Vol. 73 No. 1 -- Winter 2017/2018

  January 2018

Articles

Business & Corporate

SEC Cybersecurity Guidelines: Insights Into the Utility of Risk Factor Disclosures for Investors

73(1): 1-34 (Winter 2017/2018) In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign.

Business & Corporate

Public Company Virtual-Only Annual Meetings

73(1): 35-52 (Winter 2017/2018) Public companies traditionally hold annual shareholder meetings using a formal in-person format. Some companies have more recently supplemented the meeting with audio or video streaming and are now adding an electronic component to a physical meeting to allow for remote participation, commonly referred to as a “hybrid meeting.” A relatively small but fast-growing number of companies are holding their annual shareholder meetings on an electronic-only basis with no physical meeting, known as a “virtual-only meeting.” This article discusses the legal landscape for virtual-only meetings, briefly reviews the history of the practice, and explores the controversy they present with certain institutional investors and activists. Its objective is to provide an initial roadmap of legal and practical considerations for companies considering virtual only shareholders meetings.

Business & Corporate

Death by Auction: Can We Do Better?

73(1): 53-84 (Winter 2017/2018) The purpose of a business divorce is to sever the business relationship between or among the owners of the business. The most common judicial means of achieving this goal is a state dissolution statute. Most state dissolution statutes empower courts to sever the business relationship through various means. Some states even permit the entity or the other equity interests to avoid dissolution by exercising a statutory right to buy out the plaintiff’s interests.

Business & Corporate

Securities on Blockchain and the Uniform Commercial Code

73(1): 85-108 (Winter 2017/2018) This article initially provides a high-level description of blockchain technology intended to be accessible to those without a technical background, and illustratively describes an existing blockchain system that already evidences securities issued and being traded. The article then sets forth and analyzes how Article 8 of the Uniform Commercial Code covers blockchain securities as “uncertificated securities.” Finally, the article provides guidance to corporate lawyers faced with giving a legal opinion relating to the issuance and sale of securities on a blockchain.

Business & Corporate

Crypto Transaction Dispute Resolution

73(1): 109-152 (Winter 2017/2018) The rapid evolution of anonymous, autonomous, and distributed blockchain-based smart contracting creates friction and enforceability issues with existing legal and jurisdictional principles, calling the future governance of blockchain technology into question. The effective governance of blockchain technology and smart contracting is essential to ensuring its continuing evolution. Based on the mathematical principles underlying the disposition of blockchains, we propose and evaluate an alternative approach to the existing legal exercise of jurisdiction that is inherent in blockchain technology itself. We call this “distributed jurisdiction.”

Survey

Survey

Business & Corporate

Survey - Cyberspace Law

73(1): 173-303 (Winter 2017/2018) As all business lawyers understand, the Internet is just as central to the realm of commercial transactions. Keeping current with cyberlaw developments is imperative for any lawyer who advises business clients, and the Cyberspace Law Committee is here to help. This year’s survey, covering the year ending May 2017, includes four subject areas: privacy and data security, intellectual property, contracting and payments, and consumer protection.

Business & Corporate

Survey of the Law of Cyberspace: An Introduction

73(1): 173-176 (Winter 2017/2018) As all business lawyers understand, the Internet is just as central to the realm of commercial transactions. Keeping current with cyberlaw developments is imperative for any lawyer who advises business clients, and the Cyberspace Law Committee is here to help. This year’s survey, covering the year ending May 2017, includes four subject areas: privacy and data security, intellectual property, contracting and payments, and consumer protection.

Business & Corporate

Privacy Developments: Private Litigation, Enforcement Actions, and Settlements

73(1): 177-190 (Winter 2017/2018) Over the last year there have been several record-setting settlements in privacy related litigation. Privacy litigation has continued apace, while the Federal Trade Commission (“FTC”) has sought to expand its enforcement role. Unsurprisingly, privacy compliance remains a fast-developing area of the law with significant traps for unwary businesses. This survey reviews some of the key developments in these areas over the past year.

Business & Corporate

Unauthorized Access to Computerized Information

73(1): 199-206 (Winter 2017/2018) During the year covered by this survey, several court decisions dealt with intrusions into computer systems that were challenged under various laws. Parts II and III of this survey focus on use of another’s password and what constitutes loss under the Consumer Fraud and Abuse Act (“CFAA”). Part IV covers two class actions filed against tech giants for interception of e-mails in transit for the purpose of targeting advertisements. Part V addresses a case involving undisclosed sharing of children’s online video viewing data. Finally, Part VI provides an update on a proposed amendment to the Electronic Communications Privacy Act (“ECPA”).

