In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Data Protection Impact Assessments: Are You Ready? | Privacy World

Introducing Our AI Webinar Series | Privacy World

Scott Warren to Speak at Legal Plus 3rd Annual Asia International Arbitration and Competition Law Summit | Privacy World

SYMPOSIUM: Stephanie Faber to Speak at the 3rd Annual France-Singapore Symposium on Law and Business | Privacy World

Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data | Privacy World

Singapore Introduces New Law to Order Removal, Blocking of Harmful Online Content | Privacy World

California Federal Court Dismisses Direct and Derivative Liability CIPA Claims Brought Against Website Operator Concerning Chat Feature | Privacy World

NIST Not Voluntary in the Volunteer State: Tennessee Privacy Law Requires Comprehensive Written Privacy Program that Conforms to a Voluntary Framework. Will this Framework Become a De-Facto National Approach to Judging Compliance with New Privacy Obligations? | Privacy World

New CISA Guidelines Lay Out Unified International Principles on Security-by-Design and Security-by-Default | Privacy World

BREAKING: Seventh Circuit Affirms Dismissal of Lawsuit Alleging Violation of Genetic Right to Privacy, Rebuffing Claims Premised on Stock Purchase of Genetic Testing Company | Privacy World

Law360 Publishes “CFPB’s Hazy ‘Abuse’ Definition Creates Compliance Questions” Article by Keith Bradley and David Coats | Privacy World

Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained | Privacy World

Comparing Arkansas’ Social Media Safety Act to Utah’s Social Media Regulation Act | Privacy World

Federal Court Dismisses Privacy Claims Brought Against Website Operator, Finding Online Subscriptions for Electronic Newsletter Insufficient To Impose Liability Under Federal Video Privacy Protection Act | Privacy World

UNSUBSCRIBED! Public Comment Period Open for the FTC’s Proposed Amendments to the Negative Option Rule | Privacy World

Ninth Circuit Court of Appeals Holds Invasion of Privacy and Wiretapping Claims Against E-Commerce Company Not Subject to Binding Arbitration | Privacy World

The UK’s new Minister for Data and Digital Infrastructure suggests that loss of the EU adequacy decision would not be a ‘complete disaster’. Is that view likely to fuel EU concerns? | Privacy World

Singapore Financial Institutions to Meet Stricter Data Protection and Consumer Safeguards | Privacy World

Montana, Tennessee or ____________?: Which State Will Pass the Next Privacy Law? | Privacy World

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023. Continue Reading Data Protection Impact Assessments: Are You Ready?

The rapid developments in Artificial Intelligence (AI) are bringing AI tools to the forefront of corporate practices. When used correctly, AI technologies can offer companies significant opportunities, but on the reverse, they can pose risks to many facets of a business’s operations and reputation.

To address challenges businesses will face because of these developments, we are hosting several AI webinars over the coming months, in collaboration with our experienced colleagues from practice groups across Squire Patton Boggs’ global platform.

Be sure to register for our first two webinars, linked below.

Top Ten Things In House Counsel Should Consider About AI

May 24, 2023

11:30 a.m. – 12:30 p.m.

AI Webinar Series: The ABC’s of GAI

June 8, 2023

11:30 a.m. – 12:30 p.m.

Stay tuned for information on future webinars on the following topics:

  • AI Focus on Europe
  • AI Focus on APAC
  • AI Focus on US
  • The Use of AI in the Employment Context
  • Navigating Contracting Challenges Related to AI
  • Operationalizing an AI Program

As always, the PW team will continue to monitor the developing AI and privacy law landscape to keep you in the loop. For more information contact your SPB relationship partner.

On May 18th, Scott Warren, Partner, Tokyo/Shanghai, will be speaking at the Legal Plus 3rd Annual Asia International Arbitration and Competition Law Summit held in Hong Kong on the topic “China’s New Personal Data Export Restrictions: Are You Ready?” Scott is speaking from 2:40-3:00 p.m. Hong Kong time on the challenges facing companies and solutions to comply with China’s newly implemented data export regulations. These include the various rules that apply depending on what data is being exported, the newly released Standard Contract, the required Personal Information Privacy Impact Assessment and the filing requirements with the data privacy authority. This is an in-person all-day event in Hong Kong and there are significant discounts available for in-house counsel. For more information on the event or to register, click here.

