While some forms of payments fraud have existed for centuries (like forged checks), others have emerged more recently. And as banking technology and payment methods evolve, fraudsters are doing their part to keep pace, including by updating classic payment fraud schemes to take advantage of the COVID-19 pandemic. Payments fraud generally falls into two categories:
unauthorized payments – such as unauthorized ACH debits, altered or forged checks, or transactions initiated after an account takeover; and
scams – such as fraudulently induced payments, “bad check” scams, and revocable payment fraud.
Some of these traditional fraud schemes have been tailored to take advantage of the pandemic situation by targeting vulnerable consumers (e.g., through imposter or work-from-home scams) and state unemployment agencies, which are defrauded when criminals use consumers’ stolen personally identifiable information (PII) to fraudulently apply for unemployment insurance in the victim’s name, then transfer funds through a “money mule” account.
A variety of different laws, regulations, and payment system rules are relevant to payments fraud, and different rules apply based on the type of transaction and nature of the fraud.
Core laws applicable to payments fraud include:
For check transactions: UCC Article 3 – Negotiable Instruments[1], and Article 4 – Bank Deposits and Collections[2];
For consumer electronic fund transfers: the Electronic Fund Transfer Act[3] and its implementing regulation, Regulation E[4]; and
For commercial funds transfers: UCC Article 4A – Funds Transfers.
Other laws may also have relevance, such as the various prohibitions on unfair, deceptive and abusive acts or practices (UDAAP), anti-money laundering requirements under the Bank Secrecy Act[5] (BSA), and the privacy and data security requirements for financial institutions under the Gramm-Leach-Bliley Act[6] (GLBA). Further, private sector payment system rules, such as the NACHA Operating Rules for ACH[7], may also apply, particularly with respect to the allocation of loss between financial institutions. Which laws apply, and how, may depend on characteristics of the transaction, including the payment channel, whether the payment was unauthorized or resulted from a scam, and whether it is a consumer or commercial transaction.
Check Fraud
Traditional types of check fraud include check alteration (e.g. changes to the payee or amount of a check), check forgery (a forged drawer’s signature), counterfeit checks, and bad check scams (where a consumer receives a bad check, deposits it, and is asked to send some or all of the provisionally credited funds to a third party).
The UCC generally requires a paying bank to recredit its customer’s account when it pays an unauthorized check, which provides customers protection against checks that are not properly payable. In addition, transfer and presentment warranties determine the allocation of loss between the depositary bank and the paying bank.[8]Whereas, in a bad check scam, the loss is likely to fall on the consumer who deposited the bad check when the check is returned unpaid by the paying bank. In these bad check schemes, fraudsters take advantage of a victim’s lack of understanding of payment system functionality and applicable legal framework by instructing the victim to transfer funds through an irrevocable payment channel (wire transfer) or a method that is difficult to trace and recover (purchasing and mailing a prepaid card) once the depositary bank provisionally credits the funds.
Wire Transfer Scams
Business email compromise (BEC) is a sophisticated form of payments fraud that has emerged in recent years. BEC targets businesses in which employees are tricked into sending funds to a fraudster (typically by wire transfer, but sometimes an ACH credit transfer). BEC is carried out through the compromise of legitimate email accounts and social engineering. Many large banks have taken action to try and prevent their customers from falling victim to BEC, including extensive education campaigns.
For commercial transactions, the allocation of loss that results from a BEC scam between the commercial customer and the bank is determined by Article 4A’s security procedure framework. In particular, the commercial customer (Sender) is not liable to the Sending Bank for a funds transfer that was not authorized. However, the transfer can be deemed “authorized” if the Sending Bank verified the authenticity of the instruction using a mutually agreed upon “security procedure,” the security procedure is commercially reasonable, and the bank accepted the payment order in “good faith” and in compliance with the security procedure.
COVID-19 Scams
Fraudsters have taken advantage of the COVID-19 pandemic to target vulnerable consumers, such as the elderly and unemployed. These scams provide a new twist on classic payment fraud schemes, and have taken various forms, including:
those involving government impersonators;
fraudulent cures, medical equipment or charities;
work-from-home fraud;
contact tracing scams; and
scams relating to the CARES Act Economic Impact Payments.
These criminal acts may involve an “imposter scam” scenario, or utilize the “bad check” or fraudulently induced wire transfer schemes, with legal responsibility for the loss determined by existing payment laws and regulations as applicable.
Fraudsters have also targeted state unemployment agencies with scams in which a criminal submits fraudulent unemployment insurance claims using consumers’ stolen personally identifiable information (PII), and instructs payments to accounts controlled by money mules (generally by ACH), who themselves may be either witting or unwitting participants and may be lured to participate through good-Samaritan, romance, and work-from-home schemes. This type of fraud has been facilitated by recent large scale data breaches that led to widespread access to consumer PII that can be used to perpetrate payments fraud and for other illicit purposes, such as identity theft.
Notably, FinCEN has released advisories providing financial institutions guidance on potential red flags of such schemes for purposes of Suspicious Activity Reporting obligations under the Bank Secrecy Act, including where a customer receives multiple state unemployment insurance payments to their account within the same disbursement timeframe from one or multiple states, or receives an unemployment insurance payment from a different state from where the customer lives or works.[9]
Policy Considerations
As banks undertake more measures to help customers avoid becoming victims of payments fraud schemes, it is important to consider whether by doing so they are altering the “delicate balance” of interests contemplated under existing loss allocation rules for fraudulent payments and, if so, how that may impact the availability and pricing of certain types of payments in the future.
[8] For example, under the UCC, the depositary bank generally bears the loss for improper endorsements and alterations, while the paying bank generally bears the loss for a forged drawer’s signature or a counterfeit check. These UCC provisions reflect the long-standing rule from Price v. Neal, 3 Burr. 1354, 97 Eng. Rep. 872 (KB. 1763).
Most-Favored Nations (MFN) clauses (also known as antidiscrimination clauses or most-favored customer clauses) are common in business today. These provisions require that the supplier will treat a particular customer no worse than all other customers (and sometimes even better). They are often coupled with some sort of monitoring mechanism, such as the power to audit the supplier. For example, imagine a flour mill signs a requirements contract with Bakery A that contains an MFN clause. The mill cannot then turn to Bakery B and offer the flour at a lower price without either a) offering the same to Bakery A or b) breaching the requirements contract. These clauses can extend beyond price to other contractual terms and conditions (e.g., product release dates, promotional prices, or product offerings).
Common as they may be, a series of lawsuits out of New York and California will subject those very clauses to scrutiny under U.S. antitrust law. First, a class action suit against Amazon and the five largest book publishers in the United States—Hachette Book Group, HarperCollins Publishers, Macmillan Publishing Group, Penguin Random House, and Simon & Schuster (the “Big Five”)—alleges that MFN clauses in ebooks agency contracts amount to an illegal price-fixing agreement.[1] The suit echoes a 2012 suit against Apple and the Big Five that culminated in a consent decree restricting the use of MFN clauses that prevented ebook retailers from adding their own discounts.
The second class action accuses Valve, Inc. of using MFN clauses in its contracts with game developers—both big (Ubisoft) and small (Rust)—to maintain its monopoly in personal computer video game sales through its online marketplace Steam as well as stifle competition more generally. The complaint alleges that the MFN clauses cause game prices across online marketplaces to be the same even though stores like the Epic Games Store take a smaller commission than Valve. Rather than pass those savings on to the consumer, the developers must maintain higher prices to remain profitable on Steam.
While the suits target different markets, they boil down to the same issue: when do MFN clauses become anticompetitive? As the panels to a day-long public workshop on these types of clauses by the 2012 Department of Justice and Federal Trade Commission indicate, it depends on the market at issue, the contracting parties, and the effect on that market. On the one hand, MFN clauses are practical and advantageous in that they eliminate the purchaser’s risk in negotiating a bad deal under unstable pricing conditions, reduce transaction costs in re-negotiating agreements upon discovery of lower prices, and are generally benign when market power is absent. On the other hand, MFN clauses as a price-monitoring mechanism can be used to facilitate collusion amongst competitors; discounts to the purchaser’s competitors and new market entrants, regardless of their size, are effectively foreclosed, resulting in increased prices overall. For these reasons and more, MFN clauses alone are subject to the rule of reason—a lenient standard that requires a rigorous market analysis.
So, what made Amazon and Valve targets for these suits? Market power. Amazon was public enemy number two (second only to Google) in the House Judiciary Committee’s antitrust report on competition in digital markets, which denounced Amazon’s impact on small- and medium-sized enterprises dependent on the monopolist’s platform. A humble bookseller no more, the class action alleges that Amazon now enjoys a stunning 90% of the ebook market. As for Valve, European antitrust regulators recently fined them 1.6 million euros (approx. $2 million) for the practice of restricting access to games based on physical location, which the European Commission deemed an illegal partition of the Digital Single Market. And U.S. regulators may turn towards Valve if the class action is correct in asserting that 75% of all PC games sold in the United States are through Steam. Both companies have inordinate market share for online sales at a time when antitrust enforcement is experiencing a renaissance and the digital economy is subject to exacting scrutiny.
The suits should not be a cause for alarm for most companies using MFN clauses. After all, when small purchasers in unconcentrated markets use MFN clauses to reduce price fluctuations or to commit to a long-term business relationship, courts should recognize that the economic efficiencies outweigh the anticompetitive effects. But when big tech closes off competition by maverick firms, keeps a watchful eye on its supplier through auditing rights or algorithmic pricing, and guarantees dominance over an extended period of time, it is no surprise that consumers, competitors, and Congress cry foul. MFN clauses have a time and a place, but it is not at the top.
The United Kingdom Government introduced a National Security and Investment Bill (the “Bill”) to Parliament in November 2020. It passed the House of Commons on 20 January 2021 and will now make its way through the House of Lords. When enacted, the Bill will give the Government unprecedented new powers to investigate and block corporate deals that it suspects might threaten the security of the UK, with potentially thousands of deals having to be pre-notified and cleared by the Government each year. While it is not limited to foreign investment, non-UK investors may attract additional scrutiny. Deal-makers will therefore now need to navigate a new regulatory regime that is much more onerous than the current limited national security intervention powers, and in addition to the usual UK merger control rules.
This piece looks at the background to the Bill, the mandatory notification procedure it will introduce, the Government’s powers to ‘call-in’ other deals for review, how it will assess national security risks and the potential implications of the Bill for investors.
