On 8 August 2019, the US Securities and Exchange Commission (SEC) issued for public comment certain proposed amendments to Regulation S-K.[1] Regulation S-K principally governs the content of disclosure documents filed by US domestic issuers. Therefore, generally speaking, most of these proposed amendments to Regulation S-K will not affect foreign private issuers (FPIs). This alert briefly discusses the portions of the Proposing Release that would apply to FPIs and certain additional information in the Proposing Release that may be of interest to them.

Background: Regulation S-K

Regulation S-K is the central source of the information required to be disclosed by US domestic issuers in registration statements under the US Securities Act of 1933, as amended (the Securities Act) and in periodic reports under the US Securities Exchange Act of 1934, as amended (the Exchange Act).[2] The SEC issued these recent proposed amendments as part of its broader efforts to make disclosure documents more readable and easier for investors to navigate, and in response to a legislative mandate to the SEC to review Regulation S-K and pare it back where possible.

The proposed amendments would affect parts of Item 101 (Business Description),[3] Item 103 (Legal Proceedings) and Item 105 (Risk Factors). The SEC characterizes its current disclosure requirements as “prescriptive” in that the same quantitative disclosure thresholds apply to all issuers or require all issuers to disclose the same type of information, which may not reflect information that is material to every business. The proposed amendments to Items 101 and 105 reflect SEC determinations to adopt “principles-based” disclosure, which the SEC believes will be tailored to issuers’ particular circumstances and, at least for these items, to move away from the “prescriptive disclosure” requirement. The SEC also believes that the changes to these items may elicit disclosure with a greater focus on information that is material to individual businesses. In contrast, Item 103 (Legal Proceedings) would remain prescriptive, reflecting the SEC’s belief that disclosure of such matters depends less on the specific characteristics of individual issuers. The proposed revisions to Item 103 include amendments intended to eliminate repetitive disclosure and raise the monetary threshold for disclosure of certain proceedings.

The immediate reaction to the proposed amendments has been mixed. Many public companies – particularly larger ones that are more closely watched by shareholders and the media, and those that face “activist” shareholders – tend to over-disclose rather than potentially face shareholder lawsuits arising out of adverse events. The SEC’s intention to address such over-disclosure is particularly evident in the proposed revisions to Item 105 (Risk Factors) discussed below.

Application of Proposing Release to FPIs

Regardless of the proposal’s ultimate effects on US domestic issuers, the immediate effects on FPIs would be limited since, as noted above, Regulation S-K applies principally to US domestic issuers.[4] The content of disclosure documents filed by FPIs is set forth primarily in SEC Form 20-F. Form 20-F is, essentially, a stand-alone catalog of required disclosures by FPIs. FPIs must file Form 20-F both to register a class of securities under the Exchange Act (generally in connection with a listing) and as an annual report under the Exchange Act. Form 20-F is also the source of most of the information required to be included in registration statements under the Securities Act filed by FPIs. However, an FPI that registers its securities for sale under the Securities Act is required to provide a discussion of risk factors in accordance with Item 105 of Regulation S-K. Thus, the proposed changes to Item 105 will affect disclosure by FPIs should they choose to conduct a registered public offering in the US.

The SEC’s Proposing Release contains the following key changes to Regulation S-K Item 105 (Risk Factors):

  • Documents containing risk factor disclosure exceeding 15 pages would have to include summary risk factor disclosure in the forepart of the prospectus or report, under an appropriate heading.
  • In lieu of disclosing the “most significant” risk factors as now required, issuers would be required to disclose “material” risk factors.
  • Risk factors would be required to be organized under relevant headings.

The SEC is proposing these revisions to Item 105 “to address the lengthy and generic nature of the risk factor disclosure presented by many registrants,” and notes that a contributing factor to the increased length of risk factor disclosure appears to be the inclusion of “generic, boilerplate risks that could apply to any offering or registrant.”[5] The first and third bullets above appear to reflect existing practices by many issuers, and should be familiar to many FPIs. The EU Prospectus Directive requires a risk factors summary and, as noted by the SEC in the Proposing Release, many issuers already organize their risk factors disclosure under relevant headings.[6] The second bullet above, replacing disclosure of the “most significant risks” with disclosure of “material” risks, is intended to emphasize disclosure of the risks to which a reasonable investor would attach importance in making investment decisions.[7] The SEC believes that this change could result in risk factor disclosure more tailored to the facts and circumstances of each issuer, reducing immaterial disclosure and thereby shortening risk factor disclosure.

Apart from the specific changes to Item 105 that will affect FPIs when they register securities under the Securities Act, FPIs will also be interested in the SEC’s requests for comments on all the proposed revisions at pages 53-54, 64 and 74 of the Proposing Release. On these pages, the SEC solicits comments specifically addressing whether comparable changes should be made to the analogous disclosure requirements of Form 20-F. It is interesting to note that question 27, on page 53, acknowledges that the requirements of Form 20-F are largely prescriptive, rather than principles-based. Paradoxically perhaps, the prescriptive nature of Form 20-F for FPIs may be contrasted with the principles-based approach for financial statements embodied in International Financial Reporting Standards (IFRS), used by many FPIs to prepare the financial statements included in their SEC filings. Unlike IFRS, US GAAP used by US domestic issuers is considered to be “rules-based,” i.e., prescriptive. Thus, if the amendments to Regulation S-K are adopted as proposed, the use of prescriptive versus principles-based disclosure for the non-financial and financial portions of disclosure documents filed by US domestic companies and FPIs could reflect contrasting trends, with US issuers providing principles-based non-financial disclosure and rules-based financial statements and FPIs doing just the opposite. If any such contrasting trend were perceived as an impediment to comparability of disclosure by US issuers and FPIs, that might ultimately motivate the SEC to revise Form 20-F to provide for principles-based disclosure requirements as well. A countervailing consideration could be the fact that the present non-financial portions of Form 20-F were revised in 1999 to harmonize Form 20-F with the non-financial international disclosure standards endorsed by the International Organization of Securities Commissions (IOSCO). One of IOSCO’s objectives was the promotion of the use of a single disclosure document that would be accepted in multiple jurisdictions. In its request for comments regarding possible revisions to Form 20-F comparable to the proposed Regulation S-K amendments, the SEC asked specifically whether such revisions would reduce the ability of FPIs to use a single document in multiple jurisdictions.[8]

The comment period for the proposed amendments expires 60 days following publication of the Proposing Release in the Federal Register.

1. See Securities and Exchange Commission Release No. 33-10668, Modernization of Regulation S-K Items 101, 103, and 105, available at https://www.sec.gov/rules/proposed/2019/33-10668.pdf (the Proposing Release).

2. The full title of Regulation S-K is “Standard Instructions for Filing Forms Under the Securities Act of 1933, the Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975.” The complete text of Regulation S-K is set forth as Part 229 of Title 17 of the Code of Federal Regulations.

3. This Alert does not discuss the proposed revisions to Item 101 of Regulation S-K, the business description required to be provided by US domestic issuers. The Proposing Release includes an extensive description and explanation of these proposed amendments at pp. 12-54 of the release.

4. Regulation S-K also governs disclosures by non-US companies that elect to use US domestic registration and reporting forms, and by foreign issuers that do not qualify as FPIs. The SEC’s rules define “foreign private issuer” as any foreign issuer other than a foreign issuer that has more than 50 percent of its outstanding voting securities owned directly or indirectly of record by US residents and having (i) a majority of its executive officers or directors who are US citizens or residents, (ii) more than 50% of its assets located in the US, or (iii) its business administered principally in the US.

5. Proposing Release at pp. 65, 66. The Proposing Release also acknowledges that commentators attribute the growing length of risk factor disclosure to the litigation risk associated with a failure to disclose if events turn negative.

6. Proposing Release at p. 71.

7. The SEC’s position reflects the definition of “material” in Rule 405 under the Securities Act, under which material information is “information . . . to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security.”

8. Proposing Release at p. 53.

The post US: SEC Proposes Amendments to Regulation S-K: What Foreign Private Issuers Need to Know appeared first on Global Compliance News.


On August 5, 2019, President Trump issued Executive Order 13884 (“Venezuela EO”) blocking all property of the Government of Venezuela (“GOV”), a significant escalation of sanctions against the regime of President Maduro. Statements issued by the White House and State Department indicate that this escalation is meant to target the Maduro regime for its continued abuses of human rights and repression. The US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) concurrently issued 12 amended general licenses and 13 new general licenses, new and revised FAQs, and guidance related to the provision of humanitarian assistance and support to the Venezuelan people.

