Stinson Leonard Street's Emerging Trends Newsletter - Q3

We are thrilled to bring you the third installment of Stinson Leonard Street's Emerging Trends newsletter. We are proud of the depth and breadth of experience and knowledge across our firm's 13 offices nationwide and are excited to share this through the Emerging Trends newsletter.

Attorneys from several different practice areas and from across our firm's geographic footprint will regularly share their insights into the latest legal developments in various industries and the impact these will have on our clients' businesses.

We hope you enjoy the newest installment, and be sure to look out for upcoming issues.

Who's at Fault When No One's at the Wheel?

Joy Syrcle – Business Litigation

From Google’s Self-Driving Car Project to Uber’s pilot testing of self-driving cars set to launch this fall in Pittsburgh, autonomous vehicles are quickly becoming part of our daily reality. While in time this technology may dramatically reduce traffic accidents by eliminating human error and problems caused by distracted or impaired driving, car crashes will still happen. Who is liable for an injury suffered as a result of a crash involving a self-driving vehicle? Can an individual in an autonomous vehicle be negligent for not assuming control of the vehicle to prevent an accident? Does a company such as Uber assume greater liability through use of automated vehicles in its business? This is largely uncharted territory. This past September, in the first lawsuit of its kind, the family of a man who died in a crash involving Tesla’s Autopilot technology filed suit in China. Tesla may also soon be facing litigation in the U.S. in relation to Florida resident Joshua Brown, who died in May while using the autopilot function of the manufacturer’s Model S.

There are a few cases arising from analogous technology that could provide insight on how courts might handle claims involving autonomous vehicle technology. For example, most cases involving injuries caused in the use of industrial robots were attributed to employees’ failures to take safety precautions. Similarly, in one case involving a crash while an airplane was controlled by autopilot, the court faulted the pilot’s failure to retake control of the plane. Conversely, plaintiffs have been successful in claims against vehicle manufacturers, alleging the cruise control function in vehicles caused the vehicle to unexpectedly accelerate or fail to brake.

Laws of individual states may also contain provisions relevant in allocating civil liability. Nine states have passed legislation related to the testing and use of autonomous vehicles. Florida, for example, specifies that an individual causing the autonomous vehicle to engage is the “operator,” and this statutory provision could be used in a civil suit to argue the driver maintains some obligation in the handling of the vehicle. Washington D.C. expressly requires that a human driver be “prepared to take control of the autonomous vehicle at any moment.” Nevada law, on the other hand, provides that an individual utilizing a self-driving vehicle is exempted from statutory prohibitions against texting while driving, specifying that these persons are not deemed to be operating the vehicle for the purpose of that prohibition.

Further complicating this analysis are aftermarket products that convert standard vehicles into autonomous or semi-autonomous vehicles. Michigan, Nevada, and Washington D.C. have each enacted laws to limit liability of an original manufacturer of a converted vehicle. While these limitations are narrow, they are examples of statutory protections for manufacturers. Companies should consider whether other situations exist that may be appropriate for similar legislative protections at either the state or federal level.

Manufacturers could also attempt to reduce liability through extensive disclosure statements and by requiring purchasers to sign acknowledgement or waiver forms. This protection, however, would likely extend only to the purchaser of the vehicle and not to any other person suffering damage in a crash.

The full extent to which liability for crashes involving autonomous vehicles will be shifted from vehicle owners/operators remains to be seen, and manufacturers and businesses utilizing self-driving vehicle technology should be prepared to defend against litigation that will most certainly ensue.

Proposition 65 Amendments: Products Sold in California Have New Warning Requirements

Benjamin Woodard – Business Litigation and Michelle Corrigan – Business and Commercial Litigation

In 1986, California voters passed the Safe Drinking Water and Toxic Enforcement Act, otherwise known as Proposition 65. It requires the California Office of Environmental Health Hazard Assessment (OEHHA) to publish a list of chemicals known to cause cancer, birth defects, or other reproductive harm. The current list includes over 800 chemicals. Proposition 65 further requires companies to provide a “clear and reasonable” warning before knowingly and intentionally exposing anyone in California to a listed chemical.

