Holland & Knight - China Practice Newsletter: September - October 2023


SEPTEMBER - OCTOBER 2023 (September/October 2023 issue)
Copyright © 2023 Holland & Knight LLP All Rights Reserved

Table of Contents

CHINA PRACTICE NEWSLETTER .......... 3
THREE RECENT ITC DECISIONS DEMONSTRATE NEW WILLINGNESS TO FIND U.S. PATENTS INVALID UNDER SECTION 101 .......... 4
THREE RECENT ITC DECISIONS DEMONSTRATE NEW WILLINGNESS TO FIND U.S. PATENTS INVALID UNDER SECTION 101 (CHINESE-LANGUAGE VERSION) .......... 8
TRI-SEAL COMPLIANCE NOTE ISSUED ON EXPORT CONTROLS, SANCTIONS VIOLATIONS SELF-DISCLOSURES .......... 12
TRI-SEAL COMPLIANCE NOTE ISSUED ON EXPORT CONTROLS, SANCTIONS VIOLATIONS SELF-DISCLOSURES (CHINESE-LANGUAGE VERSION) .......... 15
SEC FINALIZES CYBERSECURITY INCIDENT AND GOVERNANCE DISCLOSURE OBLIGATIONS FOR PUBLIC COMPANIES .......... 18
SEC FINALIZES CYBERSECURITY INCIDENT AND GOVERNANCE DISCLOSURE OBLIGATIONS FOR PUBLIC COMPANIES (CHINESE-LANGUAGE VERSION) .......... 26
NEW YORK STANDS READY TO REIN IN COVENANTS NOT TO COMPETE .......... 32
NEW YORK STANDS READY TO REIN IN COVENANTS NOT TO COMPETE (CHINESE-LANGUAGE VERSION) .......... 34
ABOUT THIS NEWSLETTER .......... 36
ABOUT THIS NEWSLETTER (CHINESE-LANGUAGE VERSION) .......... 36
ABOUT THE AUTHORS .......... 36
ABOUT THE AUTHORS (CHINESE-LANGUAGE VERSION) .......... 36

China Practice Newsletter

Holland & Knight is a U.S.-based global law firm committed to providing high-quality legal services to our clients. We provide legal assistance to Chinese investors and companies doing business or making investments in the United States and Latin America. We also advise and assist multinational corporations and financial institutions, trade associations, private investors and other clients in their China-related activities. With approximately 2,000 professionals in 34 offices, our lawyers and professionals are experienced in all of the interdisciplinary areas necessary to guide clients through the opportunities and challenges that arise throughout the business or investment life cycles.

We assist Chinese clients and multinational clients in their China-related activities in areas such as international business, mergers and acquisitions, technology, oil and energy, healthcare, real estate, environmental law, private equity, venture capital, financial services, taxation, intellectual property, private wealth services, data privacy and cybersecurity, labor and employment, ESOPs, regulatory and government affairs, and dispute resolution.

We invite you to read our China Practice Newsletter, in which our authors discuss pertinent Sino-American topics. We also welcome you to discuss your thoughts on this issue with our authors listed within the document.

Holland & Knight is a U.S.-based global law firm committed to providing high-quality legal services to its clients. We provide the legal assistance needed by Chinese investors and companies doing business or investing in the United States and Latin America. We also provide multinational corporations, financial institutions, trade associations, investors and other clients with the advice and assistance they need in their China-related activities. Our more than 2,000 lawyers and professionals in 34 offices, experienced across all relevant fields, can help clients handle the opportunities and challenges they encounter in the course of their business or investments.

The areas in which we provide legal assistance to Chinese clients and to multinational clients engaged in China-related activities include international business, mergers and acquisitions, technology law, oil and energy, healthcare law, real estate, environmental law, private equity, venture capital, financial services law, taxation, intellectual property, private wealth management legal services, information privacy and cybersecurity, labor and employment law, employee stock ownership plans, regulatory compliance and government regulation, and dispute resolution.

We invite you to read the China Practice Newsletter, which carries our authors' discussions of various Sino-American topics. We also welcome you to share with the authors of this issue your views on the topics discussed.


Three Recent ITC Decisions Demonstrate New Willingness to Find U.S. Patents Invalid Under Section 101

HIGHLIGHTS

• The U.S. International Trade Commission (ITC) adjudicates complaints filed by U.S. patent owners against infringing imports, including products imported from China.

• Patent infringement allegations can be defeated at the ITC by showing either that the asserted claims or the "domestic industry" claims are invalid.

• Historically, the ITC has infrequently found claims invalid under 35 U.S.C. § 101, but three recent decisions suggest that raising such arguments may be an effective strategy.

The U.S. International Trade Commission (ITC or Commission) is an independent federal agency that evaluates infringement complaints filed by U.S. intellectual property rights owners against accused imports.1 ITC administrative law judges (ALJs) issue initial determinations that are reviewed by the ITC's Commissioners. If a violation is found, U.S. Customs and Border Protection can bar the importation of infringing products, and any U.S. inventories must be removed or destroyed.2 Typically, U.S. patents are asserted at the ITC, and the most common country of origin of accused products is China. To establish ITC standing, a patent owner must provide proof that it owns the asserted patent, that the accused products are imported, and that at least one valid patent claim is practiced by the patentee's products or the products of a licensee.3 This final condition is known as the ITC's "domestic industry" requirement. To defeat a claim of patent infringement, the accused infringer can demonstrate that the asserted claims, or the claims relied on for the domestic industry requirement, are invalid. The ITC often does not find claims invalid under 35 U.S.C. § 101, but recent decisions suggest a greater willingness to do so.

INVALIDITY UNDER 35 U.S.C. § 101

Section 101 permits the patenting of "any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof."4 Patents claiming "[l]aws of nature, natural phenomena, and abstract ideas" are improper because they claim "basic tools of scientific and technological work."5 To determine whether a claim covers patentable subject matter, the ITC must engage in a two-step inquiry. First, it must "determine whether the claims at issue are directed to one of those patent-ineligible concepts."6 If not, the inquiry ends. "A relevant inquiry at Alice Step 1 is 'whether the claims in the[] patent[] focus on a specific means or method that improves the relevant technology or are instead directed to a result or effect that itself is the abstract idea and merely invoke generic processes and machinery.'"7 Only if one or more claims are found to be directed to a patent-ineligible concept does the inquiry then turn to the second step: examination of the elements of each claim "both individually and 'as an ordered combination' to determine whether the additional elements 'transform the nature of the claim' into a patent-eligible application."8 A patent is directed to ineligible subject matter only if it fails both steps.

Section 101 also precludes a patentee from obtaining a second patent on an invention that "would have been obvious from the subject matter of the claims in the first patent, in light of the prior art."9 This "obviousness-type double patenting" is intended to prevent a patentee from unfairly extending its patent term by obtaining different patents for essentially the same invention. "First, the court 'construes the claim[s] in the earlier patent and the claim[s] in the later patent and determines the differences.' Second, the court 'determines whether those differences render the claims patentably distinct.'"10 A later claim that is not patentably distinct from – i.e., is obvious over or anticipated by – an earlier claim is invalid for obviousness-type double patenting.11

Certain Light-Emitting Diode Products, Fixtures, and Components Thereof, Inv. No. 337-TA-1213

In the 337-1213 investigation, one of the asserted patents was accused of being invalid under Section 101 for claiming ineligible subject matter. Representative claim 1 recited: "[a] lighting device comprising at least one solid state light emitter, said lighting device, when supplied with electricity of a first wattage, emitting output light having a wall plug efficiency of at least 85 lumens per watt of said electricity."12 The ALJ first considered "whether the claims in the patent focus on a specific means or method that improves the relevant technology or are instead directed to a result or effect that itself is the abstract idea and merely invoke generic processes and machinery."13 The ALJ found that the claims are "directed to a result or effect that itself is the abstract idea," and noted the patentee's position that the claims read on any means of achieving the claimed efficiencies.14 Next, the ALJ determined that the additional claim elements did not transform the nature of the claim into a patent-eligible application because 1) the claims only recited a generic solid state emitter, and 2) the patent specification focused on one approach to achieving the efficiency goal, but the claims read on any structure that achieves the claimed efficiency.15 The fact that the claims would cover unknown, future technologies was found to be a strong indication that they are directed to the abstract idea of efficiency itself.16 The ALJ therefore found the asserted patent invalid under Section 101, and the Commission affirmed that determination on review.

Certain Polycrystalline Diamond Compacts and Articles Containing Same, Inv. No. 337-TA-1236

The 337-1236 investigation centered around sintered polycrystalline diamond compacts (or assemblies) that could be used for heavy drilling operations.

The asserted patents purportedly taught that manufacturing diamond compacts with certain manufacturing parameters would result in products having certain improved performance parameters and certain electromagnetic characteristics. Specifically, the claims at issue were directed to a "diamond compact" that "exhibits" certain material property limitations (e.g., coercivity, electrical conductivity, thermal stability, etc.). Importantly, the claims at issue at the conclusion of the investigation were only article of manufacture claims, with no method of manufacture claims being decided.

In describing these claims, the Commission agreed with the ALJ that the relevant claim limitations were nothing more than "performance measures" and "side effects."17 For example, the Commission determined that claim limitations such as "wear resistance" were simply performance measures and that certain electrical or magnetic properties were nothing more than a "side effect" of the fabrication processes or characteristics of the finished product.18 In describing the claims and patents, the ALJ stated:

"In short, nothing in the asserted patents, or the rest of the record, suggests that any of these parameters solve any problems, rather than simply being measures of other, actually beneficial characteristics. Nor are the electrical and magnetic parameters sufficiently tied to any such beneficial characteristics through inherency, as explained above. There may be some causal connection between [certain] design and fabrication choices, on the one hand, and electrical and magnetic behavior, on the other hand. But that causal connection is so loose and generalized that the claimed limitations appear to be little more than side effects; thus, the recitation of, say, an electrical conductivity [] appears to be gratuitous rather than inventive." 19

In finding that the remaining claim limitations recited nothing more than the common structure of diamond compacts, and that there were no other limitations defining the structure or manufacture of the diamond compacts to be different than what came before, the Commission stated that the asserted claims "are directed to the abstract idea of stronger [diamond compacts] that achieve the claimed performances and desired [side effects] no matter how implemented."20

Because the Commission also agreed with the ALJ's findings that the claims "invoke [] well-understood, routine, [and] conventional components to apply the abstract ideas" that are "generic to all [compacts]," the Commission easily found Step 2 of the Alice test satisfied and all asserted claims invalid under 35 USC § 101.21

Certain Video Processing Devices and Products Containing the Same, Inv. No. 337-TA-1323

In the 337-1323 investigation, a parent patent application was filed, followed by a string of related continuation and divisional applications all sharing a common specification. One of the related applications issued as the Asserted Patent, U.S. Patent No. 878.22 The last patent in the family was U.S. Patent No. 8,867,855 (the 855 patent). Significantly, no terminal disclaimer was filed. Because of the claims of priority made by and between the original and subsequent applications, the patents in the family would ordinarily have expired on the same date. However, due to patent term adjustments made pursuant to 35 U.S.C. § 154 during prosecution, the 855 patent expired before the asserted 878 patent, even though the application resulting in the 855 patent was filed after the 878 patent had already issued.23

The accused infringer argued that the 878 patent was invalid under Section 101 for obviousness-type double patenting because the differences in claim limitations between it and the other patents in the family were not patentably distinct and would have been obvious to a person of ordinary skill.24

The parties also disputed whether, as a matter of law, earlier-expiring patents can be used as double patenting references when that early expiration was due to a patent term extension. The Commission found that earlier-expiring patents can be used as double patenting references and agreed with the ALJ that the differences between the claims of the 878 patent and those of the earlier-expiring patent did not render them patentably distinct, because the differences concern standard frameworks that were known to persons of ordinary skill at the relevant time.25

In view of the foregoing, we are seeing a trend at the ITC where Section 101 is being embraced, even beyond the well-known applications of that case law. Therefore, it is strategically beneficial to consider the impact of invalidity attacks under 35 USC § 101 beyond the traditional "computer implemented" claims, and consider looking more closely at system or apparatus claims that are directed to nothing more than performance goals or simple "side effects" or an unclaimed manufacturing process or physical attribute.