The Venezuela EO targets only the GOV and entities owned 50% or more or otherwise controlled by the GOV, and thus does not place Venezuela under a full territorial embargo. Transactions with private Venezuelan parties that can be effected without the involvement of the GOV remain permissible.

The new sanctions prohibit virtually all US Person dealings with the GOV by blocking the property and interests in property of the GOV that are in the United States, that come within the United States, or that come within the possession or control of US Persons (i.e., US companies and their branches, US banks, US citizens and permanent resident aliens, any person physically located in the United States). GOV funds, contracts or other property interests that come into the possession or control of US Persons must be blocked and reported to OFAC.

The GOV is defined broadly under the Venezuela EO and includes:

  • any political subdivision, agency, or instrumentality thereof, including the Central Bank of Venezuela (“CBV”) and Petroleos de Venezuela (“PdVSA”);
  • any person owned or controlled, directly or indirectly, by the foregoing, which potentially expands the reach of the prior sanctions against PdVSA so that they now cover PdVSA affiliates that are less than 50% owned but still controlled by PdVSA; and
  • any person who has acted or purported to act directly or indirectly for or on behalf of any of the foregoing, including as a member of the Maduro regime.

The Venezuela EO also includes expansive authority to block any other person determined by the US Government to (i) have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any person” who is blocked under the Venezuela EO, or (ii) be owned or controlled by, or have acted on behalf of, any person who is blocked under the Venezuela EO. Thus, even non-US companies could be exposed to the risk of collateral designation as Specially Designated Nationals (“SDNs”) if they materially assist or provide goods or services to GOV entities.

Newly Issued General Licenses

OFAC has concurrently amended and issued numerous general licenses authorizing certain activities by US Persons. Below we highlight several key general licenses.

  • Wind Down of Transactions with the GOV

Newly issued General License 28 authorizes all transactions and activities ordinarily incident and necessary to the wind down of operations, contracts, or other agreements involving the GOV that were in effect prior to August 5, 2019. All wind down activities must be completed by September 4, 2019. General License 28 does not extend the authorization of wind-down periods that have expired for PdVSA, CBV, or other GOV entities that were previously designated as SDNs.

  • Intellectual Property Related Transactions

Newly issued General License 27 authorizes certain transactions, including payments of fees to the GOV related to the filing, receipt, renewal, maintenance, and prosecution of patents, trademarks, copyright, and other forms of intellectual property. General License 27 does not authorize assignments, licensing or other transfers of intellectual property to the extent such activities involve the GOV, for example, where recordal or the payment of fees is required or where the assignment is to a GOV entity. This general license does not have an expiration date.

  • Transactions with the Government of the Interim President of Venezuela

Consistent with the US Government’s official recognition of Juan Guaidó as the Interim President of Venezuela, newly issued General License 31 authorizes US Persons to engage in all otherwise prohibited transactions involving (i) the Venezuelan National Assembly; (ii) the Interim President of Venezuela Juan Guaidó and his representatives and staff; and (iii) any person appointed by Guaidó to the board of directors or as an executive officer of a GOV entity, unless otherwise prohibited under relevant sanctions. This general license does not have an expiration date.

  • Transactions Related to Port and Airport Operations in Venezuela

New General License 30 authorizes all transactions and activities involving the GOV that are ordinarily incident and necessary to operations or use of ports and airports in Venezuela. Exports or reexports of diluents, whether directly or indirectly, to the GOV are prohibited. This general license does not have an expiration date.

  • Dealings Between Financial Institutions and the GOV

In newly issued FAQ 680, OFAC advises that it expects financial institutions to conduct due diligence on their own direct customers (including, for example, their ownership structure) to confirm that those customers are not persons whose property and interests in property are blocked. With regard to other types of transactions where a financial institution is acting solely as an intermediary and fails to block transactions involving a sanctions target, OFAC will consider the totality of the circumstances surrounding the bank’s processing of the transaction to determine what, if any, regulatory response is appropriate.

In addition, newly issued General License 21 authorizes: (i) US financial institutions to debit any account blocked pursuant to the Venezuela EO or EO 13850 held by that financial institution in payment or reimbursement for normal service charges owed by the owner of the blocked account, and (ii) transfers of funds or credit by US financial institutions between blocked accounts by their branches or offices, as long as no transfers are made from accounts in the United States to accounts outside the United States and provided that the transfer is from one blocked account to another blocked account held in the same name. Normal service charges include charges in payment or reimbursement for interest due; cable, telegraph, internet, or telephone charges; postage costs; custody fees; small adjustment charges to correct bookkeeping errors; as well as minimum balance charges, notary and protest fees, and charges for reference books, photocopies, credit reports, transcripts of statements, registered mail, insurance, stationery and supplies, and other similar items. This general license does not have an expiration date.

  • Humanitarian Assistance and Support for the Venezuelan People, Sales of Ag/Med Commodities

OFAC amended General License 20A (authorizing official activities of certain international organizations) and issued several general licenses to ensure the continued flow of humanitarian goods and services to the Venezuelan people, including General License 22 (goods and services related to Venezuela’s mission to the United Nations), General License 23 (authorizing funds transfers related to certain third-country diplomatic/consular funds), General License 24 (transactions involving telecommunications and mail), General License 25 (export/reexport for the exchange of communications over the Internet), General License 26 (emergency and medical services), and General License 29 (transactions involving certain activities by nongovernmental organizations). These general licenses do not have an expiration date. OFAC also issued Guidance emphasizing that OFAC will maintain a favorable specific licensing policy for supporting the provision of humanitarian assistance, and all specific license applications will be reviewed on a case-by-case basis.

Amended General Licenses

  • Transactions with PDVH, CITGO, and NYNAS AB

Most dealings with PDV Holding, Inc. (“PDVH”), CITGO Holding, Inc. (“CITGO”), and Nynas AB and their subsidiaries continue to be authorized (although still subject to certain limitations) under amended General License 7C (valid for 18 months from the effective date of General License 7C or its subsequent renewal), General License 2A (no expiration), and General License 13C (valid through October 24, 2019).

  • Transactions with PdVSA

Amended General License 8C continues to authorize all transactions and activities ordinarily incident and necessary to operations in Venezuela involving PdVSA or its 50%-or-more-owned subsidiaries that are otherwise prohibited by Executive Order 13850 and now the Venezuela EO, for the following entities and their subsidiaries: Chevron Corporation; Halliburton; Schlumberger Limited; Baker Hughes; and Weatherford International. This amended General License 8C does not, however, appear to cover such operations involving PdVSA entities that are less than 50% owned by PdVSA but nonetheless still controlled and now blocked under the new Venezuela EO. (Valid through October 24, 2019.)

Amended General License 10A continues to authorize US Persons in Venezuela to purchase from PdVSA or its 50%-or-more-owned subsidiaries (again, apparently not including entities less than 50% owned but still controlled by PdVSA) refined petroleum products for personal, commercial, or humanitarian uses, but it does not allow the commercial resale, transfer, exportation, or reexportation of those products. It also clarifies that payments of taxes, fees, and import duties to, and purchase or receipt of permits, licenses, or public utility services from, the GOV related to the purchase of such products are authorized. This general license does not have an expiration date.

  • Dealings in Debt and Securities

General License 3F was amended to cover transactions otherwise prohibited by the Venezuela EO. US Persons can continue to engage in transactions related to, provide financing for, and otherwise deal in bonds that (i) are specified in the Annex to General License 3F provided that any divestments or transfer of, or facilitation of divestment or transfer of, any holdings in those bonds are to a non-US person; or (ii) were issued prior to the effective date of Executive Order 13808 by US Person entities owned or controlled, directly or indirectly, by the GOV (e.g., CITGO Holding, Inc.). The wind-down of financial contracts and other agreements entered into prior to February 1, 2019 at 4:00 p.m. EST involving the specified bonds is also authorized. (Valid through September 29, 2019.)

