On October 2, 2019, the World Trade Organization (WTO) issued an arbitration decision in European Communities and Certain Member States – Measures Affecting Trade in Large Civil Aircraft, WT/DS316/ARB. The decision authorizes the United States to impose $7.5 billion in tariffs on EU imports for EU subsidies to Airbus, making the ruling the largest in the WTO’s history and providing a partial conclusion to one of the longest running WTO disputes. The US Trade Representative (USTR) announced in a press release, which is available here, that the Trump Administration plans to impose tariffs beginning October 18. USTR stated that the bulk of these tariffs will be applied to imports from France, Germany, Spain, and the United Kingdom, and that the tariff increases will be limited to 10 percent on large civil aircraft and 25 percent on agricultural and other products. The European Union is awaiting a damage award in a WTO counter-complaint against the United States and Boeing where it has sought authorization to levy duties on $12 billion worth of US products.

Background of the Dispute

The Boeing/Airbus litigation dates back to 2004 when the United States initiated WTO proceedings arguing that EU subsidies to Airbus violated the WTO Agreement on Subsidies and Countervailing Measures and the 1994 General Agreement on Tariffs and Trade. Nine months later, the European Union initiated proceedings alleging that the United States was providing WTO-inconsistent subsidies to Boeing. In the years since, the WTO has ruled that the United States and European Union both provided infringing subsidies. The United States and European Union have each made changes to comply with these rulings, but the WTO has found continued infringements. A decision on the EU case regarding US subsidies is expected in the coming months.

Potential US Measures

The United States will receive authority to impose the retaliatory tariffs as early as this month, once the WTO’s Dispute Settlement Body formally accepts the arbitration award. In its press release, USTR announced that the United States has requested the WTO to schedule a meeting on October 14 to approve a US request for authorization to take the countermeasures against the European Union. Under Section 301 of the Trade Act of 1974, the USTR has the discretion to impose tariffs on EU products for violations of the WTO trade rules, or USTR could use the arbitration decision as a starting point for further negotiations with the European Union. USTR has published two lists of EU products that could be the target of the duties that cover more than $20 billion worth of EU exports, which are available here and here. The key EU exports that USTR will likely target include wine, cheeses, motorcycles, aircraft parts, and certain helicopters. Additional listed products include seafood products, produce, certain clothing and textile products, glassware, and certain metal products and metal alloys. USTR is not required to impose tariffs on the full amount authorized by the WTO, or to apply all the tariff increases at one time.

The UK Department for International Trade issued a press statement following the ruling stating that the United Kingdom and other EU Member States subject to the case had already complied with the WTO ruling and so did not see a basis for the United States to retaliate at this point. The United Kingdom also pointed out that in a corresponding procedure brought by the European Union against the United States, it was clear that the United States had taken no steps to comply, and so retaliation against the United States would be justified.

Implications for the WTO System and US-EU

This decision and the imminent decision in the EU case will bring to a head a long-running dispute that has roiled transatlantic relations for decades. Either the United States or the European Union could eliminate the other's threat of retaliation by modifying its legislation to comply with the WTO rulings. Short of that, the United States and the European Union will be able to impose retaliatory tariffs on imports from the other, or to negotiate a resolution between the parties.

President Trump, who calls himself “Tariff Man” and argues that foreigners pay tariffs imposed by the United States, may view this decision in the US case as providing leverage with the European Union. However, an authorization to retaliate in the EU case will likely tee up a stand-off. It may not matter much in practice if the United States’ retaliation authorization is substantially larger than the European Union’s, given the large amount of trade covered by the authorizations. Increased import tariffs would harm exporting businesses and their customers in both America and Europe, and escalating tensions could unsettle markets in a time of growing economic uncertainty. As a result, there may be increased interest in finding a negotiated path forward.

One clear winner is the WTO’s appellate body. The United States has criticized the appellate body and tied up nominations of new judges such that the appellate body will soon cease to have a quorum necessary to operate. In this case, the appellate body has, as designed, made the legal determinations necessary to ascertain WTO members’ rights. These determinations have cleared the way for the protagonists, the United States and European Union, to find a resolution.


The post WTO Authorizes US Tariffs in Boeing/Airbus Arbitration Decision appeared first on Global Compliance News.


The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Clarification to the Definition of “Personal Information”

The original text of the CCPA defined “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” — an extremely expansive definition. The amendments narrowed this definition by adding a reasonableness standard. That is, “personal information” must identify, relate to, describe, be reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This means that businesses will still have to evaluate whether a particular piece of personal information is capable of being associated with a consumer or household, but this association must be reasonable in light of the information and means reasonably available to the business. Further, the amendments clarify that “personal information” does not include de-identified or aggregate information, or “publicly available information” that is lawfully made available from federal, state, or local government records.

FCRA and Vehicle Industry Exemptions

The CCPA amendments also clarified two further exemptions, one related to the Fair Credit Reporting Act (FCRA) and one related to the vehicle industry. Specifically, activities related to consumer credit reports are exempt from the CCPA, to the extent that the information is subject to the FCRA and the activities are allowed by the FCRA. Previous versions of the CCPA limited this exemption to the “sale” of information from consumer reports, but the final version of the CCPA expands the scope of the exemption to all such activities.

Further, a consumer’s right to opt-out of the “sale” of personal information does not apply to vehicle information or ownership information exchanged between a car manufacturer and new car dealer, so long as the information is used to carry out a vehicle repair covered by warranty or recall (so long as the recipient does not sell, share or use that information for any other purpose) and the information is not further shared or sold for any other purposes.

Other Notable Amendments . . . and Those that Failed

For businesses that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information, only one method of access or deletion request will be required to be provided — an email address for submitting requests. This clarification has a significant impact on those businesses that operate exclusively online, since they will no longer be required to set up a toll-free number in order to comply with CCPA requirements.

One important amendment, Assembly Bill 846, which would have protected certain loyalty programs, was removed from consideration and tabled until next year. This amendment addressed loyalty reward, discount and similar programs, and included a prohibition on the sale of personal information collected as part of those programs, as well as a limited exception to that prohibition.

