Securities Law Compliance and Disclosure

As we previously reported, since 2017 employees have filed dozens of employment class actions claiming violations of Illinois’ 2008 Biometric Information Privacy Act (“BIPA”). In short, BIPA protects the privacy rights of employees, customers, and others in Illinois against the improper collection, usage, storage, transmission, and destruction of biometric information, including biometric identifiers, such as retina or iris scans, fingerprints, voiceprints, and scans of face or hand geometry. Before collecting such biometric information, BIPA requires an entity to: (1) provide written notice to each individual of the collection; (2) obtain a signed release from each individual for the collection of biometric data; and (3) make available a policy that contains a retention schedule and guidelines for the permanent destruction of the biometric data.

One of the unresolved legal issues was whether an entity’s failure to comply with BIPA’s requirements, absent an actual injury, was sufficient to sustain a claim under that law. On January 25, 2019, the Illinois Supreme Court weighed in on this issue in Rosenbach v. Six Flags Entertainment Corp., holding that mere collection of an individual’s biometric information may be enough to state a claim under BIPA.

In Rosenbach, a parent sued on behalf of her child after he was fingerprinted entering a Six Flags theme park. Neither the parent nor the child signed a release, Six Flags did not provide a written notice provided to the child or the parent, and Six Flags did not have a publicly available policy regarding the retention or destruction of the biometric information. Nonetheless, there have been no known data breaches on Six Flags systems, and the complaint did not allege any other harm to the parent or her son.

The Illinois Supreme Court found that the legislative intent behind BIPA dictated that a technical violation of the law, such as failure to provide notice or obtain a release, is sufficient to state a claim under the Act. Under BIPA, an “aggrieved” party is similar to the concept of the injury-in-fact requirement for standing in federal court. There, the Court found that the “injury is real and significant.”

In light of the Rosenbach decision, it is even more important that employers with operations in Illinois consider taking the following action:

(1)  First, determine if your company collects, uses, stores, or transmits any employee’s (or other individual’s) biometric information or identifiers that may be covered by BIPA (e.g., using fingerprint recognition technology for time keeping purposes or to access a company-issued property or devices).

(2)  If your company does collect, use, store, or transmit biometric data/identifiers, you should:

(a)  develop or review existing, written policies concerning the collection, storage, use, transmission, and destruction of that information, consistent with industry standards;

(b)  implement policies concerning proper notice to employees (and other affected individuals) about the company’s use, storage, etc., of such data and obtain written and signed consent forms from all affected persons; and

(c)  establish practices to protect individuals’ privacy against improper disclosure of biometric data/identifiers, using the methods and standard of care that they would apply to other material deemed confidential and sensitive.

Importantly, providing proper notice includes identifying the specific reason for the collection, storage, and use of the biometric data, as well as how long the employer will use or retain such data. 740 Ill. Comp. Stat. 14/15(a), (b); 14/10.

Featured on Employment Law This Week: New Legislation Eases Disclosure Requirements for Startups under the Dodd-Frank Wall Street Reform.

Startups offering equity plans get regulatory relief. The legislation that President Trump signed in May to ease regulations under the Dodd-Frank Wall Street Reform and Consumer Protection Act also contained some good news for startups. The law adjusts the Rule 701 thresholds, which allow private companies to offer equity to employees without registering the sales as public offerings.

Watch the segment below.

Katherine LofftFrom our colleague at Epstein Becker Green Katherine R. Lofft, on the TechHealth Perspectives blog:

There are myriad opportunities right now for new businesses and talented entrepreneurs targeting healthcare, particularly in the IT sector. It’s an exciting time for people and companies looking to harness the promise of innovation and the power of technology to improve health care delivery, empower patients and lower costs.

However, even the best ideas usually require money to get off the ground. Sometimes they require more capital than the founders or management, or their family and friends, have available. While there are many individuals and institutions around the country with money to invest, it can be hard for the average start-up or emerging business to identify and appeal to them, or to distinguish itself from competing investment opportunities.

In view of existing prohibitions on the use of general solicitation and advertising in private offerings of equity, many entrepreneurs, founders and early-stage business leaders turn to so-called “finders” (sometimes called “brokers” or “promoters”) to access capital. Finders are typically individuals, often with no other relationship to the company, who commit to leverage their network of contacts and connections to help a company identify investors and/or secure funding. The consideration under these arrangements often involves payment of a fee or commission based on a percentage of the funds invested.

Now, you might be asking, what’s the problem with this kind of arrangement? Only this: If an individual is involved in the purchase or sale or securities and receives or expects to receive a commission (whether payable in cash or other consideration, such as stock) as a result of the transaction, the individual must be properly licensed under federal, and often under state, law. The use of unlicensed “finders” or brokers can result in serious consequences not only for the individual finder or broker, but also for the company/issuer.

Read the full post on the TechHealth Perspectives blog

On March 22, 2011 the U.S. Supreme Court handed down a decision which is likely to have serious repercussions for companies in the bio/pharma tech space.  In MATRIXX INITIATIVES, INC., ET AL. v. SIRACUSANO ET AL., the Court rejected Matrixx argument that reports regarding the adverse effect of Zicam, its leading revenue generating product, were not statistically significant and therefore not material.

Noting that the analysis of materiality under the securities laws in fact specific, the Court appears to have relied heavily on two factors:

1. The methodologies and requirements of the FDA; and 

2. Public statements issued by Matrixx regarding its future revenues and  also that reports indicating that Zicam caused anosmia were “ ‘completely unfounded and misleading’ ” and that “ ‘the safety and efficacy of zinc gluconate for the treatment of symptoms related to the common cold have been well established.”

Methodologies and requirements of the FDA. As to the FDA methodologies, the Court noted, that “Both medical experts and the Food and Drug Administration rely on evidence other than statistically significant data to establish an inference of causation.  Because adverse reports can take many forms, assessing their materiality is a fact-specific inquiry, requiring consideration of their source, content, and context. The Court conceded that “Something more than the mere existence of adverse event reports is needed to satisfy that standard, but that something more is not limited to statistical significance and can come from the source, content, and context of the reports.”  Significantly the Court noted that the FDA defines an “[a]dverse drug experience” as “[a]ny adverse event associated with the use of a drug in humans, whether or not considered drug related.” 21 CFR §314.80(a) (2010). Federal law imposes obligations on pharmaceutical manufacturers to report adverse events to the FDA. During the relevant class period of the case, manufacturers of over-the-counter drugs, such as Zicam Cold Remedy, had no obligation to report adverse events to the FDA. However, in 2006, Congress enacted legislation to require manufacturers of over-the-counter drugs to report any “serious adverse event” to the FDA within 15 business days. See 21 U. S. C. §§379aa(b), (c).

Public statements issued by Matrixx regarding its future revenues. The Court Noted that Matrixx told the market that revenues were going to rise 50 and then 80 percent “when it had information indicating a significant risk to its leading revenue-generating product.”  And as  Court observed, Matrixx had not, in fact, conducted any studies and had “… received reports from medical experts and researchers that plausibly indicated a reliable causal link between Zicam and anosmia.”

The Court’s decision points to the importance of analyzing adverse product reports’ content and context and not relying on the fact that statistics may appear to render the reports merely anecdotal.  As always, public statements need to be made with care and with a  recognition that external factors can render what is said or even what is not said, actionable under the securities laws.