General License 9E was also amended to explicitly cover transactions otherwise prohibited by the Venezuela EO. US Persons can continue to engage in (i) transactions that are ordinarily incident and necessary to dealings in any debt of, or equity in, PdVSA or any entity owned 50% or more by PdVSA (but again, apparently not those entities less than 50% owned but still controlled by PdVSA) (together, “PdVSA securities”) issued prior to August 25, 2017, provided that any divestment or transfer of, or facilitation of divestment or transfer of, any holdings in such debts must be to a non-US person, (ii) transactions that are ordinarily incident and necessary to dealing in bonds issued prior to August 25, 2017 by the following PdVSA entities and their subsidiaries: PDVH, CITGO, and Nynas, and (iii) transactions ordinarily incident and necessary to the wind-down of financial contracts or other agreements that were entered into prior to January 28, 2019 at 4:00 p.m. EST involving PdVSA securities. The latter authorization is valid through September 29, 2019.

  • Sales of Ag/Med Commodities

Amended General License 4C continues to authorize US Persons to engage in certain transactions ordinarily incident and necessary to the export/reexport from the United States or by US Persons of agricultural commodities, medicine, medical devices, replacement parts and components for medical devices, and now also software updates for medical devices, to Venezuela or to persons in third countries purchasing specifically for resale to Venezuela. This general license does not have an expiration date.

  • Dealings with the CBV, Banco Bicentenario del Pueblo, and Banco del Tesoro

Amended General License 15B and General License 16B now cover Banco del Tesoro (in addition to the previously covered Banco de Venezuela and Banco Bicentenario del Pueblo), but otherwise remain unchanged. (Valid through March 21, 2020.)

  • Transactions Related to Integracion Administradora de Fondos de Ahorro Previsional, S.A.

Amended General License 18A continues to authorize certain transactions ordinarily incident and necessary to maintain or operate Integracion Administradora de Fondos de Ahorro Previsional, S.A., whose fund administrator is owned 50% or more by Bandes Uruguay. This general license does not have an expiration date.

All of the above-described general licenses are subject to important terms and limitations. Companies should, therefore, carefully review the amended and newly issued general licenses and other relevant regulations when considering dealings with and/or exports/reexports to or involving Venezuela.


The foregoing is intended only to provide a general summary of recent developments regarding the escalation of US sanctions and export controls targeting Venezuela. If you have any questions about how these changes might affect your company or if you require advice on any specific transactions or plans, please contact one of the members of Baker McKenzie’s International Commercial Practice Group.

The post US Government Escalates Sanctions Against the Government of Venezuela appeared first on Global Compliance News.


A vexing issue under the California Consumer Privacy Act is how to interpret the definition of “sale” and how to know if exceptions – like that for a “service provider” – apply.

When asked, most companies state honestly they do not “sell” customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (“consideration”) between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.

In general, the CCPA imposes strict requirements on the “sale” of personal information (e.g., “Do Not Sell My Personal Information” button on homepages, rights to opt out, and the like). Businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of “sale” under the CCPA for disclosures to a “service provider.” The due diligence should involve a review under the existing contractual terms and may require modifications to the underlying agreement and obligations of the parties.

What qualifies as a ‘service provider’?

The CCPA distinguishes service providers from third parties by defining a third party in the negative and by setting requirements for the written contract that governs a data transfer between the parties. Under the law’s construction, a “service provider” is:

(1) A legal entity organized for profit.

(2) That processes personal information on behalf of a business.

(3) To which the business discloses a consumer’s personal information for a business purpose.

(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.

Businesses must also:

(5) Provide proper notice to consumers about personal information sharing practices.

(6) Prohibit the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.

In addition, if the service provider agrees to additional contractual terms to assure that it does not qualify as a “third party,” the business will benefit from certain liability protection. In particular, the business would need to include a provision in the written contract that

(7) Prohibits the recipient from:

(a) Selling the personal information.

(b) Retaining, using or disclosing the personal information for any purpose other than performing the services.

(c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.

The business would also need to:

(8) Obtain a certification that the recipient understands these restrictions and will comply with them.

In practice, the provisions required under elements (7) and (8) largely overlap with those of elements (1) through (6), but they are treated separately here to help understand how they may be applied to actual scenarios.

How does the service-provider exception play out in practice?

Website-hosting provider

A website-hosting provider would be a logical vendor to consider as a service provider, depending on the specifics of the arrangement. For example, does the provider assert broad rights to use personal information collected on the site for its own purposes? Does the provider exchange any consideration with third-party advertising agencies with respect to cookies and other tags placed on users of the site?

These factors would suggest that the vendor might not meet element (6) and might be reluctant to enter into a written contract that significantly cuts back on these rights. Also, what about element (3), which suggests that the business must physically disclose the data to the vendor and the vendor cannot directly collect the data from the consumer? It seems unlikely that a vendor should be disqualified from the service-provider exception on this basis alone, as there is no strong public policy reason why an agent cannot be hired to collect data on behalf of a business, but because there is no official guidance on this point, it will be important to track this issue carefully.

Customer relationship management provider

A CRM provider would also seem to be a good candidate for the service-provider exception, again depending on the specifics. For example, what if the CRM provider uses personal information of multiple customers to perform broad market analysis and forecasting of trends and provide that data back to each of its business customers as a service?

Although the data is not shared in identifiable form across the different business customers, the underlying analysis would use the personal information and would benefit multiple customers. This appears to raise an issue under element (6) and a potential concern for the contractual obligations under elements (4), (7) and (8). The extent of the concern, however, could potentially be reduced by further contractual terms. For example, if the “business purpose” as defined in the services contract included an obligation for the provider to deidentify data and to use the data for analytics in order to provide the market and trending analysis back to the business customer, this could bring these activities closer to a use on behalf of the business and the definition of “service provider.”

Independent auditor

Unlike the prior two examples, an independent auditor is an example that might be at odds with the core definition of a service provider and omitted from the exception. The federal securities laws generally require publicly held companies to engage an independent auditor to report on the accuracy of financial reports that the company files with the U.S. Securities and Exchange Commission. By definition, the auditor is not collecting and analyzing information “on behalf of” the company when it analyzes data, including personal information, as an independent assessor of the company’s financial statements. As such, an independent auditor likely does not meet element (2) where it does not act “on behalf of” the business.

What are the other options?

If the vendor is not a “service provider,” does that mean the disclosure is always a “sale”? No.

The business should examine whether there are other grounds to show that the disclosure is not a sale. For example, regarding the independent auditor, the business could say that there is no valuable consideration exchanged for the personal information obtained in the audit given that an auditor does not in any meaningful sense pay for the data. The business could also assert the independent auditor is not a “third party” that triggers the “sale” provision if the business imposes a written contract that includes elements (7) and (8). Note that these elements do not include the “on behalf of” requirement that applies to service providers, so it might fit for an independent auditor.

Ultimately, in preparation for the CCPA, each business should conduct a due diligence process across its personal information sharing arrangements to determine whether disclosures that do not appear to meet the exceptions described above are subject to other exceptions to sale, such as sharing at the direction of the consumer. A thoughtful assessment is needed given the newness of the rules and the complexity of arrangements in the digital age.

*This article was first published on iapp.org.

The post US: How to Know If Your Vendor is a ‘Service Provider’ Under CCPA appeared first on Global Compliance News.



On 27 March 2019, in Lorenzo v. SEC, the US Supreme Court handed the Securities and Exchange Commission (the “SEC”) a victory. In this case, the Supreme Court held that Francis Lorenzo, an investment banker, could be liable under Rule 10b-5 for disseminating material misleading statements even though he had not made the statements.

Lorenzo refines the law that previous cases had established regarding the liability of “non-makers” of material misleading statements. Certainly, this case expands the applicability of the anti-fraud liability under Rule 10b-5.

The statutory foundation of the anti-fraud liability in the United States

Section 10(b) of the Securities Exchange Act of 1934 imposes liability on any person who employs a manipulative or deceptive device in connection with the purchase or sale of a security. Rule 10b-5 specifies the type of conduct that gives rise to liability. In particular, the conduct can consist of:

  • the employment of any device, scheme, or artifice to defraud (subparagraph (a));
  • the making of a material misstatement or the omission to state a material fact that makes the statement misleading (subparagraph (b)); or
  • any act or practice which operates as a fraud (subparagraph (c)).

Section 10(b) and Rule 10b-5, however, do not apply primary liability to aiders and abettors. An aider and abettor is a person who knowingly or recklessly provides substantial assistance to another person who violates the securities law. Thus, an aider and abettor can only be secondarily liable with respect to a primary violation of the securities law, such as Section 10(b) and Rule 10b-5.

