultimately ordered both parties to produce many, but not all, of the documents they were withholding.

Attorney-Client Privilege

Attorney-client privilege only attaches when the communication “is made in the course of giving or seeking legal advice for a proper purpose.”  As a general rule, if an attorney is not acting as a legal advisor when the communication was made—for instance, by providing financial advice or acting as a business advisor—it is not privileged.  In instances where communications contain both legal and business advice, courts will look to the “primary purpose” of the communication.

Applying these principles, the Business Court found that many of Oxford’s general counsel’s communications were not privileged.  The Business Court concluded that Oxford’s general counsel had a substantial role in the company in reviewing and processing claims for payment.  The Business Court noted that some of the general counsel’s communications reflected the primary purpose of providing legal advice, but most showed her engaging in claim review “in the ordinary course of Oxford’s business.”

This “ordinary course of business” analysis also applied to many of Buckley’s communications with Latham & Watkins.  The Business Court noted that materials “created in the ordinary course of business” and “pursuant to company policy” are typically discoverable and not privileged.  The Business Court noted that, in this instance, the internal investigation was required by Buckley’s own firm policies, which weighed heavily in favor of the documents’ disclosure.  The fact that Buckley chose to hire a prominent law firm to conduct the investigation did not automatically extend privilege to all of its communications with Latham.  The Business Court ultimately determined that many of the documents were “unrelated to the rendition of legal services” and ordered their production.

Takeaways

The Business Court’s opinion is a useful reminder that discovery is a broad tool in litigation, and a lawyer’s participation does not always render a document privileged.  Businesses working with attorneys in in-house or business advisory roles should consider the following when facing questions of what might become public in a protracted litigation:

  • Was the attorney providing legal or business advice?
  • Did the advice require the attorney to use their legal expertise, or simply their business judgment?
  • Is the communication about a particular legal issue, or is it about our company’s ordinary business?
  • Why was this document created? Is it the result of a company policy?

New CFIUS Regulations Add Another Layer of Regulatory Considerations to Transactions Involving Foreign Investors

Earlier this year, new regulations promulgated by the Committee on Foreign Investment in the U.S. (the “CFIUS”) that implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) took effect, strengthening the oversight authority and expanding the jurisdictional reach of the CFIUS.  Although the new CFIUS regulations initially went largely unnoticed by the vast majority of investors, investors are starting to feel the effect of these expanded regulations as they are advised by deal counsel of a need for targeted due diligence and additional representations and warranties related to CFIUS compliance obligations.

CFIUS Regulatory Framework

The CFIUS, which was created by the Defense Production Act of 1950, is tasked with reviewing any transaction “which could result in foreign control of any person engaged in interstate commerce in the United States.”  50 U.S.C. § 2170.  The basic premise of the regulatory scheme is that the CFIUS will review these transactions, assess the potential for impact on national security, and make formal recommendations to the President as to the appropriate mitigating action necessary to protect the national interest.

Recent Changes to CFIUS Regulations

Until recently, the CFIUS’s jurisdiction was limited primarily to acquisitions of U.S. businesses by non-U.S. businesses.  See Ralls Corporation v. Committee on Foreign Investment in the United States, 758 F.3d 296 (D.C. Cir. 2014).  Earlier this year, however, new CFIUS rules permanently expanded CFIUS jurisdiction to include certain “other” investments—namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as “TID” businesses, for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business’s decision-making with respect to the technology, infrastructure, or data.

In sum, the new CFIUS regulations expanded the jurisdiction of regulators to transactions involving U.S. businesses that: (1) produce, design, test, manufacture, fabricate, or develop “critical technologies”; (2) own, operate, manufacture, supply, or service “critical infrastructure”; or (3) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.  31 CFR § 800.211.  Thus, even if a transaction will not result in foreign control of a U.S. business, it may still be subject to CFIUS review if it involves a TID U.S. business.

Critical Technology

For purposes of CFIUS regulations, critical technology is defined as follows:

(a) Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120–130);

(b) Items included on the Commerce Control List (CCL) set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730–774), and controlled—

(1) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

(2) For reasons relating to regional stability or surreptitious listening;

(c) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);

(d) Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);

(e) Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and

(f) Emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

31 C.F.R. § 800.215.  The nuances of each of these critical technologies should be carefully considered when engaging in a transaction involving foreign investors.