A great deal of controversy developed over the years as to what constitutes a “clear and reasonable” warning. Although Proposition 65 contains a safe harbor provision wherein a manufacturer or distributor may protect itself by placing warnings on its products, historically, the regulations dealing with the safe harbor provision have been difficult to understand and apply to specific situations.

Timeline of Proposition 65 Proposed Amendments

Three years ago, California’s Governor Jerry Brown announced his proposal to reform Proposition 65. In response, OEHHA issued a notice to repeal and replace the requirements under Proposition 65 for a “clear and reasonable” warning. However, OEHHA’s January 2015 proposal arguably made compliance even more burdensome. For instance, the January 2015 proposal considerably changed the warnings requirements specified in Proposition 65, including the establishment of a proposed requirement that warning labels identify each specific chemical in any product sold in California, among a list of 12 chemicals (the “dirty dozen”), identified by OEHHA as commonly found in consumer products. Chemicals listed among the “dirty dozen” included lead, phthalates, chlorinated Tris, benzene, and mercury.

In November 2015, due in part to considerable opposition, OEHHA formally withdrew its January 2015 proposal and released new draft amendments to Proposition 65. Significantly, the November 2015 proposal for Proposition 65 eliminated the “dirty dozen” provision and made several other clarifications. Modifications to the November 2015 proposals were issued in March 2016.

The New Amendments

In August 2016, the November and March proposals modifying Proposition 65’s safe harbor warning label requirements were adopted. Below is a list of the new requirements for product warnings under Proposition 65 as amended:

  • Warnings on nonfood products must contain a symbol with a black exclamation point in a yellow equilateral triangle with a black outline (“the symbol”);
  • The warning should also contain the word “WARNING” in all capital letters and bold type (“the warning identification”);
  • Warnings must state that the product “can expose” a user to chemicals known to the state of California to cause cancer, birth defects, and/or other reproductive harm. The prior version of Proposition 65 only required a statement that the product “contained” a chemical.
  • Warnings must identify one or more chemicals for each potential health effect (i.e., cancer, birth defects, reproductive harm).
  • Warnings must include a link to a new Proposition 65 website that will be operated by OEHHA.
  • Warnings on product labels can be shortened to only include the symbol and warning identification discussed above, a statement that the product can expose the user to one or more chemicals that can cause cancer, birth defects, and/or reproductive harm (it does not need to list the specific chemicals), and a link to the new OEHHA website.
  • Warnings must be presented in additional languages under certain circumstances.
  • Product-specific warnings may be provided via electronic device/process that automatically provides the warning to the purchaser prior to or during the purchase of the product.
  • For internet sales, warnings must be provided on the product display page, or a clearly marked hyperlink using the warning identification discussed above.

The new provisions will not take effect until August 30, 2018. Before that date, product manufacturers and distributors may continue to use the current safe harbor warning language of Proposition 65, or warning language approved by California courts as “clear and reasonable.”

Recent Delaware Case Law Clarifies Irrebuttable Business Judgment Rule

Drew Kuettel – Corporate Finance

A recent Delaware case provides useful guidance that corporations (and their counsel) can use to fend off breach of fiduciary duty claims in certain M&A transactions. The takeaway from this case: a disinterested, uncoerced, fully informed stockholder vote can “cleanse” a transaction otherwise subject to the “entire fairness” standard of review, absent a conflicted controlling stockholder. The import of this point of law is that it provides a clear description of how to structure M&A decision-making processes in order to dispose of, at an early stage, shareholder claims of breaches of fiduciary duties.

In Larkin v. Shah, C.A. No. 10918-VCS (Del. Ch. August 25, 2016), former shareholders of Auspex Pharmaceuticals, Inc. (Auspex) sued Auspex’s board of directors for breach of fiduciary duties in connection with the sale of the business to Teva Pharmaceutical Industries Ltd. (Teva) for roughly $3.2 billion in cash in a two-step, short form merger. Under this structure, Teva first acquired a majority of the outstanding voting equity by publicly offering to buy shares of Auspex’s stock directly from its shareholders (the Tender Offer). Auspex would then be merged into a Teva subsidiary (without a shareholder vote) pursuant to Section 251(h) of the Delaware General Corporate Law (DGCL). This structure, known as a “two-step” merger, streamlined the acquisition because it eliminated the time and expenses associated with conducting a shareholder vote since, through the Tender Offer, Teva acquired a majority of the voting power, thus rendering the results of a shareholder vote a foregone conclusion.