The post California Consumer Privacy Act Update: What Has Changed and What Remains the Same? appeared first on Global Compliance News.


Latest release of HITRUST MyCSF® brings innovations in custom assessments, user interface, third-party assurance, and control inheritance

FRISCO, Texas – September 26, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a significant new release of its information risk and compliance assessment SaaS platform. HITRUST is continually innovating MyCSF® to help streamline and simplify how organizations assess information risk and manage compliance. The October 2019 release features a redesigned user interface, capability to create custom assessments tailored to specific regulatory or control requirements, streamlined workflows throughout the third-party assurance process, and sharing of assessments with third parties through the HITRUST Assessment XChange™.

MyCSF was designed from the start as an information risk assessment and compliance tool and engineered to streamline assessing, reporting, and remediating information risk and compliance. In addition, the platform can be used to build a robust ISRM program, lending insight into an organization’s security posture and areas of improvement, and benchmarking against the scores of similar organizations.

New features include:

  • Custom Assessments: Tailor assessments to fit an organization’s needs, selecting some or all of the controls in any of 44 authoritative sources that are mapped and harmonized in the HITRUST CSF, including ISO 27XXX, NIST 800-53, NIST Cybersecurity Framework, NIST 800-171, PCI, HIPAA, HITECH, GDPR, FFIEC, and CCPA. Customizations could include assessing against one or multiple authoritative sources, regulatory factors, or control requirements without having to add CSF baseline controls.
  • Custom Roles: Create and define access control permissions tailored to the organization.
  • Redesigned User Interface: Modern, sleek, and streamlined interface enables intuitive and faster workflow.
  • Integration to Third-Party Assurance Process: MyCSF fully supports the HITRUST CSF Assurance Program including assessment entry, assessor assignments, and submission. It also includes role assignment and workflows for the recently added Internal Assessor role, allowing internal audit and other departments to aid in the CSF Assessment process.
  • Enhanced Shared Responsibility Support: Updated functionality within MyCSF supports the HITRUST Shared Responsibility Program for inheriting controls from cloud and other service providers, streamlining the assessment and working process.
  • Integration with HITRUST Assessment XChange Portal: Makes sharing risk assessment data with third parties simple, secure, and efficient. Satisfies and streamlines customer requests to provide CSF Assessment Reports as well as customer communications concerning Corrective Action Plans (CAPs), Interim Assessments, and more.
  • Enhanced API: MyCSF also offers expanded API functions for integration with GRC and other systems.

For more information, including the MyCSF data sheet, go to https://hitrustalliance.net/mycsf.

For more information on the HITRUST Assessment XChange, go to https://hitrustax.com.

The post HITRUST Enhances Best in Class Information Risk and Compliance Assessment Platform appeared first on HITRUST.


Federal Chief Information Security Officer Grant Schneider, speaking Thursday at the Cybersecurity and Infrastructure Security Agency’s summit, said agencies have “come a long way” on cybersecurity.

He pointed to overall higher Federal Information Security Management Act and Federal Information Technology Acquisition Reform Act scores as evidence that government has turned a corner on cyber.

“I think we’re all far more operationally focused with agencies,” Schneider said. “We’re able to hold agencies accountable, or at least highlight where they’re at on metrics and really get a lot of the basic stuff done and done well.”

Jeanette Manfra, assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency

Jeanette Manfra, the assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said less time spent enforcing basic cyber hygiene standards allows CISA to play more of a cyber oversight role, providing “operational implementation guidance” of policies and setting standards.

Through two of its signature programs – Continuous Diagnostics and Mitigation, and its cyber hygiene program – Manfra said CISA has made it easier for agencies to show tangible progress in meeting their cybersecurity goals.

“What I think we’ve done well is find ways to identify indicators of success. If you don’t have an incident response plan, you probably are not doing very well. If you don’t have a patch continuous management process and policy, there are probably some problems in your organization,” she said. “There’s well understood, in the community, key indicators of success — that you can evaluate an organization just at a high level and say, ‘OK, well, you probably want to work on these things.’”

That evolution in roles, she said, plays into CISA’s mission statement of “securing today and defending tomorrow.”

But if cybersecurity is a team sport, questions still remain about bringing one former player back onto the field: The federal cybersecurity coordinator.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) urged Trump’s new National Security Adviser Robert O’Brien to bring back the cybersecurity coordinator, and argued the White House “has done little to address the vacuum left behind” when former adviser John Bolton eliminated the position last year.

“With cyber threats becoming more sophisticated and growing by the day, including the persistent threat to our election systems, there is no reason that the White House should have allowed this position to be eliminated,” Thompson said in a statement Thursday.

CISA Director Chris Krebs

CISA Director Chris Krebs said the cybersecurity coordinator, when the position was created about a decade ago, focused on “blocking and tackling,” and helping DHS engage with public and private partners. But now with CISA in place, Krebs said the agency and its partners have taken on more of that role as a coordinator.

“Now, 10 years later, we’re in a spot where a coordinator has a different job. It’s not blocking and tackling. It’s ensuring that we’re most effective coordinating policy and implementation across the interagency,” Krebs told reporters.

“There is coordination, so don’t take the lack of a coordinator for a lack of coordination,” he added.

Krebs said he has yet to meet with O’Brien, but said he would make cybersecurity a top priority at their first meeting. And if the White House brings back the coordinator role, Krebs said he would take all the help he can get.

“I think there’s space. I will take anybody in a federal agency that wants to play in this game. We will do an all-hands approach. So if a federal cybersecurity coordinator is in our future, then I really look forward to working with him,” he said.

While agencies have shown measurable progress on cybersecurity compared to where they were a decade ago, Schneider said IT modernization plays a major role in mitigating cyber vulnerabilities.

“We don’t want to build the next decade’s legacy systems tomorrow,” Schneider said. “We instead want to move to shared services and try to get agencies out of the business of doing some things that they need not be in the business of.”