The Bill a Government white paper, a Parliamentary Select Committee inquiry, and various interim measures stemming from concern over foreign investment in UK assets, including Chinese investment in the Hinkley Point nuclear power plant and Huawei’s involvement in the UK 5G network. There have also been allegations of ‘aggressive acquisitions’ during the COVID-19 pandemic, with the Government giving itself new intervention powers to protect the UK’s capability to combat public health emergencies. There was therefore little surprise when the Government announced a new framework to allow further scrutiny of transactions and investments. At present, the UK Government can only intervene in a transaction on national security grounds where the deal meets the thresholds for UK merger control. The bar for that has recently been lowered for targets with potential national security implications in order to facilitate more Government intervention, but the Bill will replace that regime with a greatly expanded role for the State.
First, the Bill will introduce a pre-closing notification obligation for certain deals, which the Government estimates will catch over 1,000 transactions per year. Second, it will empower the Government to ‘call-in’ acquisitions it considers may give rise to a national security risk, up to five years after the deal has completed. As an anti-avoidance measure, the latter power will apply to any deal completed on or after 12 November 2020 (the day after the Bill was introduced to Parliament).
Mandatory Notification
Scope
The obligation to notify the of a deal will arise where an investor acquires a right or interest in a “qualifying entity” that participates in particular activities within certain key sectors. A qualifying entity can be any form of legal entity (e.g. a company, partnership or trust) and includes non-UK entities that carry on activities in the UK or supply goods or services to persons in the UK. The Bill gives the Government wide powers to make regulations specifying the sectors of the economy and the types of transaction and activity that will engage the notification obligation.
The Government launched a public consultation on the sectors and deals it proposes should be covered, which closed in early January. The results have not yet been announced so it remains to be seen whether the responses will affect the Government’s plans, but the consultation identified 17 sectors as raising potential concerns. These include not only the most obvious candidates but also broad categories that may not have immediately obvious national security implications. The proposed sectors are:
Advanced Materials
Advanced Robotics
Artificial Intelligence
Civil Nuclear
Communications
Computing Hardware
Critical Suppliers to Government
Critical Suppliers to the Emergency Services
Cryptographic Authentication
Data Infrastructure
Defence
Energy
Engineering Biology
Military and Dual-Use Technologies
Quantum Technologies
Satellite and Space Technologies
Transport
There is no minimum target turnover or deal value threshold for the notification obligation to apply, and it will catch deals involving non-UK entities that are active in the UK.
Level of Control
A “notifiable acquisition” will arise where the transaction results in the acquiring person either acquiring a right or interest equivalent to at least 15% of the shares or voting rights in the target, or gaining control over the target. Gaining control of an entity means acquiring either:
more than 25% of the shares or voting rights, with a new notifiable acquisition if an existing shareholder passes thresholds of 50% or 75%; or
voting rights that enable the acquirer to ensure or prevent the passage of any class of resolution.
Consequences
The Bill provides that a notifiable acquisition will be void if it completes without Government approval. It is not clear what that will mean in practice. Most obviously, it would mean that the terms of the deal would be legally unenforceable. If the parties were content to implement the deal regardless, the Government would have the same powers to unwind a non-notified deal as it has under the voluntary regime (see below).
There will also be very significant corporate and personal consequences for failing to clear a notifiable acquisition. A person who completes such a deal (including any director, manager etc. of a body corporate) risks a criminal conviction with up to five years imprisonment, an unlimited fine, or both. Alternatively, the Government will be able to impose civil penalties of up to the greater of 5% of turnover or £10 million.
Unlike the voluntary regime, the mandatory notification obligation will not have effect so will not affect deals closed prior to the Bill becoming law. However, investors in UK businesses (and businesses with UK interests) should follow the Bill with keen interest, in anticipation of being faced with a significant new regulatory hurdle in 2021.
The ‘Call-in’ Regime and Voluntary Notification
The Bill does not just create risk for deals that qualify as notifiable acquisitions; it also empowers the Government to ‘call-in’ non-notifiable deals for review where it perceives national security concerns.
Scope
This power will exist where a “trigger event” takes place in relation to a “qualifying entity” (see above) or a “qualifying asset”, and the Government thinks the deal could create a national security risk.
The term “qualifying asset” covers a very broad range of assets, including land and corporeal moveable property as well as “ideas, information or techniques which have industrial, commercial or other economic value” (the Bill gives the examples of trade secrets, databases, source code, algorithms, formulae, designs, software, and plans, drawings and specifications). In each case, the asset must be either within the UK or its territorial sea (in the case of land or corporeal property), or otherwise used in connection with activities carried on in the UK or the supply of goods and services to persons in the UK.
A “trigger event” will occur where a person gains control of a qualifying entity or asset. Control of an entity is defined as explained above (and so the 15% threshold does not apply to the call-in power), or where the acquirer gains material influence over the target’s policy (reminiscent of the ‘control’ test in UK merger control). For an asset, gaining control means a person acquiring a right or interest in, or in relation to, the asset that makes them able to use the asset or direct or control how it is used (or able to use it / direct its use to a greater extent). There is, again, no minimum turnover or deal value threshold.
These very broad definitions will give the Government a call-in power over essentially any type of deal where a national security risk might be identified.
Timings
The call-in power can be invoked within six months of the Government becoming aware of the trigger event, up to a maximum of fiveyears after the trigger event. This extremely long window is intended to ensure no transactions slip through the net, either by accident or by design.
This lengthy risk period can be avoided by voluntarily sending notification of the relevant transaction (either before or after completion) to a new Investment Security Unit under the remit of the Business Secretary. As with merger control, it will be for the Government to decide whether the notification contains sufficient information, which means it will control the clock. Once the Government accepts the notification it will have 30 working days to decide whether to call-in the deal for further investigation over an additional 30 working day period (extendible to 75 working days).
A key point to note is that all deals completed after 12 November 2020 will come within the scope of the call-in regime, with the six month / five year periods only commencing when the relevant provisions of the Bill take effect. This anti-avoidance measure means the Bill must already be factored into deals that might raise UK national security considerations, particularly because the process to have a deal cleared via voluntary notification will not even become available until the Bill is fully enacted and in force. In the interim period, parties will have no option but to decide whether to proceed at risk.
Consequences
Where the Government identifies a risk to national security it can impose remedies to prevent, remedy or mitigate that risk. The Bill gives a wide discretion on the remedies that can be imposed, but options are likely to include:
unwinding a completed deal (e.g. by divestment of the relevant entity or asset);
prohibiting a deal that has not yet been completed;
requiring the business to appoint someone to supervise and potentially control any activities that would cause a national security concern; and
operational restrictions, such as making UK security clearance a condition of a person accessing particular information, working at a particular site, taking part in certain operations, or even holding a management role in the organisation.
If a completed deal is called-in or notified, the Government will be able to impose interim orders to prevent the review process being frustrated, most obviously by prohibiting the acquirer from integrating the acquired business or asset into its own operations. Such orders are routinely made in merger control cases, but may well be even stricter in the national security context.
In a further parallel with UK merger control (also, in principle, a voluntary regime), the potential consequences of completing a deal only for it to be called-in for review – including the administrative and financial burden of complying with an interim order, as well as the substantive risk of a forced sale of the entity or asset purchased – mean that buyers and investors are likely to err on the side of caution and try to make any deal that might have national security implications conditional on Government clearance.
Interestingly (and very much unlike merger control), the Bill confers a power on the Government to give financial assistance to an entity in consequence of an order. That perhaps reflects a principle that the State should meet at least part of any additional cost incurred by a private entity as a result of measures imposed on national security grounds.
How Will National Security Risks Be Assessed?
The Bill does not define potential risks to national security in any meaningful sense. However, the Government has published a draft ‘Statement of Policy Intent’ describing how it expects to use the call-in power.
The Government expects to consider three risk factors:
Target risk: the entity or asset subject to the trigger event could be used to undermine UK national security (e.g. the entity or asset plays a key role in national security matters or could, simply because of its nature, put national security at risk if it fell into the ‘wrong’ hands – there is likely to be significant overlap here with the sectors identified for mandatory notification);
Trigger event risk: the acquisition itself could undermine national security (e.g. because it could facilitate unauthorised access to sensitive information, or give a hostile actor leverage over the UK in other matters); and
Acquirer risk: the identity of the acquirer would give rise to national security concerns.
On the latter risk, a range of factors would need to be considered on a case-by-case basis, but the nationality of the acquirer – while not formally part of any test under the Bill – will surely be a key issue. However, concerns will not necessarily be limited to nationals of hostile states: in 2019 the UK Government intervened in the acquisition of the British satellite telecommunications company Inmarsat plc by Connect Bidco, a US-UK-Canadian joint venture, obtaining undertakings to ensure the maintenance of strategic services and prevent unauthorised access to sensitive information.
The various risks will be considered in combination – for example, the draft Statement of Policy Intent notes that a pension fund investing in UK infrastructure would involve a target risk but no acquirer risk.
Use and Application
At this point, it is only possible to speculate as to how strictly the Government will apply the powers in the Bill and, in particular, how many deals will need to be notified pursuant to the Bill. By the Government’s own estimate, however, mandatory filings alone will result in between 1,000 and 1,830 notifications per year.
For the voluntary regime, and notwithstanding that the draft Statement and other guidance documents give some indication of how risks will be assessed, it will take time to build up a body of precedent that will allow buyers to consider when to notify. Even that may be complicated by the need for confidential decisions in light of the obvious sensitivities. Buyers are therefore likely to err on the side of caution for some time, in which case the Government should also expect to receive a large number of voluntary notifications.
There will therefore be an enormous increase in the number of cases dealt with compared to the current public interest intervention regime, under which only 12 transactions have been reviewed on national security grounds since 2003 (albeit with a recent uptick following reductions to the applicable turnover thresholds, including the frustration of Chinese-backed Gardner Aerospace Holdings’ proposed acquisition of Impcross, a UK manufacturer of aerospace components).
The Bill will impose a strict and wide-ranging new regime that has the potential to cause significant disruption to deals and investments. It is essential that investors, sellers and advisers are aware of the risks involved, including for any deal completed after 12 November 2020, and plan their transactions accordingly.
On January 19, 2021, the American Bar Association (ABA) Derivatives and Futures Law Committee’s Innovative Digital Products and Processes Subcommittee (IDPPS) Jurisdiction Working Group released an update to its comprehensive white paper addressing jurisdictional issues associated with digital products, including cryptocurrencies and other digital assets, and digital processes, such as blockchain.[1]
The updated white paper gives an in depth analysis of several current issues in the cryptocurrency and digital asset space that have developed since the March 2019 publication of the first white paper, including:
rapid development of Stablecoins;
growth of the decentralized finance movement and the increasing number of state central banks exploring the creation of virtual currencies;
2020 guidance from the CFTC concerning “actual delivery” of digital assets and related litigation;
The SEC’s Digital Asset Framework, its first issuance of digital asset-related no-action letters, and further developments in its key enforcement actions targeting significant digital asset projects;
SEC staff guidance on the custody of digital asset securities under the rules applicable to broker-dealers;
Recent case law developments in certain CFTC enforcement actions involving digital assets;
New developments regarding the Travel Rule’s application to virtual asset service providers;
FinCEN’s first assessment of civil money penalties against a peer-to-peer virtual currency exchanger; and
International developments, including the EU’s recent approval of the Sixth Anti-Money-Laundering Directive.