The plaintiffs alleged that the board of directors (many of whom were affiliated with certain venture capital firm stockholders of Auspex) engaged in a flawed sales process that failed to yield the best value for the company’s public stockholders. According to the plaintiffs, in order to meet personal liquidity needs, the venture capital stockholders controlled and caused the board to accept the first all-cash transaction they could find, at the cost of considering other offers with cash and stock components and to the detriment of Auspex’s other stockholders. Alternatively, the plaintiffs argued that the directors approved the transaction under a conflict of interest. In either scenario, the “entire fairness” standard (the highest level of judicial scrutiny applicable to board actions) would apply.

Vice Chancellor Joseph Slights III, writing for the Delaware Court of Chancery, disagreed with the assertion that entire fairness applied to the transaction due to the presence of an uncoerced, fully informed, disinterested shareholder vote in favor of the transaction, without a conflicted controller, that “cleansed” the transaction such that the business judgment standard of review (the least exacting level of scrutiny) inarguably applied. If the business judgment rule inarguably applies to the transaction, the board action may only be overturned by judicial intervention based on a claim of corporate waste–i.e., that the decision “cannot be ‘attributed to any rational business purpose’”–a very high standard for plaintiffs to meet. Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 361 (Del. 1993).

First, the fact that 78% of the Auspex shareholders decided to sell their shares pursuant to the Tender Offer satisfied the uncoerced, fully informed, disinterested stockholder voting requirement. A few months prior to Larkin, the Court of Chancery held that the tender offer portion of a “two-step” merger under DGCL § 251(h) has the same cleansing effect as an uncoerced, fully informed, disinterested shareholder vote in favor of the transaction, notwithstanding the fact that a tender offer is statutorily required or that the transaction would otherwise be subject to heightened Revlon scrutiny. In re Volcano Corporation Stockholder Litigation, C.A. No. 10485-VCMR (Del. Ch. June 30, 2016) (a stockholder is no less exercising her “free and informed chance to decide on the economic merits of a transaction” simply by virtue of accepting a tender offer rather than casting a vote).

Second, there was no conflicted controller present. Although a stockholder (or block of affiliated stockholders) owning less than a majority of the outstanding shares may be deemed a “controller,” such a holder must wield “such formidable voting and managerial power that, as a practical matter, [it is] no differently situated than if [it] has majority voting control” and that it “triggers the . . . concern that independent directors’ free exercise of judgment has been compromised.” Larkin, C.A. No. 10918-VCS at 34. In Larkin, the venture capital stockholders collectively held 23.1% of Auspex’s stock, and the plaintiffs’ complaint failed to state any well-pled allegations that would permit a reasonable inference that any such controller or control block could “exercise actual control over [Auspex’s] board.” Id. at 36.

Larkin provides a clear roadmap for corporations to follow when structuring an M&A decision-making process, particularly when the target is a publicly traded entity.

"Gotta Catch 'Em All!"™ – Pokemon™ Go Gives Rise to New Class Action Suits

Katie Bechina – Business Litigation

The latest smartphone sensation, Pokémon Go, has led to a new series of class action lawsuits concerning private property rights. Pokémon Go, released in July by creator Niantic, is a GPS-based game that allows players to “catch” virtual creatures known as “Pokémon.” Participants explore their towns and neighborhoods looking for over 150 kinds of Pokémon and items at depots called “Pokéstops.” The app even allows competitors to battle other players’ Pokémon at locations called “Gyms.”

Niantic has programmed the app to spawn virtual Pokémon, Pokéstops, and Gyms at countless locations around the world. The app blends reality and virtual reality, using a smartphone’s camera to show the “real world” on the phone screen and to populate virtual creatures, depots, and battle arenas. However, the app fails to distinguish between public and private property, meaning a personal residence could be the home to a popular Gym, a Pokéstop, or a rare Pokémon.

Days after the app debuted, some homeowners began to notice people of all ages lingering on their property, trying to be the first one to “catch ‘em all.” They watched helplessly as players peered through their windows and trekked across their lawns to catch Pokémon, battle other players at Gyms, or collect items from Pokéstops.