The law before Lorenzo

Historically, the Supreme Court had denied a right of action under Rule 10b-5(b) for material misstatements against a party who had not made the statements. According to the Supreme Court, such a right of action amounted to an impermissible claim for a primary violation against an aider and abettor. In particular, the Supreme Court denied such a right in Central Bank of Denver v. First Interstate Bank of Denver, 511 US 164 (1994), Stoneridge Investment Partners v. Scientific-Atlanta, 552 US 148 (2008), and Janus Capital Group, Inc. v. First Derivative Traders, 564 US 135 (2011).

In these cases, the defendants were not the makers of the statements. In Central Bank, Central Bank was the indenture trustee. In Stoneridge, Scientific Atlanta and Motorola were clients of the issuer. In Janus, Janus Capital Management and Janus Capital Group were, respectively, the issuer’s investment adviser and the investment adviser’s controlling entity. Although all the defendants had knowingly or intentionally participated in the “making” of the material misstatements, none of them was found to have violated Rule 10b-5(b). The logic behind the holdings, as explained in Janus, was that the defendants did not have ultimate authority over the content of the statements and how and whether to communicate the statements.

The Supreme Court, however, only considered Rule 10b-5(b). Nothing was held on the application of Rule 10b-5(a) or (c) to a non-maker of material misstatements. This is where Lorenzo refines the law.

Lorenzo v. SEC

Francis Lorenzo, the defendant, was a director of an investment banking firm engaged in a $15 million bond offering. Lorenzo, under instructions of his supervisor, contacted via email potential investors stating that the issuer had intellectual property assets worth $10 million while in reality the assets were almost worthless. Significantly, Lorenzo and his supervisor knew that the assets were almost worthless.

The Supreme Court held Lorenzo liable under Rule 10b-5. Even though Lorenzo could not be liable under Rule 10b-5(b) for making material misstatements, as his supervisor had “ultimate authority” over the misstatements (and so was the maker), Rule 10b-5(b) is not exclusive of Rule 10b-5(a) or (c). Thus, Rule 10b-5(a) and (c) can apply to a claim filed for material misstatements against a non-maker. The Supreme Court stated that if Rule 10b-5(b) prevented the application of Rule 10b-5(a) and (c), then a non-maker could never be liable as a primary violator of Rule 10b-5 even though such non-maker had intentionally, knowingly or recklessly disseminated material misstatements.

Overseas application of Lorenzo

The rule devised in Lorenzo may also apply overseas. In Robert Morrison v. National Australia Bank, 561 US 247 (2010), the Supreme Court held that Rule 10b-5 applies any time a security is purchased or sold in the United States or if a security purchased or sold is listed on a US stock exchange. Lorenzo’s holding, however, will not apply where the foreign securities transaction has no connection with the United States.


Lorenzo has provided the SEC and private parties with a sharper weapon. In the future, non-makers can be liable as primary violators under Rule 10b-5. This means that anyone, including investment bankers acting as underwriters or placement agents, could be held liable through their active and knowing participation in the distribution of a misstatement made by a different person. Whether Lorenzo will actually translate into an increase in litigation by the SEC and private parties against investment bankers (or any other non-maker), however, is difficult to predict, as Lorenzo’s outcome was facilitated by Lorenzo’s admission of his knowing dissemination of a material misstatement.

The post The implications of Lorenzo v. SEC on Rule 10b-5 appeared first on Global Compliance News.


Law360 (July 3, 2019, 1:11 PM EDT) — Three recent decisions arising under the National Labor Relations Act highlight that ambiguity and inattentiveness are the twin banes of labor and employment attorneys. In all three cases, the dispute arose because two personnel policies or approaches overlapped, opening the way for conflicting claims. As these cases demonstrate, letting the National Labor Relations Board decide “who is on first” can have significant consequences and can trigger an onslaught of litigation. Unfortunately, instead of resolving the uncertainty, these three NLRB decisions merely pushed the dispute into another forum where additional litigation may occur to resolve the underlying issues.

Danger From Overlapping Policies

The first decision arose in a workforce with two different bargaining units.[1] The first unit had negotiated a workplace harassment policy that placed the responsibility of resolving workplace harassment complaints in the hands of a third party: an arbitrator who had the power to issue a binding decision.

While the policy provided that only bargaining-unit employees could initiate harassment complaints, it allowed complaints against bargaining-unit employees, as well as employees outside the bargaining unit, and nonemployees. The second unit was subject to a nonharassment policy that created a committee of union and employer members who established rules governing unit-member conduct. During two rounds of contract negotiation, the second unit had rejected the employer’s proposal to incorporate third-party arbitration procedures similar to those the first union had in place.

The facts underlying the dispute arose when two employees, each a member of a different bargaining unit, got into an argument, and exchanged curse words and racial slurs. After the confrontation, one employee, who was a member of the arbitration-process unit, filed a harassment complaint in that process. The arbitrator concluded that the other employee, who was a member of the bargaining unit that had rejected arbitration, had violated the policy and ordered the employee suspended for 30 days. When the employer announced it was suspending that employee, his union filed a charge with the NLRB.

In a divided 2-1 decision, over a lengthy and rigorous dissent by member Marvin Kaplan, members Lauren McFerran and William Emanuel found the employer had violated its duty to bargain (imposed by Section 8(a)(5) of the NLRA) when it applied the arbitration harassment policy to the nonconsenting bargaining unit. The majority reasoned that the employee against whom the claim was brought was protected by his own unit’s policy, which stated that it was the exclusive remedy. Further, his unit had repeatedly and consistently rejected proposals to incorporate the arbitration procedure.

Because the employer could not have misunderstood the unit’s decision not to be bound by arbitration procedures, the board found that the employer unlawfully modified the labor agreement. Further, this unilateral change occurred without giving the unit an opportunity to bargain over significant changes to the disciplinary system — a substantial term and condition of employment. Accordingly, the NLRB held the employer unlawfully changed terms and conditions of employment without prior notice and opportunity to bargain.

In dissent, Kaplan suggested the two policies could coexist. In his view, after the third-party arbitration harassment process concluded, the second union could grieve the discipline as being improper using the grievance procedure in its collective bargaining agreement. Kaplan’s approach is not new. In fact, it is the approach adopted in W.R. Grace v. United Rubber Workers.[2] In that decision, the U.S. Supreme Court held the employer to its collective bargaining agreement, which required it to apply strict seniority when making layoff decisions, and to the terms of a voluntary consent decree, which required the use of racial preferences.

Intervention in Federal Lawsuits

The second decision involved the application of a mandatory statutory arbitration policy to a discharged and formerly union-represented ex-employee’s lawsuit.[3] The NLRB’s decision in Anheuser Busch was triggered when the employer filed a motion in a federal district court seeking to compel the arbitration of the now ex-employee’s discrimination claim. This procedural posture is a reminder that employment lawyers need to be aware of labor laws. In Anheuser Busch, the NLRB, by a 2-1 majority, ruled the motion to compel arbitration did not violate the employer’s duty to bargain.

The dispute occurred after Anheuser Busch had adopted a mandatory arbitration policy that all job applicants were required to sign. However, the arbitration policy did not apply to union-represented employees. The former employee had applied for work, signed the arbitration policy and was hired into a union-represented position. Six years later, in March 2010, he was terminated. The union filed a contractual grievance claiming that the discharge was not issued fairly and impartially.

Ultimately, a “multi plant grievance committee” upheld the termination. Subsequently, the terminated employee filed a discrimination charge, and upon receipt of his notice of right to sue, filed a federal discrimination suit on April 3, 2012, whereupon the employer filed a motion to compel arbitration. The employee then filed an unfair labor practice charge with the NLRB claiming the attempt to apply the mandatory arbitration procedure to him violated the employer’s duty to bargain and requesting the NLRB order the employer to withdraw the motion to defer to arbitration.

In another 2-1 decision, the NLRB majority rejected that request. In its view, it could not interfere with the pending court litigation because neither of the two exceptions to abstention identified by the Supreme Court in Bill Johnson’s Restaurants v. NLRB, which would have permitted its intervention in ongoing litigation, applied.[4]

Under Bill Johnson’s Restaurants, the NLRB may intervene in court litigation where the lawsuit is baseless and filed with a retaliatory purpose. Litigation that is not both baseless and retaliatory may violate the NLRA only if it falls within one of two exceptions: (1) a suit that is preempted by federal law, and (2) a suit that has an illegal objective. The general counsel argued that NLRB intervention was appropriate because the second exception applied: that is, the claim had an illegal objective. The majority rejected the illegal objective claim, finding that a unilateral change was not the equivalent of an “illegal objective.” McFerran, in dissent, disagreed on this point.