NOTES

1 19 U.S.C. § 1337.

2 19 U.S.C. § 1337(d) and (f).

3 19 U.S.C. § 1337(a).

4 35 U.S.C. § 101.

5 Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 70 (2012).

6 Certain Light-Emitting Diode Products, Fixtures, and Components Thereof, Inv. No. 337-TA-1213, Final ID (Aug. 17, 2021), citing Alice Corp. Pty. v. CLS Bank Int'l, 573 U.S. 208, 216 (2014), affirmed in relevant part by the Commission (Dec. 16, 2021).

7 Id. at 21, citing Free Stream Media Corp. v. Alphonso Inc., 996 F.3d 1355, 1363 (Fed. Cir. 2021).

8 Id. at 19-20, citing Alice Corp. Pty. v. CLS Bank Int'l, 573 U.S. 208, 217 (2014).

9 In re Longi, 759 F.2d 887, 893 (Fed. Cir. 1985).

10 Sun Pharm. Indus., Ltd. v. Eli Lilly & Co., 611 F.3d 1381, 1385 (Fed. Cir. 2010) (alteration in original) (quoting Pfizer, Inc. v. Teva Pharm. USA, Inc., 518 F.3d 1353, 1363 (Fed. Cir. 2008)).

11 Id. at 1385 (alteration in original).

12 Certain Light-Emitting Diode Products, Fixtures, and Components Thereof, Inv. No. 337-TA-1213, Final ID, at 5-6.

13 Id. at 21, citing Free Stream Media Corp., 996 F.3d at 1363.

14 Id. at 22.

15 Id. at 26.

16 Id. at 28.

17 Certain Polycrystalline Diamond Compacts and Articles Containing Same, Inv. No. 337-TA-1236, Comm'n Op. at 26 (Oct. 26, 2022).

18 Id. at 20, 24-26.

19 Id. at 20.

20 Id. at 33.

21 Id. at 33-34.

22 Certain Video Processing Devices and Products Containing the Same, Inv. No. 337-TA-1323, Order No. 47 Granting Motion for Summary Determination, at 2 (May 1, 2023); affirmed by the Commission in relevant part (Aug. 1, 2023).

23 Id. at 3.

24 Id. at 24-27.

25 Id. at 9, citing In re Berg, 140 F.3d 1428, 1432 (Fed. Cir. 1998) (framing the test as, "if the scope of the application and the patent claims is not identical, the court must ask whether the former defines merely an obvious variation of the latter.").


Three Recent ITC Decisions Demonstrate New Willingness to Find U.S. Patents Invalid Under Section 101 (Chinese-language version)

Original authors: James B. Coughlan and Terry J. Wikberg

HIGHLIGHTS

• The U.S. International Trade Commission (ITC) adjudicates complaints brought by U.S. patent owners against infringing imports, including products imported from China.

• Patent infringement allegations can be defeated at the ITC by showing that either the asserted claims or the "domestic industry" claims are invalid.

• Historically, the ITC has rarely found claims invalid under 35 U.S.C. § 101, but three recent decisions suggest that raising such arguments may be an effective strategy.

The U.S. International Trade Commission (ITC or Commission) is an independent federal agency that evaluates infringement complaints filed by U.S. intellectual property owners against accused imports.1 ITC administrative law judges (ALJs) issue initial determinations, which are reviewed by the ITC's Commissioners. If a violation is found, U.S. Customs and Border Protection may bar the importation of the infringing products, and any U.S. inventory must be removed or destroyed.2 Typically, U.S. patents are asserted at the ITC, and the most common country of origin of accused products is China. To establish standing at the ITC, a patent owner must provide evidence that it owns the asserted patent, that the accused products are imported, and that at least one valid patent claim is practiced by the patentee's products or the products of a licensee.3 This last condition is known as the ITC's "domestic industry" requirement. To defeat a claim of patent infringement, the accused infringer can show that the asserted claims, or the claims on which the domestic industry requirement relies, are invalid. The ITC generally does not find claims invalid under 35 U.S.C. § 101, but recent decisions show that it is more willing to do so.

INVALIDITY UNDER 35 U.S.C. § 101

Section 101 permits the patenting of "any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof."4 Patents claiming "laws of nature, natural phenomena, and abstract ideas" are improper because they claim "basic tools of scientific and technological work."5 To determine whether a claim covers patentable subject matter, the ITC must conduct a two-step inquiry. First, it must "determine whether the claims at issue are directed to one of those patent-ineligible concepts."6 If not, the inquiry ends. "A relevant inquiry at Alice Step 1 is whether the claims in the patent focus on a specific means or method that improves the relevant technology, or are instead directed to a result or effect that itself is the abstract idea and merely invoke generic processes and machinery."7 Only if one or more claims are found to be directed to a patent-ineligible concept does the inquiry turn to the second step: examining the elements of each claim "both individually and 'as an ordered combination' to determine whether the additional elements 'transform the nature of the claim' into a patent-eligible application."8 A patent is directed to ineligible subject matter only if it fails both steps.

Section 101 also bars a patentee from obtaining a second patent on an invention that "would have been obvious from the subject matter of the claims in the first patent, in light of the prior art."9 This "obviousness-type double patenting" is intended to prevent a patentee from unfairly extending its patent term by obtaining different patents for essentially the same invention. "First, the court 'construes the claims in the earlier patent and the claims in the later patent and determines the differences.' Second, the court 'determines whether those differences render the claims patentably distinct.'"10 A later claim that is not patentably distinct from an earlier claim, that is, one that is obvious over or anticipated by the earlier claim, is invalid for obviousness-type double patenting.11

Certain Light-Emitting Diode Products, Fixtures, and Components Thereof, Inv. No. 337-TA-1213

In the 337-1213 investigation, one of the asserted patents was accused of being invalid under Section 101 for claiming ineligible subject matter. Representative claim 1 recited: "[a] lighting device comprising at least one solid state light emitter, said lighting device, when supplied with electricity of a first wattage, emitting output light having a wall plug efficiency of at least 85 lumens per watt of said electricity."12 The ALJ first considered "whether the claims in the patent focus on a specific means or method that improves the relevant technology or are instead directed to a result or effect that itself is the abstract idea and merely invoke generic processes and machinery."13 The ALJ found that the claims are "directed to a result or effect that itself is the abstract idea," and noted the patentee's position that the claims read on any means of achieving the claimed efficiency.14 Next, the ALJ determined that the additional claim elements did not transform the nature of the claim into a patent-eligible application, because 1) the claims recited only a generic solid state emitter, and 2) the patent specification focused on one approach to achieving the efficiency goal, but the claims read on any structure that achieves the claimed efficiency.15 The fact that the claims would cover unknown future technologies was a strong indication that they are directed to the abstract idea of efficiency itself.16 The ALJ therefore found the asserted patent invalid under Section 101, and the Commission affirmed that determination on review.

Certain Polycrystalline Diamond Compacts and Articles Containing Same, Inv. No. 337-TA-1236

The 337-1236 investigation centered on sintered polycrystalline diamond compacts (or assemblies) that can be used in heavy drilling operations.

The asserted patents purportedly taught that manufacturing diamond compacts with certain manufacturing parameters would result in products having certain improved performance parameters and certain electromagnetic characteristics. Specifically, the claims at issue were directed to a "diamond compact" that "exhibits" certain material property limitations (e.g., coercivity, electrical conductivity, thermal stability, etc.). Importantly, the claims at issue at the conclusion of the investigation were only article of manufacture claims; no method of manufacture claims were decided.

In describing these claims, the Commission agreed with the ALJ that the relevant claim limitations were nothing more than "performance measures" and "side effects."17 For example, the Commission determined that claim limitations such as "wear resistance" were simply performance measures, and that certain electrical or magnetic properties were nothing more than a "side effect" of the fabrication process or of the characteristics of the finished product.18 In describing the claims and patents, the ALJ stated:

"In short, nothing in the asserted patents, or the rest of the record, suggests that any of these parameters solve any problems, rather than simply being measures of other, actually beneficial characteristics. Nor are the electrical and magnetic parameters sufficiently tied to any such beneficial characteristics through inherency, as explained above. There may be some causal connection between [certain] design and fabrication choices, on the one hand, and electrical and magnetic behavior, on the other hand. But that causal connection is so loose and generalized that the claimed limitations appear to be little more than side effects; thus, the recitation of, say, an electrical conductivity [] appears to be gratuitous rather than inventive."19

Finding that the remaining claim limitations described nothing more than the common structure of diamond compacts, and that no other limitations defined the structure or manufacture of the diamond compacts as different from what came before, the Commission stated that the asserted claims "are directed to the abstract idea of stronger [diamond compacts] that achieve the claimed performances and desired [side effects] no matter how implemented."20

Because the Commission also agreed with the ALJ's findings that the claims "invoke [] well-understood, routine, [and] conventional components to apply the abstract ideas" that are "generic to all [compacts]," the Commission readily found Step 2 of the Alice test satisfied and all asserted claims invalid under 35 U.S.C. § 101.21

Certain Video Processing Devices and Products Containing the Same, Inv. No. 337-TA-1323

In the 337-1323 investigation, a parent patent application was filed, followed by a series of related continuation and divisional applications all sharing a common specification. One of the related applications issued as the asserted patent, U.S. Patent No. 878.22 The last patent in the family was U.S. Patent No. 8,867,855 (the 855 patent). Notably, no terminal disclaimer was filed. Because of the priority claims made between the original and subsequent applications, the patents in the family would ordinarily have expired on the same day. However, because of patent term adjustments made under 35 U.S.C. § 154 during prosecution, the 855 patent expired before the asserted 878 patent, even though the application that resulted in the 855 patent was filed after the 878 patent had already issued.23

The accused infringer argued that, under Section 101, the 878 patent was invalid for obviousness-type double patenting because any differences in limitations between it and the other patents in the family were not patentably distinct and would have been obvious to a person of ordinary skill.24

The parties also disputed whether, as a matter of law, earlier-expiring patents can be used as double patenting references when the earlier expiration resulted from a patent term extension. The Commission found that earlier-expiring patents can be used as double patenting references and agreed with the ALJ that the differences between the claims of the 878 patent and those of the earlier-expiring patent did not make them patentably distinct, because those differences concerned standard frameworks known to persons of ordinary skill at the relevant time.25

In view of the foregoing, we are seeing a trend at the ITC in which Section 101 is being embraced, even beyond the well-known applications of that case law. Therefore, it is strategically beneficial to consider the impact of invalidity attacks under 35 U.S.C. § 101 beyond the traditional "computer-implemented" claims, and to look more closely at system or apparatus claims that are directed to nothing more than performance goals, simple "side effects," or an unclaimed manufacturing process or physical attribute.