In response to these Pokémon “trainers” invading their property, homeowners in North America have filed lawsuits to enforce their property and privacy rights. For example, in July 2016, a New Jersey man filed a proposed class action suit in California federal court against Niantic, The Pokémon Company (the marketer and licensing agent of the Pokémon brand), and Nintendo Company (32% owner of The Pokémon Company). Marder v. Niantic, Inc. et al., Case No. 4:16-cv-04300 (N.D. Cal. July 29, 2016).

This suit alleges a claim for nuisance against Niantic. By placing Pokéstops and Gyms on or near private property without the permission of owners, the complaint argues that the game and Pokémon “trainers” are invading the use and enjoyment of their property. The plaintiff also alleges a claim for unjust enrichment against all three defendants, explaining that the private property of the proposed class has contributed to the game’s prosperity and popularity.

As the game becomes more prevalent and the number of players grows, more disputes have arisen. For instance, a Michigan couple filed a proposed class action suit in California federal court in July, and members of a Florida condo association did the same in late August. Dodich v. Niantic, Inc. et al., Case No. 3:16-cv-04556 (N.D. Cal. Aug. 10, 2016); The Villas of Positano Condominium Ass’n v. Niantic, Inc. et al., Case No. 3:16-cv-05091 (N.D. Cal. Sept. 2, 2016). Another proposed class action case was even filed in Alberta, Canada. Schaeffer v. Niantic, Inc. et al., Case No. 1601-01491 (Court of Queen’s Bench of Alberta Aug. 10, 2016). Each suit contains allegations similar to the New Jersey case; they claim that Niantic has created a nuisance by placing Pokéstops and Gyms on or near private property and that the defendants are wrongfully profiting from the success that using the private property has created.

Each case is still in the early stages of litigation, making outcomes difficult to predict. Still, they show that as technology advances and further permeates society, the law continues to evolve. Companies with similar technology should consult with counsel to evaluate their legal risks.

Increased Focus on Enforcement of Whistleblower Rules by Federal Regulators

Stephen Quinlivan – Corporate Finance and Bryan Pitko – Corporate Finance

Enforcement of whistleblower rules continues to be a key focal point for federal regulators based on recent actions taken by the SEC, CFTC, and OSHA in this area.

Recent SEC settlements of enforcement cases involving the whistleblower provisions under the Dodd-Frank Act have put companies and their counsel on notice that restrictions on employee communications with outside parties in severance and confidentiality agreements may be viewed by regulators as impeding an individual’s ability to communicate with regulators about possible securities law violations in breach of whistleblower rules.

One such case, settled August 10th, involved the addition of a monetary recovery prohibition to certain severance agreements (entered into nearly two years after the adoption of the whistleblower rules) that was alleged to have violated the SEC’s prohibition on any impediments to communications with the SEC about securities law violations. The SEC appears to have been particularly concerned with restrictive language that forced employees leaving the company to waive possible whistleblower awards or risk losing their severance payments and other post-employment benefits.

The terms of settlement in these cases are driving companies to mitigate any risk of such violations, including the addition of language in future confidentiality and severance agreements to explicitly provide an employee with the right to communicate with the SEC (and other federal agencies) about potential securities law violations without company approval. Likewise, for further prophylactic effect, companies may consider broad communications highlighting that any existing agreements with former employees do not restrict such former employees’ ability to provide information to the SEC or accept SEC whistleblower awards.

The rules are broadly applicable to any employer subject to SEC jurisdiction. That includes public companies, broker-dealers, investment advisers, and advisers in municipal securities transactions. The rules may also apply to private equity portfolio companies and any other entity that has sold or is selling securities in private placements, issuing securities in private merger transactions, or redeeming securities from shareholders.

Meanwhile, proposed regulations at the CFTC suggest that the SEC’s regulatory cousin is moving to expand its ability to administer rules designed to protect the rights of whistleblowers consistent with the SEC’s authority in this area. As part of a continuing effort to harmonize the SEC’s and the CFTC’s whistleblower programs, the CFTC has recently proposed amendments to its whistleblower rules that reinforce its anti-retaliation authority under the Commodity Exchange Act. The proposed amendments would prohibit the enforcement of confidentiality and pre-dispute arbitration clauses in agreements impacting actions by potential whistleblowers and prohibit employers from threatening, harassing, or retaliating against individuals who participate in the CFTC’s whistleblower program.