 

Stephanie Faber will be speaking at the 3rd Annual France-Singapore Symposium on Law and Business which will take place in Paris on May 11-12, 2023.

The symposium is organized by the Singapore Academy of Law, Embassy of France in Singapore in collaboration with Paris Bar, the Université Paris 1 Panthéon-Sorbonne, the Asian Business Law Institute, the French Cour de Cassation, Paris city of Law (Paris place de droit) and the French Ministry of Justice. It will bring together experts from France and Singapore to provide insights to the discourses at the intersection of law, business and the use of technology.

Stephanie will join a panel on “Navigating data protection in Europe and Singapore” composed of Zee Kin Yeong, Assistant Chief Executive (Data Innovation and Protection) at Infocomm Media Development Authority of Singapore and Deputy Commissioner of the Personal Data Protection Commission in Singapore, Emmanuel Leroux, Lawyer at the CNIL, European and International Affairs Department, Lucas Nicolet-Serra, Counsel at K&L Gates Straits Law LLC. The panel will be moderated by Clarisse Girot, Head of the Data Governance and Privacy Unit of the OECD, which supports the work of the OECD in the field of data governance, data flows and privacy.

Florida is the latest state to pass a consumer privacy bill, pending Governor DeSantis’ signature, that will go into full effect on July 1, 2024.

While the Florida Digital Bill of Rights found in S.B. 262 provides similar rights as the other state laws going into effect, it also differs in important and significant ways. The primary difference is the definition of a “controller.” A controller must have $1 billion in global gross revenue (a significant departure from the $25 million dollar requirement in other states), and at least one of the following: i) 50% of global gross revenue coming from the sale of advertisements online; ii) operates a consumer smart speaker and voice command service; or iii) operates an app store or digital distribution platform with at least 250,000 different software applications. Based on these threshold requirements, most of the bill is clearly intended to target only a select group of businesses. However, there are obligations placed on businesses that don’t meet the full definition of a controller in Section 501.715, as we discuss below. Continue Reading Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data

On May 8, 2023, the Online Criminal Harms Bill[1] (Bill) was introduced for its first reading in Singapore’s Parliament.

The Bill empowers a competent public authority[2] to issue any of five distinct types of directions:

  1. A Stop Communication Direction, which requires a person or entity to remove, stop posting or transmitting, and/or disable access to online criminal content so it is not accessible by any persons in Singapore.
  2. A Disabling Direction, which requires an online service provider (such as a social media platform or instant messaging provider) to disable access to specified content, such as material that had been posted or transmitted on or through an online service. This extends to disabling access to any identical copies of the relevant material, as well as to any location on the online service from where the content could be retrieved.
  3. An Access Blocking Direction, which requires an internet service provider to block access by persons in Singapore to any material or location such as a website.
  4. An Account Restriction Direction, which requires an online service provider to stop or restrict interaction between an account on its online service from communicating and interacting with any persons in Singapore.
  5. An App Removal Direction, which requires an app store to stop distributing an app to, and to stop enabling the download of this app by, any persons in Singapore.

Continue Reading Singapore Introduces New Law to Order Removal, Blocking of Harmful Online Content

A growing area of privacy litigation concerns claims brought under federal and state wiretapping laws against website operators.  In many of those cases, plaintiffs allege that their personal information was improperly intercepted and disclosed to third parties, including in relation to information purportedly provided through a website’s chat feature.  Last month, a federal court in California rejected certain claims under these circumstances, signaling growing skepticism of this legal theory.  Licea v. Old Navy, LLC, 2023 WL 3012527 (C.D. Cal. Apr. 19, 2023).  Read on to learn more.

