Proposed Canadian Privacy Bill Introduces Fines and New Requirements for Private Organizations

After a hiatus of almost two years, the Canadian Government has finally recommenced its long-awaited overhaul of existing federal private sector privacy legislation. On June 16, 2022, Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts known as the Digital Charter Implementation Act, 2022 (“Bill C-27”) received its first reading in Parliament. The Artificial Intelligence and Data Act is not covered in this article and will be summarized separately.

Similar to its predecessor privacy reform bill, Bill C-11,[1] Bill C-27 introduces bold new measures into Canada’s privacy law that will significantly impact Canadian businesses: Canadian businesses will be required to invest in the protection of personal information or face heavy administrative monetary penalties for non-compliance. Furthermore, these measures bring Canadian privacy law into closer alignment with the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”) and Québec’s privacy reforms introduced by the recently enacted Bill 64. Closer alignment with the GDPR and Bill 64 will assist Canada in maintaining its adequacy status under the GDPR and being considered a substantially similar jurisdiction under Bill 64, respectively. This allows Canadian businesses to transfer personal information from the EU and Québec to Canada and provinces outside of Québec without additional data protection safeguards. The following are highlights from Bill C-27. Those who are familiar with Bill C-11 will note that Bill C-27 reintroduces many of the same concepts that were first introduced by Bill C-11.

New Enforcement Powers and Financial Punishments for Contraventions to the Act

The Consumer Privacy Protection Act (“CPPA”), which will repeal Part 1 of Canada’s existing federal private sector privacy act, the Personal Information Protection and Electronic Documents Act, now expands the enforcement powers of the federal Privacy Commissioner of Canada (the “Commissioner”). Following investigation and inquiry into a contravention of the CPPA, the Commissioner can issue orders to organizations to ensure that organizations comply with the CPPA.[2] Contravening a compliance order is an offense subject to financial punishment as set out below.[3]

The Commissioner can also recommend to the newly established Personal Information and Data Protection Tribunal (the “Tribunal”) that it should impose financial penalties if an organization has contravened the CPPA.[4] The Tribunal presides over hearings related to financial penalties recommended by the Commissioner and non-penalty-related appeals.[5] The Tribunal can impose administrative monetary penalties for contraventions of the CPPA up to the greater of $10,000,000 or 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.[6]

Moreover, the CPPA introduces new offenses with even higher financial punishments. These offenses include:

  • if an organization fails to report to the Commissioner any breach of security safeguards involving personal information under its control where the breach may result in a reasonable risk of significant harm to an individual,[7]
  • if an organization fails to keep and maintain a record of every breach of security safeguards involving personal information,[8]
  • if an organization attempts to re-identify individuals using de-identified information not in accordance with the prescribed exceptions,[9] and
  • if an organization disposes of personal information after an individual has requested access to it and the individual has not exhausted the individual’s recourse under the CPPA.[10]

Any organization that is found guilty of any of the offenses listed above can face a fine up to the greater of $25,000,000 or 5% of the organization’s gross global revenue in its financial year before the one in which the organization is sentenced for indictable offenses, or $20,000,000 or 4% for summary convictions, respectively.[11]

Private Right of Action

The CPPA establishes a new private right of action for individuals who are affected by an act or omission by an organization that constitutes a contravention of the CPPA. The private right of action allows these individuals to sue the organization for damages for loss or injury that the individual has suffered as a result of the organization’s contravention of the CPPA. To commence this action, the Office of the Privacy Commissioner and the Tribunal must have made findings that the organization has contravened the CPPA, and the finding must not have been appealed to the Tribunal or the Tribunal must have denied the appeal.[12]

Codification of the 10 Privacy Principles and New Requirements

The CPPA codifies the Ten Fair Information Principles of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) into law[13] and introduces new requirements on organizations.

Privacy Programs

Every organization must implement and maintain a privacy management program, which, among other requirements, must be attuned to the volume and sensitivity of the personal information being collected, used, and stored.[14] The Commissioner may request access to these programs and, after reviewing them, may provide guidance and recommend corrective measures to the organization.[15]

Anonymous and De-identified Information

Bill C-27 contains a revised definition of de-identified information and has added a definition of “anonymise” to distinguish between the two forms of information. “Anonymise” means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified indirectly or directly from the information by any means. By contrast, “de-identify” means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. Anonymous information is not personal information;[16] indeed, to anonymise personal information amounts to its disposal.[17] De-identified information is always personal information except with respect to certain provisions.[18]

Consent

Drawing on the Commissioner’s previously published “Guidelines for obtaining meaningful consent,” the CPPA explicitly prescribes how organizations acquire valid consent. In most cases, an organization must obtain express consent from an individual and disclose the following information:

  • the purposes for the collection, use, or disclosure of personal information determined by the organization,
  • the way in which the personal information is to be collected, used, or disclosed,
  • reasonably foreseeable consequences of the collection, use, or disclosure of personal information when obtaining consent from an individual,
  • the specific type of personal information that is to be collected, used, and disclosed, and
  • the names or types of third parties to which the organization may disclose personal information when obtaining consent from an individual.[19]

This information must be written in plain language that an individual to whom the organization’s activities are directed would reasonably be expected to understand.[20]

Bill C-27 states that the personal information of minors would be considered to be sensitive personal information.[21] Consequently, according to the previous guidance of the Commissioner, organizations would require express consent to collect, use, and disclose personal information of minors.

Additionally, Bill C-27 allows organizations to collect and use personal information without the knowledge and consent of individuals if the collection and use are made for a business activity in which the organization has a legitimate interest that outweighs the potential adverse effect on the individual resulting from that collection or use.[22] This new exception is subject to a reasonableness test. Organizations wishing to avail themselves of this new exception must perform assessments of how the business activity would adversely impact the individual,[23] document those assessments,[24] and publicly disclose descriptions of these business activities to individuals.[25]

Automated Decision Systems

The Bill also specifically references an organization’s privacy obligations around automated decision systems—any technology that assists or replaces the judgment of human decision-makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network, or other techniques. Organizations that use personal information to inform their automated decision systems to make predictions about individuals are required to:

  • deliver a general account of the organization’s use of any automated decision system to make predictions, recommendations, or decisions about individuals that could have significant impacts on them,[26] and
  • retain the personal information related to the decisions for a sufficient period of time to permit the individual to make a request for access[27] (as described below).

Security Safeguards and Breaches of Security Safeguards

Bill C-27 has expanded the scope of security safeguards to include reasonable measures to authenticate the identity of the individual to whom the personal information relates. Furthermore, the Bill confirms that organizations must protect personal information through physical, organizational, and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information. In addition to the sensitivity of the information, the organization must, in establishing its security safeguards, take into account the quantity, distribution, format, and method of storage of the information. The security safeguards must protect personal information against, among other things, loss, theft, and unauthorized access, disclosure, copying, use, and modification.

Service Providers

Under the CPPA, organizations retain control over personal information even when a service provider collects, uses, and discloses the personal information on the organization’s behalf.[28] Bill C-27 requires organizations to ensure, by contract or otherwise, that the service provider provides an “equivalent” level of protection, rather than the “substantially similar” protection that was the baseline under Bill C-11.[29] The change from “substantially similar” to “equivalent” seems to suggest that Bill C-27 is endeavoring to impose a stronger or less flexible standard on organizations that use service providers.

“Service provider” is now broadly defined under the Bill as an organization, including a parent corporation, subsidiary, affiliate, contractor, or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.

