Preparing for an Uptick in Congressional Investigations of Corporations

by Susanna M. Buergel, H. Christopher Boehning, Jessica S. Carey, Michael E. Gertzman, Roberto J. Gonzalez, Udi Grofman, Jeh Charles Johnson, Jonathan S. Kanter, Brad S. Karp, Mark F. Mendelsohn, and Alex Young K. Oh

Beginning next month, Democrats will control the House of Representatives for the first time since 2010.  Given the pent-up demand for House Democrats to make robust use of their oversight and investigative authorities, the current relative lull in congressional investigations of corporations is expected to end.  Corporations across sectors should anticipate an uptick in investigative activity. 

In addition to holding the majority for the first time in nearly a decade, this will be the first time that Democrats control the House since a 2015 rule change that empowered a number of committee chairs to subpoena witnesses or documents unilaterally.  The chairs of the following committees, among others, have this authority: Energy and Commerce; Financial Services; Intelligence; Judiciary; Natural Resources; and Oversight and Government Reform.[1]

DOJ Tells Tech Companies to Develop “Responsible Encryption”

by Laura Goodall, Michael Mugmon, and John F. Walsh

On November 29, 2018, in a speech at the Georgetown University Law School, Deputy Attorney General Rod Rosenstein renewed his call for tech companies to build into their products the means for law enforcement to legally access decrypted data, the development of so-called “responsible encryption.”[1] Mr. Rosenstein analogized such encryption to requirements that buildings disable elevators in the event of a fire but still retain firemen’s access, and he beseeched the private sector to work with the government to mitigate the security threats posed by rapid technological advances.

Summary of Mr. Rosenstein’s Address

Detailing the threat of ransomware, Mr. Rosenstein warned that the “malicious use of technology will be more pernicious and pervasive tomorrow than it is today, and even more difficult to combat.” To “forestall those ominous consequences,” he proposed three steps:

SEC’s First “Red Flags” Enforcement Case Focuses on Board’s Role

by Craig A. Newman

A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.

In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information including Social Security Numbers, account balances and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule.

New Guidance on the GDPR’s Territorial Scope – Are You Covered?

by Jeremy Feigelson, Jane Shvets, and Robert Maddox

The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines (PDF: 255 KB) on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?

There are five key takeaways from the Guidelines:

New DOJ Policy Revises “Yates Memorandum”

by Michael W. Peregrine and Rebecca Martin

A new Department of Justice policy (the “Policy”) modifies critical elements of the prominent 2015 “Yates Memorandum” on individual accountability. Introduced on November 29 by Deputy Attorney General Rod J. Rosenstein (the “DAG”), the Policy is manifested, in part, by specific revisions to the Justice Manual (previously referred to as the U.S. Attorneys’ Manual).

The Policy clarifies the relationship between the scope of a defendant’s disclosures regarding individuals and qualifying for cooperation credit, particularly in the context of civil litigation. In so doing, it also raises critical compliance oversight issues for corporate governance.

The Vital Report that Directors are Overlooking

by Stephen Stubben and Kyle Welch

With limited time, corporate directors are accustomed to monitoring firms by using aggregated information that is supplied by firms’ management. Nearly every task conducted by a board of directors involves data curated by employees working for a firm’s CEO. A critical challenge for directors is to be informed of important situations that may have been lost in data aggregation or that may have been selectively not reported. Indeed, this is why firms with stellar directors and high-quality external auditors still have major public debacles. One way a corporate director can obtain unfiltered information regarding a firm’s operations and potential problems within a firm is by reviewing reports made by employees through internal reporting systems (also known as internal whistleblowing systems). The problem with this solution is that there have been differing views and understandings as to how to appropriately manage these systems and interpret these submitted reports—until now.