In Licea, Plaintiff alleged that Old Navy’s website contains an online chat feature.  Plaintiff’s claims concerned two functions allegedly embedded in the chat feature.  The first function allegedly allowed Defendant to “record[ ] and create[ ] transcripts” of all customer conversations conducted in the chat. The second function, Plaintiff asserted, allowed third-party companies to intercept customer chats in “real time” and “retain transcripts.”

Plaintiff filed suit under the California Invasion of Privacy Act (“CIPA”), seeking to represent a putative class of consumers who accessed Defendant’s website and used the chat feature.  Section 631(a) of CIPA prohibits “intentional wiretapping,” “willfully attempting to learn the contents or meaning of a communication in transit over a wire,” or “attempting to use or communicate information obtained as a result of engaging in either of the two previous activities.”  Defendant moved to dismiss the Complaint, including Plaintiff’s Section 631(a) claims.  Assessing the adequacy of Plaintiff’s complaint, the Court ruled in favor of Defendant for Plaintiff’s claims under this subsection.

Defendant first argued that Plaintiff failed to plausibly allege that any communications were intercepted in transit as required for liability under the statute.  On that front, the Court disagreed.  Resolving all reasonable inferences to be drawn from the Complaint in Plaintiff’s favor (as is required for purposes of a motion to dismiss), the Court held the allegations that Defendant (1) uses a third-party service to “covertly embed[ ] code into its chat feature that automatically records and creates transcripts of all such private conversations,” and (2) “allows at least one third party … to secretly intercept in real time, eavesdrop upon, and retain transcripts of Defendant’s chat communications with unsuspecting website visitors” sufficed in regards to this element (at least at the pleadings stage).

However, the Court ruled Plaintiff’s CIPA Section 631(a) claims failed for other reasons.  Importantly, CIPA exempts from liability any individual or entity who is a “party” to the “communication.  As a result, one participant in a conversation cannot be held to have wiretapped another.  Here, because Defendant was a party to the customer chats at issue in Plaintiff’s complaint, the party-exemption applied and Defendant could not be directly liable for wiretapping under CIPA.

Plaintiff’s Complaint alleged in the alternative that Defendant violated CIPA’s wiretap provision by “aid[ing] and abett[ing] … at least one third party to eavesdrop upon conversations.” In support of this allegation Plaintiff offered only the conclusory assertion that “Defendant … allows a third party to eavesdrop on such communications … to harvest data for financial gain”.  The Court held this allegation was insufficient to plead a claim for derivative liability under CIPA, also dismissing Plaintiff’s Section 631(a) derivative liability claim on this basis.  Notably, Plaintiff’s claim under Section 632.7 of CIIPA was found adequately pled and survived dismissal.

This case is congruent with the rulings of a handful of other courts dismissing similar CIPA claims this year although case law in this area is decidedly mixed.  CIPA precedent continues to evolve as the plaintiff’s bar seeks to expand state and federal wiretap laws to apply in the context of website analytics and chat tools.  These features are commonly used by online retailers to improve website functionality and enhance the experience of website visitors.  Moreover, most website visitors arguably consented to these practices, as these issues are frequently addressed in a company’s online terms of service.  In light of the rise in CIPA litigation, website operators have also adopted other specific privacy disclaimers or introductory statements for consumer chat sessions. For more, stay tuned.  Privacy World will be there to keep you in the loop.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

NIST Not Voluntary in the Volunteer State: Tennessee Privacy Law Requires Comprehensive Written Privacy Program that Conforms to a Voluntary Framework. Will this Framework Become a De-Facto National Approach to Judging Compliance with New Privacy Obligations? | Privacy World

New CISA Guidelines Lay Out Unified International Principles on Security-by-Design and Security-by-Default | Privacy World

BREAKING: Seventh Circuit Affirms Dismissal of Lawsuit Alleging Violation of Genetic Right to Privacy, Rebuffing Claims Premised on Stock Purchase of Genetic Testing Company | Privacy World