Short-term cyber goals for agencies, he said, include establishing a “federal baseline for cybersecurity,” while longer-term goals include a move toward security as a shared service, as outlined in the Office of Management and Budget’s Quality Services Management Offices memo.

Grant Schneider, federal chief information security officer

But cyber readiness remains a moving target, and measuring the criteria for what makes an effective strategy can be an elusive goal.

“Can you be totally green across your scorecard and get [hacked] tomorrow by a nation-state? Absolutely,” Schneider said. “It’s an amount of, are you doing what you need to do to be as protected as possible, but it doesn’t get you to someplace that’s ‘safe.’”

Looking ahead at the next wave of cyber vulnerabilities, Donna Dodson, the National Institute of Standards and Technology’s chief cybersecurity adviser, said her agency is doubling down on efforts to build security into internet of things devices, and to ensure that industry is building the right software into devices so that there is confidence the devices are secure, rather than circling back “after the fact” on cybersecurity.

“As we look around in our networks and in our infrastructure, we see IoT in places and spaces across the federal government and with industry. It’s almost like the IT days, we really didn’t realize it was there,” Dodson said, adding that zero trust and identity management needs to play a role.

NIST held a workshop last month seeking feedback from industry partners following the release of an IoT internal report in June and a roadmap released in April that laid out areas where NIST could further advance its cybersecurity framework.

Dodson said NIST plans to hold a workshop next week that will look at “AI from a trust perspective.” The agency will also host a workshop looking for feedback on the “human factors” of IoT “smart home” devices.


Expands role of Internal Audit Department participation in streamlining HITRUST CSF Assessments

FRISCO, Texas – HITRUST, a leading data protection standards development and certification organization, released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings.

HITRUST has historically afforded two opportunities for External Assessors (formerly referred to as HITRUST CSF Assessors) to rely on the results of previously performed control testing, one being inheritance of the results of other HITRUST CSF Assessments, and the other reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program. The recently released updates clarify these options by specifying associated timing, scope, and documentation requirements.

These updates also introduce opportunities for Internal Audit or other departments, meeting specific objectivity and resource qualification requirements, to directly participate and support the CSF Assessment process, more specifically creating a new role in the CSF Assurance process called Internal Assessor. Internal Assessors will aid in the CSF Assessment process by performing testing and verification on various aspects of the process. External Assessors will now have the option of relying on work performed by an assessed entity’s Internal Assessors, which not only creates efficiencies and cost savings, but also greater organizational alignment as it relates to information security and privacy control requirements. The Internal Assessor role in the CSF Assurance process will bring benefits to both External Assessors and assessed entities:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their assessor can be reduced.
  • Teams with deep knowledge of the organization’s internal controls (such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.

“Integrating Internal Audit teams into the CSF Assessment process can be very beneficial for organizations,” says Ken Vander Wal, Chief Compliance Officer, HITRUST. “In addition to the efficiency, time, and cost savings, it can better align information security and compliance across the organization.”

Those interested in learning more, including the specific requirements for Internal Assessors, are encouraged to read the recently released CSF Assurance Program advisory notices, available at https://hitrustalliance.net/csf-assurance-bulletin/.

In addition, MyCSF is also being enhanced to enable a defined role and updated workflow to support the addition of Internal Assessors.

To read the blog visit: https://blog.hitrustalliance.net/using-work-others-initiative-hitrust-streamlines-security-control-assessments-promote-culture-risk-management-collaboration/.

The post HITRUST Releases Guidance for Relying on the Work of Others appeared first on HITRUST.


On 8 August 2019, the US Securities and Exchange Commission (SEC) issued for public comment certain proposed amendments to Regulation S-K.[1] Regulation S-K principally governs the content of disclosure documents filed by US domestic issuers. Therefore, generally speaking, most of these proposed amendments to Regulation S-K will not affect foreign private issuers (FPIs). This alert briefly discusses the portions of the Proposing Release that would apply to FPIs and certain additional information in the Proposing Release that may be of interest to them.

Background: Regulation S-K

Regulation S-K is the central source of the information required to be disclosed by US domestic issuers in registration statements under the US Securities Act of 1933, as amended (the Securities Act) and in periodic reports under the US Securities Exchange Act of 1934, as amended (the Exchange Act).[2] The SEC issued these recent proposed amendments as part of its broader efforts to make disclosure documents more readable and easier for investors to navigate, and in response to a legislative mandate to the SEC to review Regulation S-K and pare it back where possible.

The proposed amendments would affect parts of Item 101 (Business Description),[3] Item 103 (Legal Proceedings) and Item 105 (Risk Factors). The SEC characterizes its current disclosure requirements as “prescriptive” in that the same quantitative disclosure thresholds apply to all issuers or require all issuers to disclose the same type of information, which may not reflect information that is material to every business. The proposed amendments to Items 101 and 105 reflect SEC determinations to adopt “principles-based” disclosure, which the SEC believes will be tailored to issuers’ particular circumstances and, at least for these items, to move away from the “prescriptive disclosure” requirement. The SEC also believes that the changes to these items may elicit disclosure with a greater focus on information that is material to individual businesses. In contrast, Item 103 (Legal Proceedings) would remain prescriptive, reflecting the SEC’s belief that disclosure of such matters depends less on the specific characteristics of individual issuers. The proposed revisions to Item 103 include amendments intended to eliminate repetitive disclosure and raise the monetary threshold for disclosure of certain proceedings.

The immediate reaction to the proposed amendments has been mixed. Many public companies – particularly larger companies that are more closely watched by shareholders and the media, and those that face “activist” shareholders — tend to over-disclose rather than potentially face shareholder lawsuits arising out of adverse events. The SEC’s intention to address such over-disclosure is particularly evident in the proposed revisions to Item 105 (Risk Factors) discussed below.

