ESG Data Assurance Requirements: 10 Steps to Prepare for the Legal Implications

    Research shows a substantial percentage of companies are not prepared for the environmental, social and governance (ESG) data assurance requirements. Only 25% of companies feel they have the ESG policies, skills and systems in place to be ready for independent ESG data assurance. This is despite the fact that two-thirds of companies must disclose such data or will soon be expected to do so on a mandatory basis.

    One of the core challenges for companies planning for ESG assurance is a need for more internal skills and experience. Learn how these requirements will impact corporate and financial services companies. Plus, uncover the proactive steps your company can take to prepare for the legal implications of these requirements.

    Impact on Corporate and Financial Services Companies

    For corporate and financial services companies, the ESG data assurance requirements create the following opportunities, if handled correctly, as well as challenges:

    Opportunities

    • Reduced risk and compliance costs: Proactive data quality management can help avert costly fines associated with regulatory non-compliance.
    • Competitive advantage: Companies prioritizing data assurance can distinguish themselves in the marketplace as trustworthy and reliable partners.
    • Improved decision-making: Trusted data results in better-informed decisions at all organizational levels, from product development and customer service to risk management and compliance.
    • Enhanced trust and credibility: Strong data assurance processes can build trust with your customers and investors by committing to transparency and data integrity.

    Challenges

    • Evolving regulatory landscape: Keeping up with the ever-changing regulatory landscape, especially in areas like ESG reporting, can be exhaustive for your internal resources.
    • Increased costs and complexity: Implementing and maintaining effective data assurance programs requires an investment in technology, personnel and processes, which can be a financial and administrative burden on your company.
    • Lack of talent and expertise: This can have significant consequences for your company, resulting in operational challenges, inaccurate data, and increased costs and inefficiencies. Moreover, finding and retaining skilled professionals with data governance and assurance expertise can take time and effort.

    You can gain a competitive edge by preparing and leveraging the potential benefits. Conversely, the implications of non-compliance can be significant and multifaceted, from regulatory fines and penalties to negative brand perception.

    Key Steps to Prepare

    Here are some proactive steps you can take to prepare for the ESG data assurance requirements:

    1. Stay informed: Monitor emerging standards for ESG data assurance, including the proposed International Standard on Sustainability Assurance (ISSA) 5000 and legislative developments. Acquaint yourself with relevant regulations in your jurisdiction and industry.

    2. Conduct a risk assessment: Find areas where your ESG data collection, management and reporting practices might be vulnerable to legal risks because of possible inaccuracies.

    3. Develop robust internal controls: Establish strong data governance policies and internal controls to confirm data accuracy and consistency within your company.

    4. Invest in data management systems: Upgrade your technology and data infrastructure to assist in effective and trustworthy data collection, retrieval and storage.

    5. Examine disclosure obligations: Recognize your legal responsibilities for ESG data disclosure, both mandatory and voluntary, under stock exchange listing requirements and relevant regulations.

    6. Establish ESG reporting policies: Create thorough policies for ESG data collection, verification, aggregation and reporting. Ensure they support recognized standards and best practices.

    7. Provide training: Offer training for employees engaged in ESG data collection, management and reporting to guarantee compliance with internal policies and legal requirements.

    8. Consider independent assurance: Evaluate the need for independent third-party assurance of your ESG data to enhance stakeholder confidence and mitigate legal risks. Select reputable assurance providers who adhere to relevant standards and ethical codes.

    9. Conduct due diligence with suppliers and partners: Assess the ESG practices of your suppliers and partners to ensure alignment with your commitments and avoid reputational risks.

    10. Partner with legal experts: Consult with legal professionals specializing in ESG and sustainability to guarantee compliance with relevant laws and regulations and navigate potential legal risks associated with your ESG data disclosures. For legal inquiries, please contact us at Pastore LLC.

    By taking these proactive steps, you can begin to prepare for the evolving ESG data assurance requirements. The legal landscape is dynamic, so staying updated and adapting your strategies is crucial.

    This article is intended for informational purposes and does not constitute legal advice.

    (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

    Navigating the New Cybersecurity Rules: What Companies Need to Know

    Public companies must report their cybersecurity risk management, governance and strategy on their annual filings for fiscal years ending on or after Dec. 15, 2023, to comply with the recently imposed Securities and Exchange Commission (SEC) rules.

    In the U.S., almost all publicly traded companies with a focus on consumers and a large number of financial services corporations have experience in cybersecurity. This results from cybersecurity regulations being implemented by various federal agencies and all states. Specifically, the Safeguards Rule under the Gramm-Leach-Bliley Act (GLB) requires the following types of financial institutions to establish extensive cybersecurity measures:

    • Banks
    • Savings and loans
    • Insurance companies
    • Broker-dealers
    • Investment advisers

    The SEC implemented a prior set of disclosure rules for reporting firms to give investors the necessary data to evaluate the impact of a cyberattack. Further, many other registered firms have enacted cyber procedures on their own initiative, based on responsible legal guidance.

    As a result, following the introduction of the new rules, financial services firms, consumer-oriented reporting firms and businesses that have independently implemented cyber policies shouldn’t have any significant implementation issues. However, those that haven’t will have a considerable undertaking to address these new requirements, and the Form 10-K revisions will have an extensive impact on those companies.

    The rule’s provisions will likely sanction those failing to comply with the change. This could involve letters of caution, fines and suspension.

    Navigate the Cybersecurity Requirements by Taking Steps

    Here are some steps to help your company navigate the new cybersecurity requirements:

    Ensure a written information security policy (WISP) is in place. This creates a framework for cyber management and typically calls for creating and maintaining a risk assessment manual and a written asset inventory.

    The WISP also includes procedures addressing access controls, identity and access management, entitlement transparency, and other important topics listed below:

    Access to Entitlement Transparency

    Human Resources (HR) should be able to provide immediate access to your company’s entitlement transparency structure, including a complete listing of access by each employee to the firm’s system from initial employment to departure.

    Upon employee advancement or transfer, the employee’s new supervisor, HR and a senior member of IT should reassess the employee’s access. This should be an established firm procedure, not a one-off. If an employee has been reprimanded in any way or has a questionable employment history, this should be maintained in their file.

    Departure/Termination Procedures

    Creating definitive procedures that can be immediately implemented upon termination plays a significant role in your company’s cybersecurity. These procedures should include immediate notification company-wide of an announced departure, especially if it’s a termination for cause.

    Upon notification of an employee’s departure, immediately implement access restrictions. Upon departure, execute an immediate and complete access shutdown. It’s important to understand that a current employee’s access to a former employee’s HR files is often a critical factor in illegal intrusions into the firm’s systems. In all of this, consider when a current or former employee is involved in a breach and what you would want to know about him or her to evaluate the situation properly.

    Password Protection Policy

    A strong password protection policy is mandatory for access security and should incorporate a requirement for multi-factor verification, including a user code and a password. The password should have eight alphanumeric characters with at least one symbol, should be changed every 90 days and not repeated for at least six months. Three errors in an attempted entry should suspend use for at least an hour and be reported to IT.
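An account-lockout and password-rotation check implementing the policy stated above, as an added illustration that is not part of the original article. It reads “eight alphanumeric characters with at least one symbol” as a minimum of eight characters containing letters, digits and at least one symbol, treats “six months” as 182 days, and the names (Account, attempt_login, change_password, run_scenario) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import re

# Policy parameters taken from the WISP text above; the six-month reuse
# window is assumed to be 182 days.
MIN_LENGTH = 8
ROTATION = timedelta(days=90)
REUSE_WINDOW = timedelta(days=182)
MAX_FAILURES = 3
LOCKOUT = timedelta(hours=1)


def password_meets_policy(pw: str) -> bool:
    """At least eight characters, with letters, digits and at least one symbol."""
    return (
        len(pw) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def _digest(pw: str) -> str:
    # Demonstration only: a production system stores a salted, slow password
    # hash (bcrypt, scrypt or Argon2), never a bare SHA-256 of the password.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


@dataclass
class Account:
    user: str
    password_hash: str
    password_set_at: datetime
    # (digest, retired_at) of previous passwords, used for the reuse check
    history: List[Tuple[str, datetime]] = field(default_factory=list)
    failures: int = 0
    locked_until: Optional[datetime] = None
    # messages that would be forwarded to IT under the "reported to IT" rule
    alerts: List[str] = field(default_factory=list)


def new_account(user: str, pw: str, now: datetime) -> Account:
    if not password_meets_policy(pw):
        raise ValueError("initial password does not meet policy")
    return Account(user=user, password_hash=_digest(pw), password_set_at=now)


def attempt_login(acct: Account, pw: str, now: datetime) -> str:
    """Returns 'ok', 'locked', 'bad_password' or 'password_expired'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        # the one-hour suspension has elapsed: clear it and restart the count
        acct.locked_until = None
        acct.failures = 0
    if _digest(pw) != acct.password_hash:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
            acct.alerts.append(
                f"{now.isoformat()} {acct.user}: {acct.failures} failed logins, "
                f"suspended until {acct.locked_until.isoformat()}"
            )
            return "locked"
        return "bad_password"
    acct.failures = 0
    if now - acct.password_set_at >= ROTATION:
        return "password_expired"  # 90-day rotation rule
    return "ok"


def change_password(acct: Account, new_pw: str, now: datetime) -> str:
    """Returns 'ok', 'weak' or 'reused'."""
    if not password_meets_policy(new_pw):
        return "weak"
    new_hash = _digest(new_pw)
    if new_hash == acct.password_hash:
        return "reused"
    for old_hash, retired_at in acct.history:
        if old_hash == new_hash and now - retired_at < REUSE_WINDOW:
            return "reused"  # retired less than six months ago
    acct.history.append((acct.password_hash, now))
    acct.password_hash = new_hash
    acct.password_set_at = now
    return "ok"


def run_scenario() -> Tuple[List[str], List[str]]:
    """Constructed timeline exercising the lockout, rotation and reuse rules."""
    t0 = datetime(2024, 1, 15, 9, 0)
    acct = new_account("jdoe", "Winter2023!", t0 - timedelta(days=10))
    results = [
        attempt_login(acct, "wrong-guess", t0),
        attempt_login(acct, "wrong-guess", t0),
        attempt_login(acct, "wrong-guess", t0),  # third failure: suspend, alert IT
        attempt_login(acct, "Winter2023!", t0 + timedelta(minutes=30)),
        attempt_login(acct, "Winter2023!", t0 + timedelta(hours=1, minutes=1)),
        change_password(acct, "short1!", t0),
        change_password(acct, "Winter2023!", t0),
        change_password(acct, "Spring2024#", t0 + timedelta(days=1)),
        change_password(acct, "Winter2023!", t0 + timedelta(days=30)),
        change_password(acct, "Winter2023!", t0 + timedelta(days=200)),
        attempt_login(acct, "Winter2023!", t0 + timedelta(days=300)),
    ]
    return results, acct.alerts
```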


    Data Loss Protection

    One of the WISP’s primary functions is to ensure that your company’s designated information requiring security is adequately protected in accordance with its degree of risk.

    This review should be based on:

    • Guidance from National Institute of Standards and Technology (NIST) releases and guidelines
    • Relevant industry guidelines
    • Operational manuals
    • Data maps
    • Audits (internal and external)
    • Testing (internal and external)
    • Other appropriate mechanisms

    Finally, determine if the company’s personally identifiable information (PII) and other designated data are being properly identified, maintained and protected within the firm’s systems.

    Security Devices and Review

    To accomplish compliant, sophisticated protection, the company should employ technology such as encryption, firewalls, intrusion detection and prevention systems, as well as monitoring and auditing devices. One approach is to institute a defense-in-depth strategy, layering the devices above within the firm’s systems. This review’s determination is vital to your company and should be documented and maintained in the WISP Manual.

    After an incident, the entire team should conduct follow-up reviews to make recommendations for corrective and remedial action, and it should then oversee and approve this action.

    Training

    In conjunction with legal, IT and outside IT forensic vendors, your company should develop cybersecurity training programs, including mock and tabletop sessions. Develop and provide regular cybersecurity awareness training for all personnel and regularly update this to reflect current risks.

    The chief compliance officer (CCO), in conjunction with the chief information security officer (CISO), should conduct follow-up reviews. To establish an effective training program, they should work with internal and outside legal and IT advisers.

    Training should also discuss the appropriate handling of customers’ requests for username and password changes, wire transfers and identity verification, particularly those involving large money transfers to an overseas location or third parties. This should include sound practices regarding opening e-mail attachments and links, including using simulated phishing campaigns where the firm identifies and retests employees who failed the exercise.

    Vendor Selection and Management

    Vendors play an essential role in a company’s business and, as a result, have a significant involvement in cybersecurity. Vendors and employees are two major risk factors in cybersecurity breaches.

    As such, have an established due diligence process for the selection of vendors, which should focus on cybersecurity awareness. As a part of your cybersecurity program, develop a strong vendor management plan. Finally, ensure all vendor contracts contain pertinent provisions and employ regular oversight practices.

    Cyber-Insurance

    Check your existing policies for their cyber insurance coverage. If appropriate, discuss with your insurer to address any areas requiring additional coverage. You don’t necessarily need to obtain a separate cybersecurity policy if you have proper coverage otherwise. Also, the employment of a WISP can significantly assist a firm in evaluating the need for and securing appropriate insurance.

    Phishing

    No U.S. business, small or large, can escape phishing attacks. These can result in the loss of substantial sums of money, often in six and seven figures, and of valuable, sensitive company information. Phishing problems can be reduced through training and testing, which includes demonstrations of various attacks experienced by peer firms. Although there’s no easy solution, regular and informed testing and training can effectively address this problem.

    Testing

    Regular testing is required of all WISPs and involves internal testing by firms and independent outside vendors. Most testing aims to ensure that key controls, systems and procedures of a WISP meet established standards.

    One of the most important types of testing is third-party penetration testing. Penetration testing is an essential element in any cybersecurity program. It simulates an internal or external attack on a company’s computer network to detect its vulnerabilities and evaluate your firewall system’s effectiveness.

    In conjunction with legal, compliance and a trusted outside vendor, IT should develop cybersecurity training and testing programs, including mock and tabletop sessions. These tests should be administered periodically (annually, quarterly and when necessary) by capable internal or outside technology experts and can be invaluable to your cybersecurity program.

    Incident Response Plan

    Lastly, a major element of a WISP is its Incident Response Plan, which provides a procedural structure for your company to respond to a cybersecurity incident expeditiously. The plan should contain specific policies and procedures for responding to a cyber incident.

    The plan should require the firm to establish an incident response team (IRT) responsible for addressing all cyber incidents. Depending on the company and the cyber incident, the IRT can comprise members from IT, compliance, legal, HR and other relevant departments. Each member should be a seasoned officer sophisticated in the firm’s technical systems and operations.

    Partner with Legal Experts for Assistance

    A law firm with a sophisticated cybersecurity group can assist with all the undertakings described above and do so expeditiously and cost-effectively. Pastore LLC has a sophisticated group of seasoned counsel who can direct the development and completion of a WISP and be crucial players in effectively advising on any cyber incident.

    This article is intended for informational purposes and does not constitute legal advice.

    (Jack Hewitt is a securities lawyer and focuses on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and investment advisers. His work involves virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, market manipulation, net capital, short-selling, suitability, record retention, insider trading, cybersecurity and registration issues.)

    What Standard of Care Applies When Engaged in Fitness Activities?

    The fitness industry, while promoting health and wellness, is not immune to legal challenges. Businesses in this sector, particularly in states like Connecticut, need to be vigilant about potential litigation, especially concerning negligence and contract breaches. This article aims to guide fitness facility operators on how to mitigate these risks, incorporating real case examples and legal principles.

    Understanding the Risks: Negligence

    Negligence forms the core of many lawsuits in the fitness industry. Cases often revolve around personal training, where trainers may fail to consider clients’ medical conditions, provide unsuitable exercises, or inadequately supervise workout sessions. These oversights and decisions can lead to severe injuries, ranging from fractures to more serious conditions like heart attacks or strokes due to overexertion.

    In Connecticut, the standard of care in fitness-related injuries can vary based on the nature of the activity. Importantly, Conn. Gen. Stat. § 52-572h makes clear that a participant’s assumption of the risk does not bar recovery in negligence actions in Connecticut and instead, the standard of “comparative negligence” applies.

    The Connecticut Supreme Court in Jaworski v. Kiernan (1997) established that the duty owed to a participant in a sport where physical contact is inherent or expected is not to engage in reckless or intentional conduct, rather than the ordinary standard of acting in a reasonable manner under the circumstances.

    However, this heightened standard of care does not always apply. In Jagger v. Mohawk Mountain Ski Area, Inc. (2004), the court found that, in non-contact sports like skiing, participants are expected to engage in the sport reasonably and appropriately. This “ordinary” standard of care has also been applied in evaluating whether providing standard fitness safety equipment (in the form of a yoga mat) was actionable conduct, in Schmus v. Davis (2021), and even in sporting activities where physical contact seems unavoidable, like boxing: in Robles v. Dean (2017), the plaintiff, as a trainee, had enlisted the defendant as a trainer for instruction in fitness boxing, so they were not co-participants in an athletic contest.

    Practical Steps to Mitigate Risks

    1. Regular Equipment Maintenance and Safety Checks: Regularly inspect and maintain equipment to prevent accidents.
    2. Qualified Personnel: Employ qualified trainers and ensure they are well-versed in handling diverse client needs and health considerations. This reduces the risk of injuries due to inappropriate training methods.
    3. Effective Use of Waivers: Develop comprehensive and specific waivers, clearly outlining the risks involved in various fitness activities. Remember, the clarity and specificity of a waiver can be pivotal in legal defenses.
    4. Emergency Protocols and Staff Training: Establish clear procedures for handling injuries and emergencies. Ensure all staff members are trained to respond effectively and document incidents thoroughly.
    5. Insurance Coverage: Maintain adequate insurance to cover potential claims. This not only provides financial protection but also ensures compliance with legal standards.
    6. Legal Consultation: Regularly consult with legal experts to ensure that all operational practices, contracts, and waivers align with current laws and regulations.
    7. Client Communication and Education: Educate clients about the risks associated with fitness activities and the importance of acknowledging their health conditions and limitations.

    By addressing these key areas, fitness facilities can significantly reduce the risk of litigation. It’s not just about legal protection; it’s also about creating a safe and responsible environment for clients to pursue their health and fitness goals.

    This article is intended for informational purposes and does not constitute legal advice.

    (Paul Fenaroli is an Associate Attorney at Pastore admitted in Connecticut and the District of Connecticut. He provides private companies with a full range of business law services covering formations, mergers, acquisitions, corporate governance, securities offerings and litigation.)

    Pastore Files Federal Complaint in AI Venture Capital Dispute

    Pastore has been retained by the author of the leading text used at Harvard in the “Starting a Private Investment Firm” course to pursue business torts committed by his former AI Venture Capital Fund General Partner and its affiliated individuals. The defendants, spanning Colorado and Texas, are alleged to have purposefully manipulated the client to build the AI fund, and then cut him out of the carry and returns. The case is pending in the District of Connecticut.

    Personal Financial Data Rights Rule: Strategies for Financial Institutions

    Financial institutions are vulnerable to the complex and dynamic regulatory landscape. Forty-two percent of organizations cited facing regulatory issues and compliance changes within the next 2-5 years as a top challenge. Financial institutions must be adaptable and remain informed on the latest industry regulations to operate effectively.

    An example is the new Personal Financial Data Rights rule (PFDR) the Consumer Financial Protection Bureau (CFPB) proposed on Oct. 19, 2023. The proposed rule is the first rulemaking to implement Section 1033 of the Consumer Financial Protection Act, which charged the CFPB with implementing personal financial data sharing standards and protections. The CFPB expects to cover additional products and services in future rulemaking.

    Currently in its notice-and-comment period, which will end on Dec. 29, 2023, the proposed rule would require depository and nondepository entities to:

    • Make some data regarding consumer transactions and accounts available to consumers and authorized third parties.
    • Establish obligations for third parties accessing a consumer’s data, including important privacy protections.
    • Provide basic standards for data access.
    • Promote fair, open and inclusive industry standards.

    The requirements would be implemented in phases, with larger providers being subject to them much sooner than smaller ones. Community banks and credit unions with no digital interface with their customers would be exempt from the rule’s requirements.

    If approved, this will profoundly change how financial institutions handle consumers’ financial data and present compliance challenges. Financial institutions failing to comply with the proposed PFDR rule could face legal ramifications such as civil penalties, cease-and-desist orders, reputational damage and consumer and data breach lawsuits. Specific legal implications will depend on the nature of the violation, consumer damage and relevant laws and regulations in effect at the time.

    Although the PFDR is still in the proposal phase and subject to change, it’s key for financial institutions to take steps to minimize risks.

    Here are some strategies to consider in preparation:

    Focus on Compliance

    To increase compliance, carefully review the PFDR rule and its requirements. Be sure to examine crucial areas such as data access rights, data use restrictions, data security standards and covered data. Review your current procedures and practices to determine which ones may not comply. Then develop a thorough implementation plan defining the actions to achieve compliance. This includes timelines, communication strategies and resource allocation.

    Take a Proactive Approach to Data Management

    Thoroughly evaluate any third-party service providers and vendors who access your customer data to ensure they comply with the PFDR rule’s data security and privacy requirements. In addition, clarify data access rights in user agreements and contracts with those parties. To limit third parties’ use and disclosure of data, apply contractual provisions.

    Additionally, boost your data security by applying robust cybersecurity actions. This will protect your customer data from unauthorized misuse and breaches. In a breach, be prepared with a well-defined incident response plan.

    Build Consumer Trust

    It’s imperative to communicate with your customers about what the rule is and what their data rights are, along with providing educational materials and other resources. To make certain your customers understand and approve how their data will be used and shared, provide detailed consent procedures.

    Restrict authorized third-party data usage by creating firm policies and verifying that the data will only be used for authorized purposes and not shared or sold without consent. Finally, employ effective processes for responding to customer complaints and inquiries concerning security and data access.

    Seek Legal Counsel

    Consulting with legal counsel with expertise in the financial services industry will help you navigate the PFDR rule complexities and ensure compliance. The specific legal approach will depend on your financial institution’s unique circumstances.

    Skilled legal counsel can address your concerns and increase compliance by:

    • Keeping you informed on developing regulations and providing guidance through existing changes to data procedures.
    • Providing guidance on how to comply with the rule while evaluating consumer privacy and data security concerns.
    • Addressing potential legal issues swiftly and effectively to mitigate risks.
    • Handling litigation risks and guarding against potential lawsuits.

    In summary, although the PFDR rule is still in its final development stages and it’s feasible that regulations may evolve, prepare by staying informed and adapting your strategies accordingly.

    By investing in legal counsel early on, you can leverage the expertise of professionals to mitigate risks, prevent costly mistakes and take advantage of the opportunities presented by this new regulatory landscape. For legal inquiries, please contact us at Pastore LLC.

    This article is intended for informational purposes and does not constitute legal advice.

    (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

    Preparing for the Impending AI Regulations: A Legal View

    Due to artificial intelligence’s (AI) significant impact on business operations, companies must stay informed on evolving data privacy and transparency regulations. Recent research shows a steady increase in global AI adoption, with 35% of companies incorporating AI into their operations and another 42% considering it. Furthermore, 44% of organizations strive to integrate AI into their existing applications and processes.

    Discover how to start preparing for forthcoming AI regulations that will govern the ethical use of this technology. This will help avoid problems like legal issues, fines, damaged reputation and loss of customer trust.

    On Oct. 30, 2023, the White House issued an executive order to manage AI risks and expanded on the voluntary AI Risk Management Framework released in January 2023. The directive aims to ensure the safe, responsible and fair development and use of AI. Federal authorities will evaluate AI-related threats and provide guidelines for businesses in specific industries according to the following timeline:

    • Within 150 days of the date of the order: A public report will be issued on best practices for financial institutions to manage AI-specific cybersecurity risks.
    • Within 180 days of the date of the order: The AI Risk Management Framework, NIST AI 100-1, along with other appropriate security guidance, will be integrated into pertinent safety and security guidelines for use by critical infrastructure owners and operators.
    • Within 240 days of the completion of the guidelines: The Federal Government will develop and take steps to mandate such guidelines, or appropriate portions of them, through regulatory or other appropriate action. Independent regulatory agencies are also encouraged to consider whether to mandate the guidance through regulatory action in their areas of authority and responsibility.

    The Office of Management and Budget (OMB) released a new draft policy on Nov. 3, 2023, seeking feedback on the use of AI in government agencies. The guidance establishes rules for AI in government agencies, promotes responsible AI development, improves transparency, safeguards federal employees and manages the risks associated with AI use by the government.

    Here are some approaches to consider when planning for the impending AI regulations:

    Stay Well Informed

    Constantly monitor the development of AI regulations at the local, national and international levels. Examine which regulations directly impact your company’s use of AI. Consult with legal counsel specializing in AI and technology law to thoroughly understand how it will affect your company. Also, become acquainted with core legal principles rooted in AI regulations.

    Conduct a Risk Assessment

    A risk assessment is crucial for compliance and reducing legal liability, especially with emerging AI regulations. Begin by analyzing your AI systems for possible violations of existing laws and regulations, including consumer protection, anti-discrimination and data privacy.

    Since AI systems gather and process large quantities of personal data, data protection and privacy are concerns. Companies should assess whether their AI systems comply with applicable data protection laws, such as the California Consumer Privacy Act (CCPA).

    Regarding anti-discrimination, companies should assess whether their AI systems are unbiased and initiate measures to mitigate any probable biases. Finally, create plans for any uncovered legal risks.

    Create a Powerful Infrastructure

    Determine whether existing procedures and policies sufficiently tackle AI development, deployment and usage. Make certain the right contractual agreements are in place with technology vendors, data providers and other stakeholders.

    In compliance with pertinent data privacy regulations, create strong data governance procedures for collecting, storing and using personal data. Regularly monitor and audit AI systems to detect legal compliance issues. Lastly, develop a thorough plan for responding to potential legal events such as data breaches.

    Partner with Legal Experts

    A team of legal experts specializing in AI can help ensure that legal considerations are incorporated throughout the development and deployment process. Companies can lower their legal risk by partnering with an external legal counsel specializing in corporate AI and other technology areas, including cybersecurity.

    In conclusion, addressing the legal aspects of AI improves compliance, and builds trust and confidence with stakeholders. Is your company legally protected in the AI-driven arena? For legal inquiries, please contact us at Pastore LLC.

    This article is intended for informational purposes and does not constitute legal advice.

    (Joseph M. Pastore III is chairman of Pastore, and focuses his practice on the financial services and technology industries, representing major multinational companies in state and federal courts, as well as before self-regulatory organizations such as FINRA, and government agencies such as the SEC.)

    (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

    Beyond Privacy Consent: How ‘Delete Act’ Changes Game for Companies

    Companies provide data privacy consent to consumers as part of a “safe harbor” practice, but time may be running out.

    After all, the common ritual of privacy consent is flawed.

    Let’s say a consumer goes online and wants access to some information on your company’s website. Up pops a window with a privacy consent form that needs a signature. The convoluted language seemingly goes on forever, but clicking a box for approval makes it all go away.

    Voilà!

    Now, the consumer can review their long sought-after information by checking a box. But let’s stop right there.

    Private data, which is more valuable than oil these days, is a lot like medication. Yet, we don’t let people take medicine without prescriptions because we know people can’t possibly understand all the particulars of medical terminology and decide for themselves.

    In other words, we are putting privacy consent into the hands of people who don’t understand it. Meanwhile, consumers are granting access to companies with legacy systems that may not have the ability to categorize the inventory—let alone identify it—even though the surging volume may rival the Library of Congress.

    The court of public opinion is catching on. In a recent poll from Pew Research Center, a majority of Americans are concerned about their privacy in the hands of companies:

    • 81% of US adults are concerned about how companies use the data collected about them.
    • 67% of US adults have little to no understanding of how companies use the data they collect about them.
    • 72% of Americans say there should be more regulation than there is now.

    Well, the people may get what they want, so companies should begin protecting their assets now. Remember, the rest of the Bill of Rights doesn’t count if you don’t have privacy. If you can’t say what you want to someone without it becoming public, then that is really a violation of your First Amendment rights. Everything flows from privacy—even though it is not written in the US Constitution.

    So why is the status quo changing for companies when it comes to privacy consent? One word: California.

    The Golden State’s Long Legislative Arm

    California Governor Gavin Newsom recently signed the Delete Act (Senate Bill 362) into law, which gives consumers the ability to have companies delete their personal information with a single request.

    The new law requires “data brokers”—companies that sell or rent the personal data that they collect from customers—to register with the newly created California Privacy Protection Agency (CPPA) public registry and disclose the information they collect from consumers, as well as ongoing opt-out requests.

    The Delete Act also charges CPPA to create a website and database where state residents can opt out from tracking and request data removal from a set process.

    From a consumer perspective, the new law creates a sea change in California. Currently, there isn’t a uniform approach for consumers to request data removal from a data broker. And once it happens, private information can resurface due to the nature of ongoing data collection.

    From a corporate perspective, the new law has a long reach. If California were its own country, it would have the fifth-largest economy in the world. In other words, it carries sway. In addition to data privacy, California has a long track record of influencing legislative issues involving labor, the environment and marijuana just to name a few.

    Since the CPPA was signed into law in 2018, another ten states have enacted comprehensive data privacy laws. Bloomberg Law reports that at least 16 states have introduced privacy bills that include protections for health and biomedical identifiers in the 2022-2023 legislative cycle.

    Of course, different states with different laws could motivate Congress to streamline data privacy on a national scale. Most likely, certain differences will be settled in a court of law, which is why an ounce of prevention now will be worth a pound of data.

    A Golden Opportunity for Companies

    The CPPA may have until January 1, 2026, to create a database that will allow quick data deletion, but companies should act now to get out in front of the new norm for doing business.

    While the government can step in and create a national system to safeguard data privacy, it would be best for companies to take the lead and show consumers how it can be done while protecting Corporate America’s most valuable assets.

    In the dawn of the new age of data privacy, companies need to go beyond providing data privacy consent. Instead, corporations need to set up their own internal systems—privacy by design—that document where the data is being stored, how it is used and who has access to it.

    Most importantly, companies need to conduct internal reviews of their data inventory to make sure what they are using as privacy protection is actually providing protection. This is where the potential legal problem arises. If a company believes it is complying with the law when in fact it is not—and management is unaware—the company will be held accountable and pay the price, which could be steep.

    Moving forward, think about personal information like a book in the library. When someone needs it, it will need to be checked in and checked out. If someone wants to know my birthdate, there should be a record of who, why and when.

    Companies should work with a legal team with data-privacy experience that could conduct a privacy analysis of their existing processes and inventory. The outcome should be a report that identifies areas of exposure—possible causes of action—from the mindset of a plaintiff’s attorney, as well as recommendations to proactively address any looming surprises.

    As the notion of privacy is reimagined in a digital world, providing data privacy consent forms will no longer be enough to protect a company’s balance sheet.

    (Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)

    Pastore Attorney Tyler W. Rutherford Quoted By Slate Concerning Sam Bankman-Fried’s Trial

    Tyler W. Rutherford was recently interviewed and quoted in Slate Magazine’s recent breaking news article about Sam Bankman-Fried’s criminal trial in the Southern District of New York. The article can be accessed here. Sam Bankman-Fried is the former CEO and Founder of FTX, which was previously one of the largest cryptocurrency exchanges in the world.

    As a firm that applies a long history of practice in traditional finance and securities to the realm of decentralized financial platforms, Pastore LLC can advise clients on best practices for compliance with regulations related to digital assets, and dispute resolution.

    Understanding Connecticut’s Legal Landscape for Health and Fitness Businesses

    Introduction

    The health and fitness sector is a rapidly growing industry, particularly in Connecticut, where there’s a burgeoning market for everything from gyms and yoga studios to dietary supplements. However, this growth comes with its share of legal complexities, often specific to the state of Connecticut. At Pastore LLC, we offer specialized legal services in both corporate litigation and transactional matters, and we are committed to helping companies of all sizes navigate this intricate legal landscape.

    Connecticut State Regulations

    Licensing and Certification

    In Connecticut, gyms and health clubs are required to register with the Department of Consumer Protection. There may be specific requirements for other types of health and fitness businesses as well, such as yoga studios or martial arts centers.

    Health and Safety Codes

    Connecticut has specific safety standards that health and fitness establishments must meet. These include proper maintenance of equipment, appropriate medical readiness, and sanitation standards, among others.

    Labor Laws

    Employee Contracts

    In Connecticut, while employers must comply with federal labor laws, they must also be mindful of the state’s particular regulations, including those pertaining to minimum wage, overtime, and occupational safety. Additionally, Connecticut imposes specific limitations on the enforceability of non-compete and non-solicitation clauses in employment agreements. These restrictions aim to balance the protection of business interests with the right of individuals to work and engage in their profession freely. Consequently, it is crucial for employment contracts drafted within Connecticut to conform to both federal standards and these nuanced state-specific legal obligations to ensure they are legally sound and enforceable.

    Independent Contractors vs. Employees

    The classification of workers as either employees or independent contractors is a hot topic in Connecticut and misclassification can result in hefty fines. Make sure you’re familiar with Connecticut’s criteria for classification to avoid legal pitfalls.

    Liability and Insurance

    Premises Liability

    Business owners in Connecticut are required to keep their property “reasonably safe” for visitors. Failure to do so can result in liability for any injuries that occur on your premises.

    Indemnity Agreements

    These are especially crucial for businesses in the health and fitness industry, where there’s a high potential for injury. Connecticut law has specific requirements for these types of agreements, so they must be drafted carefully.

    Data Privacy

    Connecticut has enacted various laws to protect consumer privacy, including the Connecticut Insurance Information and Privacy Protection Act. If your health and fitness business collects personal or health data, you must ensure compliance with these state-specific regulations, in addition to federal laws like HIPAA.

    Intellectual Property

    Connecticut has established protections for trade secrets through the adoption of the Connecticut Uniform Trade Secrets Act (CUTSA), codified in Conn. Gen. Stat. Ann. §§ 35-50 to 35-58. CUTSA provides a legal framework for the protection of business information and know-how, defining trade secrets and setting forth the remedies available to victims of trade secret misappropriation. Through this act, Connecticut ensures that businesses can safeguard their competitive edge by securing their proprietary information.

    In addition to CUTSA, federal laws apply. Local practices can influence the process and enforcement, making it valuable to consult with legal professionals familiar with the Connecticut business environment.

    Conclusion

    Operating a health and fitness business in Connecticut comes with numerous state-specific legal considerations, from licensing and labor laws to liability and data privacy regulations. At Pastore LLC, we specialize in helping businesses navigate these complexities effectively. If you’re looking to understand your legal obligations better or require assistance with corporate litigation or transactional matters, contact us today.


    This article is intended for informational purposes and does not constitute legal advice.

    (Paul Fenaroli is an Associate Attorney at Pastore admitted in Connecticut and the District of Connecticut. He provides private companies with a full range of business law services covering formations, mergers, acquisitions, corporate governance, securities offerings and litigation.)

    Understanding the Legal Landscape and Navigating Challenges

    Mid-sized businesses, often viewed as the backbone of many economies, enjoy several advantages due to their scale and flexibility. However, their position in the marketplace can also make them susceptible to various legal challenges. Understanding the landscape of business litigation can be instrumental in helping these enterprises prepare for, respond to, and navigate legal disputes.

    What is Business Litigation?

    At its core, business litigation involves disputes arising out of commercial and business relationships. These include issues related to contracts, partnerships, and transactions. For a mid-sized business, litigation can come in various forms – from a dispute with a supplier over contract terms to a disagreement with a competitor over intellectual property rights.

    Why Mid-sized Businesses?

    Larger corporations often have entire legal teams dedicated to handling disputes, while smaller businesses might fly under the radar or lack the extensive contracts and partnerships that can lead to litigation. Mid-sized businesses, however, often engage in a significant number of transactions, making them more vulnerable to disputes, but may not always have the extensive in-house legal resources of larger corporations.

    Common Types of Lawsuits Involving Mid-sized Businesses:

    • Contract Disputes: The foundation of many business relationships, contracts, if ambiguous or breached, can lead to significant disagreements.
    • Shareholder and Partnership Disputes: Differences in opinion among business partners or shareholders can lead to internal strife and potential litigation.
    • Employment Disputes: These can range from wrongful termination claims to wage and hour disputes.
    • Intellectual Property Disputes: As businesses grow, protecting their intellectual assets becomes crucial, leading to potential disagreements with competitors or even within the industry.
    • Real Estate and Property Disputes: These can involve lease agreements, property rights, or disputes related to property values and damages.
    • Consumer-related Lawsuits: These can arise from claims of false advertising, product defects, or other consumer protection issues.

    Preparation is Key

    For mid-sized businesses, the adage “an ounce of prevention is worth a pound of cure” holds. Here are some proactive steps:

    • Clear Contracts: Ensuring that all business contracts are clear, specific, and legally sound can prevent many disputes.
    • In-house Counsel or Retained Lawyers: Having a dedicated legal advisor, even if on a retainer basis, ensures that the business has someone familiar with its operations and ready to advise when needed.
    • Insurance: Various insurances, like liability or errors and omissions insurance, can help protect against potential litigation.
    • Employee Training: Ensuring that employees are well-trained, especially in areas like compliance, can prevent issues down the line.

    Conclusion

    While business litigation is a reality that many mid-sized businesses may face, understanding the landscape and being prepared can make a significant difference. With the right strategies and resources, businesses can navigate these challenges effectively, ensuring that they continue to thrive and grow in a competitive marketplace.


    (Paul Fenaroli is an Associate Attorney at Pastore admitted in Connecticut and the District of Connecticut. He provides private companies with a full range of business law services covering formations, mergers, acquisitions, corporate governance, securities offerings and litigation.)