January 25, 2021

More on “SEC Rulemaking: Will 2020’s Efforts Be Undone?”

Last week, President Biden’s Chief of Staff, Ronald Klain, issued a memo to heads of executive departments & agencies to freeze new & pending rules (and guidance) until the incoming administration’s appointees have a chance to review them. This is a separate thing from the ability that Congress has to overturn recent laws under the Congressional Review Act – which, as I blogged earlier this month and this Cooley blog tracks through in great detail, could apply to SEC rules that have been adopted since last summer.

Here are three “regulatory freeze” points worth noting:

1. The regulatory freeze imposed by the new administration is a pretty routine thing – see this Davis Polk blog explaining the impact of a similar memo issued by the Trump administration in 2017 – but these notices still tend to generate a lot of questions each time around.

2. Because Klain’s memo expansively defines the term “rule,” this Gibson Dunn memo suggests the SEC could have an opening to delay rules that have not yet become effective.

3. However, like freezes issued under prior administrations, this one is addressed just to executive departments & agencies and doesn’t appear to apply to independent agencies like the SEC – nor does it request that independent agencies voluntarily comply with the freeze, as some prior iterations have done.

Given that last point, it appears right now that the SEC’s recently adopted and not-yet-effective rules on streamlined MD&A and financial disclosures, private placements, etc. will still go effective as planned. If there are any announcements one way or the other, we’ll make sure to blog about them here.

GDPR: First US Tech Company Gets Dinged – More To Come?

In mid-December, the Irish Data Protection Commission announced that it was assessing a $546,000 fine against Twitter for late notification of a data breach that occurred in late 2018. Companies are supposed to notify the regulator 72 hours after a breach – but Twitter waited about two weeks, saying it didn’t appreciate the severity of the issue. It’s not the first GDPR fine against an American company – but this WSJ article explains that it’s an important bellwether because it’s the first in a long pipeline of privacy cases involving US tech companies, including Facebook, Apple and Google – and privacy advocates want those fines to be assessed more quickly than the two years it took for Twitter.

If you enjoy tracking this type of thing, check out this list of “major” GDPR fines to date. This D&O Diary blog emphasizes that US companies should be paying attention to EU regulations and that privacy-related issues are a growing area of corporate risk:

The regulatory risk is an important exposure, and could also result not just in regulatory enforcement actions, but also follow-on actions as investors and others allege that companies either failed to take steps to protect the company against regulatory action or misrepresented the level of its regulatory compliance. No matter how you slice it, privacy-related issues and concerns represent a significant potential future source of corporate liability exposures.

Edgar: Goodbye “Fake” Filings, Hello Reliability!

In August, Lynn blogged about amendments the SEC had proposed making to Reg S-T in order to promote the reliability and integrity of Edgar submissions. The SEC recently announced that it had adopted those amendments – by adding new Rule 15 of Reg S-T, which will become effective if & when the final rule is published in the Federal Register. Although this might be the nail in the coffin for “fake” SEC filings that we enjoy blogging about so much, we’re celebrating that these improvements could help resolve Edgar outages and other administrative problems.

Another big part of Rule 15 is that it establishes a process for the SEC to notify filers and other “relevant persons” – vendors or suppliers who make the submission on behalf of the company – about actions that it takes under the rule. That will hopefully make it even easier to resolve submission issues, although the Commission will typically just continue to work with filers in advance of taking action, as it already does. Here are the steps that new Rule 15 will allow the SEC to take:

• Redact, remove, or prevent dissemination of sensitive personally identifiable information that if released may result in financial or personal harm;

• Prevent submissions that pose a cybersecurity threat;

• Correct system or Commission staff errors;

• Remove or prevent dissemination of submissions made under an incorrect EDGAR identifier;

• Prevent the ability to make submissions when there are disputes over the authority to use EDGAR access codes;

• Prevent acceptance or dissemination of an attempted submission that it has reason to believe may be misleading or manipulative while evaluating the circumstances surrounding the submission, and allow acceptance or dissemination if its concerns are satisfactorily addressed;

• Prevent an unauthorized submission or otherwise remove a filer’s access; and

• Remedy similar administrative issues relating to submissions.

And in related news, the SEC announced that it has named Jed Hickman as the Director of the SEC’s Edgar Business Office. Jed’s been serving as Acting Director of that office since April 2019. The person holding this office has authority to take the actions under new Rule 15 – as well as under existing rules about filing date adjustments and the continuing hardship exemption.

Liz Dunshee