NOTES

1 19 U.S.C. § 1337.

2 19 U.S.C. § 1337(d) and (f).

3 19 U.S.C. § 1337(a).

4 35 U.S.C. § 101.

5 Mayo Collaborative Servs. v. Prometheus Labs., Inc., 566 U.S. 66, 70 (2012).

6 Certain Light-Emitting Diode Products, Fixtures, and Components Thereof, Inv. No. 337-TA-1213, Final ID (Aug. 17, 2021), citing Alice Corp. Pty. v. CLS Bank Int'l, 573 U.S. 208, 216 (2014), affirmed in relevant part by the Commission (Dec. 16, 2021).

7 Id. at 21, citing Free Stream Media Corp. v. Alphonso Inc., 996 F.3d 1355, 1363 (Fed. Cir. 2021).

8 Id. at 19-20, citing Alice Corp. Pty. v. CLS Bank Int'l, 573 U.S. 208, 217 (2014).

9 In re Longi, 759 F.2d 887, 893 (Fed. Cir. 1985).

10 Sun Pharm. Indus., Ltd. v. Eli Lilly & Co., 611 F.3d 1381, 1385 (Fed. Cir. 2010) (alteration in original) (quoting Pfizer, Inc. v. Teva Pharm. USA, Inc., 518 F.3d 1353, 1363 (Fed. Cir. 2008)).

11 Id. at 1385 (alteration in original).

12 Certain Light-Emitting Diode Products, Fixtures, and Components Thereof, Inv. No. 337-TA-1213, Final ID, at 5-6.

13 Id. at 21, citing Free Stream Media Corp., 996 F.3d at 1363.

14 Id. at 22.

15 Id. at 26.

16 Id. at 28.

17 Certain Polycrystalline Diamond Compacts and Articles Containing Same, Inv. No. 337-TA-1236, Comm'n Op. at 26 (Oct. 26, 2022).

18 Id. at 20, 24-26.

19 Id. at 20.

20 Id. at 33.

21 Id. at 33-34.

22 Certain Video Processing Devices and Products Containing the Same, Inv. No. 337-TA-1323, Order No. 47 Granting Motion for Summary Determination, at 2 (May 1, 2023); affirmed by the Commission in relevant part (Aug. 1, 2023).

23 Id. at 3.

24 Id. at 24-27.

25 Id. at 9, citing In re Berg, 140 F.3d 1428, 1432 (Fed. Cir. 1998) (framing the test as, "if the scope of the application and the patent claims is not identical, the court must ask whether the former defines merely an obvious variation of the latter.").


Tri-Seal Compliance Note Issued on Export Controls, Sanctions Violations Self-Disclosures

HIGHLIGHTS

• The U.S. Department of Justice (DOJ), Department of Commerce's Bureau of Industry and Security (BIS) and Department of the Treasury's Office of Foreign Assets Control (OFAC) in late July issued a Tri-Seal Compliance Note (Compliance Note) outlining policy memoranda and regulations on voluntary self-disclosures for violations of sanctions, export controls and other national security laws.

• Though the Compliance Note does not impose new requirements, it does highlight the importance of self-disclosing suspected violations.

• Part of U.S. government efforts to encourage industry to help identify efforts by bad actors to evade U.S. sanctions and export controls, the Compliance Note also highlights recent changes in how agencies handle voluntary self-disclosures (or failures to self-disclose) that change the risk calculus of determining whether, when and to whom self-disclosure should be made.

The U.S. Department of Justice (DOJ), Department of Commerce's Bureau of Industry and Security (BIS) and Department of the Treasury's Office of Foreign Assets Control (OFAC) on July 26, 2023, issued a Tri-Seal Compliance Note (Compliance Note) outlining agency policy memoranda and existing regulations on voluntary self-disclosures (VSDs) of violations of sanctions, export controls and other national security laws. Collectively, the three agencies highlight the importance of voluntary self-disclosures as a way of identifying threats to national security.

BACKGROUND

The Compliance Note appears to be part of the coordinated and sustained effort by the agencies to prevent controlled technology and goods from being diverted to Russia, China and Iran.

A prior Tri-Seal Compliance Note issued in March 2023 focused on identifying red flags of diversion (e.g., the use of third-party intermediaries or transshipment points). In May 2023, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) and BIS issued a joint alert identifying specific classes of goods/technology that Russia is seeking to acquire through deceptive means. In May 2023, BIS expanded the types of industrial items controlled for export to Russia to include many that are not normally controlled for export to most countries. (See Holland & Knight's previous alert, "United States Imposes Expanded Sanctions and Export Controls on Russia," May 24, 2023.)

Similarly, through the Compliance Note, the three agencies are encouraging voluntary self-disclosures as a way of helping the U.S. government identify intermediaries and other bad actors working with or for Russian, Iranian and other sanctioned countries' interests.


RECENT POLICY UPDATES

NSD

DOJ's National Security Division (NSD), which is tasked with prosecuting criminal violations of sanctions and export control laws, encourages VSDs by emphasizing its policy toward companies that voluntarily self-disclose, cooperate, and timely and appropriately remedy any noncompliance. For such companies, generally, the NSD will not seek a guilty plea or impose any fines, and the company will receive a non-prosecution agreement. Notably, the NSD's policy applies to other corporate criminal matters handled by the NSD, including violations of the Foreign Agents Registration Act and Committee on Foreign Investment in the United States (CFIUS) regulations.

BIS

BIS, the agency that administers the Export Administration Regulations (EAR), emphasized its recent policy updates. In June 2022, BIS established a dual-track system to streamline the process of handling VSDs. Minor and technical infractions will be resolved on a "fast-track basis," with the issuance of a warning or no-action letter within 60 days of final submission. In addition, on April 18, 2023, the Assistant Secretary of Export Enforcement issued a memorandum on BIS' VSD policy clarifying the risk calculus on VSDs: Deliberate nondisclosure of an EAR violation will be considered an aggravating factor under BIS guidelines. Furthermore, if an entity submits a tip to BIS reporting a company's potential violation of the EAR, BIS will offer the possibility of mitigating credit to the whistleblowing entity if the tip leads to an enforcement action.

OFAC

OFAC encourages voluntary disclosures of potential sanctions violations by emphasizing penalty mitigation. In cases where a civil monetary penalty is warranted, a qualifying VSD can result in a 50 percent reduction in the base amount of a proposed civil penalty. The Compliance Note outlines situations where a disclosure will not qualify as a VSD, including cases where a disclosure contains false or misleading information, is materially incomplete, is not "self-initiated" or is a result of a suggestion made by another agency or official.

KEY TAKEAWAYS

• Adequate Diligence of Transactions Is Critical. Companies that trade internationally in certain products face a difficult risk environment with sanctioned countries using increasingly sophisticated methods to evade sanctions, whether through false documentation, spoofing the Automatic Identification System (AIS) or use of intermediaries.

• The Calculus on Whether to Voluntarily Disclose to the U.S. Government, and to Whom, Is Changing. The benefits of making a voluntary self-disclosure are more consistent. For example, all DOJ departments were required to revise and publish written policies for voluntary disclosures with regard to mitigation of penalties and other benefits, with the hope that having clearer and more predictable treatment would encourage more voluntary disclosures. For example, the NSD issued its policy in March 2023. There are potentially substantial whistleblower rewards available for certain criminal conduct, such as international export violations.

• Failure to Make a Disclosure Could Constitute an "Aggravating Factor." Though it has created a dual-track process that will allow minor or technical violations to be resolved quickly with warnings or no-action letters, BIS cautioned that nondisclosure of significant possible violations, once discovered, would be an aggravating factor. For example, a case where the company's compliance team identifies a potential serious violation but management chooses not to voluntarily disclose it would be considered an aggravating factor.

• A Disclosure to One Agency Does Not Count as a Disclosure to the Other Agencies. In the Compliance Note, DOJ emphasized that making a disclosure to one agency does not constitute a voluntary disclosure to DOJ, and vice versa. Hence, companies should carefully consider and evaluate to which agencies to make a disclosure. For example, if there is evidence of intentional violations of sanctions laws, then a company should consider disclosing to both OFAC and DOJ.

• Time Is of the Essence. If the U.S. government discovers a potential violation from another party's disclosure or due to a whistleblower, the company will lose the benefits of a voluntary disclosure. Hence, making an initial disclosure quickly has significant advantages.

• U.S. Enforcement Agencies Construe Their Jurisdiction Broadly. Non-U.S. companies may face enforcement risk, and U.S. enforcement agencies have imposed penalties and export or other restrictions on non-U.S. companies for export and sanctions violations. Hence, particularly where transactions involve goods subject to U.S. export controls or funds flowing through the U.S. banking system, non-U.S. companies should evaluate the benefits of making a VSD.

• When a Potential Violation Is Suspected, Engage Experienced Outside Trade Counsel. When a potential violation comes to the attention of management, its investigation and resolution should be given top priority, and experienced outside counsel should be consulted. Whether to report a potential violation, through a voluntary disclosure or otherwise, and to whom to make such a disclosure, is driven by the particular facts and circumstances, including the company's and officers' duties under securities or other laws.

CONCLUSION

The issuance of the Tri-Seal Compliance Note encourages self-disclosure by emphasizing the benefits of VSDs. Private companies play a significant role in preventing sensitive technologies and goods from being used by U.S. adversaries and in preventing sanctioned individuals, entities and jurisdictions from abusing the U.S. financial system. Therefore, cooperation with the U.S. government is key to protecting national security. Notably, the BIS update that incentivizes companies to whistleblow on other entities makes nondisclosure of potential violations riskier. In light of this information, companies engaging in global business should carefully assess their internal compliance programs and supply chains to ensure that they are not violating any U.S. sanctions or export control laws, and should consult with experienced trade counsel whenever a violation is suspected.