In addition, service providers now have an obligation to maintain adequate security safeguards to protect personal information and inform the organization that controls the personal information of any breach of the service provider’s security safeguards as soon as feasible.[30] If a service provider violates the latter, the Tribunal may impose an administrative monetary penalty as described above.[31]

Codes of Practice and Certification Programs

The CPPA allows the Commissioner to approve and certify codes of practice and certification programs designed by non-governmental entities. These codes and certifications must offer the same or substantially the same or greater protection of personal information as under the CPPA. However, the organizations that comply with these codes of practice or certification programs must still meet their obligations under the CPPA.[32]

New Rights for Individuals

In addition to codifying the information rights for individuals discussed in PIPEDA’s Fair Information Principles,[33] the CPPA establishes three new rights for individuals regarding their personal information:

  • Data mobility rights: Individuals can request that an organization directly transfer their personal information to another organization (subject to both organizations being part of a data portability framework).[34]
  • Transparency and explanation rights: Individuals can request an explanation from organizations that use automated decision systems using the individual’s personal information to make a prediction, recommendation, or decision about the individual that could have a significant impact on the individual.[35]
  • Disposal rights: Individuals can request an organization dispose of their personal information in specific circumstances.[36] Under the proposed Act, “dispose” means the organization will be responsible for permanently and irreversibly deleting the personal information or to anonymize it, as defined under the Act.

However, these rights do not extend to de-identified information derived from an individual’s personal information.[37]

Next Steps

While this is only the first reading of Bill C-27, we anticipate the second reading will happen shortly, and debates and committee will follow, which may result in additional changes to the draft Bill.


  1. An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, also known as the Digital Charter Implementation Act, 2020.

  2. CPPA, s. 93(2).

  3. CPPA, s. 128.

  4. CPPA, s. 94(1).

  5. The Personal Information and Data Protection Tribunal Act (“PIDPTA”). See PIDPTA, s. 5.

  6. CPPA, s. 95(4).

  7. CPPA, s. 58(1) and 128.

  8. CPPA, s. 60(1) and 128.

  9. CPPA, s. 75 and 128.

  10. CPPA, s. 69 and 128.

  11. CPPA, s. 128.

  12. CPPA, s. 107.

  13. The Ten Fair Information Principles are as follows: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance.

  14. CPPA, s. 9.

  15. CPPA, s. 10.

  16. CPPA, s. 6(5).

  17. CPPA, s. 2(1).

  18. CPPA, s. 2(3).

  19. CPPA, s. 15(3).

  20. CPPA, s. 15(4).

  21. CPPA, s. 2(2).

  22. CPPA, s. 18(3).

  23. CPPA, s. 18(4).

  24. CPPA, s. 18(5).

  25. CPPA, s. 62(2)(b).

  26. CPPA, s. 62(2)(c).

  27. CPPA, s. 54.

  28. CPPA, s. 7(2).

  29. CPPA, s. 11(1).

  30. CPPA, s. 57(1) and 61.

  31. CPPA, s. 94(m).

  32. CPPA, s. 76-81.

  33. The right to withdraw consent from a provider to collect, use, and disclose their personal information, and to access and correct their personal information.

  34. CPPA, s. 72.

  35. CPPA, s. 63(3). Bill C-27 limits this right to decisions that could have a significant impact on the individual. Moreover, organizations no longer need to account for how the prediction, recommendation, or decision was arrived at but instead must only explain the reasons or principal factors that led to the prediction, recommendation, or decision.

  36. CPPA, s. 55(1). Bill C-27 narrows this right to three specific circumstances: (i) the information was collected, used, or disclosed in contravention of the CPPA; (ii) the individual has withdrawn consent in whole or in part to the collection, use, or disclosure of their personal information; or (iii) the information is no longer necessary for the continued provision of a product or service requested by the individual. Bill C-27 also expands the exceptions contained in Bill C-11 for organizations to deny disposal requests.

  37. CPPA, s. 2(3).


Lisa R. Lifshitz, Roland Hung, Cameron McMaster

Mendes Hershman Winner Abstract: “Thou Shalt Not . . . Vaccinate? Evaluating Trans World Airlines v. Hardison’s ‘De Minimis’ Standard in the Wake of COVID-19 Vaccine Mandates”

The Mendes Hershman Student Writing Contest is a highly regarded legal writing competition that encourages and rewards law students for their outstanding writing on business law topics. Papers are judged on research and analysis, choice of topic, writing style, originality, and contribution to the literature available on the topic. The distinguished former Business Law Section Chair Mendes Hershman (1974–1975) lends his name to this legacy. Read the abstract of this year’s third-place winner, Matthew Shalna of University of Miami School of Law, Class of 2023, below. 


Religious employees in the workplace are under-protected by Title VII. In 1977, the Supreme Court of the United States in Trans World Airlines v. Hardison established the standard for what constitutes the “reasonable accommodation” of an employee’s religious beliefs. Specifically, the Supreme Court established that, if the carrying out of a request for a religious accommodation would impose more than a de minimis burden on employers, that accommodation imposes an undue hardship and is therefore not reasonable. Consequently, this created an incredibly employer-friendly standard for religious discrimination claims.

With a recent influx of religious exemption requests regarding the COVID-19 vaccine, the reasonable accommodation standard is back in the spotlight. Additionally, multiple Supreme Court Justices—particularly, Justice Alito, Justice Thomas, and Justice Gorsuch—have expressed interest in replacing the “de minimis” standard with something that provides greater protection for religious interests. This creates an interesting prospect in employment discrimination: will the Court revisit the de minimis standard it attached to religious reasonable accommodation and expand religious protections for employees? And if so, is COVID-19 vaccine litigation the proper vehicle with which to revisit the standard?

This Note explores whether the de minimis standard is likely to change in the near future, and if so, what a new standard should look like. Particularly, this Note uses religious challenges to recent workplace COVID-19 vaccine mandates as a means to evaluate the current strength of the de minimis standard. Ultimately, this Note argues that the de minimis standard needs to be altered, specifically in a manner that (1) requires that reasonableness be analyzed from the employee’s, not the employer’s, perspective, and (2) replaces the de minimis standard with one that requires employers to bear a greater cost to avoid liability. This Note further concludes, however, that although de minimis needs to be replaced, COVID-19 vaccine litigation is not the proper vehicle for such a change.

Arbitration Agreements: No Worse Than Other Contracts But No Better, Either

Arbitration clauses are very common. So are disputes about whether a dispute has to be arbitrated or instead can be heard in court. The Supreme Court has been dealing with the “arbitration versus litigation” issue repeatedly over the last few years. A lot of recent Supreme Court case law is heavily pro-arbitration. Case law stresses that an agreement to arbitrate has to be enforced to at least the same extent as any other agreement—after all, a deal is a deal, so if the parties agreed to arbitrate, they should be required to arbitrate. But it’s clear that even that pro-arbitration tendency has its limits. A court can’t simply make up new rules, even if the new rule favors arbitration.

The Supreme Court decided Morgan v. Sundance, Inc. on May 23, 2022. Robyn Morgan had been an employee at one of the Taco Bell franchises Sundance owns. She commenced a collective action (similar to a class action) against Sundance in federal court, claiming that Sundance violated the Fair Labor Standards Act. She alleged that because Sundance did not want to pay overtime to employees working more than forty hours a week, it recorded the hours employees worked in the wrong week.