Application of Proposing Release to FPIs

Regardless of the proposal’s ultimate effects on US domestic issuers, the immediate effects on FPIs would be limited since, as noted above, Regulation S-K applies principally to US domestic issuers.[4] The content of disclosure documents filed by FPIs is set forth primarily in SEC Form 20-F. Form 20-F is, essentially, a stand-alone catalog of required disclosures by FPIs. FPIs must file Form 20-F both to register a class of securities under the Exchange Act (generally in connection with a listing) and as an annual report under the Exchange Act. Form 20-F is also the source of most of the information required to be included in registration statements under the Securities Act filed by FPIs. However, an FPI that registers its securities for sale under the Securities Act is required to provide a discussion of risk factors in accordance with Item 105 of Regulation S-K. Thus, the proposed changes to Item 105 will affect disclosure by FPIs should they choose to conduct a registered public offering in the US.

The SEC’s Proposing Release contains the following key changes to Regulation S-K Item 105 (Risk Factors):

  • Documents containing risk factor disclosure exceeding 15 pages would have to include summary risk factor disclosure in the forepart of the prospectus or report, under an appropriate heading.
  • In lieu of disclosing the “most significant” risk factors as now required, issuers would be required to disclose “material” risk factors.
  • Risk factors would be required to be organized under relevant headings.

The SEC is proposing these revisions to Item 105 “to address the lengthy and generic nature of the risk factor disclosure presented by many registrants,” and notes that a contributing factor to the increased length of risk factor disclosure appears to be the inclusion of “generic, boilerplate risks that could apply to any offering or registrant.”[5] The first and third bullets above appear to reflect existing practices by many issuers, and should be familiar to many FPIs. The EU Prospectus Directive requires a risk factors summary and, as noted by the SEC in the Proposing Release, many issuers already organize their risk factors disclosure under relevant headings.[6] The second bullet above, replacing disclosure of the “most significant risks” with disclosure of “material” risks, is intended to emphasize disclosure of the risks to which a reasonable investor would attach importance in making investment decisions.[7] The SEC believes that this change could result in risk factor disclosure more tailored to the facts and circumstances of each issuer, reducing immaterial disclosure and thereby shortening risk factor disclosure.

Apart from the specific changes to Item 105 that will affect FPIs when they register securities under the Securities Act, FPIs will also be interested in the SEC’s requests for comments on all the proposed revisions at pages 53-54, 64 and 74 of the Proposing Release. On these pages, the SEC solicits comments specifically addressing whether comparable changes should be made to the analogous disclosure requirements of Form 20-F. It is interesting to note that question 27, on page 53, acknowledges that the requirements of Form 20-F are largely prescriptive, rather than principles-based. Paradoxically perhaps, the prescriptive nature of Form 20-F for FPIs may be contrasted with the principles-based approach for financial statements embodied in International Financial Reporting Standards (IFRS), used by many FPIs to prepare the financial statements included in their SEC filings. Unlike IFRS, US GAAP used by US domestic issuers is considered to be “rules-based,” i.e., prescriptive. Thus, if the amendments to Regulation S-K are adopted as proposed, the use of prescriptive versus principles-based disclosure for the non-financial and financial portions of disclosure documents filed by US domestic companies and FPIs could reflect contrasting trends, with US issuers providing principles-based non-financial disclosure and rules-based financial statements and FPIs doing just the opposite. If any such contrasting trend were perceived as an impediment to comparability of disclosure by US issuers and FPIs, that might ultimately motivate the SEC to revise Form 20-F to provide for principles-based disclosure requirements as well. A countervailing consideration could be the fact that the present non-financial portions of Form 20-F were revised in 1999 to harmonize Form 20-F with the non-financial international disclosure standards endorsed by the International Organization of Securities Commissions (IOSCO). One of IOSCO’s objectives was the promotion of the use of a single disclosure document that would be accepted in multiple jurisdictions. In its request for comments regarding possible revisions to Form 20-F comparable to the proposed Regulation S-K amendments, the SEC asked specifically whether such revisions would reduce the ability of FPIs to use a single document in multiple jurisdictions.[8]

The comment period for the proposed amendments expires 60 days following publication of the Proposing Release in the Federal Register.

1. See Securities and Exchange Commission Release No. 33-10668, Modernization of Regulation S-K Items 101, 103, and 105, available at https://www.sec.gov/rules/proposed/2019/33-10668.pdf (the Proposing Release).

2. The full title of Regulation S-K is “Standard Instructions for Filing Forms Under the Securities Act of 1933, the Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975.” The complete text of Regulation S-K is set forth as Part 229 of Title 17 of the Code of Federal Regulations.

3. This Alert does not discuss the proposed revisions to Item 101 of Regulation S-K, the business description required to be provided by US domestic issuers. The Proposing Release includes an extensive description and explanation of these proposed amendments at pp. 12-54 of the release.

4. Regulation S-K also governs disclosures by non-US companies that elect to use US domestic registration and reporting forms, and by foreign issuers that do not qualify as FPIs. The SEC’s rules define “foreign private issuer” as any foreign issuer other than a foreign issuer that has more than 50 percent of its outstanding voting securities directly or indirectly owned of record by US residents and having (i) a majority of its executive officers or directors who are US citizens or residents, (ii) more than 50% of its assets located in the US, or (iii) its business administered principally in the US.

5. Proposing Release at pp. 65, 66. The Proposing Release also acknowledges that commentators attribute the growing length of risk factor disclosure to the litigation risk associated with a failure to disclose if events turn negative.

6. Proposing Release at p. 71.

7. The SEC’s position reflects the definition of “material” in Rule 405 under the Securities Act, under which material information is “information . . . to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security.”

8. Proposing Release at p. 53.

The post US: SEC Proposes Amendments to Regulation S-K: What Foreign Private Issuers Need to Know appeared first on Global Compliance News.


Establishes New Board Subcommittee and Leverages Automation and Analytics to Drive Further Improvements in Quality, Consistency, and Efficiency of CSF Assessments and Reports

FRISCO, Texas – September 4, 2019 – HITRUST, a leading data protection standards development and certification organization, continues its commitment to improving and ensuring the quality, consistency, and efficiency of information security and privacy assessments with the establishment of a new Quality Assurance Subcommittee of its Board of Directors, release of new Assurance Advisories, and introduction of new quality verification capabilities within the HITRUST MyCSF.