For more information on the implications of this Compliance Note or assistance with complying with export control and sanctions laws, please contact the authors or another member of Holland & Knight's International Trade Group.


Tri-Seal Compliance Note Issued on Export Controls, Sanctions Violations Self-Disclosures (Chinese-language version)

Original authors: Jonathan M. Epstein, Ronald A. Oleynik, Libby Bloxom and Hailey H. Cho

HIGHLIGHTS

• In late July, the U.S. Department of Justice (DOJ), the Department of Commerce's Bureau of Industry and Security (BIS) and the Department of the Treasury's Office of Foreign Assets Control (OFAC) issued a Tri-Seal Compliance Note (Compliance Note) outlining policy memoranda and regulations on voluntary self-disclosures of violations of sanctions, export controls and other national security laws.

• Although the Compliance Note does not impose new requirements, it does emphasize the importance of self-disclosing suspected violations.

• As part of the U.S. government's efforts to encourage industry to help identify bad actors' attempts to evade U.S. sanctions and export controls, the Compliance Note also highlights recent changes in how the agencies handle voluntary self-disclosures (or failures to self-disclose), changes that alter the risk calculus of whether, when and to whom a self-disclosure should be made.

On July 26, 2023, the U.S. Department of Justice (DOJ), the Department of Commerce's Bureau of Industry and Security (BIS) and the Department of the Treasury's Office of Foreign Assets Control (OFAC) issued a Tri-Seal Compliance Note (Compliance Note) outlining agency policy memoranda and existing regulations on voluntary self-disclosures (VSDs) of violations of sanctions, export controls and other national security laws. Together, the three agencies emphasize the importance of voluntary self-disclosures as a way of identifying threats to national security.

BACKGROUND

The Compliance Note appears to be part of a coordinated and sustained effort by the agencies to prevent controlled technology and goods from being diverted to Russia, China and Iran.

A prior Tri-Seal Compliance Note, issued in March 2023, focused on identifying red flags of diversion (for example, the use of third-party intermediaries or transshipment points). In May 2023, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) and BIS issued a joint alert identifying specific classes of goods and technology that Russia is seeking to acquire through deceptive means. In May 2023, BIS expanded the types of industrial items controlled for export to Russia to include many that are not normally controlled for export to most countries. (See Holland & Knight's previous alert, "United States Imposes Expanded Sanctions and Export Controls on Russia," May 24, 2023.)

Similarly, through the Compliance Note, the three agencies are encouraging voluntary self-disclosures as a way of helping the U.S. government identify intermediaries and other bad actors working with or for the interests of Russia, Iran and other sanctioned countries.

RECENT POLICY UPDATES

NSD

DOJ's National Security Division (NSD), which is responsible for prosecuting criminal violations of sanctions and export control laws, encourages voluntary self-disclosures by emphasizing its policy toward companies that voluntarily self-disclose, cooperate, and timely and appropriately remediate any noncompliance. For such companies, generally, the NSD will not seek a guilty plea or impose any fines, and the company will receive a non-prosecution agreement. Notably, the NSD's policy applies to other corporate criminal matters handled by the NSD, including violations of the Foreign Agents Registration Act and Committee on Foreign Investment in the United States (CFIUS) regulations.

BIS

BIS, the agency that administers the Export Administration Regulations (EAR), emphasized its recent policy updates. In June 2022, BIS established a dual-track system to streamline the handling of voluntary self-disclosures. Minor and technical violations will be resolved on a "fast-track basis," with a warning or no-action letter issued within 60 days of final submission. In addition, on April 18, 2023, the Assistant Secretary for Export Enforcement issued a memorandum on BIS's voluntary self-disclosure policy clarifying the risk calculus of voluntary self-disclosures: under BIS guidelines, deliberate nondisclosure of an EAR violation will be treated as an aggravating factor. Furthermore, if an entity submits a tip to BIS reporting a company's possible violation of the EAR, and that tip leads to an enforcement action, BIS will offer the possibility of mitigating credit to the reporting entity.

美国海外资产控制办公室

OFAC 通过强调减轻处罚来鼓励自愿披露潜在的制裁违规行为。在需要民事罚款的情况下,符合条件的自愿的 自我披露可以使拟议民事罚款的基本金额减少 50%。合规说明概述了披露不符合自愿的自我披露资格的情况, 包括披露包含虚假或误导性信息、实质上不完整、不是“自发”的或是其他机构或官员建议的结果的情况。

• Adequate transaction diligence is critical. Companies engaged in international trade in certain products face a difficult risk environment, as sanctioned countries use increasingly sophisticated methods to evade sanctions, whether through false documentation, spoofing of the Automatic Identification System (AIS) or the use of intermediaries.

• The calculus as to whether, and to whom, to voluntarily disclose to the U.S. government is changing. The benefits of voluntary self-disclosure are becoming more consistent. For example, all DOJ components have been directed to revise and publish written voluntary disclosure policies addressing penalty mitigation and other benefits, in the hope that clearer and more predictable treatment will encourage more voluntary disclosures. NSD, for instance, published its policy in March 2023. For certain offenses (such as international export violations), whistleblowers may receive substantial awards.

• Failure to disclose may constitute an "aggravating factor." Although BIS has established a dual-track process that allows minor or technical violations to be resolved quickly by warning or no-action letter, BIS cautions that once a significant possible violation is discovered, failure to disclose will be an aggravating factor. For example, if a company's compliance team discovers a potentially serious violation but management elects not to voluntarily disclose it, that will be treated as an aggravating factor.

• Disclosure to one agency does not count as disclosure to the others. In the Compliance Note, DOJ stresses that disclosure to one agency does not constitute a voluntary disclosure to DOJ, and vice versa. Companies should therefore carefully consider and evaluate which agencies to disclose to. For example, where there is evidence of a willful violation of sanctions laws, a company should consider disclosing to both OFAC and DOJ.

• Timing is everything. If the U.S. government learns of a possible violation through another party's disclosure or a whistleblower, the company loses the benefits of voluntary disclosure. Making a prompt initial disclosure therefore carries significant advantages.

• U.S. enforcement agencies interpret their jurisdiction broadly. Non-U.S. companies may face enforcement risk, and U.S. enforcement agencies have imposed penalties and export or other restrictions on non-U.S. companies for export control and sanctions violations. Non-U.S. companies should therefore evaluate the benefits of making a voluntary self-disclosure, particularly where a transaction involves goods subject to U.S. export controls or funds flowing through the U.S. banking system.

TAKEAWAYS

• Engage experienced outside trade counsel when a potential violation is suspected. When a potential violation comes to management's attention, investigating and resolving the matter should be given high priority, and experienced outside counsel should be consulted. Whether to report a potential violation through a voluntary disclosure or otherwise, and to whom to make such a disclosure, depends on the specific facts and circumstances, including the duties of the company and its officers under securities or other laws.

CONCLUSION

The Tri-Seal Compliance Note encourages self-disclosure by emphasizing the benefits of voluntary self-disclosure. Private companies play an important role in preventing sensitive technology and goods from being used by U.S. adversaries and in preventing sanctioned individuals, entities and jurisdictions from abusing the U.S. financial system. Cooperation with the U.S. government is therefore key to protecting national security. Notably, BIS has updated the incentives that encourage companies to report other entities, which makes the risk of not disclosing a potential violation even greater. In light of this, companies engaged in global business should carefully evaluate their internal compliance programs and supply chains to ensure that they are not violating any U.S. sanctions or export control laws, and should consult experienced trade counsel when a violation is suspected.

For more information on the implications of this Compliance Note or assistance with complying with export control and sanctions laws, please contact the authors or another member of Holland & Knight's International Trade Group.


SEC Finalizes Cybersecurity Incident and Governance Disclosure Obligations for Public Companies

HIGHLIGHTS

• The long-awaited U.S. Securities and Exchange Commission (SEC) cybersecurity rules for public companies have finally arrived, with some improvements from the proposed rules released in March 2022.

• Still, the final rules will likely create significant compliance challenges as well as litigation and enforcement risks for public companies. Bottom line, companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize such risks.

• This Holland & Knight alert provides a closer look at the SEC's final rules and offers a number of key takeaways and considerations for public companies.

The long-awaited U.S. Securities and Exchange Commission (SEC) cybersecurity rules for public companies have finally arrived. On July 26, 2023, a divided SEC adopted new rules requiring each public company to, among other things, 1) report a material cybersecurity incident within four business days after determining that such incident is material, 2) describe its processes for assessing, identifying and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect its business strategy, operations or financial condition, and 3) disclose its cybersecurity governance practices, including the board's oversight of cybersecurity risk and management's process to manage, monitor, detect, mitigate and remediate cybersecurity incidents.

Public companies must comply with the cybersecurity incident reporting obligations 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later. Smaller reporting companies are given an additional 180 days to comply. Public companies must provide the other disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023; the rules are applicable to foreign private issuers (FPIs).1

Since his arrival at the SEC, Chair Gary Gensler has indicated that the agency will use its rulemaking powers to regulate the cybersecurity posture and resiliency of reporting companies and other SEC regulated entities. As part of those efforts, in March 2022, the SEC proposed cybersecurity risk and incident disclosure rules for public companies, which received more than 150 comments.2 The final rules somewhat reduce and narrow the overly granular aspects of those proposed rules (e.g., status of remediation and data compromise in cybersecurity incident Form 8-K disclosures, risk management activities taken to prevent and detect cybersecurity incidents, cybersecurity expertise on the board, etc.).

Despite these improvements, the final rules were not adopted without controversy and generated vigorous dissents from Commissioners Hester Peirce and Mark Uyeda, who viewed the final rules as an overreach of SEC authority, of dubious benefit to investors and as potential aids to cybercriminals. They also raised concerns with respect to the time pressure that public companies will be under to report cybersecurity incidents, likely based on incomplete information, which might induce speculative trading. In addition, these rules will likely create significant litigation and enforcement risks for public companies. Bottom line, public companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize these risks.

This Holland & Knight alert provides a summary of the final rules and offers some key takeaways. For a redline of the new and amended text of Forms 8-K and 10-K, as well as the text of new Item 106 of Regulation S-K, see Appendix A.

CYBERSECURITY REQUIREMENTS FOR PUBLIC COMPANIES

Reporting Material Cybersecurity Incidents

The SEC has amended Form 8-K by adding new Item 1.05 to require public companies to disclose, within four business days after the company determines that it has experienced a material "cybersecurity incident," certain information about the incident.3 Expanding on the proposed rules' definition, a "cybersecurity incident" is now defined as "an unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC emphasized that what constitutes a "cybersecurity incident" should be "construed broadly …" and may include an accidental exposure of data.