Sensitive Personal Data

The CFIUS also may review certain transactions involving U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The categories of data include (1) financial data (e.g., bank account statements, credit applications, payment history, credit reports, credit scores); (2) geolocation data; (3) health data (similar to HIPAA’s definition of non-public health information); (4) e-mail communications; (5) chat or other similar communications; (6) biometrics; and (7) information regarding government contractors.  See 31 C.F.R. § 800.241.

While this may seem like an unreasonable burden, the administrative record includes policy statements that inject some degree of restraint into the definition of sensitive personal data.  84 FR 50177.  More specifically, the ancillary information published in the federal register provides the following:

Given that most companies collect some type of data on individuals, the proposed rule protects national security while attempting to minimize any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself, as well as the sensitivity of the population about whom the data is maintained or collected. In particular, the proposed rule identifies specific categories of data that constitute sensitive personal data only if the U.S. business (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The proposed definition also includes all genetic information and generally carves out data pertaining to a U.S. business’s own employees.

Id. at 50177-78 (emphasis added).

It is also of note that the information collected does not qualify unless it includes “identifiable data.”  31 C.F.R. § 800.239.  Based on the administrative record, it is clear that regulators wanted businesses to use common sense in assessing whether data constituted “identifiable data” by including the following as part of the administrative record:

In some cases, a U.S. business may maintain or collect the data described in § 800.241(a)(1)(ii)(A)-(J), but it is not possible to attribute such data to any specific individual. For example, a U.S. business may store health records on its servers, but those records are encrypted such that only a third party in possession of the encryption key can read the data. The U.S. business in these circumstances would not be maintaining or collecting sensitive personal data. The proposed rule makes clear, however, that identifiable data is not limited to data that includes an individual’s name or other obvious identifier, but rather includes any personal identifier, as defined in § 800.239.

84 FR 50178 (emphasis added).  Thus, if the information is encrypted or otherwise anonymized, it will not qualify as identifiable data.  See 31 C.F.R. § 800.202 (“The term anonymized data means data from which all personal identifiers have been completely removed.”).

Mandatory Filings

Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to the CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remains mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.

  • A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains a 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person. FIRRMA §1705(v)(IV)(bb)(AA); 31 CFR §800.244;
  • CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, the CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of “export control licensing requirements.” In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.

For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to the CFIUS.  FIRRMA §1706(v)(1). These provisions are expanded in the new, final regulations.  31 CFR §800.401.  The declarations should generally not exceed five pages in length, and it is likely that a form will ultimately be designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: the CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a merger and acquisition transaction. This may act as a significant deterrent to the use of this mechanism.

Penalties

FIRRMA directs the CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation.  31 C.F.R. 800.901(a). Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.  31 C.F.R. 800.901(b).  Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction.  31 C.F.R. 800.901(c).  Further guidance on penalties is expected in new rules to come from the CFIUS.

Conclusion

FIRRMA and the recently enacted final regulations make a variety of sweeping changes to the CFIUS process that will certainly bring more transactions under the scope of CFIUS review.  These changes were implemented in response to increased national security concerns but were carefully crafted to avoid suppressing foreign direct investment in the United States.  Nevertheless, given the significant penalties associated with violations of CFIUS regulations, it is extremely important that all parties to investment transactions take steps to ensure compliance with CFIUS regulations.


Regulators at the CFTC, FinCEN, and SEC Issue a Joint Statement on Activities Involving Digital Assets

On October 11, 2019, the chairman of the U.S. Commodity Futures Trading Commission (“CFTC”), the director of the Financial Crimes Enforcement Network (“FinCEN”), and the chairman of the U.S. Securities and Exchange Commission (“SEC”) issued a joint statement (the “Joint Statement”) to remind persons and entities engaged in activities involving digital assets of their Anti-Money Laundering/Countering the Financing of Terrorism (“AML/CFT”) obligations under the Bank Secrecy Act (“BSA”).

The Joint Statement reminds market participants that the AML/CFT obligations apply to entities the BSA defines as “financial institutions,” such as futures commission merchants and introducing brokers obligated to register with the CFTC, money services businesses as defined by FinCEN, and broker-dealers and mutual funds obligated to register with the SEC. Primary among the AML/CFT obligations is the requirement to develop and implement an effective anti-money laundering program, together with record keeping and reporting requirements, including requirements for reporting suspicious activity.

