Normalizing U.S. Relations with Cuba: What is ahead?

On December 17, President Obama announced that he will take steps to normalize relations with Cuba, prompting questions about what this means for an island nation that has existed under a Cold War-era embargo for more than 50 years. The announcement indicates a dramatic shift in U.S. foreign policy toward Cuba, affecting not only diplomatic relations but also U.S.-Cuban economic ties and travel. Mr. Obama, however, carefully pointed out that the shift in U.S. policy will begin with executive action. The U.S. embargo against Cuba is codified in legislation, meaning that Congress must act to lift these sanctions entirely. Close observers of congressional politics may agree that this will probably present a challenge to normalization.

Click here for the issued Client Alert.

EU Art. 29 Proposes Class Actions to Enforce Privacy Rights

This post was written by Cynthia O’Donoghue.

This month, the Article 29 Data Protection Working Party (Working Party) and the French Data Protection Authority (CNIL) held the European Data Governance Forum, an international conference focusing on the issues of privacy, innovation and surveillance in Europe. The conference highlighted many of the issues raised in the Joint Statement released by the Working Party in November.

The Joint Statement emphasises the need to address “both the lack of confidence in (foreign or national) governments, intelligence and surveillance services, as well as the underlying problem of how to control access to massive amounts of personal data” in this digital age.

The Working Party proposed a series of principles and actions to create a framework enabling “private companies and other relevant bodies to innovate and offer goods and services that meet consumer demand or public needs, whilst allowing national intelligence services to perform their missions within the applicable law but avoiding a surveillance society”.

Some the key messages suggested by the Working Party include:

  • Protection of personal data as a fundamental right
  • Strengthening public awareness and individual empowerment to help individuals limit their exposure to excessive surveillance
  • No secret, massive and indiscriminate surveillance

The use of surveillance systems can be seen as privacy-intrusive, whereas establishing an effective privacy framework focused on transparency, accountability and restoring trust, can act as a counterbalance.

Privacy Authorities Urge Mobile Apps to Implement Privacy Policies

This post was written by Cynthia O’Donoghue.

In December, 23 privacy authorities – many of which are members of the Global Privacy Enforcement Network (GPEN) – signed an open letter to the operators of seven app marketplaces, urging them to improve consumers’ access to privacy information on mobile apps.

The letter states that:

  • Mobile apps that collect data in and through mobile devices within an app marketplace store must provide users with privacy practice information (for example, privacy policy links)
  • Privacy policy links must clearly inform users about the collection and use of their data before they download the app
  • Marketplace operators must implement the necessary protections to ensure the privacy practice transparency of apps offered in their stores

This letter comes in light of this year’s privacy sweep which we reported on in September. One observation of particular concern was that 85% of the mobile apps reviewed failed to explain clearly how they were collecting, using and disclosing personal information.

With the proliferation of apps, it is clear that privacy and data protection authorities are keen to ensure that apps provide transparency to consumers, and a good privacy policy may help app developers to stand out from the competition.

Oregon Breach Notification Law Changes on the Horizon

This post was written by Divonne Smoyer and Christine Czuprynski.

On December 10, Oregon Attorney General Ellen Rosenblum testified in front of the joint Oregon Senate and House Judiciary Committee on the evolving nature of not only data collection and use, but also on cybersecurity incidents and hacking, and the need to amend the Oregon data breach notification law to provide enforcement authority to the state Department of Justice. Extending enforcement authority to the attorney general’s office within that department will allow the attorney general to use the state’s Unlawful Trade Practices Act to enforce failures-to-notify and other violations of the statute.

In seeking enforcement authority, Attorney General Rosenblum is also asking that the law be amended to require breached entities to notify the state Department of Justice. The law requires notification to affected individuals, and to the consumer reporting agencies under certain circumstances, but at this time does not require notification to any state regulator. Currently, 15 states require breached entities to notify the state attorney general or other regulators, and New Jersey requires notification to be made to the state police.