The unique approach of HITRUST’s Assurance Program affords numerous oversight and quality advantages over other assurance programs and certifying bodies, most notably that HITRUST has centralized the assurance and compliance aspects for all HITRUST CSF reporting. This translates into HITRUST CSF Assessment Reports being more consistent and more reliable than other reports which do not centralize robust reporting and review processes. Many advantages are gained by incorporating assessment requirements, assessment guidance, assessor training, assessment platform, and automated and manual quality assurance reviews into a single holistic program across the overall assurance ecosystem. This approach enables HITRUST to continuously monitor adherence to assessment requirements by assessed entities, assessor firms, and the HITRUST Assurance team.

Leveraging this centralized reporting and oversight enables continuous improvement to each aspect of the HITRUST CSF Assurance Program thereby increasing efficiency, integrity, transparency, consistency and ultimately the ‘rely-ability’—a term defined by HITRUST as the ability to rely upon, or trust, the information provided by another—of the HITRUST CSF Assessment Reports.

To provide additional governance and oversight of the CSF Assurance Program, a new Quality Assurance Subcommittee of the Board of Directors is being formed. This further demonstrates HITRUST’s recognition of the importance of quality and consistency.

Ken Vander Wal, HITRUST’s Chief Compliance Officer and Chairman of the new Quality Assurance Subcommittee, spoke to his new role, saying, “I view the role of the Quality Subcommittee similar to that of an Audit Committee. It will independently review what controls and processes HITRUST has in place to ensure quality and consistency across the entire program, review metrics used by HITRUST to measure quality at every level of the process, provide feedback where changes are required, and make recommendations for process improvements when appropriate.”

Other prominent subcommittee members include Kevin Charest, Divisional Vice President and Chief Information Security Officer, Health Care Service Corporation; Robert Booker, Chief Information Security Officer, UnitedHealth Group; and Mike Calhoun, Director of Benefit Plan and Supplier Governance, AT&T. The subcommittee will be briefed on key indicators quarterly by HITRUST’s Vice President of Assurance, Bimal Sheth, and HITRUST’s Vice President of Compliance, Jeremy Huval.

HITRUST also recently released new Assurance Advisories which introduce an updated assessment scoring rubric, updated PRISMA control maturity weightings, and a new automated quality checking capability that will be released in the HITRUST MyCSF platform. These advisories are based on analysis of, and feedback on, areas in which HITRUST’s assurance process can be improved.

  • HITRUST’s scoring rubric assists organizations and their assessors in assessment scoring level determinations. This rubric’s recent enhancements bring improved usability, added clarity, and better harmonization with HITRUST’s Risk Analysis Guide. Key changes include adding definitions for assessment terminology, assessment examples and guidance, and inclusion of a scoring lookup table for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
  • The PRISMA maturity model’s updated point weightings better reflect the value that each maturity level brings to an organization’s risk management stance. The increased weighting of the Implemented level, which is now worth double any other single level, aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.
  • The use of quality-focused analytics is reflective of HITRUST’s ongoing commitment to innovation. Dozens of automated routines will help identify potential issues prior to submissions of an assessment. Potential scoring inconsistencies, compliance gaps, and commenting issues will be brought to the attention of organizations and their assessors before submitting the assessment for assurance review by HITRUST. This automation also equips HITRUST to perform Quality Assurance checks in a more timely manner—reducing the lead time between assessment submission and report issuance.

To read more about the newly implemented Assurance Advisories, visit https://hitrustalliance.net/csf-assurance-bulletin/.

Read the full press release here.

The post HITRUST Further Invests to Ensure ‘Rely-Ability’ of Information Risk Assessments appeared first on HITRUST.


On August 5, 2019, President Trump issued Executive Order 13884 (“Venezuela EO”) blocking all property of the Government of Venezuela (“GOV”), a significant escalation of sanctions against the regime of President Maduro. Statements issued by the White House and State Department indicate that this escalation is meant to target the Maduro regime for its continued abuses of human rights and repression. The US Department of Treasury’s Office of Foreign Assets Control (“OFAC”) concurrently issued 12 amended general licenses and 13 new general licenses, new and revised FAQs, and guidance related to the provision of humanitarian assistance and support to the Venezuelan people.

The Venezuela EO targets only the GOV and entities owned 50% or more or otherwise controlled by the GOV, and thus does not place Venezuela under a full territorial embargo. Transactions with private Venezuelan parties that can be effected without the involvement of the GOV remain permissible.

The new sanctions prohibit virtually all US Person dealings with the GOV by blocking the property and interests in property of the GOV that are in the United States, that come within the United States, or that come within the possession or control of US Persons (i.e., US companies and their branches, US banks, US citizens and permanent resident aliens, any person physically located in the United States). GOV funds, contracts or other property interests that come into the possession or control of US Persons must be blocked and reported to OFAC.

The GOV is defined broadly under the Venezuela EO and includes:

  • any political subdivision, agency, or instrumentality thereof, including the Central Bank of Venezuela (“CBV”) and Petroleos de Venezuela (“PdVSA”);
  • any person owned or controlled, directly or indirectly, by the foregoing, which potentially expands the reach of the prior sanctions against PdVSA so that they now cover PdVSA affiliates that are less than 50% owned but still controlled by PdVSA; and
  • any person who has acted or purported to act directly or indirectly for or on behalf of any of the foregoing, including as a member of the Maduro regime.

The Venezuela EO also includes expansive authority to block any other person determined by the US Government to (i) have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any person” who is blocked under the Venezuela EO, or (ii) be owned or controlled by, or have acted on behalf of, any person who is blocked under the Venezuela EO. Thus, even non-US companies could be exposed to the risk of collateral designation as Specially Designated Nationals (“SDNs”) if they materially assist or provide goods or services to GOV entities.

Newly Issued General Licenses

OFAC has concurrently amended and issued numerous general licenses authorizing certain activities by US Persons. Below we highlight several key general licenses.