Federal Privacy Legislation Is Coming. Maybe. Here’s What It Might Include

by Avi Gesser, Jon Leibowitz, Mathew Kelly, Joseph Kniaz, and Daniel F. Forester

Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws.  These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification.  Many leading tech companies, trade groups, and the U.S. Chamber of Commerce have voiced support for a national privacy law.  On top of these domestic considerations, the EU’s General Data Protection Regulation (“GDPR”), a sweeping privacy law that affects many U.S. companies conducting business in the EU, is also now in effect.  Several legislative proposals have been put forward in Congress, and we are starting to see the broad outlines of a potential law.  But for many of the details, there is still nothing close to a consensus.  Here are some of the issues that will likely be the subject of the most intense debate in the next congressional term:

OFAC Reaches Settlement with Cobham Holdings, Inc. for Violations Resulting from Deficient Screening Software

by H. Christopher Boehning, Jessica S. Carey, Michael E. Gertzman, Roberto J. Gonzalez, Brad S. Karp, Richard S. Elliott, Rachel M. Fiorill, and Karen R. King

On November 27, 2018, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) announced a nearly $90,000 settlement agreement with Virginia-based Cobham Holdings, Inc. (“Cobham”), a global provider of technology and services in aviation, electronics, communications, and defense, on behalf of its former subsidiary, Aeroflex/Metelics, Inc. (“Metelics”).[1] The settlement involves three shipments of goods through distributors in Canada and Russia to an entity that did not appear on OFAC’s Specially Designated Nationals and Blocked Persons List (the “SDN List”), but was blocked under OFAC’s “50% rule” because it was 51% owned by a company sanctioned under the Russia/Ukraine sanctions program. This is the second OFAC action of which we are aware that has relied on the 50% rule.  The apparent violations appear to have been caused by Metelics’s (and Cobham’s) reliance on deficient third-party screening software.

While difficult to predict, OFAC’s decision to pursue this action—involving only three shipments, a violation of the 50 percent rule, and where the root cause of the apparent violations is attributable to deficient sanctions screening software—may signal a raising of OFAC’s compliance expectations, consistent with Treasury Under Secretary Sigal Mandelker’s warning in a recent speech that private sector companies “must do more to make sure [their] compliance systems are airtight.”[2]

Below, we describe the settlement, OFAC’s penalty calculation, and several lessons learned.

Sustainable Finance and ESG reporting – EU pushing ahead, SEC cautious

by Dr. Katja Langenbucher

The market for “sustainable finance” has grown exponentially over the last few years.  The term usually denotes investment approaches that consider environmental, social and governance factors (“ESG”) in portfolio selection and management.  Following up on the Paris Agreement of 2016, the European Union has ambitious plans to mobilize private capital for contribution to sustainability concerns such as climate change and pollution.

In January 2018, the EU High-Level Expert Group on Sustainable Finance published its final report.[1]  It suggests focusing on common taxonomy and standards, investor duties, transparency of asset managers, governance of companies, and enhanced powers of the European Supervisory Authorities.  In March 2018, the European Commission went ahead with an action plan, announcing a number of short and long-term legislative steps that should be taken.

Virtual Currencies, Manipulation, Cooperation, and More: CFTC Enforcement Division’s 2018 Annual Report

by Nowell Bamberger, Robin Bergen, and Emily Michael

On November 15, 2018, the Division of Enforcement (the “Division”) of the U.S. Commodity Futures Trading Commission (“CFTC”) released its Annual Report on the Division of Enforcement (PDF: 1.95 MB) (the “Report”), highlighting the enforcement division’s recent initiatives and reinforcing its focus on cooperation and self-reporting.  The Report provides a succinct overview of the Division’s enforcement priorities over the last year, discusses its overall enforcement philosophy, sets out key metrics about the cases brought in the last year, and highlights its key initiatives for the coming year.  While the Division’s priorities—preserving market integrity, protecting customers, promoting individual accountability, and increasing coordination with other regulators and criminal authorities—do not mark a departure from prior guidance, the Report does highlight the Division’s particular focus on individual accountability and a few target areas of enforcement.