The final rules substantially departed from the proposed rules with respect to the required information to be disclosed related to a material cybersecurity incident. Instead of the litany of items concerning the cybersecurity incident (such as whether data was compromised and whether the incident has been remediated), disclosure will be primarily focused on "the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself." To that end, for each material cybersecurity incident, Item 1.05(a) will require registrants to describe:

• the material aspects of the nature, scope and timing of the incident, and

• the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.4

The SEC, however, included an Instruction to Item 1.05 that a "registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."

Notably, the triggering event for disclosure is not the date of the cybersecurity incident. Instead, disclosure would be required within four business days after the company determines that a cybersecurity incident it has experienced is material. The SEC dedicated a substantial portion of the final rule release to address comments concerning this timing requirement and clarified that public companies need to gather sufficient information after the discovery of the incident in order to conduct the materiality determination. The SEC noted that "[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered," and "in the majority of cases registrants will have had additional time leading up to the materiality determination, such that disclosure becoming due less than a week after discovery should be uncommon." Notwithstanding the permitted exercise of discretion (which is consistent with the longstanding concept of "ripeness" in determining materiality), the SEC expects public companies to make their materiality determinations "without unreasonable delay."5 In addition, the SEC expects public companies to report cybersecurity incidents within four business days even if companies do not have complete information about the incident but know enough to determine that an incident is material.


Materiality is to be determined under long-standing precedent: whether there is a substantial likelihood that a reasonable shareholder would consider the information as important or as having significantly altered the total mix of information made available.6 The SEC acknowledged that this materiality analysis "is not a mechanical exercise" but rather would require the company to consider "all relevant facts and circumstances surrounding the cybersecurity incident."7

One of the more significant changes from the proposed rule is the inclusion of a highly limited delay provision mirroring the one offered up by the agency concerning the proposed Safeguards Rule for regulated entities. A public company may delay notification for up to 30 days only if the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety and so notifies the SEC of this determination. If the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety, the delay can be extended a second time for up to an additional 30 days and, in extraordinary circumstances, it can be extended a third time for an additional 60 days. Thereafter, if the Attorney General indicates that further delay is necessary, the SEC will consider the request and may grant relief only through an exemptive order.8

In response to public comments, the SEC somewhat streamlined the proposed requirements to update cybersecurity incident disclosure by removing express requirements to report further material developments regarding an incident in Forms 10-Q and 10-K, which would have required companies to provide periodic updates about previously disclosed cybersecurity incidents when a material change, addition or update occurred.9 Presumably, however, registrants may need to include information in their periodic reports regarding the status of cybersecurity incidents disclosed in Forms 8-K, particularly if an incident creates potentially material uncertainties, costs or other adverse implications.

The SEC will make the cybersecurity incident reporting on Form 8-K subject to a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act for a failure to timely file.10 Importantly, this limited safe harbor does not exempt companies from antifraud liability – or other liability under other provisions of the federal securities laws – for representations made in Form 8-K or elsewhere concerning a cybersecurity incident or its cybersecurity risk. Notably, a failure to timely file an Item 1.05 Form 8-K would not affect a public company's ability to register securities on Form S-3.

Disclosures of Cybersecurity Risk Management and Strategy

The final rules add Item 106(b) to Regulation S-K, which requires detailed disclosure about a public company's cybersecurity risk management processes.11 The SEC again scaled back the proposed rule, removing certain granular disclosure requirements, such as the activities a company undertakes to prevent, detect and minimize the effects of cybersecurity incidents. However, as adopted, the new rules require public companies to describe their "processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats12 in sufficient detail for a reasonable investor to understand those processes." Such disclosures "should address" the following nonexclusive list of items:

• whether and how any such processes have been integrated into the registrant's overall risk management system or processes

• whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes, and

• whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider


In addition, public companies must describe "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how." The new disclosure requirements will apply primarily to Form 10-K.

Cybersecurity Governance Disclosures

The SEC also added two additional items under Item 106(c) of Regulation S-K, which require public companies to make two governance-related disclosures concerning: 1) board oversight of cybersecurity risks and associated processes, and 2) management's role in assessing and managing material cybersecurity risks.

New Item 106(c)(1) of Regulation S-K requires public companies to describe board oversight of risks from cybersecurity threats. In addition, if applicable, public companies are to "identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats," and describe "the processes by which the board or such committee is informed about such risks."

With respect to management, new Item 106(c)(2) of Regulation S-K requires public companies to describe management's role in assessing and managing material risks from cybersecurity threats. Disclosure under this section should address the following nonexclusive items:

• whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise

• the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and

• whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors

KEY TAKEAWAYS

The Final Rules Are Less Burdensome Than the Proposed Rules

As noted above, the proposed rules would have required disclosure of granular details concerning cybersecurity incidents and public companies' cybersecurity risk management policies and procedures, and would have placed heavy burdens on public companies to provide periodic reports of cybersecurity incidents and to assess the materiality of aggregated incidents.

The final rules eliminate many of these requirements and substantially reduce the disclosure burden. As a result, the final rules are more streamlined and manageable in comparison, and strike a better balance between informing investors and increasing the disclosure obligations and risks for public companies. The final rules also reduce, but do not eliminate, the increased cybersecurity risks the proposed rules would have created.


The Final Rules Could Create Additional Cybersecurity Risk

Although the final rules are less burdensome than proposed, the content of the final disclosures still could have the unintended result of making public companies more vulnerable to cyberattacks. If the disclosure of a company's cybersecurity risk management processes is expected to assist a non-cybersecurity expert in making informed investment decisions related to such company's cybersecurity posture and resiliency, then such disclosures will equally (if not more so) assist savvy cybercriminals in making their assessments concerning the cybersecurity posture and resiliency of such company. Cybercriminals potentially could hoist a public company with its own petard13 by utilizing its disclosure of cybersecurity risk management processes to identify vulnerabilities and design strategic cyberattacks against it.

Additionally, the public disclosure of a material cybersecurity incident prior to full containment and remediation could provide opportunities for cybercriminals to further target victim companies or their affected customers, employees or other constituents. Similarly, the disclosure of a material ransomware attack during the pendency of negotiations also could adversely affect a company's ransomware negotiation position and strategy.

The Final Rules Create Significant Litigation Risks

The incident reporting rules require public companies to disclose material aspects of the nature, scope and timing of a material cybersecurity incident. By requiring this disclosure within four business days after determining materiality, the Form 8-K filing may likely precede data breach notices to individuals and state Attorney General notices, as well as notices to all potentially affected business partners, customers and clients. Furthermore, providing such details prior to the completion of a forensic investigation and data mining efforts is likely to expose a company to premature litigation before it has a complete picture of the impact of the cybersecurity incident. Also, as many incident response investigations are conducted under attorney-client and work product privileges, disclosure of material aspects of the incident could potentially undermine the confidentiality associated with investigating the incident.

In addition to these risks, both the cybersecurity incident reporting obligations and cybersecurity risk management disclosures create significant risks that the SEC's Division of Enforcement and private litigants will use the company's representations as potential bases for liability under antifraud provisions and other grounds. The SEC's Division of Enforcement has already shown a willingness to charge violations of the disclosure controls and procedures provisions under the federal securities laws to hold companies liable in connection with cybersecurity incidents. The additional disclosure requirements of Item 106 of Regulation S-K present risks that the Division of Enforcement will utilize such provisions to penalize companies after they have been the victims of cybersecurity incidents.

To reduce some of these risks, public companies will need to assess their internal disclosure controls and procedures with respect to cybersecurity threats, develop policies and procedures to determine materiality of a reported cybersecurity threat or incident, ensure that these incidents are reported to senior management who are charged with authorizing public disclosures and carefully draft these required disclosures.

Third-Party Risks Create Heavy Burdens on Public Companies

The SEC highlighted companies' "increasing reliance on third-party service providers for information technology services …" as one of the reasons cybersecurity risks have increased.14 In addition, the final rules define information systems to include "information resources owned or used by the registrant,"15 and the SEC has recognized that this definition is intended to include third-party service providers.16 In the event of a cybersecurity incident at a third-party vendor, public companies may have difficulty obtaining timely information or obtaining sufficient details to make a materiality determination or disclose all the information required by Item 1.05 of Form 8-K.


Although the SEC recognized that public companies "may have reduced visibility into third-party systems" that they neither control nor own, the only guidance it provided was that public companies "should disclose based on the information available to them," and that the "final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants' disclosure controls and procedures."17 Nevertheless, there will be ample opportunity to second-guess a public company regarding what it knew or should have known about a cybersecurity incident at a third party and its potential impact on the company.

To reduce some of this risk, public companies (and companies considering becoming public companies) may want to reassess their cybersecurity and data privacy risks associated with their vendor management programs. This may include conducting due diligence reviews and cybersecurity audits, including contractual provisions to ensure timely and detailed cyber incident reporting, or even reconsidering the mix of internal and outsourced information technology systems.

The Delay Notification Provision Is Highly Limited and Impractical

Unlike state data breach laws that permit notifications to be delayed when law enforcement determines such notifications will impede an investigation, the SEC permits delayed notifications only for national security and public safety risks. In doing so, the SEC appears to strike an uncertain balance between the needs of investors and those of law enforcement, notwithstanding that the investing public may benefit far more from unimpeded criminal investigations against cybercriminals.

Moreover, the U.S. Attorney General must make the national security and public safety determination. Obtaining the Attorney General's approval within four days of a materiality determination will likely be difficult in practice. The process may even be burdensome for the Attorney General when factoring in the volume of cybersecurity incidents and the number of public companies that may be implicated by a particular incident. As noted earlier, details regarding the process to seek such a determination are yet to come.

The Final Rules Will Require Public Companies to Take Prompt Action

While not an express purpose of the final rules, there is little doubt that they reflect a desire of the SEC to influence corporate governance at public companies. As identified in the dissenting statement on the proposed rules issued by Commissioner Peirce, the final rules may affect the composition of boards of directors and management teams, and will likely cause substantive changes to management policies and procedures related to cybersecurity matters. In light of these final rules, each public company should carefully review its cybersecurity staffing and management teams. Integrating cybersecurity risk management into overall enterprise risk management will be more important than ever given the public spotlight that will now be focused upon these issues.

Each public company should also review how it allocates cybersecurity risk oversight at the board level and ensure that the board committees have sufficient authority and direction regarding these responsibilities. While likely directly implicating the audit committee, which often has charge of enterprise risk management, cybersecurity risk management may also require the attention of the compensation committee and the corporate governance committee insofar as managing these risks may have compensation and governance structure implications.