The need for this update reflects the rapid evolution of the digital asset and cryptocurrency space. As regulators worldwide endeavor to keep pace with this ever-developing industry, it is imperative that market participants continue to keep themselves informed of the applicable legal and regulatory landscape, as detailed in this update. Several key developments merit further discussion below, as we expect that regulators will focus on these areas in the coming years.
A. Stablecoins
Stablecoins were developed in response to the price volatility of bitcoin and other cryptocurrencies.[2] As their name suggests, Stablecoins aim to “increase price stability,” given that their value is tied to fiat currencies, which typically are “stable and liquid.”[3] The stability of Stablecoins should increase their market acceptance, particularly for payment purposes.[4]
In 2019, the Swiss Financial Market Supervisory Authority (FINMA) released Stablecoin guidelines.[5] This guidance noted that while Swiss law lacks specific provisions to regulate Stablecoins, they would be treated the same as any other blockchain-based tokens. The specific characteristics of Stablecoins can influence which financial laws apply. For example, if a token is linked to a particular fiat currency, it likely would be categorized as a deposit under the banking laws. The updated white paper explores FINMA’s and other regulators’ evolving approaches to Stablecoins in more depth.
B. Actual Delivery
The Commodity Exchange Act (CEA) provides that agreements, contracts, or transactions in commodities—other than foreign currencies or securities—entered into by or offered to retail customers on a leveraged, margined, or financed basis must be regulated as or “as if” they were futures, unless covered by an exemption.[6] This effectively means that a non-exempt transaction may be executed only on or subject to the rules of a CFTC-regulated exchange, and persons providing services in connection with nonexempt transactions may be covered by one of the CEA’s registration categories for professionals.
One oft-discussed exception to this requirement is for contracts for commodity sales that result in actual delivery of the commodity within 28 days. The CFTC has been grappling for years with its interpretation of the term “actual delivery.”[7] The need to clarify the meaning of actual delivery in virtual currency transactions became more pronounced in 2016, when the CFTC brought its first enforcement action against a trading platform that offered retail commodity transactions in virtual currency without registering with the CFTC.[8] In its settlement order against that platform, Bitfinex, the CFTC took the position that delivery of bitcoin purchased with borrowed funds to a private, omnibus settlement wallet where the coins were held for the benefit of the buyer but also as collateral for the loan did not constitute actual delivery, because the buyer did not have any rights to access or use the purchased bitcoin until released by Bitfinex following satisfaction of the loan. In March 2020, the CFTC addressed the uncertainty surrounding the concept of “actual delivery” in the context of digital asset transactions by issuing an interpretation that aligns with the approach it employed in Bitfinex. This guidance provides, in part, that the actual delivery exception applies only when a customer secures possession and control of, and has the ability to use freely in commerce, the entire quantity of the digital asset no later than 28 days from the date of the transaction, rendering any lien on the digital asset as a means to secure repayment incompatible with actual delivery.[9] The updated white paper examines the CFTC’s actions in this area in greater depth.
C. SEC Digital Asset Framework and Other Enforcement Issues
In April 2019, the SEC’s Strategic Hub for Innovation and Financial Technology (FinHub) published the Digital Asset Framework,[10] which provides guidance regarding FinHub’s view as to whether a given digital asset would be considered a security—and thus subject to SEC regulation—under the test set forth in SEC v. W.J. Howey Co.[11] The SEC staff also recently issued its first digital-asset-related no-action letters, confirming that two digital assets that essentially function as stored-value cards would not be deemed securities. The Framework and other developments concerning the SEC’s regulation of digital assets are discussed in detail in the updated white paper.
The white paper also addresses the regulatory uncertainty attending digital assets, which could potentially frustrate law enforcement and innovation. The CFTC and the SEC appear to be coordinating in combatting perceived fraudulent activity involving cash market transactions in digital assets, but their coordination does not necessarily mean that where only one agency initiates an action, only that agency has jurisdiction. One legislative attempt to address this regulatory uncertainty is the Digital Commodity Exchange Act of 2020 (DCEA), which was introduced to fill regulatory gaps that exist between the CFTC and the SEC and to provide a clear means by which market participants could ensure that their transactions in digital assets comply with the law. The updated white paper includes more detailed discussion of the DCEA.
D. Travel Rule
FinCEN’s Travel Rule has been a recent focus of international attention, with the Financial Action Task Force (FATF) adopting an interpretive note in June 2019 confirming that countries should apply provisions similar to the Travel Rule to virtual asset services providers.[12] In the United States, FinCEN has confirmed that the Travel Rule is the most commonly cited violation by the IRS against money services businesses engaged in virtual currency money transmission.[13] The updated white paper expands on this topic in detail.
[1] By Michael Spafford and Katherine Berris of Paul Hastings, Jonathan Marcus of Skadden, and Daren Stanaway of Interactive Brokers.
[2] Tim Swanson, Why Bitcoin Needs Fiat (And This Won’t Change in 2018), Coindesk (Jan. 4, 2018), https://www.coindesk.com/bitcoin-still-needs-fiat-currency-wont-change-2018/.
[4] FINMA, Supplement to the Guidelines for Enquiries Regarding the Regulatory Framework for Initial Coin Offerings (ICOS) (2019), https://www.finma.ch/en/news/2019/09/20190911-mm-stable-coins/.
[7] American Bar Association Derivatives and Futures Law Committee Innovative Digital Products and Processes Subcommittee Jurisdiction Working Group, Digital and Digitized Assets: Federal and State Jurisdiction Issues 61 (2020), https://www.americanbar.org/content/dam/aba/administrative/business_law/buslaw/committees/CL620000pub/digital_assets.pdf.
[8]SeeIn reBFXNA Inc., CFTC No. 16-19 [2016-2017 Transfer Binder] Comm. Fut. L. Rep. (CCH) ¶ 33,766 (June 2, 2016).
[9] Retail Commodity Transactions involving Certain Digital Assets, 85 Fed. Reg. 37,734, 37,742–43 (June 24, 2020).
[10] SEC, Strategic Hub for Innovation and Financial Technology, Framework for “Investment Contract” Analysis of Digital Assets (Apr. 3, 2019), https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets.
[12] See FATF, Outcomes FATF Plenary, 16-21 June 2019 (June 21, 2019), https://www.fatfgafi.org/publications/fatfgeneral/documents/outcomes-plenary-june-2019.html. FinCEN subsequently “applauded” FATF’s interpretation. See FinCEN, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis Blockchain Symposium (May 13, 2020), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-directorkenneth-blanco-delivered-consensus-blockchainsymposium.
[13]See FinCEN, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis Blockchain Symposium (Nov. 15, 2019), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blancochainalysis-blockchain-symposium.
Buried in the $740.5 billion National Defense Authorization Act for 2021[1] (“NDAA”) are numerous provisions that affect financial services law. Although the news media directed most of their coverage to Congress’s override of President Trump’s veto of the massive bill[2], this article discusses a few of the provisions that should be of interest to the financial services bar.
Disgorgement Authority
Of major significance is a provision that enhances the Securities and Exchange Commission’s (“SEC”) authority to seek disgorgement remedies in conjunction with an enforcement action.[3] The provision addresses a limitation on the SEC’s authority to seek equitable remedies against bad actors. In Kokesh v. SEC, the U.S. Supreme Court held that the five-year statute of limitations in 28 USC § 2462 applies when the SEC seeks disgorgement from those who have wrongfully enriched themselves. The court held that “disgorgement, as it is applied in SEC enforcement proceedings, operates as a penalty under § 2462. Accordingly, any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued.”[4] In testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Jay Clayton asserted that the Kokesh decision has had the
anomalous effect of allowing the most “successful” perpetrators of fraud—those whose frauds are well-concealed and stretch beyond the five-year limitations period—to keep their ill-gotten gains. Since Kokesh was decided, an estimated $1.1 billion in ill-gotten gains has been unavailable for possible distribution to harmed investors, much of which is tied to losses by investors.[5]
Chairman Clayton further noted:
I greatly appreciate the bipartisan, bicameral work underway to address this issue, and I welcome the opportunity to continue to work with Congress to ensure the Commission is able to seek recoveries in cases of well-concealed, long-running frauds so that defrauded retail investors can get their investment dollars back while remaining true to the principles embedded in statutes of limitations.[6]
Apparently, those efforts bore fruit in the NDAA. The legislation amends Section 21(d) of the Securities Exchange Act of 1934 (“Exchange Act”), granting the SEC the authority to seek disgorgement against the person who received “unjust enrichment.” Congress included a statute of limitations of ten years for equitable remedies in most instances. The statute of limitations “clock” does continue to run during any time that the bad actor is outside of the United States.
I have prepared a mark-up showing how Congress amended Section 21 of the Exchange Act (in “Hill-speak” a “Ramseyer”). I have struck through deletions and marked the legislative changes in italics. It appears below:
H.R. 6395
The “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021”
******
Amendments of Title LXV – Miscellaneous
******
SEC. 6501. INVESTIGATIONS AND PROSECUTION OF OFFENSES FOR VIOLATIONS OF THE SECURITIES LAWS
[Page 1238]
(a) IN GENERAL. —Section 21(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78u(d)) is amended —
(3) CIVIL MONEY PENALTIES IN CIVIL ACTIONS.— AND AUTHORITY TO SEEK DISGORGEMENT
(A) AUTHORITY OF COMMISSION.—Whenever it shall appear to the Commission that any person has violated any provision of this title, the rules or regulations thereunder, or a cease and-desist order entered by the Commission pursuant to section 21C of this title, other than by committing a violation subject to a penalty pursuant to section 21A, the Commission may bring an action in a United States district court to seek, and the court shall have jurisdiction to impose, upon a proper showing, a civil penalty to be paid by the person who committed such violation.“jurisdiction to—
“(i) impose, upon a proper showing, a civil penalty to be paid by the person who committed such violation; and
“(ii) require disgorgement under paragraph (7) of any unjust enrichment by the person who received such unjust enrichment as a result of such violation.”
(B) AMOUNT OF PENALTY. —
(i) FIRST TIER. — The amount of the penaltya civil penalty imposed under subparagraph (A)(i) shall be determined by the court in light of the facts and circumstances. For each violation, the amount of the penalty shall not exceed the greater of (I) $5,000 for a natural person or $50,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation.