For example, California requires notification to the state attorney general when a data breach affects more than 500 California residents. Once received, California posts the notifications on its website for public review. Using the information it has received in these breach notification letters, California has produced two breach reports – the most recent released in October 2014 – that highlight the most common types of breaches, the type of information stolen in breaches, and which industry sectors are victimized by breaches most often.

The attorney general is also working to expand the definition of “personal information,” the loss of which requires notification under the law. The changes contemplated in Oregon follow a current trend among the states to add biometric data, as well as medical and health information, to the list of the type of information that, if breached, triggers the notification statute.

One Year Later: Consumers Can Proceed Against Target in Data Breach Lawsuit

This post was written by Paul Bond and Christine Czuprynski.

On the one-year anniversary of Target’s announcement that it had suffered a massive data breach, Judge Magnuson in the District of Minnesota cleared the way for a consumer class action against the retailer to move forward into discovery. Earlier this month, the court ruled that the financial institution class actions can also proceed.

In the consumer case, Target argued that the plaintiffs failed to allege injury, and thus had Article III standing to proceed with the suit in federal court. The court found that consumers did claim enough injury to proceed, citing to their allegations that they suffered “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” The judge also will allow the consumers to pursue their claims for injunctive relief, by which plaintiffs seek to force Target to adopt new information security measures. The judge will allow the consumers discovery as to Target’s duty to disclose, and how well it performed that duty.

The judge analyzed state consumer protection and data breach notification laws of each state, demonstrating the complexity of this multi-district litigation. The consolidated consumer class action alone involves 114 named plaintiffs from all but five states, and asserts theories under 50 states’ laws. When Target raised the issue of standing in the five states with no named plaintiff resident, the court ruled that such an Article III standing analysis was premature at the motion-to-dismiss stage, and could be reassessed after the class-certification stage.

In the course of this decision, Judge Magnuson gave Target a few concessions, dismissing certain claims under certain state laws, and indicated as to many points that Target would be able to later assert their defenses. Judge Magnuson dismissed with prejudice the consumers’ bailment claim, which alleges that consumers trusted Target with their personal information as property. The judge also dismissed the unjust enrichment claim that was based on a theory that plaintiffs were overcharged for goods at Target because the goods included a premium for adequate data security that did not exist. However, the court allowed plaintiffs to proceed with the unjust enrichment claim based on the theory that had Target notified customers in a timely manner, plaintiffs would not have shopped at the store, and thus Target was not entitled to receive the money plaintiffs spent at the store.

EU Council Agrees on Partial General Approach to General Data Protection Regulation

This post was written by Cynthia O’Donoghue.

At the latest meeting in Brussels, Justice ministers agreed on a partial general approach. Andrea Orlando, Italy’s Minister for Justice and President of the Council, expressed the importance of this consensus on one of the “most politically sensitive issues on data protection reform”.

The press release states that the partial general approach includes articles which “are crucial to the question of the public sector (Article 1, Article 6, (paragraphs (1) and (2), Article 21) as well as chapter IX … and the latest recitals”. Chapter IX examines personal data processing for statistical, scientific and medical research purposes, as well as provisions dealing with freedom of expression, employment and social protection.

Despite consensus, the press release also states that the agreement was reached on the basis that:

  • Nothing is agreed until everything is agreed
  • It is without prejudice to any horizontal questions
  • It does not mandate the Council Presidency to engage in informal trialogues with the European Parliament on the text

In light of this, it appears that adoption of the Data Protection Regulation may not happen until 2016.

UK Public Authority Forced To Identify Private Sector Consultant Under Freedom of Information Act

This post was written by Kate Brimsted and Cynthia O’Donoghue.

The First Tier Tribunal General Regulatory Chamber (Information Rights) (the “FTT”), in the case of Alan Matthews v Information Commissioner [2014] EA/2012/0147, ruled that – despite being “personal data” – the name and qualifications of a private consultant should be released in response to a request under the Freedom of Information Act 2000 (“FOIA”). This overturned a June 2012 decision by the Information Commissioner (the “ICO”) that such information was exempt from release.