The BSA, among other things, requires certain regulated entities, including financial institutions, to develop and implement AML compliance programs reasonably designed to assure and monitor compliance with the BSA and its implementing regulations. At a minimum, a regulated entity’s AML compliance program must include:

  • A system of internal controls to ensure ongoing compliance;
  • Independent testing of AML compliance;
  • Designation of an individual or individuals responsible for managing BSA compliance;
  • A comprehensive training program for appropriate personnel; and
  • A customer identification program.

In recent years, regulators have also made it clear that the AML compliance programs must be tailored to the products offered, customer demographics, and the transaction history. In sum, financial institutions must take a hard look at their individual characteristics and develop an AML program that is reasonably designed to prevent bank customers from using financial systems for illicit purposes. Given the growth of virtual currencies and potential risks associated with the use of virtual currency for illicit purposes, it should come as no surprise that regulators are increasingly focused on ensuring that regulated entities appropriately update their AML/CFT compliance programs to take the risks associated with virtual currency into account.

The Joint Statement makes clear that the regulation of virtual currencies and digital assets in the United States will continue to be developed and overseen by multiple regulatory agencies. To determine which agency’s regulations and obligations thereunder apply, one must look to the nature of the respective digital asset-related activities and the characteristics of the respective digital asset or virtual currency. The Joint Statement includes a warning that the label or terminology used by market participants to describe the respective activity or digital asset will not impact the specific regulatory treatment afforded such activity or asset.

In sum, digital assets present a number of regulatory challenges for covered persons and entities, which will need to develop specific, effective processes in order to satisfy their AML/BSA obligations. In light of these challenges, as well as heightened expectations of government stakeholders, covered persons and entities should review and update existing policies, procedures, and systems to ensure they have the necessary infrastructure to deal with the unique regulatory issues presented by digital assets and currency.


California Attorney General Releases Proposed CCPA Regulations

Earlier this month, California Attorney General (AG) Xavier Becerra released the draft regulations for the California Consumer Privacy Act (CCPA). The proposed rules, which set forth procedures for businesses covered under the CCPA to follow for compliance, should provide the framework for the final rules and give covered businesses a head start on updating their compliance policies. The rules can be found here.

CMS Proposes Revisions to Stark Law Aimed to Facilitate Value-Based Care

On October 9, 2019, the Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) released its long-awaited Proposed Rule (Proposed Rule) updating and clarifying the physician self-referral (Stark Law) regulations, which was published in the Federal Register on October 17, 2019.

CMS’s Proposed Rule was released together with the HHS Office of Inspector General’s (OIG) proposed rule updating the anti-kickback statute (AKS) and civil monetary penalty (CMP) law regulations as part of HHS’s Regulatory Sprint to Coordinated Care, which aims to promote value-based care. HHS identified the regulations as they stand now as potential obstacles to value-based purchasing arrangements for providers and suppliers participating in federal health care programs and the commercial sector.  The proposals were launched following a series of HHS Requests for Information soliciting stakeholder feedback on (1) Stark Law burden reduction, (2) AKS and CMP refinements, and (3) reforms to the Health Insurance Portability and Accountability Act.

The proposed changes are delineated in a pair of rules issued by the Centers for Medicare and Medicaid Services (CMS) (proposed rule; fact sheet) (Stark Law) and the Office of Inspector General (OIG) (proposed rule; fact sheet) (AKS and CMP). The OIG rule also includes a new safe harbor for cybersecurity items and services, and modifications to the existing safe harbor for Electronic Health Records (EHRs).

While these proposed regulatory changes are expansive and relatively complicated, the overall direction of the changes to Stark, AKS, and CMP policies is to provide greater flexibility to providers engaging in value-based purchasing arrangements. The comment window extends through December 31, 2019. Given the potential impact of these proposed changes, there will likely be robust stakeholder feedback with finalization of the changes potentially coming sometime in the middle of 2020.