(ii) SECOND TIER. — Notwithstanding clause (i), the amount of penaltyamount of a civil penalty imposed under subparagraph (A)(i) for each such violation shall not exceed the greater of (I) $50,000 for a natural person or $250,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation, if the violation described in subparagraph (A) involved fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement.
(iii) THIRD TIER.—Notwithstanding clauses (i) and (ii), the amount of penalty for each such violationamount of a civil penalty imposed under subparagraph (A)(i) for each violation described in that subparagraph shall not exceed the greater of (I) $100,000 for a natural person or $500,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation, if— (aa) the violation described in subparagraph (A) involved fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement; and (bb) such violation directly or indirectly resulted in substantial losses or created a significant risk of substantial losses to other persons.
(C) PROCEDURES FOR COLLECTION. — [No change.]
* * * * *
(D) SPECIAL PROVISIONS RELATING TO A VIOLATION OF A
CEASE-AND-DESIST ORDER. [No change.]
* * * * *
(4) PROHIBITION OF ATTORNEYS’ FEES PAID FROM COMMISSION DISGORGEMENT FUNDS.—Except as otherwise ordered by the court upon motion by the Commission, or, in the case of an administrative action, as otherwise ordered by the Commission, funds disgorged under paragraph (7) as the result of an action brought by the Commission in Federal court, or as a result of any Commission administrative action, shall not be distributed as payment for attorneys’ fees or expenses incurred by private parties seeking distribution of the disgorged funds.
(5) EQUITABLE RELIEF [No change.]
* * * * *
(6) AUTHORITY OF A COURT TO PROHIBIT PERSONS FROM PARTICIPATING IN AN OFFERING OF PENNY STOCK [No change.]
* * * * *
(7) DISGORGEMENT. — In any action or proceeding brought by the Commission under any provision of the securities laws, the Commission may seek, and any Federal court may order, disgorgement.
(8) LIMITATIONS PERIODS. —
(A) DISGORGEMENT. — The Commission may bring a claim for disgorgement under paragraph (7)—
(i) not later than 5 years after the latest date of the violation that gives rise to the action or proceeding in which the Commission seeks the claim occurs; or
(ii) not later than 10 years after the latest date of the violation that gives rise to the action or proceeding in which the Commission seeks the claim if the violation involves conduct that violates —
(I) section 10(b);
(II) section 17(a)(1) of the Securities Act of 1933 (15 U.S.C. 77q(a)(1));
(III) section 206(1) of the Investment Advisers Act of 1940 (15 U.S.C. 80b–6(1)); or
(IV) any other provision of the securities laws for which scienter must be established.
(B) EQUITABLE REMEDIES. —The Commission may seek a claim for any equitable remedy, including for an injunction or for a bar, suspension, or cease and desist order, not later than 10 years after the latest date on which a violation that gives rise to the claim occurs.
(C) CALCULATION. — For the purposes of calculating any limitations period under this paragraph with respect to an action or claim, any time in which the person against which the action or claim, as applicable, is brought is outside of the United States shall not count towards the accrual of that period.
(9) RULE OF CONSTRUCTION. — Nothing in paragraph (7) may be construed as altering any right that any private party may have to maintain a suit for a violation of this Act.”
*****
(b) APPLICABILITY— The amendments made by subsection (a) [i.e., of this amendment] shall apply with respect to any action or proceeding that is pending on, or commenced on or after, the date of enactment of this Act.[7]
Anti-Money Laundering Provisions
Protection of Algorithms
The NDAA includes a remarkable provision to protect the privacy of algorithms that financial institutions use for their anti-money laundering (“AML”) compliance programs. Division F of the NDAA includes many amendments to the Bank Secrecy Act (“BSA”), including provisions that expand the scope of the BSA to “value that substitutes for currency,”[8] presumably referring to cryptocurrency. Other provisions strengthen the Financial Crimes Enforcement Network (“FinCEN”) by establishing a FinCEN exchange to facilitate voluntary public-private sharing of information[9] and increase technical assistance for international cooperation.[10] This article does not attempt to discuss all of those provisions on a comprehensive basis. However, I will focus on one provision that may have implications beyond AML compliance, and will make a recommendation with respect to AML rules.
The NDAA amends the Bank Secrecy Act to protect the confidentiality of algorithms that financial institutions use for their AML efforts. Section 6209 amends 31 USC § 5318(o)(3) to provide that if a financial institution discloses to its regulator information about an algorithm that the institution uses in conjunction with its AML program, the regulator must not disclose that information to the public.
Hedge fund managers have had legitimate concerns about revealing the details of their trading algorithms to regulators for fear of public disclosure. Managers appreciate the need for regulatory oversight, but preferred that regulators look at actual trading patterns, rather than the algorithms, during examinations. Managers only wished to release information about the algorithms themselves after regulators have examined other, less proprietary data, but still have regulatory concerns.
This amendment to the Bank Secrecy Act protects the confidentiality of the algorithms that financial institutions use for AML purposes, i.e., a public purpose, rather than trading algorithms. Nonetheless, the provision demonstrates the sensitivity of algorithms and the need for confidentiality, at least in some settings.
Perhaps this amendment to the Bank Secrecy Act will validate hedge fund managers’ concerns about keeping their trading algorithms confidential unless regulators cannot reasonably discharge their oversight responsibility in any other way.
Recommendation to FinCEN
The author suggests that the Treasury Department and FinCEN should re-propose and adopt final AML rules for investment advisers. Remarkably, FinCEN has never adopted final rules subjecting investment advisers to AML requirements. Prior administrations have proposed rules, but never adopted them.
The FinCEN 2015 Proposal[11] reviewed the history of the proposal and I have summarized it below:
On September 26, 2002, FinCEN proposed rules requiring that unregistered investment companies establish AML programs (“Proposed Unregistered Investment Companies Rule”).[12]
On May 5, 2003, FinCEN proposed requiring that certain investment advisers establish AML programs (“First Proposed Investment Adviser Rule”).[13]
In June 2007, FinCEN announced that it was reconsidering both the Proposed Unregistered Investment Companies Rule and the First Proposed Investment Adviser Rule, and subsequently withdrew them.[14]
After Congress passed the Dodd Frank Act,[15] FinCEN decided to propose new AML rules for investment advisers. The proposal notes that the Dodd Frank Act required most investment advisers to be registered with the SEC. “Accordingly, FinCEN believes the two-pronged approach of the prior proposals is no longer necessary to address the money laundering and terrorist financing risks presented by SEC registered investment adviser clients and the unregistered investment companies that are managed by such advisers.”
Briefly, the proposal would have amended 31 CFR § 1010 to add a new subsection 100(nnn), defining an investment adviser as “[a]ny person who is registered or required to register with the SEC under section 203 of the Investment Advisers Act of 1940….” As a result, the proposal would have made such investment advisers subject to the AML requirements. Of course, the proposal included numerous other requirements.[16] For whatever reason, the Obama Administration never adopted a final rule requiring that investment advisers have AML rules.
On September 14, 2020, FinCEN published an advanced notice of rulemaking (“ANPRM”), seeking comments on ways to improve the current AML requirements. The proposal notes that “any such amendments would be expected to further clarify that such a program assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN.”[17] The ANPRM does not include any reference to the 2015 Proposal. The Trump Administration did not otherwise pursue the issue of applying AML requirements to investment advisers.
In my view, the Biden Administration should re-propose rules subjecting investment advisers to AML rules. I cannot point to a specific regulatory failure to justify my suggestion. Nonetheless, I believe that it is time for FinCEN to adopt such requirements for the following reasons:
Investment advisers, particularly hedge funds, have AML programs. It would be foolish indeed for any investment manager not to have a program and wittingly or unwittingly to take “dirty” money. Any manager that accepted tainted money would face extreme reputational risk and probably would violate other statutes, depending on the circumstances.
In some circumstances, it may be wise to adopt rules in the absence of a crisis. As President Kennedy said, “the time to repair the roof is when the sun is shining.”[18] I suggest that FinCEN should propose and adopt new rules in an environment that would permit thoughtful consideration of a proposal and comments rather than hastily adopting ill-conceived rules in a crisis environment. The NRPRM noted above might inform such a proposal.
FinCEN’s rules should reflect the existing course of business that investment managers have with other, regulated financial institutions. AML rules for investment managers should integrate with the existing regulatory framework.
If FinCEN adopted AML rules that differ from existing practice, managers would have an opportunity to comply.
Thoughtful rules would help investment advisers do a better job of supporting the existing AML infrastructure. Establishing clear rules for investment advisers that complement existing rules and practices would benefit everyone.
[1] The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, 116th Cong., 2d. Sess. (2021). The bill is 1,480 pages long.
[2] The House voted to override the veto on Dec. 28, 2020; the Senate voted to override on Jan. 1, 2021. See also WSJ, Jan. 1. 2021
[3] Section 6501 of the NDAA. See also A. Frankel, Congress hid a big gift to the SEC in defense spending bill awaiting Trump’s signature, Reuters, Dec. 23, 2020.
[5]Testimony of the Honorable Jay Clayton, Dec. 10, 2019 at text accompanying footnote 76. The Supreme Court subsequently upheld the SEC’s authority to seek disgorgement “an antecedent question” that Kokesh left unanswered. Liu v. SEC, 591 US ____ (2020), at slip op. 1.
[14] Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Unregistered Investment Companies, 73 FR 65569 (Nov. 4, 2008); and Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Investment Advisers, 73 FR 65568 (Nov. 4, 2008).
[15] The Wall Street Reform and Consumer Protection Act (“Dodd Frank Act”), Public Law 111–203, 124, Stat. 1376 (2010).
[16] FinCEN, Department of the Treasury, RIN 1506-AB10, (Aug. 15, 2015); 80 FR 52680 (Sept. 1, 2015)
Owners of closely held corporations or LLCs often find themselves litigating for control of their “Company.” When that happens, on which side of the caption does the Company line up? What role should it play? And should either warring faction enjoy access to the Company’s assets to fund that side’s litigation costs?
When derivative claims are asserted, the Company must be a party,[1] but when nothing is sought on behalf of or from the Company and all the owners are before the court, should the Company be a plaintiff or a defendant, or should it be left off the caption altogether? If it is not named as a party, the court may require the Company to become one so that it will be subject to the court’s orders.
