The Covid-19 virus has forced substantially increased numbers of employees to work from home, potentially for an extended period of time. Against an already cluttered landscape of other business-critical issues they have to deal with, businesses also need to be mindful of the increased risk to cyber, and other types of data security, that this presents. This risk is amplified where employees are required to use personal devices to access business information, due to the limited supply of work devices. Continue Reading Protecting Data During the Covid-19 Crisis
Business in the time of COVID-19: US Cybersecurity and Privacy Issues for You to Consider
The current COVID-19 pandemic raises some significant issues and risks relating to cybersecurity and data privacy in the US that should be considered carefully and addressed appropriately. Concerns range from cybercriminals targeting a newly-remote workforce with clever phishing scams that prey on the environment of uncertainty, to worries that the crisis will give cover to expanded and potentially problematic uses of technologies such as geolocation and facial recognition. Many businesses are unsure of whether and how to collect and disclose their employees’ health information under applicable privacy laws during an outbreak of infectious disease such as we are experiencing. This article addresses these and other data protection-related issues businesses are facing and offers some helpful guidance on mitigating such issues. Continue Reading Business in the time of COVID-19: US Cybersecurity and Privacy Issues for You to Consider
Further Update from ICO on COVID-19 and Individuals
The ICO has updated its own blog with more helpful information, this time for individuals who may be worried about the increased processing of their own personal data and sensitive information, in light of the ongoing COVID-19 crisis.
Of interest to businesses and employers, is the recognition that whilst employees might think requests for information about their health and recent travel are excessive, as we have previously reported employers and organisations do have legal obligations to protect staff. It may be reasonable to ask questions, but requests should not go further than is necessary and the disclosure of information gathered (such as a positive test result), should not be widely circulated; telling colleagues that someone is ill may well be necessary, but sharing the name of the infected employee could be too much.
Recommendations by the CNIL in the Context of COVID-19
On March 6, 2020, the CNIL published recommendations on the collection of personal data in the context of COVID-19. Health data is particularly protected within the framework of a series of regulations (notably GDPR, French Data Protection Act and French Public Health Code).
Restrictions
The CNIL insists that employers cannot take measures likely to impair the privacy of the data subjects, in particular, by collecting health data that would go beyond the management of suspected exposure to the virus.
For example, employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee/agent and their relatives. It is, therefore, not possible to implement, for example: Continue Reading Recommendations by the CNIL in the Context of COVID-19
Update – ICO Issues Guidance on Data Protection and Coronavirus (COVID-19)
Further to our earlier blog on the data protection aspects of responding to COVID-19, we note that the ICO have now issued guidance on the matter, answering some of the key questions for organisations, businesses and employers.
This is helpful guidance, issued under a statement aimed at public bodies and health practitioners, (so could easily be overlooked), but is very relevant to the issues and worth reading in full.
In summary, the guidance covers questions on:
- Data protection compliance (there is an understanding that resources might be diverted from the usual compliance efforts at this time);
- Contacting individuals (the sending of public health messages without consent);
- Homeworking for staff (and security measures needed);
- Telling staff that colleagues may have potentially contracted COVID-19 (you can, subject to safeguards – read on);
- Collecting health data (you can, but read on for how best to do this); and
- Sharing information with authorities (you can, if it is necessary).
The ICO has stated that the safety and security of the public is their primary concern, which is reassuring and sensible, whilst maintaining that data protection principles still apply.
Data Protection Issues Raised by Guidance and Efforts to Prevent the Spread of COVID-19
As government agencies and businesses attempt to deal with the ramifications of Covid-19, the potential impact on privacy rights should not be overlooked. Certain measures that are under consideration to help combat the threat of the Covid-19 virus raise a number of questions about the practical impact of current guidance and efforts to prevent the spread of infection. Clearly, in light of the serious global threat posed by this virus, application of the data protection must be proportionate. We examine the two questions frequently asked questions from our clients:
- Can you ask employees about their travel plans (either before or after a holiday abroad)?
- Can you require employees to undergo a medical examination or submit to tests to check their temperature?
2025 Mass Arbitration Year in Review
Mass arbitrations—where a plaintiffs’ firm brings dozens, hundreds, or thousands of identical claims against a business—is a mechanism increasingly relied upon by the plaintiffs’ bar in the past few years. This is because mass arbitrations enable a plaintiffs’ firm to create settlement pressure by leveraging unavoidable arbitration fees borne by a business regardless of the merits of the claims filed. Further powered by litigation funding, plaintiffs’ firms have used the mass arbitration device to bring vexatious claims and escape review of the merits or any downside risk.