Law360 Publishes “CFPB’s Hazy ‘Abuse’ Definition Creates Compliance Questions” Article by Keith Bradley and David Coats | Privacy World

Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained | Privacy World

Comparing Arkansas’ Social Media Safety Act to Utah’s Social Media Regulation Act | Privacy World

Federal Court Dismisses Privacy Claims Brought Against Website Operator, Finding Online Subscriptions for Electronic Newsletter Insufficient To Impose Liability Under Federal Video Privacy Protection Act | Privacy World

UNSUBSCRIBED! Public Comment Period Open for the FTC’s Proposed Amendments to the Negative Option Rule | Privacy World

Ninth Circuit Court of Appeals Holds Invasion of Privacy and Wiretapping Claims Against E-Commerce Company Not Subject to Binding Arbitration | Privacy World

The UK’s new Minister for Data and Digital Infrastructure suggests that loss of the EU adequacy decision would not be a ‘complete disaster’. Is that view likely to fuel EU concerns? | Privacy World

Singapore Financial Institutions to Meet Stricter Data Protection and Consumer Safeguards | Privacy World

Montana, Tennessee or ____________?: Which State Will Pass the Next Privacy Law? | Privacy World

New York Releases Data Security Guide to Help Businesses Protect Personal Information | Privacy World

Selfie ID Biometric Verification Vendor’s Bid for Dismissal of BIPA Class Action Rejected by Federal Court | Privacy World

CONFERENCE: SPB’s Kristin Bryan to speak at the Cybersecurity & Privacy Protection Conference | Privacy World

Vietnam Issues Much-awaited Landmark Data Protection Law | Privacy World

Registration Open: Society for the Policing of Cyberspace Event Featuring SPB’s Scott Warren and Kristin Bryan | Privacy World

Follow the Leader: Indiana Becomes Latest State to Enact Consumer Privacy Statute | Privacy World

Recordings Available: The Expanding Landscape of Biometric Data Law: Where We Are and What’s to Come | Privacy World

UK Data Protection Law Reform: Battle lines drawn? | Privacy World

 

 

This article was originally published on Privacy World on May 4, 2023 and was updated on May 16, 2023.

The Tennessee Information Protection Act (“TIPA”), signed into law on May 11, 2023, is a hodgepodge of the current U.S. state consumer privacy laws, but with a notable twist.

What’s the Same

Like the other state privacy laws, TIPA includes role-based processing (controller vs. processor), privacy rights for Tennessee residents acting only in a personal context, privacy notice requirements, transparency, data minimization and security obligations, limits on sensitive data processing and targeted advertising, and data protection assessment requirements. TIPA is enforced by the Attorney General (i.e., no private right of action) subject to a 60-day cure period.

What’s Different

Some of the notable differences between TIPA and the other state privacy laws are:

  • TIPA’s data minimization provision limits use beyond the disclosed purposes without consent, suggesting some kind of pre-collection notice is necessary regardless of authentication. TIPS has a few other references to privacy notices, but they are not helpful in interpreting Section 3204(c).
  • Under the TIPA, a controller or processor has an affirmative defense to a cause of action for a violation of TIPA if the controller or processor “creates, maintains, and complies with a written privacy [program] policy that” (1) reasonably conforms to U.S. Department of Commerce’s, National Institute of Standards and Practices (“NIST”) voluntary privacy framework (“NIST PF”) or other documented policies, standards, and procedures designed to safeguard consumer privacy, (2) is updated to reasonably conform with subsequent revisions of NIST PF or comparable privacy framework, and (3) provides a person with the substantive rights required by the TIPA. (47-18-3213).