When the Company is named a nominal defendant in the Complaint, the plaintiff runs the risk that the defendant owners will retain one lawyer to represent both them and the Company and pay that lawyer’s retainer (and eventually a lot more) from the Company’s treasury, even though as a practical matter that lawyer will be advancing one side’s position in the litigation against the other. In addition to whether that is fair, joint representation raises ethical issues.[2] The result is that the choice of counsel, the authority to choose counsel, and the use of Company funds to pay counsel become issues in a soon-to-follow pretrial application for relief by the plaintiff.[3]
These issues were addressed, but not conclusively resolved, in a case that came before the Texas Supreme Court on pretrial applications to disqualify defendants’ counsel.[4] The underlying dispute, which had not yet been decided by the lower court, was between twelve LLC owners and six “Governing Persons” collectively divided into two factions. The disagreement arose from the majority’s firing of the previously unanimously elected president and managing member who, with his supporters, claimed that a unanimous vote was required for dismissal. The minority’s Complaint, asserting derivative as well as direct claims, included the LLC as a named plaintiff. The defendant majority engaged a law firm that had previously represented the LLC, funded its litigation costs from the Company treasury, and asserted counterclaims.
Late in the litigation, the minority moved to disqualify defendants’ counsel charging (1) that the law firm, having previously been counsel to the plaintiff LLC, could not appear against its former client, and (2) that the defendant faction had no authority to hire a law firm to act for the LLC.
The court noted that the core issue underlying the litigation was who had the right to control the LLC’s management, and as to this issue, each faction’s position was that the other side’s position was incorrect and harmful to the LLC. The court observed that when stripped of the baggage of the derivative label, the Company’s alignment in the caption was immaterial to this issue, noting that “[C]ompanies in derivative litigation are simultaneously ‘plaintiffs’ and ‘defendants’ depending on how you look at it.”[5]
The court reviewed decisions from other jurisdictions questioning joint representation and found no categorical rule.[6] Based on Texas law and the Texas Rule serving as the basis for one of the applications made below, and in light of the timing of the motions to disqualify, the Texas Supreme Court upheld the lower court’s discretion not to grant disqualification. The core merits question of control was capable of being fairly litigated by the factions and lawyers for both sides presently before the court.
Whether defendants had the authority to hire counsel at Company expense was not determined at this stage of the proceeding. The authority to hire counsel for an LLC often turns on whether it is a “major” or “material” or “extraordinary” or “not in the usual course of business” decision that requires unanimity or high vote under either statute or operating agreement.
As to the inequity of one side’s use of Company money to pay its litigation costs, the court said that “adequate remedies exist” for subsequent recovery of any legal fees that may turn out to have been improperly paid from the other group’s interests in the LLC.
“Adequate remedies” after the fact may be viable if the personal resources of both sides fighting for control are such that each is able to fund its litigation costs without hardship. This may have been true in the Texas case. If one or both litigants have limited resources, the rights of one side to postlitigation remedies are of little avail when the other side is enjoying the real-time advantage of financing its position in the litigation with the Company’s funds. Courts do afford relief in those situations when timely application is made.[7]
[1] Meyer v. Fleming, 327 U.S. 161 (1946); Liddy v. Urbanek, 707 F.2d 1222 (11th Cir. 1983). In Cotter on behalf of Reading International, Inc. v. Kane, 473 P.3d 451 (Nev. 2020), the plaintiff, asserting that his termination as corporate president was void, filed a derivative action against the directors naming the corporation as a nominal defendant. Although the corporation had to remain neutral on the merits of the claim, the court allowed it to challenge the plaintiff’s standing because the corporation might later be called upon to indemnify the defendant directors.
[2] See, for example, In re Conduct of Kinsey, 680 P.2d 660 (Or.1983).
[3] When the court orders the Company to be represented by separate counsel, additional indirect costs are incurred by both parties. The Company’s lawyer, however, when acting as a neutral, may assist the court as would a guardian and perhaps facilitate amicable resolution.
[4] In re Murrin Brothers 1885, Ltd., 603 S.W.3d 53 (Tex. 2019).
[5]Id. at 58. Because the nominal defendant corporation stands to be the beneficiary of any derivative action recovery, its interests are not necessarily adverse to the plaintiff. Cotter on behalf of Reading International, Inc. v. Kane, note 1 supra.
[6] In addition to the cases cited, Rosenfeld v. Metals Selling Corp., 643 A.2d 1253, 1264 (Conn. 1994), and Messing v. FDI, Inc., 439 F.Supp. 776 (D. N.J. 1977) are also instructive.
[7] In Ehlinger v. Hauser, 785 N.W.2d 328 (Wis. 2010), the court, recognizing that the dispute was really between the two shareholders, and citing Matter of Clemente Bros., Inc., 239 N.Y.S.2d 703 (App. Div. 1963), aff’d o.b. 13 N.Y.2d 963 (1963), observing that “the corporation may not assume a ‘militant alignment on the side of one of the two equal, discordant stockholders,’ ” prohibited the corporation from paying the expenses incurred by one of the shareholders. Similarly, Matter of Penetent Corp., 605 N.Y.S.2d 691 (App. Div. 1993), affirmed the trial court’s grant of petitioner’s motion to restrain respondent from using corporate funds to pay for professional services incurred in the proceeding.
At the ABA Business Law Section’s annual meeting in Spring 2020, which went virtual for the first time due to the pandemic, the Section’s Gaming Law Committee took up the issue of sports betting and data security as a key emerging area that intersects with numerous other areas of law practice, including contracts, commercial transactions, securities regulation, business entity issues, tribal-state compacting, and intellectual property. Along with the authors of this article, Dennis Ehling (Partner with Blank Rome in Los Angeles), Raymond Luk, Jr. (Corporate Counsel for BorgWarner Inc., in Auburn Hills, Michigan), and Peter McLaughlin (Partner with Culhane Meadows in Boston) comprised the panel, which was co-sponsored by the Business Law Section’s Intellectual Property and Sports Law Committees. ABA Business Law Section members can watch the program for CLE credit on-demand here.
Introduction
A rapidly evolving subfield in gaming law concerns cybersecurity, data protection, and privacy rights. The swift expansion of legalized sports betting, as well as igaming, mobile gaming, daily fantasy sports (DFS), and competitive videogaming (esports), have created both opportunities and challenges for the business lawyer. Online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise issues related to intellectual property, data collection and reporting, data ownership, protection, and privacy, and ensuring data security. A business lawyer advising clients in these areas, or working directly in these industries, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts. Such matters also increasingly intersect with the dynamic area of digital currencies and cryptocurrencies, blockchain technologies and transactions, and compliance within and across jurisdictions, whether domestic or international.
Data security has always been a key issue for the gaming industry. Traditionally a “cash business,” the current $260 billion U.S. gaming industry runs primarily on transactions, often large ones. Like finance and banking institutions, casinos must be diligent in guarding against cybersecurity threats, especially as mobile and online transactions become the norm. The gaming industry also relies on computer systems for operating gaming devices, gaming floor security, and gathering and storing player data, among other functions, all of which can be targets for hackers and cheats. With the recent spread of legalized sports betting, data security is more important than ever.
Casinos and Cybersecurity
Like other industries that retain extensive customer data, the gaming industry is particularly vulnerable to cyber threats. The 2014 hacking of the Las Vegas Sands Corporation (LVS), which owns the Venetian and Palazzo casino resorts in Las Vegas as well as several casino resorts in Asia, provides a cautionary tale. As confirmed by the U.S. Director of National Intelligence, the cyber-attack was carried out by Iranian “hacktivists” in retaliation for LVS CEO Sheldon Adelson’s support of a U.S. military strike against Iran. Malware shut down company email and phone lines, and wiped out employee hard drives. Hackers stole customer credit card data, Social Security numbers, and driver’s license information. The company’s casino websites were taken over and defaced, prompting a one-week shutdown before the sites were restored. The cyber-attack impacted the majority of the company’s Las Vegas servers; the cost of recovering data and building new systems reportedly was in excess of $40 million.
The gaming industry has its own particular vulnerabilities as well. Several years ago, a Russian hacker devised a system to decipher the random number generator programs in slot machines. He then organized teams to visit casinos and identify vulnerable slot machines, before using a smartphone app to trigger a jackpot on the machine. Reportedly, the teams took in $250,000 a week from casinos around the world. In 2014, four team members pled guilty to federal fraud charges stemming from using the slot machine cheat in casinos in California, Illinois, and Missouri. The hacker also leveraged the success of the teams to attempt to extort the slot machine manufacturer. Though the extortion attempt was unsuccessful, the hacker bragged to magazine that he continues to earn millions through the scheme.
Sports Betting
Since the U.S. Supreme Court’s 2018 decision striking down the federal Professional and Amateur Sports Protection Act in Murphy v. NCAA, 584 U.S. ___, some 24 states plus the District of Columbia have legalized sports betting, with as many as a dozen more expected to take up sports wagering legislation in 2021. Commentators predict that as many as 45 states may have legal sports betting within five years. A growing number of states, including Indiana, Iowa, Nevada, New Jersey, Pennsylvania, Rhode Island, and West Virginia, have also legalized online and mobile sports betting.
Legal wagers on Super Bowl LIV in 2020 exceeded $270 million (though legal wagers continue to be eclipsed by the illegal market; the estimated total wagers for the Super Bowl were over $6 billion, placed by some 26 million bettors). Industry experts estimated that five million people placed their bets—both legal and illegal—via online or mobile platforms.
Next on the calendar, of course, was March Madness—the NCAA men’s basketball tournament. The American Gaming Association had predicted over $10 billion in wagers ($295 million made legally) by over 50 million Americans and some 100 million people around the world. The tournament was cancelled due to the pandemic—as were all collegiate and major-league professional sports throughout the U.S., as well as globally, throughout the summer and into the fall. This only raised the stakes. Industry commentators predict that latent and pent-up demand for sports and sports gambling opportunities will generate wagers of similar or even larger amounts for Super Bowl LV in Tampa Bay, as well for as the recently announced “bubble edition” of March Madness taking place in Indiana in spring 2021.
As more states enter the legalized sports betting market, many of them have minimal regulatory experience as compared to Nevada, where sports betting has been legal and highly regulated for decades. Even fewer states have experience with regard to online and mobile betting, as federal law has permitted states to legalize online gaming only for the last decade or so.
Sports Betting and Data Security
Cybersecurity experts warn about the risks posed by the lure of the anticipated handle, both legal and illegal, around sports betting. While money laundering and theft are concerns, so are data breaches of customer information, which in the long run may be even more valuable—and more damaging—to patron and operator alike. The customer data collected by casinos often is extensive. Bettors may be required to provide date of birth, Social Security number, physical and email addresses, and other personal identifying information. They may also be required to create accounts with financial and banking information, along with passwords and security questions. Customer habits and preferences may be tracked through players club cards and apps. For online and mobile betting, age (sometimes via date of birth) and location data is also collected.