The district court had stayed its ruling on the motion to compel while the NLRB considered this issue. The majority closed its opinion by noting it was in no way suggesting how the court should rule. Consequently, the employer is back in court to continue litigating a discharge that occurred on May 3, 2010.

No Signed Agreement Proves Costly

In the third decision, Cetta v. NLRB,[5] the D.C. Circuit enforced the NLRB’s decision in a striker replacements case, Michael Cetta Inc. d/b/a Sparks Restaurant.[6] In Cetta, the court faulted an employer for not obtaining striker replacements’ signatures on their offer letters. The case is a vivid reminder of the value of documents and suggests the trend toward paperless or a policy-free human resources regimen is a fraught one.

In December 2014, 36 waiters and bartenders at Spark’s Restaurant went on strike against their employer. After nine days, the strikers abandoned the strike and made an unconditional offer to return to work. The employer refused their offer to return to work, claiming that it had lawfully hired “permanent replacements” to fill the striking employees’ positions. Under long-standing NLRB precedent, economic strikers must be reinstated when their replacements are temporary; however, they do not have to be reinstated immediately when permanent replacements have been hired.

The NLRB rejected the employer’s “permanent replacement” rationale using an objective evidence standard. In order to show that it lawfully hired permanent replacements, the employer must show that there was a mutual understanding between the employer and the replacements that their employment was permanent.

The NLRB found that because the offer letters given to the replacement employees were unsigned, they did not demonstrate that the replacement workers considered themselves permanent replacements. No replacement workers testified. Consequently, under well-established precedent the employer was obligated to discharge the replacement workers and return the strikers to their former positions. Because it had failed to do so, the employer committed an unfair labor practice and was ordered to discharge the replacements, reinstate the strikers and pay them back pay for the period (now totaling over five years) they had been out of work.

In Belknap v. Hale,[7] the Supreme Court held that an employer could avoid breach of contract suits brought by replacement workers discharged as part of a strike settlement or by order of a court or arbitrator. The court held that employers could avoid these suits if they obtained the replacement workers’ signatures on documentation acknowledging that discharge could occur as part of a strike settlement. In light of the D.C. Circuit’s opinion in Cetta, a Belknap letter serves a significant additional role — it is objective evidence the strike replacements are permanent.

If history is any indicator, the discharged replacement workers will now sue their former employer claiming their terminations were a breach of their contracts of employment and that they were permanent replacements.

Courts and the board apply the rules pertinent to strike situations with rigorous exactitude. Employers facing strike situations by union represented or unrepresented employees would be well served to dot their i’s and cross their t’s.

Cautions for Employers

Employers should avoid overlapping or inconsistent policies or arrangements. Where there is overlap, there is the potential for conflicting claims and these situations are riddled with potential hurdles. As the adage goes, anything that can go wrong will: A litigant will discover and leverage the overlap at the worst possible time.

Employers and their employment counsel should keep the National Labor Relations Act in mind even if their workforces are nonunion. It was only a few years ago that then-NLRB General Counsel Richard Griffin caused a stir by rewriting employee handbooks. The expiration of his term does not mean non-union employers can ignore the NLRA; the NLRA has a myriad of applications to even nonunion workers.

Finally, employers should be mindful of the serial litigation that can result if policies are not thoughtfully formulated and implemented.

In Pacific Maritime Association, the employer went through the third-party harassment process and an NLRB trial and appeal. The NLRB’s decision leaves open the possibility that the employer may have a second arbitration proceeding or a suit to confirm an award. The decision also points to the undesirability of micro units. In Anheuser Busch, the employer went through a grievance process, an agency investigation, an NLRB trial and appeal, and is in the midst of a federal lawsuit.

The employer in Spark’s Restaurant has endured a strike, an NLRB trial and appeal, and a court of appeals decision. Depending on the applicable statute of limitations, it may still face a state court wrongful discharge claim from the replacement workers.

All three May decisions were presaged by decisions issued by the Supreme Court in 1983. This underscores the premium of consulting experienced labor counsel.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc. or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Pacific Maritime Associates, 367 NLRB No. 121 (2019).

[2] W.R. Grace v. United Rubber Workers, 461 U.S. 757 (1983).

[3] Anheuser-Busch, 267 NLRB No. 132 (2019).

[4] Bill Johnson’s Restaurants v. NLRB, 461 U.S. 731 (1983).

[5] Cetta v. NLRB, No. 18-1165 (D.C. Cir. May 20, 2019).

[6] Michael Cetta, Inc. d/b/a Sparks Restaurant, 366 NLRB No. 97 (2018).

[7] Belknap v. Hale, 463 U.S. 491 (1983).

The post US: Overlapping Policies Prove Costly To Employers appeared first on Global Compliance News.


In 2018, California enacted the California Consumer Privacy Act (“CCPA”), the first state-level “omnibus” privacy law, which imposes broad obligations on businesses to provide state residents with transparency and control of their personal data. This year, Maine and Nevada have followed suit and passed legislation focused on consumer privacy, and Pennsylvania has a consumer privacy bill currently under legislative review. Other states in which US companies do business saw similar legislation, such as Hawaii, Illinois, Massachusetts, Mississippi, New Mexico, New York, Rhode Island, Texas, and Washington. However, those state bills did not pass this year. Nonetheless, companies should consider that those state bills could be reintroduced and garner support should privacy become a hot topic for state residents and the US generally going forward.

The chart, which can be accessed above, provides a high-level summary of the new state privacy laws that have been enacted, and it also summarizes the Pennsylvania bill, which, if signed into law, will become effective immediately. We will provide updates regarding the Pennsylvania bill as they become available, and we will continue to track state-level consumer privacy legislative efforts. If you have any questions, please do not hesitate to reach out to the Contact Partners listed.


The post US State Omnibus Privacy Laws – A Primer appeared first on Global Compliance News.


Selling or trading personal information — a common practice in the adtech industry — is increasingly under regulatory scrutiny and legislators around the world are contemplating measures that put clear limits around such practices, increase transparency and put consumers in control over their data. By way of example, the German competition agency has been investigating the adtech sector for some time, the UK is following suit and Australia is contemplating a code for social media and online platforms which trade in personal information.

As of 1 July 2019 (Maine), and 1 October 2019 (Nevada), some companies will have to comply with additional requirements and restrictions regarding personal information selling under new U.S. state laws that seem inspired by, but are not as broad as the California Consumer Privacy Act (CCPA) (for detailed articles on the CCPA, please see an alert by Lothar Determann here and an article by Brian Hengesbaugh and Harry Valetk here). Maine’s Act to Protect the Privacy of Online Customer Information requires prior opt-in to data selling (the CCPA requires offering opt-out) and introduces new notice requirements, but only for broadband providers. Nevada’s Senate Bill 220 applies to any operator of online services, within or outside Nevada, but not offline and “selling” is more narrowly defined than under the CCPA.

Maine’s Act to Protect the Privacy of Online Customer Information

Who and what data are protected?

Customers of broadband Internet access service that are physically located and billed for service received in Maine are protected with respect to their customer personal information, defined as:

  • personally identifying information about a customer, including but not limited to the customer’s name, billing information, social security number, billing address and demographic data
  • information from a customer’s use of broadband Internet access service, including but not limited to web browsing history and a number of other categories of data

The definition of “customers” is much more limited than the definition of “consumers” under the CCPA. Unlike the CCPA, which generally protects California residents, online and offline, even when they are physically outside the state, under the Maine law customers must subscribe to broadband services and both be physically located in Maine and billed for services received in Maine to be protected under the law.

The definition of protected information is also more limited than under the CCPA. While the CCPA covers any information relating to a California resident or household, the Maine law only protects data relating to broadband services. Data relating to broadband services, however, is broadly protected under the Maine law.

Who must comply?

Unlike the CCPA, which applies to most businesses world-wide and in all industries, the Maine law is limited to providers of broadband Internet access service operating within Maine.

“Broadband Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.

“Provider” means a person who provides broadband Internet access service.

How to comply?

Provide notice, seek express opt-in consent before collecting personal information, and protect personal information.

Providers must provide notice of their obligations and customers’ rights under the law to their customers at the point of sale and on their publicly accessible website. As with the CCPA, because of its prescriptive details (e.g. disclosing an opt-out right with respect to non-personally identifiable information pertaining to a customer), this adds another jurisdiction-specific disclosure requirement for companies.