Delaware Court of Chancery Denies Director’s Motion to Compel Attorney-Client Privileged Documents

In Eric Gilmore v. Turvo, Inc., C.A. No. 2019-0472-JRS, the Delaware Court of Chancery denied a director’s Motion to Compel seeking attorney-client privileged communications between Turvo Inc.’s (“Turvo”) Preferred Directors, officers, or employees and an outside law firm. The general rule in Delaware is that all directors are within the umbrella of privilege between the Board and its counsel and, as a result, a Delaware corporation cannot assert privilege to deny a director access to legal advice furnished to the board during the director’s tenure. The communications in question took place before the Board meeting where the Preferred Directors removed plaintiff as CEO and retained the outside law firm as counsel to the Board. Plaintiff argued that, even though the Board had longstanding counsel, the outside law firm’s advice was being furnished to the Board prior to the formal engagement of the outside law firm by Turvo and therefore Plaintiff was entitled to the communications. The Court disagreed, holding that there was no basis to conclude that outside counsel had been retained by the Board before the meeting because there had been no act by the Board to hire the firm before the meeting. The Court found that any advice provided by outside counsel prior to being engaged by Turvo was in connection with its representation of one specific Preferred Stockholder of Turvo and the director it had appointed. As a result, Plaintiff was an outsider to the relationship and had no right to pierce it.

The Court’s ruling is a reminder to Delaware corporations of the weight the Court of Chancery will place on Board actions and engagement formalities in determining the availability of privilege in Board communications.

A link to the full case is below.

Gilmore v Turvo

Attorney Sean C. Wagner Gives Presentation in Washington, D.C. on Corporate Formation, Organization, and Governance Issues to Healthcare Industry Entrepreneurs

Wagner Hicks attorney Sean C. Wagner recently presented to a group of healthcare industry entrepreneurs at an event in Washington, D.C., during which he led a discussion on the importance of corporate formation, organization, and governance. During his presentation, Mr. Wagner highlighted common, preventable reasons for partnership disputes and the potentially disastrous consequences these disputes can have on otherwise successful businesses.

Wagner Hicks is a leader in providing comprehensive, proactive advice to businesses of all sizes and industries, including healthcare practices across the country, in matters involving shareholder disputes and derivative litigation, corporate governance, and other related matters.


Lead Generator Pays $30 Million to Federal Trade Commission to Settle Deceptive Lead Generation Claims

The Federal Trade Commission (FTC) recently announced that Career Education Corporation (CEC) and its subsidiaries, American InterContinental University, Inc., AIU Online, LLC, Marlin Acquisition Corporation, Colorado Technical University, Inc., and Colorado Tech., Inc. (collectively, CEC), have been ordered to pay $30 million to the FTC to settle FTC charges that CEC used sales leads from lead generators that falsely told consumers they were affiliated with the U.S. military, and that those lead generators used other unlawful tactics to generate leads. CEC’s lead generators also induced consumers to submit their information under the guise of providing job or benefits assistance. The FTC also charged that CEC’s lead generators falsely told consumers that their information would not be shared, and that both CEC and its lead generators illegally called consumers registered on the National Do Not Call (DNC) Registry.

This recent FTC enforcement action highlights the regulatory risk associated with lead generation and telemarketing activities. Given the significant regulatory risks, as well as the increasing risk of class action litigation brought under the Telephone Consumer Protection Act (TCPA), businesses should carefully evaluate their telemarketing practices to ensure compliance with the complex regulatory framework surrounding telemarketing activities.

The full text of the Proposed Stipulated Order for Permanent Injunction and Monetary Judgment is set forth below.

Career Education Corporation Proposed Stipulated Order for Permanent Injunction 8-27-19

New York Governor Cuomo Signs Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into Law

On July 25, 2019, New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. The SHIELD Act takes effect in March 2020.

The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (ITPMSA). The ITPMSA requires that credit reporting agencies suffering a breach involving Social Security numbers must provide five years of identity theft prevention and mitigation services to affected consumers. The ITPMSA takes effect in September 2019.

Changes to New York’s Data Breach Notification Law

The SHIELD Act makes several changes to the existing data breach notification law by imposing more stringent obligations on businesses handling the private data of customers, including:

  • Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
  • Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
  • Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
  • Expanding the definition of a data breach to include unauthorized access to private information; and
  • Creating reasonable data security requirements tailored to the size of a business.

If you need assistance developing and implementing a data privacy and cybersecurity compliance program that is sufficient to satisfy these new requirements, please contact us.