But sports betting also has other valuable data: sports data.
Sports books offer wagers not just on the outcome of the game (win or moneyline), but on the score (over/under, point spread) and special events (proposition bets, such as whether the game will go into overtime or whether a particular player will score a touchdown). In-play or live betting allows bettors to place wagers after an event has started and up to the time of its conclusion. The odds on all of these bets are driven by sports data on all features of the players, teams, contests, and leagues. The security of sports data is critical to the integrity of legalized sports betting. As sports betting has one of the slimmest margins of any casino games, the security of sports data also is critical to the financial risk inherent in a casino’s sports book.
Sports data also is an intellectual property asset. Leagues and teams have claimed ownership of sports data, with the business plan of selling their official data to data analytics companies and oddsmakers, or charging integrity or data rights fees to the gaming industry. For example, in 2018, MGM Resorts entered into a 3-year deal with the NBA to receive league-verified data for some $25 million, followed by similar deals between MGM and the NHL and MLB. But there are unsettled questions regarding ownership, copyright, and fair use. Broadcasts of sporting events may be copyrightable, but the live game likely is not. Prior cases, including NBA v. Motorola, Inc., 105 F.3d 841 (2d Cir. 1997) (broadcasts, not games, are copyrighted; facts derived from broadcasts are not copyrighted; a sports broadcast is not “hot news”), Morris Communications Co. v. PGA Tour, 364 F.3d 1288 (11th Cir. 2004) (a sports league may charge a fee for access to proprietary data without violating antitrust laws), C.B.C Distribution & Marketing, Inc. v. MLB Advanced Media, 505 F.3d 818 (8th Cir. 2007) (a fantasy sports operator’s use of baseball statistics in the public domain is protected by the First Amendment), and Daniels v. FanDuel, Inc., 909 F.3d 876 (7th Cir. 2018) (college athletes’ names, likenesses, and statistical data are “newsworthy” and may be used without an athlete’s permission), provide clear answers to issues that are increasingly significant, or even novel, in the post-Murphy legal environment as the legal sports betting industry—and its demands for data—expand.
Similar considerations and questions with regard to data security and intellectual property apply to DFS and esports.
Applicable Data Security Laws
While data protection, data privacy, and data-breach notification are recognized as critical dimensions of cybersecurity law, regulation, and policy, these issues have yet to be addressed in any comprehensive legislation in the U.S Not so elsewhere. The European Union’s comprehensive General Data Protection Regulation (GDPR) took effect in 2018. The GDPR regulates the processing of personal data within its territoriality requirements. Processing of personal data includes collection, use, storage, organization, disclosure, or any other operation performed on personal data. Personal data is defined as any information relating to an identified or identifiable person, including names, identification numbers, location data, IP addresses, etc. The GDPR’s territoriality requirements bring within its scope any organization with an “establishment” in the EU that processes personal data as part of that establishments’ activities.
As for the U.S., there is not yet a single, comprehensive federal data protection law. There are several federal laws that address data security in specific areas, including:
Children’s Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Consumer Financial Protection Act (CFPA)
Electronic Communications Privacy Act (ECPA)
Family Educational Rights and Privacy Act (FERPA)
Federal Trade Commission Act (FTC Act)
Health Insurance Portability and Accountability Act (HIPAA)
Fair Credit Reporting Act (FCRA)
These laws, however, speak to highly diverse forms of data and expectations of privacy, with divergent requirements for relevant industry actors.
States, however, have moved more rapidly to address privacy, cybersecurity, and data breaches, passing or at least considering hundreds of bills across all 50 states, territories, and the District of Columbia, many of which focus heavily on consumer protection. At least 25 states have laws addressing data security practices in the private sector, more than half of them passed in the last five years. Most states also now have data disposal laws, governing how companies destroy or render indecipherable the personal information obtained from customers and employees. The California Consumer Privacy Act (CCPA) is notable for its comprehensive approach, as it applies to most for-profit companies that do business in the state, and regulates all “personal information,” encompassing nearly any and all information that a business might collect from a customer.
Conclusion
The rapid expansion of legalized sports betting, as well as the emergent areas of DFS and esports, have created both opportunities and challenges for the business lawyer. In particular, online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise rapidly mounting issues and dynamic questions related to intellectual property and data protection, privacy, and security.
A business lawyer advising clients in these areas, or working directly in the gaming industry or with public officials who either have or claim a stake in the success of gaming regulation, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts as they merge with gaming law in retail casino operations and online or mobile wagering alike.
Fortunately, the ABA’s Business Law Section, including its Gaming Law, Intellectual Property, and Sports Law Committees, will continue to spotlight these issues as they arise and evolve.
The year 2020 was an unprecedented year, but one thing remained constant: the number of Fair Credit Reporting Act (FCRA) case filings continued to increase dramatically.[1] In addition to new filings, the year saw several key decisions handed down by federal courts, shedding light on diverse issues such as the matching procedures of credit reporting agencies (CRAs), Article III standing, the meaning of “maximum possible accuracy,” and preemption of state credit reporting laws. As FCRA cases continue to be filed with increasing frequency, CRAs, employers seeking to screen new hires, and other FCRA-regulated entities should examine these decisions and their consequences carefully. To that end, we’ve compiled the following list of ten key FCRA decisions of 2020.
Williams v. First Advantage LNS Screening Solutions
In January 2020, the Eleventh Circuit affirmed a $250,000 compensatory damages award and reduced a $3.3 million punitive damages award to $1 million in an individual mixed-file claim brought pursuant to section 1681e(b) of the FCRA.[2] In Williams, the plaintiff sued defendant First Advantage for alleged violations of the FCRA in connection with twice attributing the criminal background information of another individual to the plaintiff.
The court recognized that although First Advantage had a policy requiring use of a third identifier before attributing criminal information to a subject with a common name, evidence indicated that this policy was not followed in practice. Based on this evidence, the Eleventh Circuit affirmed the district court’s denial of First Advantage’s motion for judgment as a matter of law with respect to willfulness under the FCRA.
The court also affirmed the jury’s compensatory damages award but found that the $3.3 million punitive damages—at a ratio of 13:1 to the compensatory damages—was unconstitutionally excessive. The court noted that the Supreme Court had previously found that a 4:1 ratio was “close to the line” of unconstitutionality and that an award that exceeded a single-digit ratio was likely a violation of the Due Process Clause. Ruling that a 4:1 ratio was appropriate here based on the state court’s assessment of First Advantage’s conduct, the court reduced the award to $1 million.
As evidenced by Williams, challenges to matching procedures utilized by the background screening industry continue to be an area of focus in FCRA litigation. This decision is also significant regarding the availability (and constitutional limits) of punitive damages.
Ramirez v. TransUnion LLC
In February, the Ninth Circuit issued its decision in a class action case watched closely by consumer reporting agencies.[3]Ramirez involved a product offered by TransUnion to identify consumers with names designated by the Department of the Treasury’s Office of Assets Control (OFAC) as posing a national security threat. A jury ultimately awarded $8 million in statutory damages and $52 million in punitive damages to the class members, finding that TransUnion failed to comply with certain disclosure requirements under the FCRA. TransUnion appealed on various grounds, including that many of the class members lacked Article III standing.
On appeal, the Ninth Circuit held for the first time that “every member of a class certified under Federal Rule of Civil Procedure 23 must satisfy the basic requirements of Article III standing.” However, the court went on to rule that a “material risk of harm” was sufficient to confer standing to each class member. The Ninth Circuit held that “a real risk of harm arose when TransUnion prepared the inaccurate reports and made them readily available to third parties,” even though most class members’ reports were never actually disclosed to a third party.
The Supreme Court granted certiorari in December 2020, to consider “whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.”
Walker v. Fred Meyer, Inc.
In March, the Ninth Circuit issued important guidance for employers obtaining background checks on potential or current employees.[4] The plaintiff in Walker claimed that his employer violated the FCRA by not disclosing its background check process in a “clear and conspicuous” disclosure contained “in a document that consists solely of the disclosure.” Although the district court held the disclosure form signed by the plaintiff was a standalone document, the Ninth Circuit reversed, finding that certain provisions in the disclosure form referenced other rights under federal and state law and, in so doing, violated the FCRA’s requirement that the document consist “solely of the disclosure.”
The Ninth Circuit held that in addition to a “plain statement” that a report may be obtained for employment purposes, a standalone disclosure may include a “concise explanation” of that statement. The court cautioned, however, that the explanation must not be so long or confusing that it detracts from the disclosure or in any way makes the disclosure unclear and conspicuous.
Separately, the Ninth Circuit also affirmed that employers, in a pre-adverse action letter sent before taking action against an applicant or employee, are not required to provide employees or applicants with an opportunity to directly discuss a consumer report with the employer. Rather, it is sufficient for the employer to provide notice in a pre-adverse action letter that describes the consumer’s ability to dispute the completeness or accuracy of the information with the CRA.
Luna v. Hansen & Adkins Auto Transport, Inc.
In April, shortly after the Walker decision, the Ninth Circuit issued another decision interpreting the FCRA’s disclosure requirements for employers conducting background checks on potential hires.[5] Whereas Walker looked at the language of the disclosure, Luna focused on the format of the disclosure and its accompanying authorization.
The disclosure form in Luna was a separate page included within a larger group of application materials. The plaintiff argued that including the disclosure page alongside other materials violated the FCRA’s “standalone” requirement. The court rejected this argument, stating that while the disclosure itself cannot contain other unrelated information, “no authority suggests that a disclosure must be distinct in time, as well.”
The court in Luna also weighed in on the “clear and conspicuous” prong of the FCRA’s disclosure requirement—one of the issues left open in Walker. The court reiterated that a disclosure must be “readily noticeable” and in a “reasonably understandable form.” The court found the employer’s disclosure (featuring a bold, all-caps heading and simple explanatory statement) to meet the clear and conspicuous requirement, saying “applicants, such as big-rig truckers, can be expected to notice a standalone document featuring a bolded, underlined, capital-lettered heading.”
Finally, the Ninth Circuit also dispensed with the employee’s claim that the authorization for an employer to obtain a consumer report on an applicant also needed to be in a clear and conspicuous standalone document. The court found no statutory support for this position.
Davis v. C&D Security Management, Inc. et al.
In July, the Eastern District of Pennsylvania confirmed that a plaintiff lacks Article III standing to state a claim for violation of the FCRA premised solely on a failure to receive a copy of the background report and a summary of rights.[6] In Davis, the plaintiff applied for employment as a security guard with C&D Security and was ultimately denied the position twice. She brought suit on behalf of a putative class claiming that C&D Security failed to provide her with notice of the background check, a copy of her report, and a summary of her rights, as required under the FCRA.