Continue Reading 2025 Mass Arbitration Year in Review
Singapore to Amend Cybersecurity Law
On December 15, 2023, the Cyber Security Agency of Singapore (CSA) published a consultation paper on a draft Cybersecurity (Amendment) Bill 2023 (Bill).
Singapore’s Cybersecurity Act (Act) has been in force since 2018. With a rapidly changing cyber threat landscape, the Bill aims to update Singapore’s laws on cybersecurity and address the emerging challenges posed in cyberspace.
The provisions in the Bill will extend the coverage of Singapore’s cybersecurity laws to a broader group of entities, including:
- Computing vendors – Previously, only provider-owned critical information infrastructure (CII) would have been subject to the obligations under the Act. These include having to submit certain specified information to the CSA, being subject to regular audits and risk assessments, participating in cybersecurity exercises and reporting incidents. However, with the amendments proposed in the Bill, non-provider-owned CII that use computing vendors to deliver essential services will also be caught and subjected to the duties thereunder. In addition, the Bill will close operational gaps in the Act, such as clarifying that designated CII, even if located overseas entirely, will be bound by the obligations under the Bill.
- Foundational digital infrastructure – These refer to major providers of digital infrastructure that provide services of a foundational nature to Singapore, and which will be either designated or specified by the minister or commissioner. They could be services that promote the availability, latency, throughput or security of digital services in Singapore, or which the impairment or loss of service provisioning could lead to a disruption to a large number of businesses or organisations.
- Entities of special cybersecurity interest – These refer to entities that are especially attractive targets of malicious threats due to the sensitive data they possess, or functions performed, which if compromised could impact on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
- Systems of temporary cybersecurity concern – These refer to systems that are critical to Singapore for a time-limited period, and which are susceptible to a high risk of cyberattacks during that period. One example is the systems set up specifically to support high-profile international events hosted in Singapore (e.g. the World Economic Forum), or the distribution of vaccines during the COVID-19 pandemic.
The consultation exercise will close on 15 January 2024.
If you would like to understand or discuss the implications of the Bill, feel free to contact the author or your usual firm contact.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
Cybersecurity Technology Licensor Beats Securities Fraud Suit, but Ninth Circuit Continues Idiosyncratic View on Pleading Standard for Tender Offer Claims
The United States Court of Appeals for the Ninth Circuit recently affirmed a California federal district court’s dismissal of a shareholder’s securities fraud complaint against cybersecurity technology company Finjan Holdings, Inc. In re Finjan Holdings, Inc., No. 21-16702, 2023 WL 329413 (9th Cir. Jan. 20, 2023). While the ruling is a win for Finjan, it continues the Ninth Circuit’s minority view on the ease with which shareholders can initiate securities law claims arising from tender offers.
Case Background
Finjan develops security technologies for mobile devices and invests in intellectual property related to mobile and computer security. 2023 WL 329413, at *3. While it holds itself out as a cybersecurity company, most of Finjan’s revenue comes from (1) lawsuits accusing others of violating its IP or (2) threatening patent infringement lawsuits to extract licenses for the use of its IP. Id. As a non-practicing entity, Finjan has litigated against many cybersecurity technology software providers, achieving several settlements and multi-million dollar verdicts.
In the summer of 2020, Finjan was sold to Fortress Investment Group, LLC (“Fortress”) after a strategic review process Finjan conducted with the help of Atlas Technology Group LLC (“Atlas”), beginning in 2018. Id. at *2-3. The share price for Finjan, which went public in 2013, was $3.94 on Nasdaq on the day it announced it had hired Atlas for the strategic review in 2018, and early parties’ offers expressing interest in buying Finjan in fall 2018 ranged from $4.29 to $5.10 per share. Id. at *3. As Finjan’s stock decreased in 2018 and 2019, only two potential acquirers remained interested: Fortress, its eventual buyer, and a company known only as Party B in legal filings. Id. at *4. In June 2020, after negotiations with Party B stalled, the Finjan board approved a sale to Fortress and accepted a tender offer of $1.55 per share. Id.
After the sale was announced and shareholder approval of the deal was necessary, Finjan, according to the shareholder’s complaint, directed Atlas to prepare a fairness assessment of the deal using considerably lower revenue projections than the revenue projections Finjan had made a few months earlier before the COVID-19 pandemic. The revised revenue projections made after the sale were the subject of the putative class action, brought by Robert Grier, a former Finjan shareholder. Id. at *5.