In 2011, an FOIA request was made by an individual, Alan Matthews, who had been unsuccessful in a bidding process to a now-defunct Local Development Agency, Business Link West Midlands Ltd (“Business Link”). An independent consultant had advised on the design of Business Link’s tendering process, and the individual believed it to be flawed.

The ICO then ruled that the identity of the consultant was exempt information under s40(2) FOIA, as it was personal data, and disclosure would contravene the principles of the Data Protection Act 1998.

In this appeal, the FTT ruled:
“…we believe there is a significant public interest in the disclosure of the identity of a consultant whose approval of a public contract tendering process is relied upon by a public authority to provide assurance as to its effectiveness and fairness. Against that we do not think that an individual accepting a role in the design and operation of such a process should expect to remain anonymous. He or she has taken on a public role and should expect to be answerable, alongside his or her client, for their respective roles in the project.”

Public authorities (and consultants who are engaged by them) should therefore be aware that the identity and professional credentials of consultants may have to be released to the public in the event of an FOIA request where a cogent public interest can be demonstrated.

New Hong Kong Competition Ordinance

Who should be aware of the new Competition Ordinance (Cap. 619) (CO)? – If you are operating a business offering goods or services in Hong Kong or considering acquiring one, it is important that you are aware of the new rules under the CO and plan for their introduction.

Click here for the issued Client Alert.

Draft Data Protection Regulation delayed

This post was written by Cynthia O’Donoghue and Kate Brimsted.

At the latest meeting in Brussels, Justice ministers failed to come to a consensus on the “one stop shop mechanism” and the role of the proposed European Data Protection Board (EDPB). The minutes state that while a “majority of ministers endorsed the general architecture of the proposal,” “further technical work is required".

Ahead of the meeting, Italy prepared a compromise proposal on the one-stop-shop plan. This proposal suggested the creation of a Lead Data Protection Authority (DPA) to deal with cross-border disputes, and for any disputes between DPAs to be referred to the EDPB.

Several Ministers disagreed with the proposal. In the UK, Theresa May released a statement expressing her concern that, “with legally binding powers for the EDPB to resolve disputes, the model proposed would fail to achieve the stated objectives of legal certainty, quick decisions and proximity for the data subject”.

In light of the conflict between Member States on these issues, the Data Protection Regulation likely may not be adopted until 2016.

FY 2015 Ebola Federal Funding: Congressional Increases and Program Support

This post was written by Lorraine M. Campos, Christopher L. Rissetto, and Robert Helland.

FY 15 Omnibus spending legislation sent to the President for signature. This past weekend, the Senate finished work on an omnibus spending bill, Consolidated and Further Continuing Appropriations Act, 2015 (“Act”), which funds most of the federal government for the remainder of FY 15. The House of Representatives passed this legislation last week and it now heads to the President’s desk for his promised signature. This legislation contains billions in new spending to fight the Ebola epidemic both in the United States and abroad.

$5.4 billion more to respond to Ebola. Congress had already appropriated $30 million in the FY 15 Continuing Resolution for the Centers for Disease Control (“CDC”) to respond to Ebola. The Act increases this appropriation dramatically among following agencies: (1) CDC; (2) Department of Defense (“DoD”); (3) Food and Drug Administration (“FDA”); (4) Health and Human Services Agency (“HHS”); (5) National Institutes of Health (“NIH”); and (6) Department of State (“DOS”). In total, $5.4 billion will be spent to fight Ebola both in the United States and abroad.