Subject to several exemptions including to provide the service, providers must seek express prior opt-in consent before using, disclosing, selling or permitting access to a customer’s personal information. Any consent given may be revoked at any time. Unlike the CCPA, which defines “sale” of personal information broadly as any sharing for “monetary or other valuable consideration,” the Maine law is silent on the definition of sale.

Like the CCPA, the Maine law includes an antidiscrimination right and a provider may not refuse to serve a customer who does not provide consent or charge a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent. But unlike the CCPA, under the Maine law there is no carve out permitting charging a different price or offering a different level of services if that difference is reasonably related to the value provided by the customer’s data.

The following is exempted from the law’s opt-in requirements and a provider may collect, retain, use, sell and permit access to customer personal information without customer approval:

  • for the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service
  • to advertise or market the provider’s communications-related services to the customer
  • to comply with a lawful court order
  • to initiate, render, bill for and collect payment for broadband Internet access service
  • to protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services
  • to provide geolocation information concerning the customer to:
    • for the purpose of responding to a customer’s call for emergency services, a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility
    • the customer’s legal guardian or a member of the customer’s immediate family in an emergency situation that involves the risk of death or serious physical harm
    • a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency

Providers that use, disclose, sell or permit access to customer personal information beyond the exemptions will have to build in an express opt-in option when selling services to new customers and reach out to existing customers to seek their express opt-in (and if they don’t get it, stop existing practices that would be prohibited from July 1, 2019). But notably, providers may sell customer personal information as necessary to provide their services, which may suggest that sharing with commonly relied upon service providers that routinely use information for analytics and to improve their own services would not trigger the opt-in requirement.

If the provider receives written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to non-customer personal information the provider collects pertaining to such customer (opt-out), the law also prohibits the provider from using, disclosing, selling or permitting access to such information.

As already required by numerous data privacy and security laws in other U.S. states and jurisdictions around the world, providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.

Sanctions and remedies

Maine’s Act to Protect the Privacy of Online Customer Information does not provide for sanctions and remedies specific to violations of that law. The sanctions and remedies can be found in chapter 15 of Maine’s title 35-A on Public Utilities.

If a provider violates title 35-A on Public Utilities, causes or permits a violation of the title or omits to do anything that the title requires it to do it may be liable in damages to the person injured as a result.

For willful violations, the Maine Public Utilities Commission may impose an administrative penalty for each violation in an amount that does not exceed $5,000 or .25% of the annual gross revenue that the provider received from sales in Maine, whichever amount is lower. Each day a violation continues constitutes a separate offense. The maximum administrative penalty for any related series of violations may not exceed $500,000 or 5% of the provider’s annual gross revenue that the provider received from sales in Maine, whichever amount is lower. For a violation in which a provider was explicitly notified by the commission that it was not in compliance and that a failure to comply could result in the imposition of administrative penalties, the commission may impose a penalty that does not exceed $500,000. The commission may also require disgorgement of profits or revenue realized as a result of a violation. The commission may, in an adjudicatory proceeding, suspend or revoke the authority of a provider to provide service upon a finding that the provider is unfit to provide safe, adequate and reliable service at rates that are just and reasonable.

Nevada’s Senate Bill 220

Who and what data are protected?

Consumers who reside in Nevada are protected with respect to their covered information.

Covered information means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: … A first and last name … Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.”

Compared to the CCPA, the Nevada law defines consumer in a more limited (and more intuitive) way as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes”. Also, unlike the CCPA, the Nevada law only protects consumers when seeking or acquiring those things “from the Internet website or online service of an operator.” But like the CCPA, the law lacks any limiting reference to Nevada residents having to be physically located in Nevada to be protected.

The Nevada law’s definition of covered information is more limited compared to the CCPA’s any “information that . . . relates to . . . a particular consumer or household,” because it does not extend to household information and is limited to information collected by an operator online and maintained in an accessible form.

Who must comply?

Unlike the CCPA, only “operators”, as opposed to the CCPA’s broadly defined “businesses”, must comply.

Subject to certain exemptions as noted below, “Operator” means a person who owns or operates an Internet website or online service for commercial purposes; collects and maintains covered information from Nevada resident consumers who use or visit the Internet website or online service; and purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

Like the CCPA, this definition would cover many businesses without a physical presence in Nevada but with a commercial website accessed by Nevada residents.

Similarly to the CCPA, the key exemptions are financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act, entities that are subject to the Health Insurance Portability and Accountability Act of 1996, and third parties that operate, host, or manage an Internet website or online service on behalf of its owner; generally, manufacturers of motor vehicles or persons who repair or service motor vehicles are also exempt.

How to comply?

Every operator of an online service purposefully addressed to Nevada consumers must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer and respond to such requests. There is no language in the text of the bill limiting this obligation to establish a request address and respond to requests to businesses that are currently selling information.

Nevertheless, given that the Nevada law defines “selling” only as exchanging personal information specifically for monetary consideration and for onward licensing or sale, far fewer companies should be affected by the opt-out right than by the CCPA. Most businesses do not sell personal information for monetary consideration. The legislative history indicates that the Nevada bill is targeted at businesses that are selling information for specific monetary consideration. Thus, the definition of “selling” under the Nevada law should be interpreted far more narrowly than the potentially broad interpretation of the CCPA, which could be understood to cover any exchange of personal information for any valuable consideration, monetary or otherwise – and by extension pretty much any contract, given that contracts by definition involve consideration.

First of all, any contracts not involving payments are excluded from the Nevada law. Second, even contracts involving payments are arguably not covered by the Nevada law’s definition of “selling” if the payment is intended for a service and the data sharing is coincidental, given the definitional focus on monetary consideration for information under the Nevada law. This may leave only arrangements whereby online operators are paid specifically for the personal information of Nevada-based consumers.

Those operators who currently do sell personal information for monetary consideration should consider stopping the practice, given the increasing hostility to such forms of data monetization. Alternatively, companies can establish a designated address through which consumers can opt out of data selling, respond to opt-out requests within 60 days, and stop selling data when requested.

Most operators must already, under existing Nevada law, provide a website privacy notice with information about their data collection practices. The new requirement to also establish a designated request address can be met by establishing an email address, a toll-free number or an Internet website.

Subject to broad exemptions, sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. The following is exempted from the definition of sale:

  • the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
  • the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
  • the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
  • the disclosure of covered information to a person who is an affiliate (controls, is controlled by or is under common control with another company) of the operator
  • the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.

An operator who has received a verified request from a consumer not to sell their personal information shall respond within 60 days after receiving the request and must not sell any covered information collected about the consumer. If the operator determines that an extension is reasonably necessary, the operator may extend the period to respond by not more than 30 days and must notify the consumer of such extension.

Sanctions and remedies

The Nevada Attorney General can bring a civil action for an injunction or penalties up to $5,000 for each violation.

Further resources you may be interested in

Your must-have resource for Global Data Privacy, Baker McKenzie’s 2019 Global Data Privacy & Security Handbook, now combines and consolidates our renowned privacy-related handbooks into one resource. We have revised our content to make it more concise, comparable and practice-relevant while still providing detailed overviews of the increasingly complex and sophisticated data privacy and security standards in around 50 countries.


The post US: Maine and Nevada’s New Data Privacy Laws and the California Consumer Privacy Act Compared appeared first on Global Compliance News.


In recent years, following the launch of the Bitcoin network, offers of digital assets have been made to investors in the United States. Historically, the U.S. Securities and Exchange Commission (the “SEC”) has viewed these transactions with suspicion and investigated them on the assumption that the offer of digital assets (also known as “tokens”) constituted an offer of securities. On several occasions, the SEC found that those offerings had been conducted in violation of U.S. securities laws.

In the past, the SEC viewed cryptocurrencies like Bitcoin and Ether as non-securities in light of the decentralized nature of their networks, which excluded the existence of a central party whose efforts could be a key factor in the enterprise. On April 3, 2019, the SEC, through its Strategic Hub for Innovation and Financial Technology (the “FinHub”), released a framework (the “Framework”) for analyzing whether a digital asset is a security. In particular, this framework provides guidance on whether a digital asset is an investment contract under Section 2(a)(1) of the U.S. Securities Act of 1933.