At first, Sundance did not argue the case should be arbitrated. Instead, it moved to dismiss the collective action. After the court denied the motion to dismiss, Sundance answered the complaint and asserted fourteen defenses—though it did not raise arbitration as a defense. Sundance then participated in a mediation that ultimately did not succeed in resolving the dispute with Morgan.

After the mediation failed—eight months into the case—Sundance decided it wanted to arbitrate after all, and asked the court to refer the dispute to arbitration. That request set the stage for the issue before the Supreme Court. At what point does someone who participates in a litigation lose the right to demand arbitration? Most lower courts held that a party who participates in litigation without moving to arbitrate has waived its right only if the failure to seek arbitration earlier somehow prejudices the other side. The general rule is that a party can waive a right simply by relinquishing or abandoning it. It is not necessary that anyone else be affected. But under this majority rule, arbitration is different: a party can waive arbitration by participating in court proceedings only if that participation prejudiced the opponent. The justification for this special rule was the federal policy favoring arbitration. To effectuate that policy, anything that promotes arbitration is a good thing, so these courts imposed a prejudice rule on top of the normal waiver rules.

Morgan insisted that Sundance had waived its right to arbitrate by participating in litigation for eight months. Sundance for its part insisted that it did not matter: Morgan was not prejudiced by whatever Sundance had done in court, so there could not have been a waiver.

The Supreme Court decided unanimously that waiver is the same for arbitration as it is for any other right: it can be waived whether or not someone else is prejudiced. So just as a person can waive any other right simply by relinquishing it knowingly, a litigant can waive the right to arbitrate just by relinquishing it knowingly. Federal policy does favor arbitration, but that does not mean courts can create additional requirements, such as a showing of prejudice. Therefore, Morgan would be able upon remand to argue that Sundance had waived its right to arbitrate, even though Morgan had not suffered any prejudice due to Sundance’s eight months in court.

Did Sundance in fact waive its right to arbitrate by filing an answer and going to mediation? The Supreme Court did not rule on that issue. It referred the issue back to the lower court, noting that in the lower court, “the waiver inquiry would focus on Sundance’s conduct,” but not on any prejudice to Morgan.

The upshot is that agreements to arbitrate have to be treated just like other agreements—no worse, certainly, but no better, either. If they are valid they must be enforced, but if one side waives its rights, it can no longer seek to enforce the agreement—precisely the same as with any other contract.

United States Supreme Court Holds Section 1782 Discovery Cannot Be Used for Private Arbitrations

A federal statute, 28 U.S.C. § 1782, empowers a district court to authorize discovery from persons or entities located in the United States “for use in a proceeding in a foreign or international tribunal.” In recent years, circuit courts across the country have split on the issue of whether a “foreign or international tribunal” includes private arbitration panels. On June 13, 2022, the U.S. Supreme Court answered the question squarely. It decided two consolidated cases, ZF Automotive US, Inc. v. Luxshare, Ltd. and AlixPartners, LLP v. Fund for Protection of Investors’ Rights in Foreign States. The Court held unanimously that Section 1782 only permits discovery in connection with proceedings involving “governmental or intergovernmental adjudicative bodies.” This includes courts, of course, but also regulatory agencies or arbitral bodies clothed with governmental authority.

This holding means that parties in private arbitrations in other countries may no longer use Section 1782 to obtain discovery from persons in the US. Before this decision, savvy parties could seek out a friendly district court in a part of the country where Section 1782 was authorized for private arbitrations. Now that is no longer an option.

Background

ZF Automotive concerned a dispute between a Michigan company and a Hong Kong company over the sale of certain business units. The parties had agreed that disputes would be submitted to arbitration before the German Institute of Arbitration (“DIS”), a private arbitral institution in Berlin. The United States District Court for the Eastern District of Michigan granted the Hong Kong company’s request to take discovery from the Michigan company under Section 1782, and the Sixth Circuit Court of Appeals declined to disturb the district court’s decision. (The Sixth Circuit had decided in 2019 that Section 1782 could be used to obtain discovery for private arbitrations.[1])

AlixPartners was a dispute between the Republic of Lithuania and a Russian investment fund over a failed bank. The Russian fund initiated arbitration under the Lithuania–Russia bilateral investment treaty, claiming that Lithuania had expropriated an investment in a failed Lithuanian bank without appropriate compensation, in violation of the treaty. After the fund commenced arbitration proceedings, it petitioned the Southern District of New York for an order authorizing discovery from AlixPartners LLP and its Chief Executive Officer, who had served previously as temporary administrator of the failed bank. In opposing the application, AlixPartners argued that the arbitration was not a “foreign or international tribunal” under Section 1782. The district court granted the Section 1782 discovery request, and the Second Circuit affirmed.

The Supreme Court’s Decision

The Supreme Court reversed the decisions in both ZF Automotive and AlixPartners. It reversed ZF Automotive because it held that Section 1782 only authorized discovery for governmental tribunals. It reversed AlixPartners because, although the arbitration in that case was proceeding pursuant to a treaty between two governments, the arbitration panel itself was not created by governments and was not exercising sovereign power.

The unanimous decision authored by Justice Barrett looked to the language of the statute in light of both the statute’s history and the context of other statutes. Standing alone, the word “tribunal” ordinarily might mean a court or court-like body, but could plausibly be read more broadly as well. But the word should not be read alone. It is part of the phrase “foreign or international tribunal.” A “foreign tribunal” is more naturally viewed as one that owes its existence to a foreign government. In other words, a “foreign tribunal” is a tribunal of a foreign country, not merely a tribunal in a foreign country. This conclusion was reinforced by internal evidence of Section 1782’s language, which refers to “the practice and procedure of the foreign country or the international tribunal.” In the Court’s view, this language does not easily apply to private arbitral panels.

Other evidence supported this conclusion as well. The current version of Section 1782 had come about as a result of Congress establishing a Rules Commission in 1958 to “recommend procedural revisions ‘for the rendering of assistance to foreign courts and quasi-judicial agencies.’” Both courts and quasi-judicial agencies are, of course, creatures of government. Private arbitral panels are not. Note also that the Federal Arbitration Act does not permit discovery for private arbitrations in the US that is anywhere near as broad as permitted under Section 1782. There is no reason to believe that Congress wanted to authorize broader discovery for private arbitrations abroad than domestically. The upshot is that a “foreign tribunal” is created by one sovereign, and an “international tribunal” is created by more than one sovereign.

In both the cases it was addressing (ZF Automotive and AlixPartners), the Supreme Court held that foreign governments had not created the arbitral panels to exercise sovereign power. The panel in ZF Automotive was created by contract, so no governmental power was involved at all. The panel in AlixPartners was convened pursuant to treaty—but although the treaty was between two governments, the panel authorized to hear the dispute was not a creature of any government. That meant Section 1782 could not be used for the treaty-based arbitration, either.

Key Takeaways

As a result of these decisions, parties in strictly private foreign or international arbitrations cannot use Section 1782 to obtain discovery from persons or entities in the United States. The Supreme Court foreclosed any future arguments that an arbitration is governmental just because “the law of the country in which it would sit . . . governs some aspects of arbitrations” or local courts enforce the arbitral agreement. But it did leave the door open just a bit:

None of this forecloses the possibility that sovereigns might imbue an ad hoc arbitration panel with official authority. Governmental and intergovernmental bodies may take many forms, and we do not attempt to prescribe how they should be structured.