The Exchange Act Claim
Grier, in making his allegations, relied on Section 14(e) of the Securities Exchange Act of 1934 (“Exchange Act”), 15 U.S.C. § 78n(e), which prohibits the use of false or misleading statements in connection with a tender offer. Id. at *2. This statute and Supreme Court precedent set forth four elements to a § 14(e) claim: (1) Finjan did not actually believe the revenue projections and share-value estimations it issued to its shareholders (“subjective falsity”), (2) the revenue projections and share-value estimations did not reflect the company’s likely future performance (“objective falsity”), (3) the shareholders foreseeably relied on the revenue projections and share-value estimations in accepting the tender offer, and (4) shareholders suffered an economic loss as a result of the deal with Fortress. Id. at *2.
The parties agreed that only “subjective falsity,” i.e. whether Finjan believed the post-sale revised revenue projections, was at issue. The district court held that the subjective falsity element required allegations of scienter, a conscious, fraudulent state-of-mind and thus the “strong inference” heightened pleading standard of the Private Securities Litigation Reform Act (PSLRA) § 4(b)(2) for “particular states of mind” applied. Id.
According to the district court, Grier’s allegations did not rise to support the heightened strong inference standard of subjective falsity, so the district court dismissed the claim. Id.
On appeal, the Ninth Circuit held that the heightened “strong inference” standard under PSLRA § 4(b)(2) did not apply to § 14(e) claims for subjective falsity because one can negligently say a subjectively false statement and “negligence does not require proof of a mental state.” The Ninth Circuit acknowledged that such negligent subjectively false statements are rare but hypothesized that it was not impossible:
“It is rare for a speaker to express an opinion without knowing that he is
doing so. But it is not impossible. For example, an individual could negligently issue a statement that includes an opinion that the speaker does not hold. If a corporate executive prepares a statement truthfully indicating that he believes his corporation will have a revenue of $400 million over the next year, but through a scrivener’s error the statement is released to the public with the figure instead reading $40 million, then the corporate executive has perhaps negligently released a statement to the public with an opinion that the corporate executive does not believe.”
Rejecting a heightened pleading standard for a § 14(e) claim, the Court held that a reasonable inference of subjective falsity would be sufficient to allow the claim to proceed. Id. However, the Court held that the shareholder plaintiff in Fjnjan did not meet even the reasonable inference in his factual allegations and upheld the dismissal. Id. at *3. Put another way, there was no reasonable inference that “Finjan . . . believed that the revenue projections or share-value estimations provided to shareholders were inaccurate.” Id.
What the Ruling Means
The Ninth Circuit’s ruling that a § 14(e) tender offer claim is not subject to PSLRA’s heightened pleading standards for state of mind is a reaffirmance of its 2018 decision in Varjabedian v. Emulex Corp., 888 F.3d 399 (9th Cir. 2018).
That case created a split with five other Courts of Appeals—the Second, Third, Fifth, Sixth, and Eleventh Circuits—that the Supreme Court was poised to resolve before dismissing the certiorari petition as improvidently granted Emulex Corp. v. Varjabedian, 139 S. Ct. 1407 (2019). Until the Supreme Court resolves the split, some securities cases that might have been dismissed under the stronger pleading standard in other Circuits can survive under the lower standard the Ninth Circuit reaffirmed in Finjan.
However, the Ninth Circuit’s decision shows that even under the lower pleading standard, it still may be difficult for shareholders to show subjective falsity. Pleadings must contain a plethora of factual allegations that make it reasonable to infer the speaker knew that the statements given were false. Though that is a lower bar to clear than strong inference, it is still a high bar indeed.
The biggest privacy takeaway for companies? Finjan will still be around to bring infringement actions against cybersecurity software vendors used by countless companies. Privacy World will be here to keep you up to date on those significant actions.
2022 Q3 Artificial Intelligence & Biometric Privacy Report
Welcome to the 2022 Q3 edition of the Artificial Intelligence & Biometric Privacy Report, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team.
Also, we are extremely pleased to announce that our own Kristin Bryan was named as a 2022 Law360 Cybersecurity & Privacy MVP. As Law360 notes, “[t]he attorneys chosen as Law360’s 2022 MVPs have distinguished themselves from their peers by securing hard-earned successes in high-stakes litigation, complex global matters and record-breaking deals.” You can read more about Kristin’s Law360 award here: Law360 MVP Awards Go to 188 Attorneys From 78 Firms.
Continue Reading 2022 Q3 Artificial Intelligence & Biometric Privacy Report