Commercial Litigation Update

A federal judge recently concluded that the defendant in a white-collar securities dispute may not claim that his conversations with the artificial intelligence (“AI”) tool, Claude, are privileged. Litigators and clients now must take heed.

Biometric technologies—such as fingerprint scanners, facial recognition systems, and retina scans—are now commonplace in modern business operations. From employee timekeeping systems to facility security and customer-facing applications, these tools offer efficiency and convenience for many businesses. But these same conveniences have sparked backlash in the form of privacy litigation. In Illinois especially, companies are facing a surge of class-action lawsuits under the state’s Biometric Information Privacy Act (“BIPA”), a pioneering law that imposes strict requirements on the use of biometric data and hefty penalties for companies failing to adhere to the law. This trend is not confined to Illinois: a growing patchwork of similar laws in other states means that using biometrics without proper safeguards can expose companies nationwide to significant statutory damages and legal risks.

Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.

Last week, FINRA published its 2022 Report on its Examination and Risk Monitoring Program (the “Report”), identifying key areas of focus for broker-dealer exams this year. The Report contains many of the same areas of focus as last year’s report, including anti-money laundering, cybersecurity, Reg BI and Form CRS, communications with the public, best execution and segregation of customer funds. Although the Report again identifies these general areas, it identifies new concerns and recent examination findings in those areas. In an effort to be user friendly, the Report highlights that new content in bold and identifies new areas for 2022. A key takeaway from the Report is the continued challenges posed by technology.