As a result of this caveat, we can expect some amount of future litigation about what may constitute a “foreign or international tribunal” for Section 1782 purposes, though not as much as may have occurred had the Supreme Court made a somewhat less restrictive decision (say, one that permitted using Section 1782 for treaty-based arbitrations but not contract-based). It is also reasonable to expect that arbitration clauses in a number of foreign contracts—and certainly in treaties—may be crafted deliberately either to come within or to stay outside the parameters of the Supreme Court’s definition of tribunals that qualify for Section 1782 assistance.


  1. Abdul Latif Jameel Transportation Co. v. FedEx Corp, 939 F.3d 710 (6th Cir. 2019)

Out Now: New Business Law Today Video Collection


Our newest collection of videos takes a deeper dive into our recent Hybrid Spring Meeting CLE programs, covers chats with authors of newly released Business Law books, and provides insight into business law practice areas. Watch now!

Read more about the three business law video series and eleven videos in the collection below.

CLE: A Deeper Dive

Who Is the Client? The Ethics Rule Implications for In-House Counsel and Outside Counsel

Shannon “A.J.” Singleton and Alicia Still delve into the ethical requirements for in-house counsel and outside counsel, extending the discussion of a Showcase CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). Their conversation hits on the in-house implications of ABA Model Rule of Professional Conduct 4.2, what it takes to forge relationships with colleagues on the business side and why it matters, and more.

ESG: Business Risk and the New Legal and Regulatory Frontier

Neera Chatterjee, E. Christopher Johnson, Jr., and Martina E. Vandenberg explore the ins and outs of environmental, social, and governance (ESG) risk criteria, extending the discussion of a Showcase CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). “They’re not their own silos with separate strategies,” Chatterjee said. “Everything is interconnected… you’ve got to think across the organization.” In this video, they discuss dealing with climate-related financial risks in the banking world, addressing forced labor from multiple perspectives, and companies’ role in looking toward solutions.

Social Justice Intersecting with Sports: Is It Right?

A dynamic panel including a top journalist, legal practitioners, and senior executives in sports dives into social justice issues in the field and their legal implications, extending the discussion of a Showcase CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). With Jeffrey Schlerf leading the discussion, the panelists—Sterling Hawkins, Terence Moore, Ashley Hibbett Page, and Ty Thomas—weigh in on a broad range of trends. Their conversation ranges from athlete activism and discrimination lawsuits, to league policies that contribute to DEI issues, to legal developments in the realm of name, image, and likeness for collegiate athletes, and more. 

State of the States in Gaming 2022

Alexander Denton and Stephanie Maxwell explore the state of gaming law in Tennessee and Georgia and how it fits into developments across the country, extending the discussion of a CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). “Tennessee is on the forefront of a national conversation that’s happening about the authorization of legal sports wagering,” Denton said. Their conversation touches on the unique features of Tennessee’s sports wagering regulations, skill gaming in Georgia, the speed of recent changes, and more.

Practice Area Insights

Artificial Intelligence and Its Impact on Business Law: An Introduction

“Artificial intelligence with human intelligence really works together to increase productivity, check for error, keep everything cost-effective,” says Ingeuneal C. Gray. In this video, Gray—Commercial Vice President of the American Arbitration Association and chair of the CLE program “Artificial Intelligence in International Arbitration” at the ABA Business Law Section’s 2022 Hybrid Spring Meeting—provides an incisive overview of AI’s power and growing effects on the legal profession.

Balancing Buyer and Supplier Responsibilities: Model Contract Clauses for International Supply Chains

The COVID-19 pandemic brought “the kind of supply chain disruption that really had not been contemplated on such a scale before,” says Susan A. Maslow. Maslow is deeply knowledgeable about supply chain complexities; she and David V. Snyder are vice chair and chair of the ABA Business Law Section’s Working Group to Draft Model Contract Clauses to Protect Human Rights in International Supply Chains. In their conversation, they discuss their work on the Model Contract Clauses (MCCs) as a means to bring human rights policies into practice, the tricky commercial law issues at play, shifts between the first version and recent second version of the MCCs, and more.

Digital Assets: A Brave New World

A draft of amendments to the Uniform Commercial Code to address emerging technologies is nearing completion. In this conversation, vice chair of the drafting committee Juliet Moringiello, R. Marshall Grodner, and Christopher Odinet discuss the amendments’ effort to provide a broad framework for transacting with digital assets, from cryptocurrency to non-fungible tokens and “just about any other digital thing that we may not think of right now.” Delving into consumer concerns related to NFTs, the challenges of enacting UCC amendments in the states, and more, these experts provide a perceptive look at the nuts and bolts behind digital assets’ hype.

SPACs: Here to Stay?

Special purpose acquisition companies, or SPACs, have attracted tremendous attention in recent years, with a spike in SPAC IPOs in 2021 since tempered by increased litigation and scrutiny from regulators. In this video, Business Law Today author Frantz Jacques, who has written about the evolution of the SPAC landscape, delves into the driving forces behind SPACs’ meteoric rise; recent developments including the SEC’s SPAC rules proposal; and what’s next in the SPAC world.

Book Chats

Director’s Technology Handbook: Tips and Strategies for Advising Corporate Directors

“There is no such thing as a company that isn’t a technology company today,” says Michael Fleming, contributor to Director’s Technology Handbook: Tips and Strategies for Advising Corporate Directors. “Even if you’re making buggy whips, you’re running a website on Buggy Whip Dot Com, or whatever the case may be.” Designed to be a practical reference tool, Director’s Technology Handbook provides guidance to help boards of directors and lawyers who advise them to decipher critical technology issues and the legal implications that can affect the organizations they serve. In this conversation, Fleming discusses the book’s origins, the range of expertise of its contributors, and its attempt to empower corporate directors to ask the right questions.

ESG in the Boardroom: A Guidebook for Directors

With ESG, CSR, and sustainability now a dynamic and critical focus of corporate governance, ESG in the Boardroom: A Guidebook for Directors provides needed insight on ESG matters, including discussions on the role of the board, the ESG landscape, litigation and risk management, corporate culture and governance, and more. In this conversation, editors Katayun I. Jaffari and Stephen A. Pike discuss the shifts that put ESG on the radar, the increased sophistication of stakeholders and asset managers in engaging with businesses, and the depth of knowledge among the book’s contributors.

Model Business Corporation Act Annotated, Fifth Edition

The Model Business Corporation Act Annotated, Fifth Edition, is an invaluable resource for understanding developments under the MBCA, the general corporation statute for 30+ states and the source of many provisions in the general corporation statutes of states that have not adopted it in its entirety. The annotation is created by the ABA Business Law Section’s Corporate Laws Committee, which promulgates the MBCA. In this conversation, Jonathan C. Lipson of the Corporate Laws Committee explains the development and uses of the annotation, which surveys “all of the important case law, all the important analysis of each provision of this Model Act,” as well as the comprehensive, searchable online site that accompanies purchases of the four-volume set available from the ABA.

A Fresh Look at #MeToo Reps & Warranties in M&A Deals

Are you adding “discrimination” to your #MeToo representations alongside “sexual harassment?” Have you considered employing the “has investigated” alternative to the popular “no allegations” variation?

We last conducted an in-depth review of #MeToo representations and warranties when they were still new in 2019, and, because we have continued to see these provisions included in even some of the largest M&A deals, we recently took a fresh look. We reviewed 311 billion-dollar M&A agreements signed between January 2018 and March 2022 containing #MeToo representations and warranties.