  • Wind Down of Transactions with the GOV

Newly issued General License 28 authorizes all transactions and activities ordinarily incident and necessary to the wind down of operations, contracts, or other agreements involving the GOV that were in effect prior to August 5, 2019. All wind down activities must be completed by September 4, 2019. General License 28 does not extend the authorization of wind-down periods that have expired for PdVSA, CBV, or other GOV entities that were previously designated as SDNs.

  • Intellectual Property Related Transactions

Newly issued General License 27 authorizes certain transactions, including payments of fees to the GOV related to the filing, receipt, renewal, maintenance, and prosecution of patents, trademarks, copyright, and other forms of intellectual property. General License 27 does not authorize assignments, licensing or other transfers of intellectual property to the extent such activities involve the GOV, for example, where recordal or the payment of fees is required or where the assignment is to a GOV entity. This general license does not have an expiration date.

  • Transactions with the Government of the Interim President of Venezuela

Consistent with the US Government’s official recognition of Juan Guaidó as the Interim President of Venezuela, newly issued General License 31 authorizes US Persons to engage in all otherwise prohibited transactions involving (i) the Venezuelan National Assembly; (ii) the Interim President of Venezuela Juan Guaidó and his representatives and staff; and (iii) any person appointed by Guaidó to the board of directors or as an executive officer of a GOV entity, unless otherwise prohibited under relevant sanctions. This general license does not have an expiration date.

  • Transactions Related to Port and Airport Operations in Venezuela

New General License 30 authorizes all transactions and activities involving the GOV that are ordinarily incident and necessary to operations or use of ports and airports in Venezuela. Exports or reexports of diluents, whether directly or indirectly, to the GOV are prohibited. This general license does not have an expiration date.

  • Dealings Between Financial Institutions and the GOV

In newly issued FAQ 680, OFAC advises that it expects financial institutions to conduct due diligence on their own direct customers (including, for example, their ownership structure) to confirm that those customers are not persons whose property and interests in property are blocked. With regard to other types of transactions where a financial institution is acting solely as an intermediary and fails to block transactions involving a sanctions target, OFAC will consider the totality of the circumstances surrounding the bank’s processing of the transaction to determine what, if any, regulatory response is appropriate.

In addition, newly issued General License 21 authorizes: (i) US financial institutions to debit any account blocked pursuant to the Venezuela EO or EO 13850 held by that financial institution in payment or reimbursement for normal service charges owed by the owner of the blocked account, and (ii) transfers of funds or credit by US financial institutions between blocked accounts by their branches or offices, as long as no transfers are made from accounts in the United States to accounts outside the United States and provided that the transfer is from one blocked account to another blocked account held in the same name. Normal service charges include charges in payment or reimbursement for interest due; cable, telegraph, internet, or telephone charges; postage costs; custody fees; small adjustment charges to correct bookkeeping errors; as well as minimum balance charges, notary and protest fees, and charges for reference books, photocopies, credit reports, transcripts of statements, registered mail, insurance, stationery and supplies, and other similar items. This general license does not have an expiration date.

  • Humanitarian Assistance and Support for the Venezuelan People, Sales of Ag/Med Commodities

OFAC amended General License 20A (authorizing official activities of certain international organizations) and issued several general licenses to ensure the continued flow of humanitarian goods and services to the Venezuelan people, including General License 22 (goods and services related to Venezuela’s mission to the United Nations), General License 23 (authorizing funds transfers related to certain third-country diplomatic/consular funds), General License 24 (transactions involving telecommunications and mail), General License 25 (export/reexport for the exchange of communications over the Internet), General License 26 (emergency and medical services), and General License 29 (transactions involving certain activities by nongovernmental organizations). These general licenses do not have an expiration date. OFAC also issued Guidance emphasizing that OFAC will maintain a favorable specific licensing policy for supporting the provision of humanitarian assistance, and all specific license applications will be reviewed on a case-by-case basis.

Amended General Licenses

  • Transactions with PDVH, CITGO, and NYNAS AB

Most dealings with PDV Holding, Inc. (“PDVH”), CITGO Holding, Inc. (“CITGO”), and Nynas AB and their subsidiaries continue to be authorized (although still subject to certain limitations) under amended General License 7C (valid for 18 months from the effective date of General License 7C or its subsequent renewal), General License 2A (no expiration), and General License 13C (valid through October 24, 2019).

  • Transactions with PdVSA

Amended General License 8C continues to authorize all transactions and activities ordinarily incident and necessary to operations in Venezuela involving PdVSA or its 50%-or-more-owned subsidiaries that are otherwise prohibited by Executive Order 13850 and now the Venezuela EO, for the following entities and their subsidiaries: Chevron Corporation; Halliburton; Schlumberger Limited; Baker Hughes; and Weatherford International. This amended General License 8C does not, however, appear to cover such operations involving PdVSA entities that are less than 50% owned by PdVSA but nonetheless still controlled and now blocked under the new Venezuela EO. (Valid through October 24, 2019.)

Amended General License 10A continues to authorize US Persons in Venezuela to purchase from PdVSA or its 50%-or-more-owned subsidiaries (again, apparently not including entities less than 50% owned but still controlled by PdVSA) refined petroleum products for personal, commercial, or humanitarian uses, but it does not allow the commercial resale, transfer, exportation, or reexportation of those products. It also clarifies that payments of taxes, fees, and import duties to, and purchase or receipt of permits, licenses, or public utility services from, the GOV related to the purchase of such products are authorized. This general license does not have an expiration date.

  • Dealings in Debt and Securities

General License 3F was amended to cover transactions otherwise prohibited by the Venezuela EO. US Persons can continue to engage in transactions related to, provide financing for, and otherwise deal in bonds that (i) are specified in the Annex to General License 3F provided that any divestments or transfer of, or facilitation of divestment or transfer of, any holdings in those bonds are to a non-US person; or (ii) were issued prior to the effective date of Executive Order 13808 by US Person entities owned or controlled, directly or indirectly, by the GOV (e.g., CITGO Holding, Inc.). The wind-down of financial contracts and other agreements entered into prior to February 1, 2019 at 4:00 p.m. EST involving the specified bonds is also authorized. (Valid through September 29, 2019.)