Following Third Circuit precedent, the court held that Davis lacked an injury-in-fact since she ultimately became aware of her rights and timely brought suit against the employer. It cited the U.S. Supreme Court’s maxim in its landmark Spokeo decision that a bare procedural violation, divorced from any concrete harm, cannot satisfy the injury-in-fact requirement of Article III. Further, the court found that because Davis failed to establish her own standing, she could not seek relief on behalf of the putative class.
This decision highlights the critical role of Article III standing in FCRA cases, in both individual and class contexts. Companies defending FCRA class actions should consider standing issues at the forefront of the matter, rather than reserving them for the certification stage.
Moran v. The Screening Pros, LLC, et al.
Also in July, a California district court granted summary judgment in favor of a background screening agency, holding there was no willful or negligent violation of the FCRA despite the agency’s incorrect interpretation of the FCRA provision at issue.[7]
Plaintiff Moran filed suit after he was allegedly denied housing based on a screening report issued by The Screening Pros, LLC. The report included misdemeanor charges that had been filed ten years earlier but dismissed after six years, prior to the report. Moran argued that this violated the FCRA’s prohibition on reporting nonconviction adverse information older than seven years, pursuant to 15 U.S.C. § 1681c(a)(5). The district court dismissed the claim, holding that because the charges had only been dismissed six years prior, the dismissal fell within the seven-year period prior to issuance of the report. The Ninth Circuit reversed, holding that the seven-year reporting window for a criminal charge begins on the date of entry rather than on the date of disposition.
Despite this reversal, the district court granted summary judgment to The Screening Pros on remand because the violation of § 1681c(a)(5) was neither willful nor negligent. The district court’s holding was supported by the fact that this was an issue of first impression in the Ninth Circuit. FTC guidance available at the time the report was issued (but rescinded afterward) indicated that the seven-year reporting period ran from the date of the disposition.
While the decision in Moran was certainly favorable to the background screener defendant, courts are not likely to be as lenient moving forward, given that the holding in Moran was largely predicated on the fact that the FTC’s guidance was rescinded only after the report was issued.
Domante v. Dish Networks, LLC
In September, the Eleventh Circuit weighed in on the meaning of a “legitimate business need,” one of the permitted purposes for obtaining a screening report under § 1681b of the FCRA.[8] In Domante, the court held that requesting and obtaining a consumer report for verification and eligibility purposes is a legitimate business need under the FCRA.
Plaintiff Domante had previously filed and settled an FCRA suit against Defendant Dish Networks, LLC (Dish), after Domante’s personal information was stolen and used to open two accounts with Dish. To implement the terms of that settlement, Dish entered Domante’s personal information, including her Social Security number, into an internal system designed to prevent unauthorized accounts from being opened in the future.
When an attempt was made to open a new account using the last four digits of Domante’s Social Security number but a different name, Dish submitted the applicant’s information to a CRA to verify the applicant’s identity. The CRA matched the information with Domante and returned her credit report to Dish, which included Domante’s full Social Security number. Dish then blocked the application and requested that the CRA delete the inquiry from Domante’s credit record. Domante sued, arguing that Dish did not have a legitimate business need to pull her credit report because Dish knew or should have known that Domante was not the account applicant based on their prior settlement agreement.
The Eleventh Circuit noted that the false applicant provided only the last four digits of Domante’s Social Security number. Dish depended on the CRA’s credit report to obtain the full Social Security number for cross-checking with its internal records. Using the report for this verification and eligibility purpose was a legitimate business need.
A key takeaway for requesters of consumer credit reports is the importance of developing and maintaining internal verification and eligibility procedures that are consistent with the information contained in the requested report.
Consumer Data Industry Association v. Frey
In October, the district court of Maine held that the federal FCRA preempted burdensome credit reporting restrictions imposed by the Maine Fair Credit Reporting Act.[9] The Maine legislature passed two amendments to the Maine Fair Credit Reporting Act in 2019 prohibiting CRAs from including certain kinds of information in a consumer’s credit report. The amendments restricted reporting certain medical debts and debts that were the result of “economic abuse.” Both laws required CRAs to engage in extensive investigations of the underlying circumstances, conditions, and status of a consumer’s debts to determine whether those debts were reportable. The Consumer Data Industry Association (CDIA) filed suit, seeking declaratory judgment that both laws were preempted by the FCRA.
The court ruled in favor of the CDIA and held that the amendments were preempted by the FCRA. Engaging in a detailed analysis of the language and history of the FCRA’s preemption provisions, the court held that the FCRA preempted any state regulation of information contained in consumer reports. In doing so, the court rejected the narrower construction advocated by the state of Maine that would limit preemption to the specific types of information already regulated by the FCRA.
The court’s analysis in Frey will have important ramifications for other states seeking to impose their own restrictions on consumer credit reports and for any other present or future preemption claims against states by CRAs, furnishers and users. The state of Maine has filed an appeal of the district court’s decision, which will give the First Circuit an opportunity to rule definitively on this issue.
Settles v. Trans Union, LLC
The year 2020 saw an influx of complaints alleging that the “current pay status” reported by a furnisher is inaccurate when an account that was delinquent when closed is reported with a historical delinquency status. Settles was one such case where the theory was soundly rejected.[10]
In Settles, the plaintiff was overdue on his account by 120 days when his account was closed. His credit report showed that his account was closed, and the account balance was $0. However, the pay status reflected 120 days past due. The plaintiff brought suit claiming that this was materially misleading because the account could not be past due while also having a $0 balance. The court held that the reporting was not inaccurate or misleading. The court noted that it must look at the accuracy of the report as a whole, taking into account relevant context. It listed several cases holding that reporting historical data is not inaccurate.
This decision and others like it underscore that the inclusion of accurate historical account information on credit reports is allowable and not misleading, even when the current account information is different from the historical information and may even appear contradictory on its face.
Erickson v. First Advantage Background Services Corp.
Addressing a recurring issue bedeviling the background screening industry, the Eleventh Circuit confirmed in December that it is not inaccurate for a CRA to report a criminal or sex-offender record without matching the record to a subject consumer, as long as the CRA notifies the user of the report that the record needs further investigation before being attributed to the consumer.[11]
Plaintiff Erickson applied to be a Little League coach and was subjected to a background check. Unfortunately, his report identified a sex offender record of his estranged father, with whom he shared his name. In releasing the report, First Advantage explained to Little League that it was a name-only match and that further review was necessary to determine if the record belonged to Erickson. Erickson nevertheless filed suit, arguing that First Advantage violated the FCRA’s requirement that a CRA “follow reasonable procedures to assure maximum possible accuracy” of reported information. The district court ruled against him.
On appeal, the Eleventh Circuit weighed in on a debate that has reached several circuit courts: whether the FCRA’s “maximum possible accuracy” requirement demands more than technical accuracy. The court held that it does, following a plurality of circuit courts by holding that the FCRA requires reported information to be both factually true and “unlikely to lead to a misunderstanding.”
Despite rejecting a lenient test in favor of a more stringent one, the court affirmed that First Advantage’s report was neither inaccurate nor objectively misleading because no reasonable user in the shoes of the report’s intended user would be misled. The court focused on First Advantage’s cautionary disclaimer that further review was required. CRAs seeking compliance tips should note carefully the notifications First Advantage gave to the users of its reports, which the court found to be clear.
Conclusion
FCRA litigation continues to increase. With increased caseloads comes increased precedent, and going forward, we continue to expect to see more and more published FCRA decisions.
[1] WebRecon LLC, WebRecon Stats for Oct 2020 & Year-End Projections, https://webrecon.com/webrecon-stats-for-oct-2020-year-end-projections.
[2] Williams v. First Advantage LNS Screening Solutions, Inc., 947 F.3d 735 (11th Cir. 2020).
On September 4, 2020, in ABC Corporation I, et al. v. The Partnerships and Unincorporated Associations Identified on Schedule “A,” the U.S. District Court for the Northern District of Illinois held that plaintiffs could not conceal their identities in patent infringement suits by filing suit under pseudonyms. The plaintiffs had filed using pseudonyms to avoid tipping off the defendants and giving them the opportunity to reorganize under new seller aliases and to evade prosecution.
The plaintiffs create, manufacture, and sell products with patented designs. They anonymously filed a complaint, including exhibits under seal, alleging that the defendants had infringed plaintiffs’ patented designs. The plaintiffs alleged that the defendants were selling infringing products to consumers in Illinois and the United States through online stores that misleadingly portrayed the defendants as authorized online retailers. The plaintiffs asserted that the defendants regularly registered or acquired new seller aliases to conceal their identities and avoid the cessation of their business operations.
After the complaint was filed, the Northern District of Illinois issued an order to show cause why the documents should not be unsealed and why the complaint should not be stricken because the plaintiffs filed under pseudonyms. In response to the order, the plaintiffs cited Doe v. Village of Deerfield, which provided that with leave of the court, a party may file anonymously if there are “exceptional circumstances.” Such exceptional circumstances must outweigh both the public policy in favor of identified parties and the prejudice to the opposing party that would result from anonymity. Examples include, but are not limited to, the need to protect state secrets, trade secrets, or victims of abuse, as well as “a party’s allegation of fear of retaliation.”
Here, the plaintiffs’ theory for filing anonymously was to prevent the defendants from receiving advance notice of the lawsuit and creating new, fictitious seller names, thus evading the case. However, according to the court, this reasoning did not meet the necessary burden to proceed anonymously in the patent infringement case because the defendants could use new fictitious seller names even after the court issued a temporary restraining order. The court went on to hold that “[a] patent infringement case, without more, is not enough of a reason to circumvent the public disclosure requirements of the Federal Rules.” As a result, the complaint was stricken, and the court granted the plaintiffs leave to file an amended complaint reflecting the actual names of the entities.
The court’s decision further fleshes out “exceptional circumstances” in the context of intellectual property cases, excluding the desire to avoid tipping off an elusive defendant as a sufficient basis for filing a lawsuit anonymously. Consequently, in the absence of compelling grounds in favor of anonymity, plaintiffs may be required to provide their actual names in court filings related to patent infringement, despite any risks or fears associated with doing so.
Although filing a patent case as an anonymous plaintiff may not be an option unless exceptional circumstances can be shown, an alternative that might thwart a defendant’s evasion is to file a motion for a temporary restraining order contemporaneously with the complaint to maintain the status quo of the case. Contrary to the plaintiffs in ABC Corporation I who filed a complaint with the intention of later seeking a temporary restraining order, patent owners who file a complaint in conjunction with a motion for a temporary restraining order may successfully prevent defendants from removing any evidence of infringement and resurfacing under new seller aliases.