We have identified the most common approaches deal parties have taken in drafting these provisions over the past four years, as well as new and emerging approaches worth considering.

These Are Not Mere ‘Compliance With Laws’ Reps

The #MeToo representation and warranty, also referred to as a “Weinstein clause,” is a provision in mergers and acquisitions agreements that emerged around 2018 along with the #MeToo movement. These provisions were designed to address heightened liability risks associated with sexual harassment incidents—especially risks associated with allegations of sexual harassment against C-suite level employees—and are now commonly included in M&A agreements across industries, transaction structures, and deal sizes.

These clauses are typically included alongside labor and employment reps in M&A agreements in which the representing party, usually the target, makes a statement regarding its involvement in and/or handling of allegations of sexual harassment, sexual misconduct, or other similar incidents. They are distinct from “compliance with laws” representations—which may state that a party is in compliance with all laws including those regarding sexual harassment—in that #MeToo representations separately and specifically address the involvement of the party (including, typically, the party’s directors, officers, and employees) in incidents of sexual harassment or misconduct, and/or how the party has responded to such incidents.

Although, as discussed below, parties use a wide variety of these provisions, covering a spectrum of conduct and events related to incidents of sexual harassment, they also, as with representations and warranties in M&A agreements generally, use qualifiers and delimitations to tailor and narrow the scope of coverage of the representation.

The result is often that each individual #MeToo rep and warranty found in an agreement covers a very specific and constrained set of circumstances and period of time. And there are practical reasons for this.

Ideally, a party should be making a representation regarding facts and events that it has actually verified to be true and for which exceptions can be disclosed if specific disclosures are being made in the deal. In transactions involving parties with extensive multi-jurisdictional operations—like those we reviewed involving household-name parties—specific, delineated, and qualified parameters for the types of conduct and events covered by a #MeToo representation are likely a practical necessity. Without a narrower scope, the representation cannot realistically be verified to be true, and exceptions cannot be identified and disclosed.

We found a very small number of provisions containing a reference to disclosures in our review, which may be a result of the tailored and constrained construction of these provisions.

Target or Seller Reps Qualified by Knowledge

As mentioned above, we reviewed 311 M&A agreements with a value of $1 billion or greater containing #MeToo representations and warranties dated between January 1, 2018, and March 28, 2022. More than half the agreements we reviewed were executed in 2021 or 2022. Though we didn’t limit our search by jurisdiction, the majority of the agreements we reviewed (85%) were governed, at least in part, by Delaware law.

Using Bloomberg Law’s Precedent Search, we conducted an advanced search of M&A agreements filed with the Securities & Exchange Commission via EDGAR. (Note: The search results we reviewed can be accessed here. The total number of search results is greater than 311 due to duplicate filings made by different parties and unrelated keyword hits. These were excluded from our review.)

The results of our review reflect some of the same basic characteristics we first observed in 2019, shortly after alert deal lawyers first began drafting these provisions. For example, the vast majority (87%) of the #MeToo reps reviewed were made only by the target or seller (not mutually with the acquirer); nearly three-quarters (72%) contained some form of knowledge qualifier (often as a defined term with a capital “K” for Knowledge); 83% contained a lookback period (typically three to five years); and 66% contained a limitation as to the level of employees involved in, or subject to, the allegations or claims of sexual harassment or misconduct (most commonly “directors, officers, or employees at the level of Vice President or above”).

Of the 311 agreements reviewed, thirty-nine (13%) contained mutual #MeToo representations made by both the target and/or seller and the acquirer.

"To the Knowledge of the Company..." Bar graph of top elements of #MeToo reps in billion-dollar M&A deals. Representation Made by Target/Seller: 87%. Contains Knowledge Qualifier: 72%. Contains Lookback Period: 83%. Contains Limitation on Employee Level: 66%. Source: Bloomberg Law. The data include 311 publicly filed M&A agreements dated between Jan. 1, 2018, and March 28, 2022, with a deal value of $1 billion or greater containing representations and warranties addressing sexual harassment and/or misconduct.


Surprisingly, only twenty-seven of the 311 agreements reviewed (9%) contained a reference to disclosures (most typically such references are framed as exceptions to the representation being made, e.g., “Except as disclosed in Schedule [X] . . .”).

A small number of provisions contained two different lookback periods that were applied to different portions of the same representation. For example, some had a longer lookback period for a knowledge-qualified “no allegations” representation and a shorter lookback period for a non-qualified statement that there have been no settlement agreements. In these instances, the parties seem to have balanced the burden posed by unqualified representations on the party making the representation by shortening the time period covered, and, conversely, the party to which the representation was being made negotiated a longer lookback when it was qualified by knowledge. These examples may illustrate the extent to which these provisions can be subject to negotiation.

The majority of the #MeToo representations we reviewed were framed as statements that certain events have not occurred. “No allegations” was, by far, the most popular phrasing (contained in 70% of the agreements we reviewed), with “no settlement agreements” coming in second (59%). (As discussed below, these two are most often paired together in these representations.)

Most #MeToo Reps Say "No Allegations." Bar graph of events covered by #MeToo reps in billion-dollar M&A deals. "No allegations": 70%. "No settlement agreements": 59%. "No actions, suits": 28%. "No claims": 16%. "Investigated": 14%. "Corrective action": 10%. Source: Bloomberg Law. The data include 311 publicly filed M&A agreements dated between Jan. 1, 2018, and March 28, 2022, with a deal value of $1 billion or greater containing representations and warranties addressing sexual harassment and/or misconduct.


There is a wide range of other types of events that parties stated have not occurred—“no actions,” “no claims,” and “no complaints,” among others. All of these “no [events]” statements can be qualified either by materiality (e.g., “no material allegations”), by the form of the event or how it occurred (e.g., “no written allegations” or “no written or oral allegations”), and even by how such events were communicated to the representing party (e.g., no allegations made “through the Company’s anonymous employee hotline or any formal human resources communication channels”).

More than one-third of the provisions we reviewed contained some form of materiality qualifier, and roughly one-tenth included a blanket materiality qualifier applying to the entire representation (e.g., “Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect. . .”). In a manner very familiar to M&A lawyers, multiple materiality and other qualifiers were applied at once in some instances.

A Different Approach

The most common combination of events covered in the #MeToo representations we reviewed was “no allegations” and “no settlements.” (Other types of agreements, such as tolling agreements, non-disparagement agreements, confidentiality agreements, nondisclosure agreements, or other out-of-court arrangements were sometimes listed alongside settlement agreements). Sample language reflecting this common variation can be found in the graphic below as well as with annotations here.

Some parties, however, have begun to take a very different approach. Rather than making a “no [events]” statement, in 14% of the agreements we reviewed, the party making the representation stated that it had investigated any allegations of sexual harassment it was aware of, typically without making any representation that “no [events]” such as allegations have occurred—on that they are silent. This “has investigated” formulation is most commonly combined with a statement that the party has also undertaken corrective action in response to the misconduct, represented in 10% of the agreements we reviewed. Sample language reflecting this common variation can be found in the graphic below as well as with annotations here.

Different Approaches to #MeToo Reps Found in Large M&A Deals. Table with headings Variation, Sample Language, and Prevalence; two variations.