In addition, public companies should also review their disclosure controls and procedures surrounding cybersecurity to ensure that senior management is kept fully apprised of these events and is placed in the position to make well-informed decisions regarding disclosure of cybersecurity incidents. Even prior to these final rules, we have already seen at least two SEC enforcement actions based on inadequate disclosure controls and procedures with respect to cybersecurity matters.18


Although not the first time that Congress or the SEC has used disclosure to achieve substantive changes in corporate management,19 as noted above, the final rules are likely to have pervasive and unintended effects. Although the final rules eliminated a proposed requirement to identify board members with cybersecurity expertise, public companies will nevertheless have additional incentives to pursue directors with cybersecurity on their CVs, as well as to add to the ranks of their information technology management and staffs. Undoubtedly, the final rules will require public companies to devote increased time and financial resources to cyber risk management, governance and oversight, not only to protect themselves from substantive cybersecurity risk but also to protect themselves from securities litigation and enforcement risk.

NOTES

1 For calendar year companies, the annual report for the year ended Dec. 31, 2023, will be the first report in which cybersecurity risk management disclosures will be required.

2 In addition to the proposed cybersecurity rule for public companies, the SEC proposed separate cybersecurity regulations for investment advisers and companies and amendments to Regulation S-P (Safeguards Rule).

3 For FPIs, the SEC is amending Form 6-K.

4 Public companies will need to assess cybersecurity incidents not only with respect to the systems that they own but also on information resources "used by" the company, including cloud-based storage devices and virtual infrastructure. The SEC clarifies, however, that the "final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to applicable contracts and in accordance with registrants' disclosure controls and procedures."

5 Instruction 1 to Item 1.05 of Form 8-K.

6 See, e.g., Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); Final Rule, at 80.

7 Final Rule, at 29 n.121.

8 The SEC stated that it has consulted with the U.S. Department of Justice (DOJ) to establish an interagency communication process to allow for the Attorney General's determination to be communicated to the SEC in a timely manner. The DOJ will notify the affected registrant that communication to the SEC has been made, so that the registrant may delay filing its Form 8-K. Presumably, further information regarding this process will be provided by SEC staff.

9 Instead, public companies will need to identify any Item 1.05(a) information that was not determined or available at the time the Form 8-K is initially filed and then file an amendment to the Form 8-K containing such information within four business days after learning the information.

10 See amendments to Rules 13a-11(c) and 15d-11(c).

11 For FPIs, the SEC is amending Form 20-F.

12 Cybersecurity threat is defined as "any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."

13 To borrow a line from Hamlet, Act 3, Scene 4, Line 207, Wm. Shakespeare.

14 Final Rule, at 7.

15 Item 106(a)(3).


16 Final Rule, at 78-79.

17 Id., at 31.

18 In the Matter of Blackbaud, Inc. (2023); In the Matter of First American Financial Corporation (2021).

19 Other examples include relatively low reporting thresholds for environmental proceedings to encourage environmental law compliance, Compensation Discussion and Analysis disclosure to influence compensation decisions, changes to audit committees and the auditor relationship caused by the Sarbanes-Oxley Act, and required disclosures and changes to compensation committee activities caused by the Dodd-Frank Act.


HIGHLIGHTS

• The long-awaited U.S. Securities and Exchange Commission (SEC) cybersecurity rules for public companies have finally arrived, with some improvements over the proposed rules released in March 2022.

• Nevertheless, the final rules will likely create significant compliance challenges as well as litigation and enforcement risks for public companies. Bottom line, companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize such risks.

• This Holland & Knight alert provides a closer look at the SEC's final rules and offers a number of key takeaways and considerations for public companies.

The long-awaited U.S. Securities and Exchange Commission (SEC) cybersecurity rules for public companies have finally arrived. On July 26, 2023, a divided SEC adopted new rules requiring each public company to, among other things, 1) report a material cybersecurity incident within four business days after determining that the incident is material, 2) describe its processes for assessing, identifying and managing material risks from cybersecurity threats and whether those risks are reasonably likely to materially affect its business strategy, operations or financial condition, and 3) disclose its cybersecurity governance practices, including the board's oversight of cybersecurity risk and management's role in managing, monitoring, detecting, mitigating and remediating cybersecurity incidents.

Public companies must comply with the cybersecurity incident reporting obligations 90 days after publication in the Federal Register or by Dec. 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days to comply. Public companies must provide the other disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023; the rules apply to foreign private issuers (FPIs).1

Since his arrival at the SEC, Chair Gary Gensler has indicated that the agency will use its rulemaking powers to regulate the cybersecurity posture and resiliency of reporting companies and other SEC-regulated entities. As part of those efforts, in March 2022 the SEC proposed cybersecurity risk and incident disclosure rules for public companies, which received more than 150 comments.2 The final rules somewhat reduce and narrow the overly granular aspects of the proposed rules (for example, the status of remediation and data compromise in Form 8-K cybersecurity incident disclosures, risk management activities undertaken to prevent and detect cybersecurity incidents, cybersecurity expertise on the board, etc.).

Despite these improvements, the adoption of the final rules was not without controversy and drew vigorous dissents from Commissioners Hester Peirce and Mark Uyeda, who viewed the final rules as exceeding the SEC's authority, of dubious benefit to investors and as potential aids to cybercriminals. They also raised concerns about the time pressure public companies will face in reporting cybersecurity incidents, likely based on incomplete information, which could induce speculative trading. In addition, these rules will likely create significant litigation and enforcement risks for public companies. Bottom line, public companies will need to thoroughly analyze their internal disclosure controls with respect to cybersecurity threats and incidents, reassess their cybersecurity risk management processes and governance practices, and expend substantial effort in drafting their cybersecurity disclosures to minimize these risks.

This Holland & Knight alert provides a summary of the final rules and offers some key takeaways. For a redline of the new and amended text of Forms 8-K and 10-K, as well as the text of new Item 106 of Regulation S-K, see Appendix A.


Reporting Material Cybersecurity Incidents

The SEC amended Form 8-K by adding new Item 1.05, which requires public companies to disclose certain information about a material "cybersecurity incident" within four business days after determining that such an incident has occurred.3 Expanding on the proposed rules' definition, a "cybersecurity incident" is now defined as "an unauthorized occurrence, or series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The SEC emphasized that what constitutes a "cybersecurity incident" should be "construed broadly …" and may include an accidental exposure of data.

The final rules differ substantially from the proposed rules as to the information required to be disclosed about a material cybersecurity incident. Instead of a litany of items about the incident (such as whether data was compromised and whether the incident has been remediated), disclosure will focus primarily on "the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself." To that end, for each material cybersecurity incident, Item 1.05(a) will require registrants to describe:

• the material aspects of the nature, scope and timing of the incident, and

• the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.4

The SEC, however, included an Instruction to Item 1.05 that a "registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."

Notably, the triggering event for disclosure is not the date of the cybersecurity incident. Rather, disclosure is required within four business days after the company determines that a cybersecurity incident it has experienced is material. The SEC devoted a substantial portion of the final rule release to comments on this timing requirement and clarified that public companies need to gather sufficient information after discovering an incident in order to make the materiality determination. The SEC noted that "[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered," and that "in the majority of cases registrants will have had additional time leading up to the materiality determination, such that disclosure becoming due less than a week after discovery should be uncommon." Notwithstanding this permitted exercise of discretion (which is consistent with the longstanding concept of "ripeness" in determining materiality), the SEC expects public companies to make their materiality determinations "without unreasonable delay."5 In addition, the SEC expects public companies to report cybersecurity incidents within four business days even if they do not have complete information about the incident but know enough to determine that it is material.

Materiality is to be determined under long-standing precedent: whether there is a substantial likelihood that a reasonable shareholder would consider the information important or as having significantly altered the total mix of information made available.6 The SEC acknowledged that this materiality analysis "is not a mechanical exercise" but instead requires the company to consider "all relevant facts and circumstances surrounding the cybersecurity incident."7

One of the most significant changes from the proposed rules is the inclusion of a highly limited delay provision, mirroring the one the agency offered in connection with the proposed Safeguards Rule for regulated entities. A public company may delay notification for up to 30 days only if the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety and so notifies the SEC. If the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety, the delay may be extended a second time for up to an additional 30 days and, in extraordinary circumstances, a third time for an additional 60 days. Thereafter, if the Attorney General indicates that further delay is necessary, the SEC will consider the request and may grant relief only through an exemptive order.8

In response to public comments, the SEC somewhat streamlined the proposed requirements for updating cybersecurity incident disclosure by removing the express requirement to report further material developments regarding an incident in Forms 10-Q and 10-K, which would have required companies to provide periodic updates about previously disclosed cybersecurity incidents whenever a material change, addition or update occurred.9 Registrants may nevertheless need to include in their periodic reports information about the status of cybersecurity incidents disclosed in Forms 8-K, particularly where an incident creates potentially material uncertainties, costs or other adverse implications.


The SEC will make cybersecurity incident reporting on Form 8-K subject to a limited safe harbor from liability under Section 10(b) or Rule 10b-5 of the Exchange Act for a failure to timely file.10 Importantly, this limited safe harbor does not exempt companies from antifraud liability, or other liability under other provisions of the federal securities laws, for representations made in Form 8-K or elsewhere concerning a cybersecurity incident or their cybersecurity risk. Notably, a failure to timely file an Item 1.05 Form 8-K will not affect a public company's ability to register securities on Form S-3.

Disclosures of Cybersecurity Risk Management and Strategy

The final rules add Item 106(b) to Regulation S-K, which requires detailed disclosure about a public company's cybersecurity risk management processes.11 The SEC again scaled back the proposed rule, removing certain granular disclosure requirements, such as the activities a company undertakes to prevent, detect and minimize the effects of cybersecurity incidents. However, the new rules require public companies to describe their "processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats12 in sufficient detail for a reasonable investor to understand those processes." Such disclosures "should address" the following nonexclusive list of items:

• whether and how any such processes have been integrated into the registrant's overall risk management system or processes

• whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes, and

• whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider

In addition, public companies must describe "whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how." The new disclosure requirements will apply primarily to Form 10-K.

Cybersecurity Governance Disclosure

The SEC also added two further items under Item 106(c) of Regulation S-K, requiring public companies to make two governance-related disclosures: 1) the board's oversight of cybersecurity risk and the related processes, and 2) management's role in assessing and managing material cybersecurity risk.

New Item 106(c)(1) of Regulation S-K requires public companies to describe the board's oversight of risks from cybersecurity threats. In addition, where applicable, public companies should "identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats" and describe "the processes by which the board or such committee is informed about such risks."

On the management side, new Item 106(c)(2) of Regulation S-K requires public companies to describe management's role in assessing and managing material risks from cybersecurity threats. Disclosure under this item should address the following non-exclusive items:

• whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of those persons or members, described in as much detail as necessary to convey the nature of the expertise

• the processes by which those persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and

• whether those persons or committees report information about such risks to the board of directors or to a committee or subcommittee of the board


Key Takeaways

The Final Rules Are Less Burdensome Than the Proposed Rules

As noted above, the proposed rules would have required disclosure of detailed information about cybersecurity incidents and about public companies' cybersecurity risk management policies and procedures, and would have placed a heavy burden on public companies by requiring them to report cybersecurity incidents periodically and to assess the materiality of incidents in the aggregate.