The Occupational Safety and Health Administration (OSHA) has similarly moved to align itself with the SEC and CFTC with its recent issuance of guidance regarding settlement agreements with whistleblowers under Section 806 of the Sarbanes-Oxley Act. As in the SEC’s recent settlements and the CFTC’s proposed rules, OSHA’s guidance acts to prohibit “gag” provisions often found in confidentiality or non-disparagement clauses that “prohibits, restricts, or otherwise discourages a complainant from participating in protected activity,” which includes “filing a complaint with a government agency, participating in an investigation, testifying in proceedings, or otherwise providing information to the government.”

Circuits Further Split Regarding Statute of Limitations for Disgorgement in SEC Enforcement Actions

Jessica Pixler – Business Litigation

The Securities and Exchange Commission (SEC) typically has five years from the date a claim accrues to bring “an action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise” pursuant to 28 U.S.C. § 2462. This has led courts to different conclusions as to whether this statute of limitations applies to equitable or quasi-equitable remedies, including the remedy of disgorgement. In the summer of 2016, the Eleventh Circuit held that Section 2462 applies to disgorgement, but the Tenth Circuit shortly thereafter reached the opposite conclusion.

The Eleventh Circuit decided Securities and Exchange Commission v. Graham on May 26, 2016, in which the SEC appealed a district court ruling that Section 2462 applied to its request for disgorgement, among other remedies. 823 F.3d 1357 (11th Cir. 2016). The district court found that disgorgement would require the defendants to relinquish money and property and was thus the same as forfeiture, to which Section 2462 expressly applies. The Eleventh Circuit agreed, looking to the ordinary meanings of “disgorgement” and “forfeiture” and concluded that “for the purposes of § 2462 the remedy of disgorgement is a ‘forfeiture,’ and § 2462’s statute of limitation applies.” Id. at 1363. It declined to find that “technical” differences between the two terms were meaningful. Id. at 1363-64. Therefore, the Court found that Section 2462 barred the SEC’s request for disgorgement.

Less than three months later, the Tenth Circuit came to the opposite conclusion in Securities and Exchange Commission v. Kokesh, 2016 WL 443785, No. 15-2087 (10th Cir. August 23, 2016). In prior cases, the Tenth Circuit found disgorgement was remedial, not punitive. Id. at *4 (citing United States v. Telluride Co., 146 F.3d 1241, 1247 (10th Cir. 1998)). Under the Tenth Circuit’s approach, disgorgement does not punish a defendant; it merely puts the defendant in the same position he would have been in had he not engaged in the wrongful acts. Id. at *4. Even when the defendant was required to disgorge more than he personally gained or benefitted from the wrongdoing, disgorgement was nonetheless not punitive. Id. at *4-5. The Court compared an SEC enforcement action to a personal injury claim wherein courts do not consider it punitive to require the defendant to pay for all damages caused, even where the defendant has not personally gained. Id. at *5. The Tenth Circuit explained that forfeiture, as listed in Section 2462, must be viewed historically to mean a taking of “tangible property used in criminal activity.” Id. at *5. The non-punitive remedy of disgorgement does not fit within this type of forfeiture, and therefore Section 2462 does not apply.

The effect of Graham and Kokesh remains to be seen, but it seems likely that until the Supreme Court resolves the issue, the remaining circuits will have to choose sides. Prior to Graham, the D.C. Circuit weighed in on the issue, most recently finding that disgorgement orders are not penalties and therefore are not subject to the five-year statute of limitations in Section 2462. See Riordan v. Securities and Exchange Commission, 627 F.3d 1230 (D.C. Cir. 2010). In circuits that adopt the view of the Tenth and D.C. Circuits, the SEC is permitted to seek disgorgement of funds associated with wrongdoing that occurred more than five years prior to the accrual of the claim, which could significantly increase a defendant’s exposure. In comparison, the application of the statute of limitations in the Eleventh Circuit provides defendants facing disgorgement with more predictable and limited exposure. Until the Supreme Court resolves this split, defendants in undecided circuits must grapple with the risk of the additional exposure that would come with their circuit’s adoption of the Tenth and D.C. Circuits’ approach.