Variation: Contains both "no allegations" and "no settlements." Prevalence: 49%. Sample Language: "To the Knowledge of the Company, in the last five years, no allegations of sexual harassment or other sexual misconduct have been made against (i) any current or former officer or director of the Company or (ii) any current or former employee of the Company at the level of vice president or higher, and no settlement or release agreement has been executed by the Company in connection with any such allegations."

Variation: Contains both "investigated" and "corrective action." Sample Language: "To Company's Knowledge, in the last three (3) years, the Company (i) has promptly, thoroughly, and impartially investigated all sexual harassment allegations of which it is aware, and (ii) with respect to each such allegation of sexual harassment with potential merit, has taken prompt corrective action that is reasonably calculated to prevent further improper conduct."

Source: Bloomberg Law. The data include 311 publicly filed M&A agreements dated between Jan. 1, 2018, and March 28, 2022, with a deal value of $1 billion or greater containing representations and warranties addressing sexual harassment and/or misconduct.


Because this “has investigated” variation is framed positively in terms of actions the party has taken, and does not address whether any allegations had been made in the first place, the scope of exceptions that would need to be disclosed here is more limited. As typically drafted, only situations in which the party became aware of an allegation and then did not investigate and/or take corrective action would need to be disclosed as exceptions, whereas a “there have been no allegations” clause variation would require any instances of allegations to be disclosed. In short, this variation is a smart choice for targets and sellers making #MeToo representations if they are confident in the consistency of their policies and procedures relating to the handling of such incidents and are in a position to verify the accuracy of the representation. This variation is also, arguably, favorable from an acquirer’s perspective, because it addresses how the target handles and responds to incidents, not just whether they have occurred.

Discrimination, Too

In addition to a wide range of events (e.g., allegations, suits, claims) covered, the current research revealed a broader spectrum of misconduct covered by these representations than we found in our 2019 research. In addition to the typical “sexual harassment” and “sexual misconduct” covered by #MeToo representations, nearly half of the provisions we reviewed also covered some form of discrimination.

#MeToo Reps Going Beyond Sexual Harassment. Pie chart shows nearly half of reviewed provisions contained references to discrimination in addition to sexual harassment/misconduct. 49% also cover discrimination, 51% do not cover discrimination. Source: Bloomberg Law. The data include 311 publicly filed M&A agreements dated between Jan. 1, 2018, and March 28, 2022, with a deal value of $1 billion or greater containing representations and warranties addressing sexual harassment and/or misconduct.


Some of these instances covered sex or gender discrimination only, others called out racial discrimination specifically, and there were others that covered discrimination broadly without a limitation as to the type. And some representations covered more specific forms of workplace misconduct such as “hostile work environment” or “retaliation.”

While grouping sexual harassment together with discrimination is not new to M&A agreements—as they have been commonly seen together in “compliance with laws” labor and employment representations for decades—these provisions are different. In these instances, it appears the parties have built upon the classic #MeToo representation and warranty, following the same structure and explicitly referencing sexual harassment, by simply adding discrimination and other categories of misconduct.

This shift may be interpreted as an increasing recognition by deal parties of a need to explicitly address this type of misconduct outside the bounds of the typical “litigation” and compliance with laws (or similar) representations and warranties.

Key Takeaways

#MeToo representations and warranties, much like the movement itself, are very much alive and well, and continue to be a common inclusion even in very large deals. There is a wide variety of drafting options available to parties that are tailorable to parties’ circumstances. And our review shows that some parties are taking creative approaches and even totally rethinking the classic formulation.


This work was originally published on Bloomberg Law as “ANALYSIS: A Fresh Look at #MeToo Reps & Warranties in M&A Deals” on Jun. 7, 2022. Copyright 2022 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bloombergindustry.com. Reproduced with permission.

Canadian Bill C-26 Introduces New Requirements for Federally Regulated Industries, Including Telecommunications

On June 14, 2022, the Minister of Public Safety of Canada, Marco Mendicino, introduced into Parliament the first reading of Bill C-26, An Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts (the “Bill”). The Bill amends the Telecommunications Act and enacts a new Act: the Critical Cyber Systems Protection Act (“CCSPA”), establishing a new cybersecurity compliance regime for federally regulated private industries and new powers for the Governor-in-Council and the Minister of Industry to order Canadian telecommunication services (“Telcos”) to take action to secure the protection of the Canadian telecommunications system, including against threats of interference, manipulation, or disruption. Noncompliance with either regime may result in high monetary penalties or imprisonment for individuals.

The Critical Cyber Systems Protection Act

The CCSPA introduces a new cybersecurity compliance regime for designated operators of critical cyber systems related to vital services and systems (“Designated Operators”). A critical cyber system is defined as a cyber system that, if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or system. Currently, the list of vital services and systems is comprised of the Canadian telecommunications system, the banking systems, and other federally regulated industries, such as energy and transportation. However, the Governor-in-Council may add new vital services and systems, and such Designated Operators will be governed by the CCSPA.

Under the CCSPA, Designated Operators must:

  • establish a cybersecurity program (details of which are more fully provided in the CCSPA and its regulations) within ninety days of an order being made by the Governor-in-Council;
  • implement and maintain a cybersecurity program, as well as annually review it;
  • mitigate cybersecurity threats arising from their supply chains, or products and services offered by third parties;
  • share their cybersecurity programs and notify appropriate regulators (namely, the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transportation) (the “Appropriate Regulators”) of material changes related to the business of Designated Operators and their cybersecurity programs;
  • report cybersecurity incidents to the Communications Security Establishment (the “CSE”);
  • comply with and maintain the confidentiality of directions from the Governor-in-Council; and
  • keep records related to the above.

To enforce these new obligations, the CCSPA grants to the Appropriate Regulators investigatory, auditing, and order-making powers, including issuing administrative monetary penalties (“AMPs”) of up to $1 million per day for individuals (such as directors and officers), and $15 million per day for other persons. Additionally, Designated Operators, and their directors and officers, may also be fined—or imprisoned if a director or officer—if either contravene specific provisions of the CCSPA; the amount of a fine is at the discretion of the federal court.

Telecommunication Act Amendments

The amendments to the Telecommunications Act (the “Amendments”) establish new order-making powers for the Governor-in-Council and the Minister of Industry (the “Minister”) to direct Telcos to take specific actions to secure the Canadian telecommunications system. Specifically, the Governor-in-Council may, by order,

  • prohibit a Telco from using all the products and services offered by a specified person; and
  • direct a Telco to remove all products provided by a specified person.

The Minister, after consultation with the Minister of Public Safety and Emergency Preparedness, may, by order,

  • prohibit a Telco from providing services to a specified person; and
  • direct a Telco to suspend any service to a specified person.

Additionally, the Amendments grant the Minister the power to direct Telcos to do anything or refrain from doing anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including the following:

  • prohibiting Telcos from using any specified product in or in relation to Telcos’ network or facilities, or part thereof;
  • prohibiting Telcos from entering service agreements for any product or service;
  • requiring Telcos to terminate a service agreement;
  • prohibiting the upgrade of any specified product or service; and
  • subjecting the Telcos’ procurement plans to a review process.

Interestingly, Telcos will not be compensated for any financial losses resulting from these orders.

The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos’ compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000–$50,000 per day for individuals (such as directors and officers), and up to $10–$15 million per day for other persons. Moreover, contravention of orders or regulations may result in prosecution whereby the Telcos, and their directors and officers, may have to pay fines (whose amount is at the discretion of the court) or face imprisonment.