The Senate Appropriations Committee breaks down how those funds will be spent as follows:

  • $112 million will be appropriated to DoD for Ebola response and preparedness. Of this, $45 million will go to the Defense Advanced Research Projects Agency’s long-range research programs; $50 million to nearer-term research programs of the Defense Threat Reduction Agency; and $17 million for procurement of equipment.
  • $25 million will be appropriated for Ebola response and preparedness at FDA, including “increased medical countermeasure activities.”
  • $2.742 billion will be appropriated to HHS to respond to the Ebola epidemic in the United States and other countries threatened by the virus. Funding will be used to: (1) develop vaccines and treatments; (2) train health care workers; (3) bolster quarantine stations at ports of entry; (3) create isolation units; (4) reimburse hospitals providing care; and (5) send CDC personnel to countries affected by Ebola.
  • $238 million will be appropriated to the NIH for Ebola-related research.
  • $2.5 billion will be appropriated to DOS “to respond to the Ebola epidemic in West Africa and to strengthen public health capacity in other countries threatened by the virus.”

All of this $5.4 billion is deemed “emergency funding,” meaning it does not have to fall under the $1.1 trillion cap in discretionary spending for FY 15 that Congress agreed upon in the Bipartisan Budget Act of 2013.

Congress appropriated almost the entire amount requested by the President. The funds appropriated in the Act are close to the $6.18 billion in emergency funding requested by the President November 5, 2014. At a hearing before the Senate Appropriations Committee November 12, representatives from DoD, HHS and the Department of Homeland Security (“DHS”) testified on the need for the funds and where they would be used. Defense Deputy Secretary Heather Higginbotham testified of the continued need to contain the outbreak in West Africa and treat those with the disease. She noted, for example, that the funds will establish Community Care Centers across the region, to provide “medically safe places for individuals to receive basic care to help control the potential for continued transmission.” Sylvia Matthews Burwell, Secretary of HHS, testified that funds would help efforts to increase preparedness to Ebola in the United States by “improving readiness in hospitals, laboratories, and communities across the country.” DHS Secretary Jeh Johnson testified of the enhanced screening efforts for passengers and cargo from countries impacted by Ebola and how the additional funds would support those efforts.

It appears that Congress listened and delivered big. However, a dramatic increase in the response to Ebola will likely be the subject of additional congressional oversight as Republicans assume the majority in both the House and the Senate in the 114th Congress.

PCI Seeks to Help Organisations Educate Staff on Information Security with New Guidance

This post was written by Cynthia O’Donoghue.

In October, the Payment Card Industry (“PCI”) Security Standards Council published the Best Practices for Implementing a Security Awareness Program Information Supplement (“Supplement”) to help organisations educate their employees on the importance of protecting, the care in handling, and the risks of mishandling sensitive information.

The PCI Special Interest Group (“PCI SIG”) developed the Supplement with input from merchants, banks and service providers, to provide guidance on PCI Data Security Standard (“PCI DSS”) Requirement 12.6, which requires organisations to implement a security awareness programme.

The Supplement provides practical advice, including:

  • Assembling a security awareness team responsible for the development, delivery and maintenance of the security awareness programme
  • Determining roles for security awareness to tailor training appropriately
  • Developing security awareness content appropriate to each organisation’s time, resources and culture
  • Creating a security awareness checklist to plan and manage a security awareness training programme effectively

The Supplement includes a ‘Sample Mapping of PCI DSS Requirements to Different Roles, Materials and Metrics’ that shows how a training programme can incorporate PCI DSS, and a ‘Security Awareness Program Record’ to evidence a security awareness programme.

The Supplement could not come at a better time, as Cisco’s 2014 Annual Security Report found an increase of 14% in cyber-attacks since 2013. This guidance should help organisations in protecting their data, and will aid those who are gearing up for version 3.0 of the PCI DSS dealing with processing payment card information, which we reported on in April.

EU Art. 29 Releases Guidelines on the Right to be Forgotten

This post was written by Cynthia O’Donoghue.

In November, the Article 29 Data Protection Working Party (Working Party) released guidelines as to how the Data Protection Authorities (DPAs) assembled in the Working Party intend to implement the judgment of the Court of Justice of the European Union (CJEU) in the case of Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” (C-131/12) (Google Spain). The guidelines also contain a “list of common criteria” which the DPAs will apply to handle complaints.

The CJEU judgment set a milestone for EU data protection by granting individuals the right to request search engines to delist search results relating to them.