The final rules eliminate many of these requirements and substantially reduce the disclosure burden. They are therefore comparatively streamlined and more manageable, and they strike a better balance between informing investors and increasing public companies' disclosure obligations and risks. The final rules also reduce, but do not eliminate, the additional cybersecurity risk the proposed rules might have created.

The Final Rules May Create Additional Cybersecurity Risk

Although the final rules are less onerous than those proposed, the resulting disclosures may still have the unintended consequence of making public companies more vulnerable to cyberattack. If disclosure of a company's cybersecurity risk management processes is expected to help non-experts make informed investment decisions about the company's cybersecurity posture and resilience, the same disclosure will equally, if not more, assist sophisticated cybercriminals in assessing that posture and resilience. Cybercriminals may use a public company's disclosed cybersecurity risk management processes to identify gaps and design targeted attacks against it, hoisting the company with its own petard.13

Moreover, public disclosure of a material cybersecurity incident before it has been fully contained and remediated may give cybercriminals further opportunities to target the victim company or its affected customers, employees or other constituencies. Similarly, disclosure of a material ransomware attack while negotiations are pending may adversely affect the company's negotiating position and strategy.

The Final Rules Create Significant Litigation Risk

The incident reporting rule requires public companies to disclose the material aspects of the nature, scope and timing of a material cybersecurity incident. Because disclosure is required within four business days of the materiality determination, the Form 8-K filing may precede data breach notifications to individuals and state attorneys general, as well as notifications to all potentially affected business partners, customers and clients. Further, providing such details before forensic investigation and data mining are complete may expose a company to premature litigation before it fully understands the incident's impact. And because many incident response investigations are conducted under attorney-client and work-product privilege, disclosure of the material aspects of an incident may undermine the confidentiality of the investigation.

Beyond these risks, both the incident reporting obligation and the cybersecurity risk management disclosures create a significant risk that SEC Enforcement and private litigants will use a company's statements as a basis for potential liability under the antifraud provisions and other theories. SEC Enforcement has already shown a willingness to bring charges for violations of the disclosure controls and procedures provisions of the federal securities laws in order to hold companies accountable for cybersecurity incidents. The additional disclosure requirements of Item 106 of Regulation S-K create a risk that Enforcement will use those provisions to penalize a company after it has been the victim of a cybersecurity incident.

To mitigate some of these risks, public companies will need to evaluate their internal disclosure controls and procedures for cybersecurity threats, develop policies and procedures for determining the materiality of reported cybersecurity threats or incidents, ensure that such incidents are escalated to the senior management responsible for authorizing public disclosure, and carefully draft the required disclosures.

Third-Party Risk Places a Heavy Burden on Public Companies

The SEC emphasized that companies' "increasing reliance on third-party service providers for information technology services…" is among the reasons for heightened cybersecurity risk.14 In addition, the final rules define information systems to include "information resources owned or used by the registrant,"15 and the SEC has acknowledged that this definition is intended to reach third-party service providers.16 When a cybersecurity incident occurs at a third-party vendor, a public company may have difficulty obtaining information promptly, or in sufficient detail, to make the materiality determination or to disclose all of the information required by Item 1.05 of Form 8-K.


Although the SEC acknowledged that public companies "may have reduced visibility into third-party systems that they neither control nor own," the only guidance it offered is that public companies "should disclose based on the information available to them" and that "the final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants' disclosure controls and procedures."17 Even so, there remains ample room for second-guessing what a public company knew or should have known about a third-party cybersecurity incident and its potential impact on the company.

To mitigate some of this risk, public companies (and companies considering going public) may need to reassess the cybersecurity and data privacy risks associated with their vendor management programs. That may include conducting due diligence and cybersecurity audits, negotiating contractual provisions that ensure timely and detailed cyber incident reporting, and even reconsidering the mix of in-house and outsourced information technology systems.

The Delayed Notification Provision Is Very Limited and Impractical

Unlike state data breach laws, which permit notification to be delayed when law enforcement determines that notice would impede an investigation, the SEC permits delay only where there is a risk to national security or public safety. In doing so, the SEC appears to have struck an uncertain balance between the needs of investors and the needs of law enforcement, even though the investing public might benefit more from unimpeded criminal investigations of cybercriminals.

Moreover, the national security or public safety determination must be made by the U.S. Attorney General. As a practical matter, obtaining the Attorney General's determination within four days of a materiality determination may be difficult. Given the volume of cybersecurity incidents and the number of public companies that may be implicated in a single incident, the process may prove burdensome even for the Attorney General. As noted above, details of the process for seeking such a determination have not yet been published.

The Final Rules Will Require Public Companies to Act Now

While the final rules do not state it as a purpose, there is little doubt that they reflect the SEC's desire to influence the corporate governance of public companies. As Commissioner Peirce observed in her dissenting statement on the proposed rules, the final rules may affect the composition of boards and management teams and may lead to substantive changes in management policies and procedures relating to cybersecurity matters. In light of the final rules, every public company should carefully review its cybersecurity staffing and management team. With public attention now focused on these issues, integrating cybersecurity risk management into overall enterprise risk management will be more important than ever.

Every public company should also review how oversight of cybersecurity risk is allocated at the board level and ensure that board committees have adequate authority and guidance for those responsibilities. Although cybersecurity risk management may fall directly within the remit of the audit committee, which typically has responsibility for enterprise risk management, it may also require the attention of the compensation committee and the corporate governance committee, because managing these risks may have implications for compensation and governance structures.

In addition, public companies should review their disclosure controls and procedures for cybersecurity to ensure that senior management is fully informed of incidents and able to make informed decisions about their disclosure. Even before these final rules, we have seen at least two SEC enforcement actions for inadequate disclosure controls and procedures relating to cybersecurity matters.18

Although this is not the first time Congress or the SEC has used disclosure to drive substantive change in corporate management,19 as noted above, the final rules may have pervasive and unintended effects. Although the final rules dropped the proposed requirement to identify board members with cybersecurity expertise, public companies still have added incentive to seek directors with cybersecurity knowledge on their résumés and to expand their information technology management and staff. There is little doubt that the final rules will require public companies to devote more time and financial resources to cyber risk management, governance and oversight, not only to protect themselves from material cybersecurity risks but also to protect themselves from securities litigation and enforcement risk.

Notes

1 For calendar-year companies, the annual report for the year ending Dec. 31, 2023, will be the first report required to include the cybersecurity risk management disclosure.


2 In addition to the proposed cybersecurity rules for public companies, the SEC separately proposed cybersecurity-related rules for investment advisers and investment companies, as well as amendments to Regulation S-P (the Safeguards Rule).

3 For FPIs, the SEC is amending Form 6-K.

4 Public companies will need to assess cybersecurity incidents not only on systems they own but also on information resources the company "uses," including cloud-based storage and virtual infrastructure. The SEC clarified, however, that "the final rules generally do not require that registrants conduct additional inquiries outside of their regular channels of communication with third-party service providers pursuant to those contracts and in accordance with registrants' disclosure controls and procedures."

5 Instruction 1 to Item 1.05 of Form 8-K.

6 See, e.g., Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988); TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); Final Rule at 80.

7 Final Rule at 29 n.121.

8 The SEC stated that it has consulted with the U.S. Department of Justice (DOJ) to establish an interagency communication process so that the Attorney General's determination is communicated to the SEC in a timely manner. DOJ will notify the affected registrant that it has communicated with the SEC so that the registrant may delay filing its Form 8-K. Presumably, further information about this process will be provided by the SEC staff.

9 Instead, public companies will need to identify any Item 1.05(a) information that was undetermined or unavailable at the time of the initial Form 8-K filing and then file an amendment to the Form 8-K containing that information within four business days after learning of it.

10 See the amendments to Rules 13a-11(c) and 15d-11(c).

11 For FPIs, the SEC is amending Form 20-F.

12 A cybersecurity threat is defined as "any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."

13 Borrowing a line from Hamlet, Act 3, Scene 4, line 207, by William Shakespeare.

14 Final Rule at 7.

15 Item 106(a)(3).

16 Final Rule at 78-79.

17 Id. at 31.

18 In the Matter of Blackbaud, Inc. (2023); In the Matter of First American Financial Corp. (2021).

19 Other examples include the relatively low reporting threshold for environmental proceedings, intended to encourage compliance with environmental laws; Compensation Discussion and Analysis disclosure, intended to influence compensation decisions; the changes to audit committee and auditor relationships brought about by the Sarbanes-Oxley Act; and the disclosures and changes in compensation committee activity required by the Dodd-Frank Act.


New York Stands Ready to Rein in Covenants Not to Compete

HIGHLIGHTS

• The New York State Assembly recently passed Bill A01278, which would amend the New York Labor Code and prohibit covenants not to compete in employment agreements, with some notable exceptions.

• The legislation also gives covered individuals the right to bring civil action against employers who violate its tenets.

• The law would take effect 30 days after it is signed by Gov. Kathy Hochul, though it is unclear whether she will do so.

The New York State Assembly on June 20, 2023, passed Bill A01278, amending the New York Labor Code and prohibiting covenants not to compete, with certain notable exceptions, while also giving covered individuals the right to bring a civil action for violations of the law. Bill A01278 awaits the signature of Gov. Kathy Hochul and would become effective 30 days after it is signed.

Bill A01278 follows a trend of other states taking similar steps to curtail the usage of non-compete agreements. Illinois and Colorado recently passed legislation significantly restricting the use of non-compete agreements, and Minnesota this year passed a ban on most non-compete agreements. Additionally, the Federal Trade Commission (FTC) in January announced a proposed rule that would supersede all contrary state laws and essentially create a nationwide ban on non-compete agreements in employment contracts.

WHAT DOES BILL A01278 COVER?

Under the bill, employers may not require or accept a covenant not to compete from a covered individual.1 The bill broadly defines a covenant not to compete as "any agreement, or clause contained in an agreement, between an employer and a covered individual that prohibits or restricts [the] individual from obtaining employment, after the conclusion of employment with the employer."2 The definition of "covered individual" is similarly broad and covers any individual "who, whether or not employed under a contract of employment, performs work or services for another person on such terms and conditions that they are in a position of economic dependence on, and under an obligation to perform duties for, that other person."3 It remains unclear if independent contractors fall within the definition of a covered individual.

The bill expressly provides that employers may continue to prohibit "disclosure of trade secrets, disclosure of confidential and proprietary client information, or solicitation of clients of the employer that the individual learned about during employment."4 The legislation also permits an employer to enter into a covenant not to compete with an individual with an agreement that established a "fixed term of service." The bill, however, does not define "fixed term of service."

The bill pertains only to agreements reached after the law becomes effective. Existing agreements would not be impacted, unless they were to be modified after the effective date of the law.


WHAT ARE THE POTENTIAL CONSEQUENCES OF NONCOMPLIANCE WITH THE LAW?

