As we have previously written, the privacy and security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) are effective as of March 21, 2020. The SHIELD Act implements broad new data security requirements for all businesses that have the private information of New York residents, and reaches beyond New York’s own borders to compel companies – including companies that do not do business in New York – to take affirmative steps to protect the personal and private information of New York residents that the company may be collecting or storing. First, the SHIELD Act expands the definition of “private information” that must be safeguarded to include any information that can be used to identify a person, in combination with a social security number, a driver’s license number, a financial account number, or biometric information. Separate and apart from these “data elements,” the definition of “private information” also now includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.” Second, the SHIELD Act applies to any company that possesses the private information of even a single New York resident – even if the company does not conduct business in New York. All companies must...
Tagged: New York Law
State legislatures in California and New York have responded to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA requires businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt out of its sale, and to create privacy policies detailing their processes for selling or distributing consumer data....
Enough Said: Southern District of New York Decision Reiterates Limits of Disclosure Obligations Under Securities Laws
The Southern District of New York’s recent decision in Employees Retirement System of the City of Providence v. Embraer S.A. may provide useful guidance for companies struggling with disclosure obligations in the midst of ongoing investigations into potential unlawful conduct. Defendant Embraer, S.A., a Brazilian aircraft manufacturer, made a series of disclosures regarding external and internal investigations into potential U.S. Foreign Corrupt Practices Act (FCPA) violations. Specifically, in November 2011, Embraer disclosed investigations by the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) and advised that it had retained outside counsel to conduct an internal investigation. Although the company repeatedly warned that it may be required to pay substantial fines or incur other sanctions, it also stated early in the investigation that it did not believe there was a basis to estimate reserves or quantify any loss contingency. In July 2016, Embraer announced that settlement negotiations with the DOJ and SEC had progressed to a point warranting recognition of a $200 million loss contingency. Nearly three months later, the company announced a settlement that included a fine of over $107 million and disgorgement of nearly $84 million in profits. On December 13, 2016, Employees’ Retirement System of the City of Providence filed an amended class action complaint alleging violations of Securities Exchange Act...
On October 11, 2016, the Supreme Court of New York, Appellate Division, First Department, decided 2138747 Ontario, Inc. v. Samsung C&T Corp., et al., which serves as a reminder to attorneys that New York’s borrowing statute applies even where the parties agreed to a New York choice-of-law provision. The borrowing statute, CPLR 202, provides that, when a non-New York resident sues on a cause of action accruing outside New York, the complaint must be filed timely under the statute of limitations of both New York and the jurisdiction where the cause of action accrued. The statute’s underlying objective is to prevent forum shopping by nonresident plaintiffs. In Ontario, the plaintiff, a corporation formed under the law of Ontario, Canada, was a creditor of SkyPower Corporation, a bankrupt Canadian renewable energy developer. SkyPower’s bankruptcy trustee assigned to the plaintiff all of its claims against the defendants. The plaintiff then sought damages against the defendants for a breach of a nondisclosure and confidentiality agreement (NDA), which contained a broad New York choice-of-law provision. The plaintiff’s complaint was untimely under Ontario’s two-year statute of limitations but was timely under New York’s six-year statute of limitations. The trial court found that Ontario’s two-year statute of limitations applied and dismissed the case. The Appellate Division affirmed. Although the court found...
On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else
On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever-growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
“Bound by the Terms of His Bargain”: Third Circuit Underscores the Difficulty of Vacating Arbitration Awards
In a recent precedential decision, Whitehead v. The Pullman Grp., LLC, the Third Circuit reminded litigants that it’s as tough as ever to vacate an arbitration award – and cast further doubt on the viability of the “manifest disregard of the law” standard here. Appellant Pullman entered into a contract with two singer-songwriters in May 2002, which gave him the exclusive option to purchase their song catalog following a 180-day due diligence period.
Third Circuit Holds That Personal Injury Plaintiffs’ “Mere Continuation” Successor Liability Claims Against Purchaser of Bankrupt Debtor’s Assets Belong to Bankruptcy Estate, Not Plaintiffs
In In re Emoral, Inc., the Third Circuit, in a decision of first impression, held that personal injury claims of individuals allegedly harmed by a bankrupt debtor’s products cannot be asserted against the purchaser of the debtor’s assets since they are “generalized claims” which belong to the debtor’s estate and not to the harmed individuals.
New York Appellate Division Reminds New York Practitioners That They Ignore CPLR 3212(a)’s Filing Deadlines at Their Peril
In Kershaw v. Hospital for Special Surgery, the First Department of New York’s Appellate Division affirmed the denial of a summary judgment motion for being untimely filed, notwithstanding that the tardy motion clearly had merit, as emphasized by the dissent. In so doing, the Kershaw Court reinforced the notion that attorneys who disregard the filing deadlines set forth by the New York courts under the New York Civil Practice Law and Rules (“CPLR”) do so at their own peril.
New York Court Upholds Separate Entity Rule, Quashes Non-Party Subpoenas Seeking Information on Overseas Bank Accounts
In Ayyash v. Koleilat, the Supreme Court of the State of New York, New York County, upheld and arguably extended the New York “separate entity” rule, which provides that each branch of a bank is treated as a separate entity, in no way concerned with accounts maintained by depositors in other branches or at a home office. Under this rule, a New York branch cannot be compelled to turn over assets maintained at another branch of the same bank. The Court’s decision appears to extend this rule to hold that — at least in circumstances where international comity considerations support broad application of the separate entity rule — a New York branch cannot be compelled to provide information or discovery concerning assets maintained at a foreign branch.