Part 1 of the guidelines attempts to interpret and answer the many questions left open by the judgment, and makes clear that the ruling applies to “generalist search engines”, not websites. Most importantly, the right to be forgotten is global, and that by de-listing only EU domains does not guarantee the rights of individuals, since that right extends where there is a clear link between the individual and the EU. Before search results can be de-listed, however, individuals are obliged to “sufficiently explain the reasons why they request de-listing, identify the specific URLs and indicate whether they fulfil a role in public life, or not”. The Working Party also clarified that search engines will not be obliged as a manner of general practice to inform the webmaster of the pages affected by de-listing, but that getting a fuller understanding of the circumstances of the de-listing request may be legitimate.

Part II of the guidelines provides a list of common criteria to aid DPAs’ complaint-handling and decision-making processes. The Working Party emphasises that each criterion applies in the light of the principles established by the CJEU, particularly in view of “the interest of the general public in having access to [the] information”.

The criteria provided by the Working Party will provide a useful guide for search engines seeking to understand how DPAs will interpret the ruling, and also to individuals seeking to better understand the scope of their rights.

FCC'S Notice of Opportunity To Comment on Robocalls and Call-Blocking Issues Raised by 39 Attorneys General

This post was written by Judith L. Harris and Divonne Smoyer.

On November 24, the FCC released a wide-ranging public notice seeking comment on a September 9, 2014, letter from the National Association of Attorneys General (NAAG), purportedly written “on behalf of the millions of Americans regularly receiving unwanted and harassing telemarketing calls.” The letter, signed by a bipartisan group of 39 AGs led by Chris Koster, the AG of Missouri, and Greg Zoeller, the AG of Indiana, raises issues relating to the legality and desirability of allowing telephone providers to implement call-blocking technology as a means of addressing unwanted telemarketing calls. NAAG’s letter to the FCC can be accessed here.

In its letter, NAAG references a July 2013 hearing before the Senate Subcommittee on Consumer Protection, Product Safety, and Insurance, at which witnesses from CTIA-The Wireless Association and US Telecom testified that “legal barriers prevent carriers from implementing advanced call-blocking technology to reduce the number of unwanted telemarketing calls.” In fact, it is true that the FCC has long prohibited call blocking in particular contexts as an “unjust and unreasonable practice” under the Communications Act of 1934, as amended.

Specifically, NAAG’s letter requests the FCC’s view in three areas:

  1. What, if any, legal and/or regulatory prohibitions bar telephone carriers (and VOIP service providers) from implementing call-blocking technology? Would the answer be any different if the companies’ customers were to “opt-into” use of the technology (either as a free service or for a fee)?
  2. According to US Telecom at the July 2013 hearing, telephone carriers can and do block “harassing and annoying” telephone traffic at their end-user customers’ request, but only for a “discrete set of specific phone numbers.” Could telephone carriers, at a customer’s request, legally block certain kinds of calls (for example, telemarketing calls) if technology could identify incoming calls as “originating or probably originating” from telemarketers?
  3. US Telecom describes the FCC’s position as being one of “strict oversight in ensuring the unimpeded delivery of telecommunications traffic.” Is this characterization accurate? If so, on what basis does the FCC claim that telephone carriers may not “block, choke, reduce or restrict telecommunications traffic in any way”?

In addition to seeking comment on these particular questions, the Commission, in its Public Notice, states that it is interested in hearing about what call-blocking technologies are available or under development in the United States and internationally, how they work, how these details should inform the Commission’s analysis, and whether differences in how specific technologies work might produce different outcomes under the law.

In its Notice, the FCC acknowledges having said in the past that, “‘except in rare circumstances,’ it ‘does not allow carriers to engage in call blocking.’” However, it then goes on to state that “it has not directly held that blocking calls upon customer request is unlawful,” and that “[i]ndeed the Commission has recognized ‘the right of individual end users to choose to block incoming calls from unwanted callers’” in certain circumstances.