Information Sharing and Secrecy

The CCSPA and the Amendments require Designated Operators, Telcos, and any other person to share confidential information with the Appropriate Regulators, and with the Governor-in-Council and the Minister, respectively, in furtherance of the objectives of the Bill. This confidential information may be shared with multiple federal government organizations, provincial and foreign counterparts, as well as international organizations, to pursue the objectives of the CCSPA and the Amendments. While these information exchanges will be governed by agreements and memorandums of understanding between the parties, the Minister may disclose the information if it is necessary, in the Minister’s opinion, to secure the telecommunications system.

Given the national security purpose underlying this Bill, the secrecy of the orders is paramount. The orders from the Governor-in-Council and Minister may be subject to non-disclosure requirements. Moreover, for the sake of secrecy and expediency, the orders and directions of the Governor-in-Council and Minister do not follow the complete process outlined in the Statutory Instruments Act, and thus, are not registered, published, or debated in an open manner.

Recommendations

Given that the Bill has just been introduced, its passage is not guaranteed, and additional changes to the draft law may occur. However, and in the interim, if you are a provider of vital services and systems as described in the Bill, we recommend that you consider taking the following steps to improve your cyber resilience:

  • Preemptively improve your security posture and processes to conform with the CSE’s best practices and guidance, or industry practices, and ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and
  • Given the secrecy and potential immediacy of Government orders and directives, Telcos and Designated Operators should draft contracts to flow down potential cybersecurity risks appropriately.

If you are a supplier of products and services related to the critical cyber systems of Designated Operators as described in the Bill, we recommend that you consider taking the following steps:

  • Preemptively improve your security posture and processes as described immediately above in anticipation of more strenuous cybersecurity requirements requested by Designated Operators; and
  • Anticipate shouldering more risk when contracting with Designated Operators and consult with your insurance provider accordingly.

Lisa R. Lifshitz, Cameron McMaster

Social Justice and the Business of Sports: Reflections with Hank Aaron

In the following excerpt from The Real Hank Aaron: An Intimate Look at the Life and Legacy of the Home Run King (Triumph Books, 2022), author and recent ABA Business Law Section Showcase CLE panelist Terence Moore discusses racism and equity in baseball. The Showcase CLE “Social Justice Intersecting with Sports: Is It Right?” took place at the ABA Business Law Section’s Hybrid Spring Meeting on Friday, April 1, 2022. Read an article delving into the program’s topic or watch the program as on-demand CLE, free for members.


Among Hank’s pet peeves? It was the insistence of Major League Baseball officials, along with team executives and scouts, that they really did want more African Americans in the game. While forming sad faces, those baseball folks said they couldn’t find them, hadn’t discovered how to retain them, or believed African American athletes were more interested in football, basketball, and other stuff, or they said the dog ate the homework after somebody forgot to set the alarm clock.

Eight percent. Eight percent! On the high side, eight percent represented the number of African American players in Major League Baseball during most seasons in the 21st century, and franchises often had rosters with zero African American players, including the Atlanta Braves, Hank’s team of nearly 70 years as a player and executive. In contrast, when Hank broke Babe Ruth’s home run mark on April 8, 1974, the percentage of African Americans in Major League Baseball was three times higher than eight percent. His 1974 Braves were on the low side since he was one of seven African Americans on their 40-man roster, but that was still 18 percent, and that was more than twice baseball’s 21st century average for teams.

“They’re trying to get all these people from all over the world to come here to play Major League Baseball. (Those who run MLB) don’t give a hoot, not one hill of beans, about (an African American) person. Not one thing whether we play baseball or not,” Aaron told me during a 2007 interview, revealed for the first time in the book. “This game of baseball, and you have to look at it, that this game was so, it was just folding until Jackie Robinson came in and lifted it to another playing level and trying to make it exciting for the fans—both Black and White.”

Aaron then sighed heavily and slowly raised his voice, “Terence, it is amazing how this game has changed for the benefit of how they want [the public] to perceive it to be, you know? Yeah, just keep your eye on it. Watch what I tell you about this game. I guarantee you [what I say is true].”

It was true. By the 2021 baseball season, which began three months after Hank’s death, the game’s biggest star was Shohei Ohtani, a pitching and hitting sensation from Iwate Prefecture, Japan, located 6,700 miles, a Pacific Ocean, and several time zones west of Mobile, Alabama, the old stomping grounds of an African American who became the greatest Major League player ever. Now baseball has virtually no African Americans.

Courtesy of Hank’s personal experiences as a player and as an executive in Major League Baseball since the early 1950s, combined with my 1982 research for the San Francisco Examiner on the state of Blacks in the game to commemorate the 35th anniversary of Jackie Robinson breaking baseball’s color barrier, Hank had splendid reasons to believe the game he cherished wasn’t loving African Americans as much as it claimed. This vanishing act involving African American players in baseball happened too fast, too dramatically, and too blatantly after the 1970s for The Myth to be more than a myth by the 21st century.

About The Myth: To hear many folks tell it, especially those involved with Major League Baseball, African Americans rolled out of bed one day and just didn’t like the sport anymore.

For more, check out The Real Hank Aaron by Terence Moore: “A heartfelt portrait of Hank Aaron, featuring nearly 40 years of stories plus never-before-told insights from the home run king.”

Connecticut Governor Signs Nation’s Fifth Comprehensive Consumer Data Privacy Law

On May 10, 2022, Connecticut Governor Ned Lamont signed Substitute Bill No. 6 (the “Connecticut Data Privacy Act” or “CTDPA”) into law. The CTDPA will become effective on July 1, 2023.

By enacting the CTDPA, Connecticut becomes the fifth state in the nation to implement a generally applicable consumer data privacy law, following the California Consumer Privacy Act and California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Utah Consumer Privacy Act. While the CTDPA is similar to these other state laws, small differences between these laws can have a large and variable impact on a business’s data processing, because data processing regulation is so fact-specific. The increase in the number of states passing data processing laws raises the stakes for businesses. Business attorneys should continue to monitor developments in other states, including regulatory developments in California related to changes to its data privacy laws set for January 2023.

The CTDPA applies to persons that either (A) conduct business in Connecticut, or (B) produce products or services that are targeted to residents of Connecticut; and that during the preceding calendar year: (1) controlled or processed the personal data of not less than 75,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The CTDPA applies to information that is linked or reasonably linkable to an identified or readily identifiable individual. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. Sensitive data also includes the processing of genetic personal data or certain biometric data, if the processing is for the purpose of uniquely identifying an individual, as well as precise geolocation data. The CTDPA employs a broader definition for “biometric data” than other state laws.

However, the CTDPA does not apply to, among other things:

  • financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act;
  • certain activities regulated by the Fair Credit Reporting Act;
  • de-identified data; or
  • certain publicly available information.

The CTDPA also does not restrict a controller’s or processor’s ability to comply with other law, engage in certain fraud prevention and detection and security activities, or engage in certain internal processing uses, among other limited activities.

Consumer Rights

The CTDPA provides consumers with a number of rights related to their personal data. Under the CTDPA, consumers have the right to:

  1. confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
  2. access their personal data;
  3. correct inaccuracies in their personal data;
  4. delete personal data that the consumer provided or the controller obtained about the consumer;
  5. obtain a portable copy of personal data that the consumer previously provided to the controller in a format that is readily usable and allows the consumer to transmit the data to another controller without impediment; and
  6. opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

The first five rights listed above do not apply to pseudonymous data, provided the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing such information. “Pseudonymous data” is defined by the CTDPA as personal data that cannot be attributed to a specific individual without the use of additional information provided such additional information is subject to the safeguards addressed above.

