March 2, 2021

Amended SEC Whistleblower Rules Noted in Recent Awards

Back in September, Liz blogged about the SEC’s adoption of amendments to the SEC’s whistleblower awards program, which had been in the works for a while. With a new SEC, whistleblower awards continue rolling along. Last week the SEC issued two press releases relating to awards that high-lighted certain aspects of the amendments.

First, this SEC press release announced an award of more than $9 million. What’s unique about this award is that the SEC’s press release says it marks the first SEC whistleblower award based on a non-prosecution agreement or deferred prosecution agreement since the amendments to the SEC’s whistleblower program became effective last December. Some may recall the amendments to the SEC whistleblower rules included a change allowing awards based on deferred prosecution agreements and non-prosecution agreements entered into by the DOJ.  The SEC’s press release doesn’t say how much the whistleblower received from the original award, but another $9 million coming from the related DOJ action is a nice payday.  Here’s an excerpt:

The whistleblower provided significant information about an ongoing fraud to the SEC that enabled a large amount of money to be returned to investors harmed by the fraud. The SEC in turn provided that information to the DOJ. The whistleblower also provided significant assistance by traveling at the whistleblower’s own expense to be interviewed by DOJ.

Also last week, the SEC announced two additional whistleblower awards totaling more than $1.7 million.  Although the award amounts were smaller for these awards, the SEC highlighted in its press release that the whistleblowers provided Forms TCR to the Commission within 30 days of their first learning of the Form TCR filing requirement under the agency’s new whistleblower rules. Not sure we’ve seen the agency draw attention to Form TCR previously, here’s an excerpt about that:

‘As these awards show, deserving whistleblowers may receive an award if they comply with the Form TCR filing requirements within 30 days of first obtaining actual or constructive notice of the filing requirement or 30 days from the date the whistleblower hires a lawyer to represent them in connection with the whistleblower’s previous submission of information to the Commission, whichever occurs first, and they otherwise meet the eligibility requirements,’ said Jane Norberg, Chief of the SEC’s Office of the Whistleblower.  ‘These whistleblowers earned their awards by providing high quality information that supported a pair of successful Commission enforcement actions.’

Compliance Programs Stay on Front Burner, Virginia Passes Privacy Legislation

Over the last year, as California’s Consumer Privacy Act became effective, we blogged about some of the late changes and here’s John’s blog about passage of the California Privacy Rights and Enforcement Act of 2020. Although various states have proposed privacy laws, Virginia is the first state this year to adopt new privacy legislation. Virginia’s Consumer Data Protection Act is awaiting the governor’s signature and presuming it’s signed, it is slated to take effect in January 2023. This Morgan Lewis memo outlines considerations for businesses, here are a few takeaways:

First, unlike the CCPA’s limited private right of action for security breaches, Virginia’s legislation does not provide for a private right of action. Instead, the attorney general will have the exclusive right to enforce the law.

Second, Virginia’s legislation would impose stricter requirements than the CPRA as to how businesses obtain consent from consumers before processing sensitive data. While the CPRA accounts for sensitive personal information and permits consumers to submit opt-out requests specific to this sensitive personal information, the Virginia legislature borrowed the stricter standard in the GDPR and requires a business to obtain affirmative consent before any sensitive data may be collected and processed.

Third, covered businesses that only process consumer requests to opt out of the sale of personal data will need to expand their opt-out compliance programs. If passed, the Virginia legislation goes further than just granting Virginians the right to opt out of the sale of their personal data and broadens that opt-out right to the use of personal data for targeted advertising and profiling purposes.

Companies that have already taken measures to comply with the CCPA, CPRA and GDPR likely have a head start to ensure compliance with Virginia’s legislation. But, the differences with Virginia’s legislation probably mean it’d be a good idea to add compliance program review back to the to-do list. For a comparison between Virginia’s legislation and the CCPA, this GreenbergTraurig blog has a chart showing how certain aspects of Virginia’s legislation are broader than the CCPA.

Our March E-Minders is Posted

We have posted the March issue of our complimentary monthly email newsletter. Sign up today to receive it by simply entering your email address!

– Lynn Jokela