At this juncture, the Commission seeks comment, among other things, on whether and to what extent its prior precedent and applicable statutory provisions regarding call blocking applies to call-blocking technologies now on the market or under development. And – most importantly, perhaps – the Public Notice asks: “How should the Commission reconcile the obligation of voice providers to complete calls with protecting consumers from unwanted calls under the Telephone Consumer Protection Act (TCPA)?”

One can be quite confident that not only will the pro-consumer “public interest” lobby be out in force on this one – and probably with substantial Congressional support – but also that companies that produce and market call-blocking technologies, such as Nomorobo, Call Control and Telemarketing Guard (identified by NAAG in its letter), will be pushing hard. For this reason, among others, this issue should be of grave concern – not only to all who market via the telephone, but also to those who use the phone to reach their customers for other purposes, for example, in attempting to collect a debt.

Have you had experience with your lawful outgoing calls (debt collection, informational, even emergency, as well as telemarketing, calls) being blocked by the recipient’s carrier? If so, you might want to share that experience with the FCC or write to the Agency about the impact this issue could have on your business, or the price of your products or services or your ability to communicate important information to your customers. Comments are due December 24, 2014, and reply comments are due January 8, 2015. If you fall into a potentially affected category, you should consider getting involved.

In other, but related news: it appears that the attorneys general have recently been a very busy bunch! Not only have 39 of them weighed in on blocking technology at the FCC, but – virtually simultaneously – 38 attorneys general, some the same, some different, again through NAAG, also recently urged the FTC, in its planned update of the Telephone Sales Rule, to prohibit the use of pre-acquired account information (to reflect the Restore Online Shoppers’ Confidence Act). The AGs contend that prohibiting such information would ensure that a consumer has consented to a given transaction.

NAAG’s letter to the FTC also urges that the Agency better address negative option telemarketing because, the AGs contend, that practice often leads to confusion and “outright deception.” Finally, the AGs argue that telemarketers should be required to create and maintain records, and that the use of money transfers and certain other payment methods should be banned. NAAG’s letter to the FTC can be accessed here.

Second Circuit Reverses Major Insider Trading Convictions (or Preet Bharara's Terrible, Horrible, No Good, Very Bad Day)

This post was written by Jennifer L. Achilles, Lisa G. Blackburn, and Brandon D. Cunningham.

In a widely anticipated decision, the Second Circuit on Wednesday clarified the standard for insider trading actions against tippees, downstream recipients of inside information who trade on that information. The court overturned the criminal convictions of two hedge fund portfolio managers who were convicted in 2013 as part of a massive sweep by New York federal prosecutors targeting insider trading on Wall Street and beyond. The court held that it is not enough for the government to prove that a tippee knew the corporate insider disclosed confidential information; it must also prove that the tippee knew the tipper did so in exchange for personal benefit. This decision calls into question the multiple insider trading convictions recently secured by the Manhattan U.S. attorney’s office, and may pave the way for other similarly situated defendants, including former SAC Capital Advisors LP manager Michael Steinberg, to seek an acquittal.

Todd Newman and Anthony Chiasson were both charged in 2012 with violations of sections 10(b) and 32 of the 1934 Act, Rule 10b-5, Rule 10b5-2, 18 U.S.C. § 2, and 18 U.S.C. § 371. Newman and Chiasson allegedly received the May and August 2008 earnings numbers of Dell and NVIDIA before public release, and subsequently executed trades capitalizing on this information to a profit of $4 million and $68 million respectively. At trial, the government presented evidence that the two received inside information from financial analysts who were themselves two and three levels removed from the actual corporate insiders at Dell and NVIDIA. The government presented no evidence that either defendant knew he was trading on information obtained from insiders in violation of those insiders’ fiduciary duties to shareholders. Instead, the government argued that as sophisticated traders, Newman and Chiasson must have known that the information was not disclosed for any legitimate corporate purpose. The traders were subsequently convicted of insider trading and sentenced to 54 months’ and 78 months’ imprisonment, respectively.