The New York State Department of Financial Services Proposes Robust Cybersecurity Rules

Zane Gilmer – Financial Services and Class Action Litigation

On September 13, 2016, the New York State Department of Financial Services (DFS) proposed new rules that would require certain “Covered Entities” to establish and implement cybersecurity programs designed to protect nonpublic consumer information (Nonpublic Information) and technology systems from cyber-attacks (Proposed Rules). Below are some of the highlights of the Proposed Rules:

Covered Entities

The Proposed Rules would apply to any person or entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.”

The Proposed Rules would not apply to a Covered Entity with (i) fewer than 1,000 customers in each of the last three calendar years; (ii) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and (iii) less than $10,000,000 in year-end total assets.

Effective Date

The Proposed Rules are subject to a 45-day notice and public comment period and, if approved, would be effective beginning January 1, 2017 (Effective Date). Covered Entities would then have 180 days from the Effective Date to comply.

Cybersecurity Program

Covered Entities must establish a cybersecurity program designed to perform the following “core cybersecurity functions”:

  • Identify internal and external cyber risks by identifying Nonpublic Information stored on the Covered Entity’s systems and how that information can be accessed
  • Use defensive infrastructure and the implementation of policies and procedures to protect Nonpublic Information and the Covered Entity’s systems
  • Detect certain “Cybersecurity Events”
  • Respond to identified or detected Cybersecurity Events
  • Recover from Cybersecurity Events
  • Fulfill regulatory reporting obligations

Cybersecurity Policy

Covered Entities must implement and maintain a written cybersecurity policy addressing the following areas:

  • Information security
  • Data governance and classification
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Capacity and performance planning
  • Systems operations and availability concerns
  • Systems and network security and monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party service provider management
  • Risk assessment
  • Incident response

The cybersecurity policy must be reviewed by the Covered Entity’s board of directors, or equivalent governing body, and approved by a senior officer of the Covered Entity.

Appointment of Chief Information Security Officer and Other Cybersecurity Personnel

A Covered Entity must appoint a qualified individual to serve as the entity’s chief information security officer, who will be responsible for overseeing and implementing the entity’s cybersecurity program. In addition, each Covered Entity must employ cybersecurity personnel to manage the entity’s cybersecurity risks.

Penetration Testing and Vulnerability Assessments

A Covered Entity’s cybersecurity program must include annual penetration testing and quarterly vulnerability assessments.

Audit Trail System

Cybersecurity programs must include implementing and maintaining audit trail systems that track, maintain, and log certain data, including financial transactions necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.

Limiting Access Privileges and Multi-Factor Authentication

A Covered Entity’s cybersecurity program must limit access privileges to the entity’s systems that provide access to Nonpublic Information solely to those individuals who require such access. In addition, each Covered Entity must require multi-factor authentication for accessing internal systems, for privileged access to database servers that provide access to Nonpublic Information, and for individuals accessing web applications that contain Nonpublic Information.

Annual Risk Assessments

Each Covered Entity is required to conduct an annual risk assessment of its information systems.

Third-Party Vendors

Each Covered Entity is required to implement written policies and procedures that are designed to ensure the security of Nonpublic Information and the Covered Entity’s information systems that are accessible to or maintained by third parties that do business with the Covered Entity.

Limitations on Data Retention and Encryption of Nonpublic Information

Each Covered Entity is required to implement policies that require the destruction of Nonpublic Information that is no longer necessary.

Employee Training and Monitoring

Each Covered Entity must implement policies, procedures, and controls that are designed to monitor user activity and detect unauthorized use. In addition, each Covered Entity must require that all personnel attend regular cybersecurity awareness training sessions.

Incident Response Plan

Each Covered Entity must implement a written incident response plan that is designed to respond immediately to a Cybersecurity Event. The plan must address at least the following areas:

  • The internal processes for responding to a Cybersecurity Event
  • The goals of the incident response plan
  • The definition of roles, responsibilities, and decision-making authority
  • External and internal communications and information sharing
  • Remediation of any weaknesses in information systems and other controls
  • Documentation and reporting concerning Cybersecurity Events and response activities
  • The evaluation and revision of the incident response plan following a Cybersecurity Event

Notices of Cybersecurity Event to DFS Superintendent

Each Covered Entity is required to notify the DFS superintendent of any Cybersecurity Event “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” The notice must be provided no later than 72 hours after the Covered Entity becomes aware of the incident.