The CTDPA also requires controllers to adopt and offer, by July 1, 2025, a platform, technology, or mechanism that allows consumers to opt-out through an opt-out preference signal sent to the controller indicating such consumer’s intent to opt out of the sale or processing of personal data for the purposes of targeted advertising.

Controller Obligations

The CTDPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is (according to the CTDPA definitions) acting as a controller or a processor when engaging in any personal data processing.

Under the CTDPA, controllers must, among other things:

  • provide a privacy notice containing specific disclosures, including the categories of personal data processed, the purposes for which personal data are processed, how a consumer may exercise a right, the categories of personal data that the controller shares with third parties, the categories of third parties with whom the controller shares personal data, an active electronic email address that the consumer may use to contact the controller, and—if selling personal data or processing personal data for targeted advertising—a clear and conspicuous disclosure of how a consumer can opt out;
  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
  • not process sensitive data without first obtaining the consumer’s consent or, in the case of a child, processing the data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq., setting out specific standards for adequate consent;
  • provide an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request;
  • not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge that, or willfully disregards whether, the consumer is at least thirteen years of age but younger than eighteen years of age;
  • not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging the consumer a different price or rate for a good or service, or providing the consumer a different level of quality of a good or service; and
  • establish a process for a consumer to appeal the controller’s refusal to take action on a request to exercise the consumer’s rights.

The CTDPA also requires controllers to conduct and document data protection assessments when conducting data processing that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of consumer harm includes:

  • processing of personal data for the purposes of targeted advertising;
  • sale of personal data;
  • processing of personal data for profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
  • the processing of sensitive data.

Processor Obligations

A processor must follow a controller’s instructions and must assist the controller in meeting the controller’s obligations, including obligations related to data security and breach notification, as well as provide necessary information to enable the controller to conduct and document data protection assessments. Persons processing personal data must also be subject to a duty of confidentiality.

The CTDPA imposes requirements for contracts between controllers and processors as well as requirements for engaging subcontractors, including requiring the subcontractor in writing to meet the obligations of the processor regarding personal data.

Enforcement

The Connecticut Attorney General has the exclusive authority to enforce the CTDPA. From July 1, 2023, until December 31, 2024, the attorney general must issue a notice of violation to the controller if the attorney general determines that a cure is possible. The controller will have sixty days to cure the violation. Beginning on January 1, 2025, the attorney general will have the authority to decide whether to grant a controller or processor the opportunity to cure an alleged violation, taking into consideration the number of violations, the size and complexity of the controller or processor, the nature and extent of the controller’s or processor’s processing activities, the substantial likelihood of harm to the public, and the safety of persons or property. A violation of the CTDPA will constitute an unfair trade practice. Penalties for engaging in an unfair trade practice include imposition of a restraining order, civil penalties of up to $5,000 for willful violations, and, in the case of private litigation, actual and punitive damages as well as court costs and attorneys’ fees.

The CTDPA does not provide for a private right of action by consumers.

A New Regime for Financial Institutions’ Cybersecurity Requirements

After nearly twenty years, and in light of the rise in cyberattacks and the advent of cryptocurrency, the Federal Trade Commission (FTC) enacted a radically different Safeguards Rule that became effective January 10, 2022.[1] Cybercriminals choose their targets wisely because they want maximum impact and profit. Financial institutions make juicy targets for cybercriminals due to their vast and ever-growing stores of digitally held, sensitive, nonpublic personal information and the undeniable shift of financial transactions of all types to online channels. For example, the 2017 Equifax data breach impacted 147 million customers and, as a result, Equifax agreed to pay at least $575 million (and potentially up to $700 million) as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and fifty U.S. states and territories. The settlement alleged that the credit reporting company’s failure to take reasonable administrative, technical, and physical safeguards to protect consumers’ information from unauthorized use or access caused the data breach.

The Equifax data breach was a disaster on multiple fronts. The four primary flaws that facilitated the security breach were:

  1. The company failed to patch a well-known vulnerability (CVE-2017-5638) in its open-source development framework, Apache Struts. At the time of the breach, the patch for CVE-2017-5638 had been available for six months.
  2. Equifax failed to segment its ecosystem, allowing the attackers to move seamlessly across multiple servers after gaining access through the web portal breach.
  3. Usernames and passwords were stored in plain text, which the hackers used to escalate privileges and achieve deeper access.
  4. Equifax failed to renew an encryption certificate for one of its internal tools, which allowed the hackers to exfiltrate data undetected over a period of months.

Additionally, over a month went by before Equifax finally publicized the breach. During this period, top executives sold company stock, giving rise to insider trading accusations. This is just one of the many recent examples of data breaches that exposed millions of people’s private data.

The importance of consumer financial privacy drove Congress to enact the Gramm-Leach-Bliley Act (“GLBA”) in 1999. The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. The GLBA imposed both the Privacy Rule (customer notification requirements) and the Safeguards Rule (standards for safeguarding certain information) on financial institutions. The original Safeguards Rule (16 CFR part 314) became effective on May 23, 2003, and the FTC has administered the Safeguards Rule ever since.

Under the new, revised Safeguards Rule, the definition of “financial institutions” has been broadened to focus on business activities that are financial in nature.[2] Moreover, “nonpublic personal information” now covers records about all customers who provide the covered business with such information, whether in paper, electronic, or other form, that are handled or maintained by or on behalf of the covered business or its affiliates. Additionally, the Safeguards Rule identifies nine elements that a covered business’s information security program must include:

  • Designate a qualified individual responsible for overseeing, implementing, and enforcing the financial institution’s information security program. Qualifications will depend upon the size and complexity of a financial institution’s information system and the volume and sensitivity of the customer information that the financial institution possesses or processes.
  • Conduct and continuously monitor systems and data inventories.
  • Protect by encryption all customer information that the financial institution holds or transmits, both in transit over external networks and at rest.
  • Implement multi-factor authentication (MFA) for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution.
  • Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates.
  • Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
  • Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information that is in the control of the financial institution.
  • Regularly test, or otherwise monitor, the effectiveness of the safeguards’ key controls, systems, and procedures, including those used to detect actual and attempted attacks on, or intrusions into, information systems. Covered financial institutions are required to conduct penetration testing annually and vulnerability assessments at least every six months.
  • Oversee service providers by requiring financial institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards.

The revised Safeguards Rule has some limits. First, the Safeguards Rule applies only to financial transactions “for personal, family, or household purposes.” Second, the Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 customers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors. Lastly, key provisions, including the appointment of a qualified individual and conducting a written risk assessment, do not become effective until December 9, 2022.

The FTC’s strengthening of financial privacy protections is part of a larger societal and governmental awakening to the need for greater information privacy and security protections. This revision, among other changes, is a signal to all businesses that use nonpublic personal information to begin to assemble their data teams, including privacy counsel, to assess their data governance requirements and cybersecurity hygiene.

  1. 16 CFR Part 314 – STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

  2. Covered financial institutions include: mortgage lenders, pay day lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, some travel agencies, automobile dealerships, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, non-SEC regulated investment advisors, entities acting as “finders,” and other entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.