On appeal, the Second Circuit held that the government and the district court had applied the wrong standard for tippee liability. In doing so, the court relied on the U.S. Supreme Court’s 1983 ruling in Dirks, which held that tippee liability is derivative of the related tipper liability, and that a personal benefit to the tipper is therefore a required element of tippee liability as well. While Dirks did not specifically consider whether a tippee must have knowledge of the tipper’s personal benefit, it did define a tipper’s breach of fiduciary duty as a breach of the duty of confidentiality in exchange for a personal benefit. Because a tippee’s knowledge of a breach of a fiduciary duty is an element of tippee liability, it follows naturally that a tippee must know the tipper disclosed confidential information for personal benefit. As for what constitutes sufficient evidence of a “personal benefit,” the court noted that mere friendship between the tipper and tippee, such as what was presented at the trial of Newman and Chiasson, was not enough. Instead, proof is required of a “meaningfully close personal relationship that generates an exchange that is objective, consequential, and represents at least a potential gain of a pecuniary of similarly valuable nature.”

In its appeal, the government relied on prior Second Circuit decisions that enumerated the elements of tippee liability without mentioning knowledge that the tipper disclosed the information for personal gain. The Second Circuit made short work of that argument, blaming any ambiguity in the law not on its prior decisions but on the “doctrinal novelty” of the government’s recent insider trading prosecutions, “which are increasingly targeted at remote tippees many levels removed from corporate insiders.” The court also noted that while it had been accused of being “somewhat Delphic” with respect to the elements of tippee liability, Judge Sullivan’s opinion in fact was the only district court opinion to hold that tippee knowledge of the tipper’s benefit was not required.

The Second Circuit’s opinion highlights the reality that the wrongfulness of insider trading lies not in the unequal access to market information, but in the knowingly wrongful use of that information. The court noted, “Although the Government might like the law to be different, nothing in the law requires a symmetry of information in the nation’s securities markets.”

Change Has Come: OFCCP Publishes Final Rule Implementing Executive Order Prohibiting Federal Contractors from LGBT Discrimination

This post was written by Lorraine M. Campos, David J. McAllister, and Nkechi Kanu.

The U.S. Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) published a final rule today, implementing Executive Order (“EO”) 13672, signed by President Obama July 21, 2014. Before EO 13762, federal contractors were only prohibited from discriminating against employees on the basis of race, color, religion, sex and national origin. EO 13762 now adds sexual orientation and gender identity to the protected classes.

The OFCCP final rule codifies these new protections in 41 C.F.R. Part 60-1. Under the revise regulations, the words “sex, or national origin” are replaced by “sex, sexual orientation, gender identity or national origin.” In order to comply with the revisions, federal government contractors and subcontractors must:

  • Take affirmative action to ensure that applicants and employees are not discriminated against on the basis of their sexual orientation and gender identity
  • Include sexual orientation and gender identity as prohibited bases of discrimination under the Equal Opportunity Clause
  • Include an updated Equal Opportunity Clause in new or modified subcontracts and purchase orders
  • Update the equal opportunity language used in job solicitations to include sexual orientation and gender identity as protected traits
  • Post updated notices that reflect that sexual orientation and gender identity are protected traits

The final rule does not, however, require federal contractors to set goals on the bases of sexual orientation or gender identity, nor does it require contractors to collect and analyze data on these bases.

The final rule applies to businesses that enter into a covered federal contract or subcontract on or after the effective date of the final rule. The rule will become effective early April 2015, 120 days after its publication in the Federal Register. OFCCP intends to publish compliance assistance materials, such as fact sheets and “Frequently Asked Questions,” before the final rule takes effect. In addition, OFCCP will host webinars that will describe the amended requirements and conduct workshops and forums to listen to any questions and concerns contractors and other stakeholders may have.

Federal contractors and subcontractors should review their current employment and hiring practices to ensure compliance with their obligations under the final rule. Further, these contractors will need to update their Affirmative Action and Equal Employment Opportunity policies and statements to include the new protected classes, and ensure that the language used in solicitations and posted notices are revised.