The Framework has found application in practice already. On April 3, 2019, the SEC released its first “no-action” letter regarding an offering of tokens, requested by TurnKey Jet, Inc., and on April 11, 2019, Blockstack Token LLC filed a preliminary offering circular under Regulation A of the Securities Act for the offering of tokens of its network.

The discussion below represents an effort to identify the critical points of the latest developments in the US cryptocurrency space, both from a US and Australian perspective.

The SEC’s Framework

The Framework analyzes whether tokens of a network are investment contracts under the U.S. Supreme Court’s test devised in S.E.C. v. W. J. Howey Co., 328 U.S. 293 (1946) (the “Howey test”). Under this test, an investment contract exists if (i) there is an investment of money, (ii) in a common enterprise, (iii) with a reasonable expectation of profits derived from the efforts of third parties. The first two prongs require little analysis as, based on the SEC’s experience, tokens are purchased in exchange for value (investment of money) and investors either share the risks and profits deriving from the development of the network or each of them relies directly on the developer’s success (common enterprise). Thus, the third prong of the Howey test becomes critical.

Reliance on efforts of others

The third parties on whom investors can rely are promoters, sponsors and developers, referred to as “Active Participants”. An Active Participant’s efforts can be relied on when they amount to “control” of the network where the tokens circulate. Whether any Active Participant has control of the network is ultimately determined based on the totality of the circumstances. According to the elements listed in the Framework, however, control can be reasonably assumed to exist if an Active Participant is (i) responsible for the development and improvement of the network and the tokens, (ii) responsible for the management of the network and the circulation of the tokens (such as determining whether and where the tokens will trade); and (iii) not part of a dispersed community but rather has a primary role in the development, improvement and management of the network and the tokens.

Reasonable expectation of profits

The existence of a reasonable expectation of profits under the Howey test is similarly based on the totality of the circumstances. Such expectation, however, can be reasonably assumed if the holders of tokens (i) own rights to participate in the profits of the network or (ii) expect that an Active Participant’s efforts will determine an increase in the value of the tokens marketed as investment, with that value having little (if any) connection with the market price of the goods or services that can be purchased on the network using its native tokens.

Exclusion of the third prong

The structure and purpose of the network and its tokens can neutralize the reasonable expectation of profits. If the network and the tokens are designed and implemented solely to satisfy consumer needs, purchasers of tokens cannot have any reasonable expectation of profits.

In this case too, the determination of whether a network and its tokens are meant to satisfy consumer needs is based on the totality of the circumstances. It is possible, however, to identify a common thread connecting all the factors listed in the Framework. In particular, the satisfaction of consumer needs is likely the object of a network and its tokens if the tokens:

  • can be used and redeemed in connection with the purchase of goods and services;
  • are not available in disproportionate quantities compared to the amount of goods and services that can be bought for consumption; and
  • are not marketed and do not trade as investments.

The SEC “no-action” letter for TurnKey

TurnKey created a digital network where air carrier and air taxi operator services could be purchased and sold. The currency on the network consisted of tokens that could be purchased from TurnKey. The network hosted three different types of participants: (i) consumers, (ii) brokers of air carrier and air taxi operator services and (iii) carriers.

Notably, TurnKey had “control” of the network and its tokens. TurnKey had developed the network exclusively using its own capital resources. TurnKey also had the exclusive right to issue and remove the tokens. Furthermore, TurnKey defined itself as “Program Manager”.

The SEC granted “no-action” relief because:

  • TurnKey had already fully developed the network so that the proceeds from the sale of the tokens could not be used for development purposes;
  • the tokens had a 1:1 exchange ratio to US dollars, which greatly minimized the risk of participants trading tokens for speculative purposes, and also created a strong connection between the value of the tokens and the value of the air carrier and air taxi operator services that could be purchased on the network;
  • the tokens could be traded only within the network and could be repurchased by TurnKey only at a discount to face value;
  • consumers who held tokens did not have any equity interests in TurnKey nor any rights to dividends, distribution rights or voting rights; and
  • TurnKey provided no rewards to consumers who purchased tokens and did not market purchase of tokens as an investment.

As a result, no participant could have a reasonable expectation of profits from the purchase and sale of tokens. Despite the strict approach taken by the SEC, the value of holding and using the tokens consisted in the fact that the blockchain technology provided more efficient payment settlement than the traditional banking system.

Through the TurnKey no-action letter, the SEC implied that no element is determinative in categorizing a digital asset as investment contract under the securities law. Even though an Active Participant has “control” of the network and its tokens, other elements can exclude the application of the securities laws to a digital asset.

Although this no-action letter is a favorable outcome for TurnKey, we believe that the restrictions imposed on issue, trading, and redemption of the network tokens are fairly uncommon and are unlikely to be attractive to most token projects.

The “Blockstack” Regulation A offering

Blockstack’s network had some similar features to the network that TurnKey had devised. Blockstack had “control” of its network and tokens because it was the only participant who could develop and manage the network and control the issue of tokens. Moreover, tokens served a commercial purpose as they could be used as currency to purchase the services the network offered, specifically applications such as Graphite, which is a decentralized alternative to Google Docs.

Despite these similarities, however, there are stark differences which tilted the SEC’s analysis in favor of viewing Blockstack’s tokens as investment “securities” and so required the filing of an offering circular with the SEC:

  • Blockstack was still in the process of developing the network and planned to use the offer proceeds for that purpose;
  • the tokens offered are freely tradeable on a registered exchange or alternative trading system (and so outside of their native network);
  • Blockstack committed to have the tokens listed for trading when such exchange or alternative system is approved by the Financial Industry Regulatory Authority; and
  • rewards are granted for crypto mining activities.

These elements imply that the purchase of tokens can have a speculative flavor and thus that the tokens are an investment. As a result, token purchasers can have a reasonable expectation of profits.

Blockstack’s offering circular provides a practical example of tokens that are securities and thus should be registered with the SEC under the Securities Act if offered to the public. More interestingly, the application of the securities law, consistent with the Framework, is also driven by Blockstack’s intent to offer the tokens for trading on a registered exchange and alternative trading system, which is an intent to offer the tokens for a speculative purpose, even though such exchange and alternative trading system do not currently exist.

It should also be noted that Blockstack’s offering circular introduced a type of security that can be treated as “flexible” over time. The offering circular, consistent with the Framework, disclosed that the tokens offered as securities may not be securities in the future if the characteristics of the network and/or the tokens change. What this means is that the protection of the securities law could disappear post-investment.

If Blockstack’s offering circular is declared “effective”, Regulation A can become the go-to avenue for offerings of tokens (up to US$50 million in one year) because

  • under Regulation A, offerings can be made to any investors, regardless of their degree of sophistication; and
  • securities sold under Regulation A are not “restricted” and thus are freely tradeable after purchase from the issuer.

For smaller token offers, including those which are clearly securities under US law, this is of interest because, in contrast with the traditional registration statement for an equity IPO, an issuer pursuing an offer of securities under Regulation A will benefit from:

  • an expedited SEC review process; and
  • lighter disclosure requirements.

Regulation A, however, applies only to a specific type of issuer. In particular, Regulation A is available only to issuers incorporated in the United States or Canada with their principal place of business in the United States or Canada.

Relevance of new SEC Framework to interpretation of Australian securities laws

The SEC takes a different approach from securities regulators in many other countries, including Australia. Whereas other regulators look to classify tokens as (broadly) securities, utility tokens or payment tokens, the SEC starts by taking an expansive view of what a security token is. This leads to tokens that may, in other jurisdictions, be classified as utility tokens being considered as securities by the SEC. For example, common features of a utility token such as tradability, centralised development of the network, centralised issuance of tokens, and the ability to acquire tokens for speculative investment, could all lead to classification as a security in the United States.

In Australia, the comparable concept to the US “investment contract” under the Howey test is a managed investment scheme (“MIS”). Like the Howey test, the definition of a MIS has three main elements. These are (i) a contribution of money or value, (ii) the contributions are pooled, or used for a common enterprise, to produce financial benefits, and (iii) contributors do not have day-to-day control of operations. The “common enterprise to produce financial benefits” element is similar to the Howey test element that there be “a reasonable expectation of profits derived from the efforts of third parties”.

The SEC takes the clear view that if token buyers expect that the price or value of their tokens will increase due to the activities of promoters or others, then this satisfies the test for an expectation of profits. For example, raising funds to develop a network or operations, or selling tokens on the basis that they will be listed on an exchange, are factors considered in the Framework. As seen in the TurnKey example above, the issuer went to great lengths to eliminate the possibility of token holders seeking to profit by selling their tokens.