General License 9E was also amended to explicitly cover transactions otherwise prohibited by the Venezuela EO. US Persons can continue to engage in (i) transactions that are ordinarily incident and necessary to dealings in any debt of, or equity in, PdVSA or any entity owned 50% or more by PdVSA (but again, apparently not those entities less than 50% owned but still controlled by PdVSA) (together, “PdVSA securities”) issued prior to August 25, 2017, provided that any divestment or transfer of, or facilitation of divestment or transfer of, any holdings in such debts must be to a non-US person, (ii) transactions that are ordinarily incident and necessary to dealing in bonds issued prior to August 25, 2017 by the following PdVSA entities and their subsidiaries: PDVH, CITGO, and Nynas, and (iii) transactions ordinarily incident and necessary to wind-down of financial contracts or other agreements that were entered into prior to January 28, 2019 at 4:00 p.m. EST involving PdVSA securities. The latter authorization is valid through September 29, 2019.

  • Sales of Ag/Med Commodities

Amended General License 4C continues to authorize US Persons to engage in certain transactions ordinarily incident and necessary to the export/reexport from the United States or by US Persons of agricultural commodities, medicine, medical devices, replacement parts and components for medical devices, and now also software updates for medical devices, to Venezuela or to persons in third countries purchasing specifically for resale to Venezuela. This general license does not have an expiration date.

  • Dealings with the CBV, Banco Bicentenario del Pueblo, and Banco del Tesoro

Amended General License 15B and General License 16B now cover Banco del Tesoro (in addition to the previously covered Banco de Venezuela and Banco Bicentenario del Pueblo), but otherwise remain unchanged. (Valid through March 21, 2020.)

  • Transactions Related to Integracion Administradora de Fondos de Ahorro Previsional, S.A.

Amended General License 18A continues to authorize certain transactions ordinarily incident and necessary to maintain or operate Integracion Administradora de Fondos de Ahorro Previsional, S.A., whose fund administrator is owned 50% or more by Bandes Uruguay. This general license does not have an expiration date.

All of the above-described general licenses are subject to important terms and limitations. Companies should, therefore, carefully review the amended and newly issued general licenses and other relevant regulations when considering dealings with and/or exports/reexports to or involving Venezuela.


The foregoing is intended only to provide a general summary of recent developments regarding the escalation of US sanctions and export controls targeting Venezuela. If you have any questions about how these changes might affect your company or if you require advice on any specific transactions or plans, please contact one of the members of Baker McKenzie’s International Commercial Practice Group.

The post US Government Escalates Sanctions Against the Government of Venezuela appeared first on Global Compliance News.


A vexing issue under the California Consumer Privacy Act is how to interpret the definition of “sale” and how to know if exceptions – like that for a “service provider” – apply.

When asked, most companies state honestly they do not “sell” customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (“consideration”) between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.

In general, the CCPA imposes strict requirements on the “sale” of personal information (e.g., “Do Not Sell My Personal Information” button on homepages, rights to opt out, and the like). Businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of “sale” under the CCPA for disclosures to a “service provider.” The due diligence should involve a review under the existing contractual terms and may require modifications to the underlying agreement and obligations of the parties.

What qualifies as a ‘service provider’?

The CCPA distinguishes between service providers and third parties by describing a third party in the negative and by setting out the requirements for a written contract that governs a data transfer between parties. Under the law’s construction, a “service provider” is:

(1) A legal entity organized for profit.

(2) That processes personal information on behalf of a business.

(3) To which the business discloses a consumer’s personal information for a business purpose.

(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.

Businesses must also:

(5) Provide proper notice to consumers about personal information sharing practices.

(6) Prohibit the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.

In addition, if the service provider agrees to additional contractual terms to assure that it does not qualify as a “third party,” the business will benefit from certain liability protection. In particular, the business would need to include a provision in the written contract that

(7) Prohibits the recipient from:

(a) Selling the personal information.

(b) Retaining, using or disclosing the personal information for any purpose other than performing the services.

(c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.

The business would also need to:

(8) Obtain a certification that the recipient understands these restrictions and will comply with them.

In practice, the provisions required under elements (7) and (8) largely overlap with those of elements (1) through (6), but they are treated separately here to help understand how they may be applied to actual scenarios.

How does the service-provider exception play out in practice?

Website-hosting provider

A website-hosting provider would be a logical vendor to consider as a service provider, depending on the specifics of the arrangement. For example, does the provider assert broad rights to use personal information collected on the site for its own purposes? Does the provider exchange any consideration with third-party advertising agencies with respect to cookies and other tags placed on users of the site?

These factors would suggest that the vendor might not meet element (6) and might be reluctant to enter into a written contract that significantly cuts back on these rights. Also, what about element (3), which suggests that the business must physically disclose the data to the vendor and the vendor cannot directly collect the data from the consumer? It seems unlikely that a vendor should be disqualified from the service-provider exception on this basis alone, as there is no strong public policy reason why an agent cannot be hired to collect data on behalf of a business, but because there is no official guidance on this point, it will be important to track this issue carefully.

Customer relationship management provider

A CRM provider would also seem to be a good candidate for the service-provider exception, again depending on the specifics. For example, what if the CRM provider uses personal information of multiple customers to perform broad market analysis and forecasting of trends and provides that data back to each of its business customers as a service?

Although the data is not shared in identifiable form across the different business customers, the underlying analysis would use the personal information and would benefit multiple customers. This appears to raise an issue under element (6) and a potential concern for the contractual obligations under elements (4), (7) and (8). The extent of the concern, however, could potentially be reduced by further contractual terms. For example, if the “business purpose” as defined in the services contract included an obligation for the provider to deidentify data and to use the data for analytics in order to provide the market and trending analysis back to the business customer, this could bring these activities closer to a use on behalf of the business and the definition of “service provider.”