In addition to contemporaneously filing a complaint and a motion for a temporary restraining order, patent owners may notify third-party e-commerce websites and request the permanent removal of the seller and/or the infringing material. E-commerce companies, such as Amazon and Alibaba, provide platforms where owners may anonymously allege infringement of their patented works and report concerns with inappropriate listings, other sellers, and policy violations. Once a report is submitted, it is then evaluated through a multistep process that may result in the resolution of the alleged conflict. Such an option allows patent owners to potentially avoid the significant expense of federal litigation and seamlessly seek protection of their works without disclosing their names or any other identifiable information to the infringers. It would likely be more difficult for an infringer to evade the likes of Amazon with whom it already has a relationship as an Amazon seller.
Recognized international human rights have traditionally been framed in terms of the duties and obligations of states under treaties and other instruments and elements of international human rights law.[1] The main concern of human rights activists has generally been vertical protection, which refers to ensuring that individuals and groups get protection and required services and resources from the state. In the past, relatively little or no attention was paid to businesses’ responsibility for human rights. Many business ethicists were skeptical about whether businesses had any ethical responsibilities, and they noted that it was difficult and unfair to identify responsibilities in this area when the concept of human rights was so difficult to describe. Others clung to the traditional argument that states had exclusive responsibility with regard to human rights and that the role of businesses should be confined to complying with the laws and regulations promulgated by states with respect to workplace conduct, use of natural resources, and the like.[2]
In recent years, however, the criticism of businesses that accompanied the globalization that dominated the last decades of the twentieth century has shifted more and more attention to horizontal protection, which refers to individuals obtaining protection or services from nonstate actors such as businesses, nonstate armed groups, the media, and other people, groups, or institutions. For example, protecting women and children from violence in their homes; improving conditions for workers in factories, offices, and other workplaces; and reducing pollution from operations damaging the health of people living in surrounding communities must be addressed by strengthening horizontal protections and imposing higher human rights duties and responsibilities on businesses. These duties go beyond simply complying with the domestic laws and regulations of the countries in which businesses have made an affirmative choice to operate. The pressure to hold businesses, as well as states, accountable for human rights duties and obligations was exacerbated by highly publicized events such as the chemical gas leak at Union Carbide’s Bhopal pesticide plant in 1984 that killed thousands in India, the catastrophic Exxon Valdez oil spill in 1989, disclosures of child labor abuses among the supply chains of well-known global apparel and footwear companies, and the complicity of Western mining, oil, and gas companies in the violence perpetrated by governmental security forces in developing countries.[3]
The day-to-day operational activities and strategic decisions of businesses inevitably have an impact, both positive and negative, on one or more universally recognized human rights. On the positive side, businesses create jobs that provide workers and their families with a higher standard of living and give them the financial resources to pursue education and leisure. These businesses, having direct control over their operations, can take steps to make progress on fundamental human rights topics such as discrimination, sexual harassment, health and safety, and privacy. The philanthropic activities of businesses can also support the efforts of states and other nonstate actors such as nongovernmental organizations (NGOs) to alleviate poverty and improve education and housing conditions. Many businesses have been acknowledged and praised for the unique role they play in society as the creators of wealth, sources of employment, deliverers of new technologies, and providers of basic needs.[4]
At the same time, businesses, fixated on profits as their main and often seemingly exclusive goal and purpose, have repeatedly treated their workers poorly, engaged in dangerous or corrupt business activities, polluted the environment, developed and marketed products and services that harm consumers, and overseen development projects that have displaced or marginalized communities. Concern over these negative impacts of business activities has increased as corporations themselves have grown in size to the point where many of them are larger than some nation states. Moreover, as states struggle to balance their own budgets and provide their citizens with services that are part of basic human rights, they are turning to business for assistance. This trend has raised further concerns about whether companies can assume and carry out these responsibilities in an ethical fashion with due respect for human rights.
In this scenario, three key questions have emerged and are being hotly debated by a wide range of stakeholders around the world in a variety of forums: (1) What should be the appropriate scope of human rights duties and obligations for businesses and other nonstate actors; (2) how should those duties and obligations be formalized; and (3) what role should the state take in enforcing the human rights duties and obligations imposed on businesses and nonstate actors, and how should that role be integrated into the existing international human rights framework (e.g., a treaty)?[5] It is certainly true that some businesses have no interest in being held accountable for the human rights impacts of their activities and will never voluntarily participate in formulating laws, regulations, and standards that might hold them responsible for their violations of human rights. It is also likely, however, that progress toward viable formulations of the duties and responsibilities of businesses with respect to human rights is being hampered by a lack of consensus among states, businesses, multigovernmental organizations, NGOs, community groups, human rights activists, and other interested parties on how to frame and address key fundamental questions. Chief among such questions are what are human rights; who should be responsible for human rights; which human rights, if any, should businesses be responsible for; and what should be the scope of that responsibility?[6]
Articles 29 and 30 of the UN Declaration of Human Rights specify that no state, group, or person (presumably including business enterprises such as corporations) can infringe upon human rights. Building on that basic concept, it seems easy to arrive at the position that businesses should not knowingly expose their workers to dangerous working conditions or rely on forced labor, but even in these areas progress has been slow. However, looking at business activities through a human rights lens has raised novel and challenging questions when those activities bring into play rights that have traditionally been assigned to and carried out by the state:[7]
Social media businesses have been allowed to make their own decisions regarding the communications activities of visitors to their sites and can remove those communications if they violate policies created and enforced solely by the business. When a social media business removes a communication, does it violate the user’s freedom of expression, and should the business have a legal duty not to infringe on users’ freedom of expression?
Does a restaurant that fails to provide food to a homeless person who comes into the restaurant and asks for food infringe on the homeless person’s human right to be free from hunger, and should restaurants have an affirmative legal duty to provide food in such situations?
Does a utility company that provides electricity or water to households have a duty and obligation, based on human rights principles, to continue providing services to households that are unable or unwilling to pay? Similarly, do hospitals have a duty to provide emergency medical services to patients without insurance or other means to pay for such services?
In each of these situations, the question is whether human rights duties imposed on states should also be applied to nonstate actors such as businesses. In some cases, the first steps have been left to the businesses themselves. Such has been the case with social media businesses that make their own decisions regarding political advertising on their sites and how they can use data collected from visitors to the site within the business and shared with outside parties. Some states, pushed by a range of stakeholders, including consumers and human rights activists, are now beginning to realize that leaving these issues to businesses is untenable. It may be too early, however, to reliably predict the ultimate resolution. An obvious problem in several cases is whether and how imposing human rights obligations on businesses will impact their ability to remain in business and create positive human rights impacts for their stakeholders. (For example, a restaurant required to fulfill the unmet needs of homeless people in its community for food may eventually be unable to achieve the minimum level of profitability necessary to remain in business. This will cause workers to lose their jobs, reduce the revenues of their suppliers, and deprive governments of tax revenues that could be used to provide other support and assistance to the homeless community.)
The International Organization for Standardization (ISO), a worldwide federation of national standards bodies, developed ISO 26000 Guidance on Social Responsibility to serve as a guide for organizations based on principles of social responsibility. ISO 26000 highlights the social responsibility and engagement of stakeholders; the seven core subjects and issues pertaining to social responsibility, the second of which is human rights; and ways to integrate socially responsible behavior into the organization.[8] ISO 26000 maintains that states have a duty and responsibility to respect, protect, and fulfill human rights and that organizations have the responsibility to respect human rights by identifying and responding to members of vulnerable groups within their sphere of influence. This guideline points out that the responsibilities of organizations with respect to human rights are independent of the duties and obligations of the state, which means that organizations must act regardless of whether the state is unable or unwilling to fulfill its duty to protect. At a minimum, organizations should avoid passively accepting or actively participating in the infringement of the rights of others, a duty that can only be discharged by undertaking due diligence. Moreover, while the baseline responsibility for businesses and other nonstate organizations is to respect human rights, they need to take into account stakeholder expectations that go beyond respect. They may also want to make affirmative contributions to the fulfillment of human rights for their own sake.
The overall landscape relating to business and human rights has been transformed over the last few decades. Businesses now have access to specialized groups formed to provide assistance to companies in operationalizing human rights (e.g., the Business and Human Rights Resource Centre, the Global Business Initiative on Human Rights, Business for Social Responsibility, the Danish Institute for Human Rights, the Institute for Human Rights and Business, and Shift). States have responded to calls to strengthen their actions relating to human rights protection by developing and adopting national action plans on business and human rights. In addition, national human rights institutions (NHRIs), such as national human rights commissions, have shifted more of their attention toward business and human rights and are providing platforms for discussions among the key players, including businesses, government officials, and representatives of civil society.[9] NGOs, community groups, and human rights activists around the world continue to monitor the conduct of businesses relating to human rights, publicizing abuses, organizing consumer boycotts, initiating lawsuits, and participating in complaint mechanisms established in various human rights standards to facilitate the resolution of disputes.[10]
This article is an excerpt from the author’s new book, Business and Human Rights: Advising Clients on Respecting and Fulfilling Human Rights, published by the ABA Section of Business Law. More information on the book is available here.
[1] Alan S. Gutterman is a business counselor and prolific author of practical guidance and tools for legal and financial professionals, managers, entrepreneurs,, and investors on topics including sustainable entrepreneurship, leadership and management, business law and transactions, international law, and business and technology management. He is the co-editor and contributing author of several books published by the ABA Business Law Section, including The Lawyer’s Corporate Social Responsibility Deskbook, Emerging Companies Guide (3rd Edition), and Business and Human Rights: A Practitioner’s Guide for Legal Professionals. Alan is also currently a partner of GCA Law Partners LLP in Mountain View, California (www.gcalaw.com). More information about Alan and his work is available at his personal website at www.alangutterman.com.
[2] G. Brenkert, Business Ethics and Human Rights: An Overview, Business and Human Rights Journal 1, 277 (2016).
[3] The movement to focus attention on the impact of businesses on the environment and people actually has its roots earlier, in the 1960s and 1970s, with the formation of new activist organizations such as the World Wildlife Foundation (1961), Friends of the Earth (1971), and Greenpeace (1971). K. Earley, From Reactionto Purpose: The Evolution of Business Action on Sustainability, The Guardian (October 31, 2017).
[4] C. Mayer, Prosperity: Better Business Makes the Greater Good (2019).
[5] 1 An Introduction to Human Rights in Southeast Asia 17–18 (A. Sharom, J. Purnama, M. Mullen, M. Asuncion, and M Hayes eds., 2018).
[10] Id. (noting availability on information on a number of leading business and human rights lawsuits on the Corporate Legal Accountability Portal of the Business and Human Rights Resource Centre).
Connect with a global network of over 30,000 business law professionals