Will Australian regulators interpret the MIS test of “producing financial benefits” in the same way, where a utility token does not otherwise give any right to profits or capital of the business? Or will this be the start of a wider divergence of regulatory approach between the SEC and other regulators?


The Framework is the first step by the SEC to remove the clouds of uncertainty regarding the criteria that make a digital asset a “security” under US law. Certainly, it is a commendable effort. The Framework, however, provides a totality of the circumstances approach that may leave market participants doubtful about what elements listed in the Framework are “heavier” than others. In this respect, the TurnKey no-action letter and Blockstack’s offering circular clarify one point. “Control” of the network and its tokens is not alone determinative.

There is a general consensus among practitioners that the application of the criteria listed in the TurnKey no-action letter could provide a very narrow escape from the application of the securities law, something that is viewed as potentially stifling the development of blockchain technology. However, Regulation A could strike the right balance between protection of the public and promotion of the development of blockchain technology.

The Framework, however, remains silent on other key issues. For example, how can brokers and investment advisers who hold clients’ assets satisfy the custody rules? How can auditors comply with the securities law in connection with offerings of tokens? Can a digital platform trade securities and non-securities? Unfortunately, today these questions have no answers. Further guidance on these issues will be needed.


The post US Securities and Exchange Commission Framework to Regulate Cryptocurrencies appeared first on Global Compliance News.


On 15 May 2019, President Trump issued an Executive Order on Securing the Information and Communications Technology and Services Supply Chain that authorizes the Commerce Secretary to regulate the acquisition and use of information and communications technology and services from a “foreign adversary.”

Broadly speaking, the order authorizes the creation of national security focused import regulation mirroring the long-standing export control and foreign investment regimes. The order represents a dramatic expansion of federal power without Congressional involvement. Given the pervasiveness of information and communications technology and services throughout the economy and the globalization of supply chains, practical effects could be far-reaching and surprising.

The Commerce Secretary has 150 days (until mid-October) to promulgate regulations implementing the Supply Chain Order. The Commerce Department has broad discretion, and businesses developing, making and using information and communications technology and services should consider weighing in with the department on the scope, content and effect of this new regulatory program.


In promulgating the Supply Chain Order under the International Emergency Economic Powers Act of 1977, the President declared a national emergency, asserting the order was necessary because “foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services … in order to commit malicious cyber-enabled actions, including economic and industrial espionage.” In the President’s words, “openness must be balanced by the need to protect our country against critical national security threats.”

Regulatory Authorization

The Supply Chain Order provides that the Commerce Secretary, in consultation with other agencies, may prohibit or condition the acquisition, importation, transfer, installation, dealing in, or use by persons subject to U.S. jurisdiction of information and communications technology or services “designed, developed, manufactured, or supplied” by persons owned, controlled or directed by a “foreign adversary” where the Secretary believes there is an “unacceptable risk” to U.S. national security.

The term “information and communications technology or services” is defined capaciously as “hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” Products ranging from watches to cars now include information and data processing technologies. Just about the only things not potentially covered by the Supply Chain Order are raw materials and other commodities.

A “foreign adversary” is any foreign government, entity or individual “engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security.” Thus, prohibitions and restrictions could extend to products and services from specific companies and individuals as well as more broadly from particular countries.

In sum, the Supply Chain Order authorizes the Commerce Secretary to regulate from where and from whom businesses operating in the United States may acquire information and communications technology and services. If the Secretary deems that a particular country or entity presents an “unacceptable risk,” he can prohibit U.S. persons from using products or services made or supplied by that “foreign adversary.” He could also prohibit U.S. businesses from buying inputs from foreign firms from allied countries that employ, say, programmers or technicians the Secretary thinks are subject to the direction of a foreign adversary. Arguably, he could even effectively prohibit U.S. companies from employing in the United States foreign individuals the Secretary believes are subject to the direction of a foreign adversary. Given the centrality of the United States to information and communications technologies and services globally, one could expect any such U.S. prohibitions would have global repercussions.

Implementing Regulations

The Commerce Secretary is to publish implementing regulations by mid-October 2019. The regulations will presumably define (1) the types of technologies or services that will be covered, (2) the countries, companies and people (“foreign adversaries”) that will be the target of regulation, and (3) procedures and conditions to license particular transactions and classes of transactions. Given how much discretion the Commerce Secretary has in designing the regulatory regime, it will be important for interested parties to provide input.

Interagency Consultation and Decision Authority

In promulgating and applying these regulations, the Commerce Secretary is to consult with other economic and security agencies. This list of agencies overlaps significantly with the Committee on Foreign Investment in the United States (CFIUS), which has decades of experience in applying U.S. foreign investment law. However, in the investment context, the ultimate decision power rests with the President, and CFIUS operates by consensus, which has a moderating effect. Under the Supply Chain Order, the Commerce Secretary is the decision-maker, and he need not heed input from other agency heads.


The Supply Chain Order is a remarkable appropriation of legislative authority by the executive, and it will likely lead to new and disruptive market interventions. As dramatic as it is, the order is but one of a series of recent regulatory measures prompted by national security concerns arising from commercial transactions, with other measures relating to sanctions, foreign investment, dual-use exports, and government procurement. [1] While tariffs on U.S./China trade have attracted the most attention, the expanding regulation in the name of national security may prove more durable and important, reflecting as it does growing geo-strategic competition and concerns over new vulnerabilities created by technology.

[1] Foreign Investment Risk Review Modernization Act of 2018 (expanding foreign investment regulation); Export Control Reform Act of 2018 (requiring identification and regulating for export “emerging and foundation technologies”); Section 889 of National Defense Authorization Act for Fiscal Year 2019 (FY19 NDAA) (prohibiting use by U.S. agencies of services or equipment from certain foreign companies).

The post US: President Trump Issues Supply Chain Executive Order appeared first on Global Compliance News.


Update Ensures the HITRUST CSF Continues to Provide the Most Comprehensive Global Privacy and Security Framework Available

HITRUST, a leading data protection standards development and certification organization, today announced it will release version 9.3 of its HITRUST CSF® during the third quarter of 2019.


The HITRUST CSF controls framework addresses security, privacy, and regulatory challenges facing organizations in industries such as healthcare, financial services, retail, hospitality and travel. These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally.

By incorporating numerous international, federal and state governmental regulations as well as recognized standards the HITRUST CSF helps organizations address information risk management and compliance challenges through a comprehensive, risk-based flexible framework of prescriptive and scalable controls. By including both privacy and security standards, the HITRUST CSF uniquely enables organizations to address the big picture of data protection. Most privacy regulations require appropriate security measures, which the HITRUST CSF helps identify.

By allowing organizations to conduct a comprehensive privacy and security assessment, the HITRUST CSF encourages cooperation between these disciplines and assists in achieving better compliance with regulatory requirements and best practices. Through the HITRUST CSF Assurance Program, organizations who obtain HITRUST CSF Certification covering both privacy and security can demonstrate that they are achieving high standards in their data protection program.

HITRUST ensures the HITRUST CSF remains relevant and current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations. HITRUST CSF v9.3 will include new requirements placed on organizations by the California Consumer Privacy Act (CCPA). Passed in 2018, the new legislation takes effect January 1, 2020, with enforcement of the new law taking effect on July 1, 2020. The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR), which takes additional steps to protect the transmission, sharing and storage of consumer data. HITRUST CSF v9.3 also reflects key differences between the two laws, including their applicability, requirements for data access, and detailed requirements about opt-out methods.

The HITRUST CSF v9.3 will also reflect updates to a number of authoritative sources, including:

  • Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1.
  • The Federal Risk and Authorization Management Program (FedRAMP).
  • IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information.
  • The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1.
  • South Carolina’s Bill 4655, the Insurance Data Security Act.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST Approach provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment, as well as the structure, clarity, functionality, and cross-references to authoritative sources, eliminating the need for organizations to interpret, engage, and harmonize the multitude of frameworks and standards. The HITRUST CSF leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.

Organizations interested in assessing against any of the authoritative sources in the HITRUST CSF can do so by leveraging the HITRUST MyCSF tool. More information can be found at www.hitrustalliance.net.

The post New Version of HITRUST CSF® Incorporates California Consumer Privacy Act, NIST Cybersecurity Framework and Additional Legislation & Standards appeared first on HITRUST.