Business & Corporate

Some Aspects of the EU’s New Framework for Personal Data Privacy Protection

73(1): 207-214 (Winter 2017/2018) This survey will first briefly describe the role of the Data Protection Officer (“DPO”), introduced by the European Union’s new General Data Protection Regulation (“GDPR”), which will enter into force on May 25, 2018. The discussion of DPOs will draw from the Guidelines on Data Protection Officers (“Guidelines”) issued by the Article 29 Working Party (“Art. 29 WP”).3 Second, the survey will address the new Privacy Shield framework that governs data transfer from the EU to the United States.

Business & Corporate

New York State Rule Reaches Beyond the State’s Borders in Requiring Corporate Boards to Implement Cybersecurity Protections

73(1): 239-242 (Winter 2017/2018) In December 2016, responding to the surge of cyber-attacks targeting financial services institutions, the New York State Department of Financial Services (“DFS”) promulgated a rule (“DFS Rule” or “Rule”), titled Cybersecurity Requirements for Financial Services Companies, that will require financial institutions “to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

Business & Corporate

Developments Related to the Safe Harbors Under the Digital Millennium Copyright Act

73(1): 243-258 (Winter 2017/2018) This contribution to the Annual Survey examines how the desire to hold intermediaries accountable has played out within the context of the DMCA. The last year has seen both efforts by rights holders to erode the protections of the safe harbors and new procedures that raise the burdens on service providers seeking to qualify for them. But it has also seen courts recognize the important First Amendment considerations that Internet access implicates.

Business & Corporate

Cyberspace-Related Patent Developments

73(1): 259-266 (Winter 2017/2018) The October 2016 Supreme Court term included only a few patent matters, most notably extending Kirtsaeng’s copyright exhaustion doctrine to patents. In the meantime, the Federal Circuit—the appeals court for most patent litigation—has continued to refine the Supreme Court’s broad-stroke pronouncements into more concrete guidance, refining post-grant reviews and patent subject matter eligibility, particularly for software-related patents.

Business & Corporate

A Snapshot of Online Contracting Two Decades After ProCD v. Zeidenberg

73(1): 267-276 (Winter 2017/2018) The following mid-2016 to mid-2017 snapshot confirms the courts’ reluctance to deny formation of integrated contracts in the online context: they generally found enforceable those schemes that included a click-to-agree button near a means to view the terms, and also looked for (and generally found) constructive notice of terms in browsewrap or sign-up-wrap schemes that did not expressly tie continued use to acceptance of the terms. However, while unconscionability boundaries have been argued to and stated by the courts, the overwhelming proportion of online contracting decisions have enforced arbitration, choice-of-forum, and class-action waiver clauses. There has been no significant change in the landscape.

Consumers

Two Steps Forward, One Step Back: Developments in the Law Affecting Electronic Payments and Financial Services

73(1): 277-288 (Winter 2017/2018) This survey reports on (1) the proposal by the Office of the Comptroller of the Currency (“OCC”) regarding “fintech” charters, which states have challenged in actions still pending; (2) changes to Regulation CC regarding remote check deposit and disputes over altered or forged checks; (3) the Supreme Court’s decision in Expression Hair Designs, which may create the potential for challenges to required regulatory disclosures; (4) a modification by the Internal Revenue Service (“IRS”) of its demand for Bitcoin user information from a virtual currency exchange, after facing court challenges and congressional inquiries; (5) new payroll card regulations in Connecticut, Pennsylvania, and New York—with the New York rule being invalidated by another state agency, throwing the whole controversy into the state courts; (6) recent enforcement actions by the Consumer Financial Protection Bureau (“CFPB”) and Federal Trade Commission (“FTC”) regarding unfair and deceptive acts and practices; and (7) the CFPB’s “final rule” regarding prepaid accounts.

Business & Corporate

Recent FTC Regulation of the Internet of Things

73(1): 289-294 (Winter 2017/2018) The Federal Trade Commission (“FTC”) defines the Internet of Things (“IoT”) as “the ability of everyday objects to connect to the Internet and to send and receive data.” As of 2015, there were approximately 25 billion devices connected to the Internet, and experts estimate that, by 2020, there will be 50 billion devices. While the IoT offers consumers convenience and connectivity, the information collected by these devices is not necessarily secure. These security risks could be exploited by hackers to gain unauthorized access to personal information, facilitate attacks on other programs, and create risks to personal safety. In addition, because many IoT devices collect personal information, their spread raises privacy concerns. As a result of these recognized risks, the FTC has brought a series of actions against companies in the IoT industry for the unauthorized gathering of personal information and for failing to adequately secure that information once gathered.