The bill grants covered individuals the right to bring a civil action against employers alleged to have violated these provisions. Individuals would have two years after the alleged violation to bring a private right of action to void any non-compete clause that violates New York law and recover for lost compensation, damages, reasonable attorneys' fees and costs, and liquidated damages. Liquidated damages are capped at $10,000.

UNRESOLVED ISSUES

The bill does not address certain circumstances and raises numerous questions. For example, it does not include an exception in the context of a sale of a business and also is silent with regard to employee non-solicitation agreements.

Finally, there is also the question of how this bill would interact with the FTC's proposed rule banning covenants not to compete. Unlike the New York bill, the FTC proposal would apply retroactively to covenants not to compete already in effect. However, the FTC proposal also includes a sale-of-business exception not found in New York's bill. Earlier this year, the New York State Senate had considered a separate proposal mirroring the FTC proposal, but that bill remains in committee.5 Its status going forward is unclear now that the Senate has approved the current bill.

TAKEAWAYS

It is unclear at this time if Hochul will sign the bill. However, she has previously voiced support for a ban on certain non-compete agreements. In her 2022 State of the State address, Hochul called for legislation that would prohibit non-compete agreements for employees making less than the state's median wage.

The bill, if enacted, will have a dramatic impact on New York employers. Employers should carefully review their policies on using non-compete agreements and be prepared to revise their form agreements if the bill becomes law. They also should consider whether their objectives of protecting customer relationships, trade secrets and other confidential information can be achieved without a covenant not to compete, such as through well-drafted nondisclosure agreements and customer and employee non-solicitation agreements. Employers also may consider using fixed-term agreements for select employees if a covenant not to compete is desired. For more information on this topic, please contact the authors or your Holland & Knight attorney.

NOTES

1 N.Y. A01278B § 1(191-d)(2).

2 Id. § 1(191-d)(1)(a).

3 Id. § 1(191-d)(1)(b).

4 Id. § 1(191-d)(5).

5 N.Y.S. Senate Bill S6748.


Original authors: Jennifer Lada, Phillip M. Schreiber and James Toohey

About This Newsletter

Information contained in this newsletter is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel. Holland & Knight lawyers are available to make presentations on a wide variety of China-related issues.


About the Authors

Libby Bloxom focuses her practice on a broad range of international trade regulatory and transactional matters, including foreign direct investment, industrial security, export control, sanctions and customs matters. Her practice also involves assisting clients in corporate jet transactions and structuring of corporate aircraft operations to comply with Federal Aviation Administration (FAA) regulations.

James B. Coughlan focuses on litigation before the U.S. International Trade Commission (ITC), where he formerly served as a senior staff attorney at the ITC's Office of Unfair Import Investigations. His representations have involved various technologies, including computer hardware and software, wireless communication devices, streaming audio and video technologies, integrated circuits, jet engines, hardware logic emulation devices, adhesives, medical devices and biotechnology methods for producing pharmaceuticals.

Shardul Desai has extensive experience in handling cyber intrusions and data breaches, trade secret thefts, emerging technology matters and complex white collar investigations. With a computer science and physics background, he is highly skilled and knowledgeable to advise companies on novel issues at the intersection of law, technology and data privacy. He is also a Certified Information Privacy Professional in the United States (CIPP/US) with the International Association of Privacy Professionals (IAPP).

Jonathan M. Epstein focuses his practice on international trade and aviation law. His trade practice includes advising clients in the aerospace, electronics, agrochemical, biochemical and other high-technology industries on export, import and related trade issues. His aviation practice focuses on representing clients before the Federal Aviation Administration (FAA) and the Department of Transportation (DOT), and assisting clients in corporate jet transactions and structuring of corporate aircraft operations to comply with FAA regulations.

Jennifer Lada represents international and domestic clients in state and federal court in matters ranging from complex commercial litigation and shareholder disputes to business torts, class actions, antitrust and employment matters. Her business litigation practice encompasses trial and appellate work, as well as representing clients in arbitration proceedings.


Scott Mascianica has a national practice where he regularly advises businesses and individuals in connection with government and internal investigations, enforcement-related litigation, cybersecurity-related misconduct and regulatory and compliance issues. He has extensive experience in matters facing public company issuers, board and audit committees, auditors and regulated entities. He is highly experienced at identifying potential misconduct and regulatory issues concerning public company and accounting disclosures (including Environmental, Social and Governance (ESG) disclosures), registered investment adviser obligations, auditing standards, evolving digital assets and cryptocurrencies issues, and cybersecurity obligations.

Ronald A. Oleynik is co-head of the International Trade Practice and focuses his practice in the area of international trade regulation. His experience includes a broad range of industrial security, customs, export control, trade policy, and public and private and international trade matters. He has substantial experience in assisting clients in complying with U.S. trade embargoes and economic sanctions programs involving countries such as Cuba, Iran, North Korea, Russia, and Syria. He works frequently with the U.S. Department of the Treasury's Office of Foreign Assets Control, which is responsible for implementing, administering and enforcing sanctions regulations that restrict business transactions involving designated countries and their nationals.

Paul Monsour represents public and private companies in securities regulation and corporate matters. He guides clients through securities regulation, capital markets transactions, corporate governance matters, mergers and acquisitions (M&A) and other general corporate issues. He has a deep understanding of the intersection between securities law disclosures and financial reporting and is particularly experienced with the disclosure and reporting requirements specific to oil and gas companies.

Ira N. Rosner has nearly four decades of experience helping entrepreneurs and corporate management teams create, fund, manage, grow and capitalize on their businesses. He has worked with a wide variety of companies, ranging from startup ventures to Fortune 100 enterprises, in a wide array of industries, including financial technology (FinTech) and financial services, construction, real estate (including REITs), healthcare, pharmaceuticals, aerospace and aviation, agriculture, energy, manufacturing, high tech, life sciences, retail, business outsourcing, telecommunications and insurance.

Phillip M. Schreiber practices in the area of labor and employment. His practice is divided between counseling employers on a wide variety of labor and employment matters, litigating labor and employment disputes, performing labor and employment due diligence in connection with business acquisitions and sales, and drafting executive employment agreements, handbooks and employment policies. He has extensive substantive experience in the areas of wage payment, overtime pay and minimum wage laws, the Family and Medical Leave Act (FMLA), biometric information protection, employment discrimination and harassment, disability accommodation, retaliation and retaliatory discharge, union-management relations, covenants not to compete, trade secret protection, reductions in force, paid sick leave laws and prevailing wage laws.

Terry J. Wikberg focuses his practice on patent, trademark, trade dress and trade secret litigation, as well as strategic counseling, patent prosecution and intellectual property (IP) portfolio development and acquisition. His practice also includes strategic client counseling in various complex corporate scenarios, including mergers and acquisitions (M&A), risk management and value generation, and IP monetization. He has extensive litigation experience representing plaintiffs and defendants at the U.S. International Trade Commission (ITC) and U.S. federal district courts throughout the country.

Hailey H. Cho is a paralegal in the Corporate – Trade Regulation practice in the firm's Washington, D.C., office.

James Toohey is a former summer associate in the firm's New York office.

Contact Our China Practice Attorneys

Primary Contacts:

Hongjun Zhang, Ph.D. 张红军博士 Washington, D.C. +1.202.457.5906 hongjun.zhang@hklaw.com

Juan M. Alcala | Austin +1.512.954.6515 juan.alcala@hklaw.com

Leonard A. Bernstein | Philadelphia +1.215.252.9521 leonard.bernstein@hklaw.com

Christopher W. Boyett | Miami +1.305.789.7790 christopher.boyett.@hklaw.com

Vito A. Costanzo | Los Angeles +1.213.896.2409 vito.costanzo@hklaw.com

Josias N. Dewey | Miami +1.305.789.7746 joe.dewey@hklaw.com

R. David Donoghue | Chicago +1.312.578.6553 david.donoghue@hklaw.com

Jonathan M. Epstein | Washington, D.C. +1.202.828.1870 jonathan.epstein@hklaw.com

Leonard H. Gilbert | Tampa +1.813.227.6481 leonard.gilbert@hklaw.com

Enrique Gomez-Pinzon | Bogotá +57.601.745.5800 enrique.gomezpinzon@hklaw.com

Paul J. Jaskot | Philadelphia +1.215.252.9539 paul.jaskot@hklaw.com

Adolfo Jimenez | Miami +1.305.789.7720 adolfo.jimenez@hklaw.com

Roth Kehoe | Atlanta +1.404.817.8519 roth.kehoe@hklaw.com

Mike Chiang 蒋尚仁律师 New York | +1.212.513.3415 San Francisco | +1.415.743.6968 mike.chiang@hklaw.com

Luis Rubio Barnetche | Mexico City +52.55.3602.8006 luis.rubio@hklaw.com

Francisco J. Sanchez | Tampa +1.813.227.6559 francisco.sanchez@hklaw.com

Robert J. Labate | San Francisco +1.415.743.6991 robert.labate@hklaw.com

Alejandro Landa Thierry | Mexico City +52.55.3602.8002 alejandro.landa@hklaw.com

Jeffrey W. Mittleman | Boston +1.617.854.1411 jeffrey.mittleman@hklaw.com

Anita M. Mosner | Washington, D.C. +1.202.419.2604 anita.mosner@hklaw.com

Ronald A. Oleynik | Washington, D.C. +1.202.457.7183 ron.oleynik@hklaw.com

Douglas A. Praw | Los Angeles +1.213.896.2588 doug.praw@hklaw.com

John F. Pritchard | New York +1.212.513.3233 john.pritchard@hklaw.com

Robert Ricketts | London +44.20.7071.9910 robert.ricketts@hklaw.com

Evan S. Seideman | Stamford +1.203.905.4518 evan.seideman@hklaw.com

Jeffrey R. Seul | Boston +1.617.305.2121 jeff.seul@hklaw.com

Vivian Thoreen | Los Angeles +1.213.896.2482 vivian.thoreen@hklaw.com

Shawn M. Turner | Denver +1.303.974.6645 shawn.turner@hklaw.com

Matthew P. Vafidis | San Francisco +1.415.743.6950 matthew.vafidis@hklaw.com

Stacey H. Wang | Los Angeles +1.213.896.2480 stacey.wang@hklaw.com

Charles A. Weiss | New York +1.212.513.3551 charles.weiss@hklaw.com

Jose V. Zapata | Bogotá +57.601.745.5940 jose.zapata@hklaw.co

Office Locations

Algiers | Atlanta | Austin | Birmingham | Bogotá | Boston | Century City | Charlotte | Chattanooga | Chicago | Dallas | Denver | Fort Lauderdale | Houston | Jacksonville | London | Los Angeles | Mexico City | Miami | Monterrey | Nashville | Newport Beach | New York | Orlando | Philadelphia | Portland | Richmond | San Francisco | Stamford | Tallahassee | Tampa | Tysons | Washington, D.C. | West Palm Beach