Although the draft version of the TIPA required a written privacy program that conforms with NIST PF, the published version incorporated an amendment that provides for the application of any comparable privacy framework in order to qualify for the affirmative defense and removes the absolute obligation to use a framework altogether. The amendment was considered in April, but publicly available Tennessee government sources did not clarify the revisions, leaving those tracking the bill in the dark until the signed law was published on May 15, 2023. The published law contains the following amendments:

  • The TIPA now provides that businesses are subject to the law if they exceed $25 million in revenue, in addition to meeting one of the thresholds. Businesses must also either (1) control or process the personal information of at least 25,000 consumers and derive over 50% of their revenue from the sale of personal information, or (2) control or process personal data from over 175,000 consumers (up from 100,000 consumers in the original draft bill).
  • The published law removes the consumer right to request that a controller disclose the categories of personal information the business sold about the consumer, third parties it was sold to, and categories of personal data that were disclosed.
  • The published law adds certain requirements for controllers receiving a deletion request. When personal information about a consumer is obtained from a source other than a consumer, controllers shall retain a record of the deletion request and minimum information necessary to ensure that the consumer’s personal information remains deleted. Controllers must also refrain from using retained personal information for prohibited purposes under TIPA or shall opt the consumer out of the processing of such personal information.
  • The TIPA grants additional opt-out rights, including the right to opt out of sale, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Originally, consumers only had the right to opt out of sale.
  • The TIPA no longer requires a consumer to request that the controller provide a privacy notice. A controller must provide a privacy notice regardless of consumer request.
  • The published law lowers civil penalties, from up to $15,000 per violation to up to $7,500 per violation. The TIPA also removed the requirements to consider certain listed criteria and considerations in the assessment of civil penalties, and consumers will not be able to get “appropriate relief” when they are affected by a violation.
  • Finally, the effective date was changed by one year. TIPA will now go into effect on July 1, 2025, a year later than originally proposed.

Conforming to NIST PF

It is unclear what it would mean to “conform” to NIST PF, which is a set of flexible constructs and tools, not an auditable checklist of requirements or even standards, to aid in the development and operation of an enterprise-wide privacy risk governance and ethical processing program, designed to be adaptable to each organization’s needs, risk tolerance, values and circumstances. Here is an entertaining video about NIST PF published by NIST. NIST PF describes itself as “a risk management tool” that “can assist an organization in its efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals”.

“The Privacy Framework can help organizations answer the fundamental question, ‘How are we considering the impacts to individuals as we develop our systems, products, and services?’ To account for the unique needs of an organization, use of the Privacy Framework is flexible, although it is designed to complement existing business and system development operations. The decision about how to apply it is left to the implementing organization. For example, an organization may already have robust privacy risk management processes, but may use the Core’s five Functions as a streamlined way to analyze and articulate any gaps. Alternatively, an organization seeking to establish a privacy program can use the Core’s Categories and Subcategories as a reference. Other organizations may compare Profiles or Tiers to align privacy risk management priorities across different roles in the data processing ecosystem. The variety of ways in which the Privacy Framework can be used by organizations should discourage the notion of ‘compliance with the Privacy Framework’ as a uniform or externally referenceable concept.” [Emphasis added.]

So while the NIST PF was designed as a voluntary framework to help enterprises better develop and manage a program for managing privacy risks, and not a blueprint for the minimum requirements of a program, controllers and processors under the TIPA can create a written privacy governance document that could take any number of reasonable forms and approaches, but based on the NIST PF, at least in part, to articulate and measure program elements, goals, controls, performance measurement, and processes, including data management, risk and impact assessments, transparency, accountability and training.

TIPA Section 3213(a) provides for a defense to violation of any of the TIPA, though what the elements of establishing the defense are remains uncertain. It seems that if you can establish a NIST-consistent written privacy program (or consistency with a comparable framework), that enshrines TIPA’s statutory rights and obligations, you can potentially avoid enforcement remedies for various TIPA violations, even if you do not cure within the 60-day cure period the Act otherwise provides. Section 3213(b) explains that the scale and scope of a privacy program that qualifies for the affirmative defense under subsection (a) is to be determined based on (1) the size and complexity of the business, (2) the nature and scope of the activities of the controller or processor, (3) the sensitivity of the personal information processed, (4) the cost and availability of tools to improve privacy protections and data governance, and (5) compliance with a comparable state or federal law. Although not explicitly stated, it would seem that an appropriate determination under subsection (b) is necessary to qualify for the affirmative defense under subsection (a). Further, subsection (c) provides that, in addition to the factors in subsection (b), certifications under the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules System, and the Asia Pacific Economic Cooperation’s Privacy Recognition for Processors system may be considered. Thus, the APEC Privacy Framework appears to be intended as a measure of program appropriateness. Section 3213 was substantially broadened by the amendment to allow more flexibility in choice of framework and measure of appropriateness for judging a written privacy program.