Independent auditor

Unlike the prior two examples, an independent auditor is an example that might be at odds with the core definition of a service provider and omitted from the exception. The federal securities laws generally require publicly held companies to engage an independent auditor to report on the accuracy of financial reports that the company files with the U.S. Securities and Exchange Commission. By definition, the auditor is not collecting and analyzing information “on behalf of” the company when it analyzes data, including personal information, as an independent assessor of the company’s financial statements. As such, an independent auditor likely does not meet element (2) where it does not act “on behalf of” the business.

What are the other options?

If the vendor is not a “service provider,” does that mean the disclosure is always a “sale”? No.

The business should examine whether there are other grounds to show that the disclosure is not a sale. For example, regarding the independent auditor, the business could say that there is no valuable consideration exchanged for the personal information obtained in the audit given that an auditor does not in any meaningful sense pay for the data. The business could also assert the independent auditor is not a “third party” that triggers the “sale” provision if the business imposes a written contract that includes elements (7) and (8). Note that these elements do not include the “on behalf of” requirement that applies to service providers, so it might fit for an independent auditor.

Ultimately, in preparation for the CCPA, each business should conduct a due diligence process across its personal information sharing arrangements to determine whether disclosures that do not appear to meet the exceptions described above are subject to other exceptions to sale, such as sharing at the direction of the consumer. A thoughtful assessment is needed given the newness of the rules and the complexity of arrangements in the digital age.

*This article was first published on iapp.org.

The post US: How to Know If Your Vendor is a ‘Service Provider’ Under CCPA appeared first on Global Compliance News.



On 27 March 2019, in Lorenzo v. SEC, the US Supreme Court handed the Securities and Exchange Commission (the “SEC”) a victory. In this case, the Supreme Court held that Francis Lorenzo, an investment banker, could be liable under Rule 10b-5 for disseminating material misleading statements even though he had not made the statements.

Lorenzo refines the law that previous cases had established regarding the liability of “non-makers” of material misleading statements. Certainly, this case expands the applicability of the anti-fraud liability under Rule 10b-5.

The statutory foundation of the anti-fraud liability in the United States

Section 10(b) of the Securities Exchange Act of 1934 imposes liability on any person who employs a manipulative or deceptive device in connection with the purchase or sale of a security. Rule 10b-5 specifies the type of conduct that gives rise to liability. In particular, the conduct can consist of:

  • the employment of any device, scheme, or artifice to defraud (subparagraph (a));
  • the making of a material misstatement or the omission to state a material fact that makes the statement misleading (subparagraph (b)); or
  • any act or practice which operates as a fraud (subparagraph (c)).

Section 10(b) and Rule 10b-5, however, do not apply primary liability to aiders and abettors. An aider and abettor is a person who knowingly or recklessly provides substantial assistance to another person who violates the securities law. Thus, an aider and abettor can only be secondarily liable with respect to a primary violation of the securities law, such as Section 10(b) and Rule 10b-5.

The law before Lorenzo

Historically, the Supreme Court had denied a right of action under Rule 10b-5(b) for material misstatements against a party who had not made the statements. According to the Supreme Court, such right of action amounted to an impermissible claim for a primary violation against an aider and abettor. In particular, the Supreme Court denied such right in Central Bank of Denver v. First Interstate Bank of Denver, 511 US 164 (1994), Stoneridge Investment Partners v. Scientific-Atlanta, 552 US 148 (2008), and Janus Capital Group, Inc. v. First Derivative Traders, 564 US 135 (2011).

In these cases, the defendants were not the makers of the statements. In Central Bank, Central Bank was the indenture trustee. In Stoneridge, Scientific Atlanta and Motorola were clients of the issuer. In Janus, Janus Capital Management and Janus Capital Group were, respectively, the issuer’s investment adviser and the investment adviser’s controlling entity. Although all the defendants had knowingly or intentionally participated in the “making” of the material misstatements, none of them was found to have violated Rule 10b-5(b). The logic behind the holdings, as explained in Janus, was that the defendants did not have ultimate authority over the content of the statements and how and whether to communicate the statements.

The Supreme Court, however, only considered Rule 10b-5(b). Nothing was held on the application of Rule 10b-5(a) or (c) to a non-maker of material misstatements. This is where Lorenzo refines the law.

Lorenzo v. SEC

Francis Lorenzo, the defendant, was a director of an investment banking firm engaged in a $15 million bond offering. On his supervisor’s instructions, Lorenzo emailed potential investors stating that the issuer had intellectual property assets worth $10 million, while in reality the assets were almost worthless. Significantly, Lorenzo and his supervisor knew that the assets were almost worthless.

The Supreme Court held Lorenzo liable under Rule 10b-5. Even though Lorenzo could not be liable under Rule 10b-5(b) for making material misstatements, as his supervisor had “ultimate authority” over the misstatements (and so was their maker), Rule 10b-5(b) is not exclusive of Rule 10b-5(a) or (c). Thus, Rule 10b-5(a) and (c) can apply to a claim for material misstatements filed against a non-maker. The Supreme Court stated that if Rule 10b-5(b) prevented the application of Rule 10b-5(a) and (c), then a non-maker could never be liable as a primary violator of Rule 10b-5, even where the non-maker had intentionally, knowingly or recklessly disseminated material misstatements.

Overseas application of Lorenzo

The rule devised in Lorenzo may also apply overseas. In Robert Morrison v. National Australia Bank, 561 US 247 (2010), the Supreme Court held that Rule 10b-5 applies whenever a security is purchased or sold in the United States, or the security purchased or sold is listed on a US stock exchange. Lorenzo’s holding, however, will not apply where the foreign securities transaction has no connection with the United States.

Lorenzo has provided the SEC and private parties with a sharper weapon. In the future, non-makers can be liable as primary violators under Rule 10b-5. This means that anyone, including investment bankers acting as underwriters or placement agents, could be held liable through their active and knowing participation in the distribution of a misstatement made by a different person. Whether Lorenzo will actually translate into an increase in litigation by the SEC and private parties against investment bankers (or any other non-maker), however, is difficult to predict, as Lorenzo’s outcome was facilitated by Lorenzo’s admission that he knowingly disseminated a material misstatement.

The post The implications of Lorenzo v. SEC on Rule 10b-5 appeared first on Global Compliance News.