Conclusion and Insight

While many institutions have already taken significant strides to address cybersecurity threats, if the Proposed Rules are enacted, Covered Entities will be required to go beyond what many institutions have already done. As such, Covered Entities should begin evaluating their cybersecurity programs and preparing for possible changes based on the Proposed Rules. Further, even non-Covered Entities should pay attention to the outcome of these proposals as they will likely serve as a template for other states and regulators to propose similar requirements.

Is Your Company's Website at Risk for ADA Non-Compliance?

Angie Fletcher – Banking and Financial Services and Samir Mehta – Intellectual Property and Technology

Recently, businesses across the country have become targets of innovative demand letters and lawsuits arising under the Americans with Disabilities Act (ADA). Disabled plaintiffs are working with law firms and advocacy organizations across the country, alleging that the businesses’ websites fail to provide access to people with certain disabilities. These demands and lawsuits are aggressively testing the limits of how the ADA applies to websites. Any business with a commercial website should take notice and prepare accordingly.

The ADA became law in 1990, and it aimed to prohibit discrimination against individuals with disabilities. Title III of the ADA prohibits discrimination on the basis of disability in “places of public accommodation.” Initially, the term “places of public accommodation” was applied to stores, restaurants, movie theaters, schools, and other commercial businesses that were open to the general public. Neither Title III nor any other part of the ADA specifically discusses “website accessibility” for the disabled. However, as the Internet has risen in importance in our lives, many advocates, plaintiffs, and courts now argue that websites should qualify as “places of public accommodation.”

The recent demands and lawsuits essentially argue that websites must be designed to allow for “access” by people with certain disabilities who may have difficulty viewing, hearing, or interacting with some Internet content. People with disabilities who have the most significant concerns and tend to be the plaintiffs in the lawsuits include those with blindness, low vision, deafness, hearing loss, learning disabilities, cognitive limitations, limited movement, speech disabilities, photosensitivity, and epilepsy.

Due to this influx of litigation, courts have varied in their application of the ADA to company websites, but many have held that the ADA does cover websites. For example, in March of 2016, a California state court ordered a Colorado-based company to make its website accessible to persons with visual impairment based on a Title III ADA lawsuit. Further, the California court ordered the company to pay $4,000 in damages and over $100,000 in legal fees.1

It is also notable that the U.S. Department of Justice (DOJ) has issued guidance and proposed amendments to the ADA that would more clearly require websites to be ADA compliant. In addition to the risk of litigation, entities that are charged with Title III violations can face civil penalties from the government, which may reach a maximum of $75,000 for a first violation and $150,000 for repeated violations. Given the DOJ’s increased interest in website compliance, there is reason to believe that DOJ enforcement actions related to websites may increase in the coming years.

How can businesses avoid exposure to litigation and government enforcement? Fortunately, there are tools and systems for making websites and Internet content accessible to persons with disabilities. While the DOJ has not issued binding rules or regulations on ADA compliance for websites (those are expected sometime in 2018), the DOJ and plaintiffs have consistently suggested that websites can be made ADA compliant by following the Web Content Accessibility Guidelines (WCAG-2.0). The WCAG-2.0 defines how to make web content more accessible to a wide range of people with disabilities, including ones with visual, auditory, physical, speech, cognitive, language, learning and neurological disabilities. Some of the WCAG-2.0 Guidelines include offering users text alternatives (increasing font, braille, speech, symbols, or simpler language), prerecorded audio-only or video-only content, and color distinctions by separating the foreground from the background. A complete list of the WCAG-2.0 Guidelines can be found here. In addition to applying WCAG-2.0, we recommend that businesses review the terms of settlement agreements between businesses and the DOJ related to website accessibility. These public settlement agreements give insight into how the DOJ interprets the ADA. Finally, we recommend that our clients review their websites for accessibility to disabled users, and engage a third-party vendor who can assist with website redesign to prevent potential violations.

  1. "Retailer Must Make Website Accessible to Visually Impaired and Pay Plaintiff Legal Fees, Judge Rules," ABA Journal, March 2016