So, practically, what does that really mean? The NIST framework is a paradigm that calls for using its unique nomenclature and methods of analysis to help a business manage personal data and privacy risk, and uses specific tools:

  • Core: A set of 5 primary privacy protection functional activities (Identify, Govern, Control, and Protect), which are subdivided into 18 categories and 100 subcategories of discrete outcomes. The idea is that senior management will select specific categories and subcategories as priority activities and outcomes, enterprise-wide, based on the business’s particular circumstances and values, and the minimum standards of applicable law.
  • Profiles: Sets of current state activities and goals for improvement built off of the selected Core categories and subcategories. This creates a way to measure performance and improvement.
  • Implementation Tiers: (Partial, Risk Informed, Repeatable, and Adaptive): Points of reference to measure the maturity of risk management, which tie to 4 designated, key components of the privacy program (Privacy Risk Management Process, Integration of the Risk Management Program, Data Processing Ecosystems Relationships and Workforce Management) and reflect the multi-stakeholder, cross-departmental philosophy underpinning the framework. The tiers are thought to help drive enterprise-wide budgeting, staffing, and training to help a business achieve its program goals, which may differ from business to business.

As noted above, under the TPIA, the “scale and scope” of the privacy program is to be “based on all of the following factors: (1) [t]he size and complexity of the controller or processor’s business; (2) [t]he nature and scope of the activities of the controller or processor; (3) [t]he sensitivity of the personal information processed; (4) [t]he cost and availability of tools to improve privacy protections and data governance; and (5) [c]ompliance with comparable state or federal law.” So, aside from operationalizing the rights and obligations mandated by applicable law, the robustness of a program, and of the level of privacy protection, will vary from business to business.

In short, NIST creates a language and process for discussing and measuring privacy risk management and information governance. At its core, it is a self-assessment and improvement tool. Further, the NIST framework calls for ethical decision-making around data practice decisions, but concedes that “there is no objective standard for ethical decision-making.” As mentioned, it also takes the approach that privacy is inherently a cross-disciplinary exercise that necessitates the participation by all internal data stakeholders. It is thought, by NIST’s creators, that the framework’s standard terminology and analytical models and tools will foster collaboration between Legal, HR, Product, IT, InfoSec, Marketing and Management and help a business stay on track with achieving both compliance with applicable law and its own privacy goals.

Other cybersecurity laws, such as ones in Connecticut and Ohio, require a cybersecurity program with “reasonable” controls. These laws do not define what is reasonable, but make available an affirmative defense to a tort claim that a business’ failure to “implement reasonable cybersecurity controls” results in a data breach. The affirmative defense is available when the defendant business can demonstrate that it conformed to one of the enumerated “industry recognized” cybersecurity frameworks, including NIST special publications 800-171 or 800-53 and 800-53a.

Complying with an industry data protection framework like NIST PF is clearly beneficial but, depending on the volume and sensitivity of a business’ information processing and available resources, the time and money needed to meaningfully adhere may prove overwhelming. And, whether TIPA’s specific reliance on the NIST PF will catch on – whether in other state privacy laws or as predominant means for privacy risk management– remains to be seen. What is clear, however, is that businesses subject to the TIPA can benefit from an affirmative defense if they develop a written privacy program that uses NIST, or a comparable framework, for developing and operating a formal privacy program. For those companies the NIST privacy framework can inform how they discuss and manage enterprise-wide data privacy risk and information governance.

For more information contact the authors or your SPB relationship partner.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.