PCCE Seeking New Executive Director

After a wonderful and successful year, PCCE’s current Executive Director, Allison Caffarone ’03, will be stepping down to join Hofstra Law School. Allison was a tremendous addition to PCCE. Among other things, she was responsible for organizing our two most recent events, The New Face of AML Enforcement and Compliance and A New Model for Incentivizing Antitrust Compliance Programs.  She also is organizing (and will stay to finalize) our fall conference.  Please join us in recognizing Allison’s hard work. Thank you Allison for everything you did during your time here as PCCE’s Executive Director.

In light of Allison’s imminent departure, PCCE is seeking a new Executive Director. We are looking for people with enforcement experience and are open to speaking with people transitioning out of the government and into private practice. While we would prefer a candidate who would be interested in working with us long term, we are willing to work with short-term arrangements as well. We would need the candidate to be able to start anywhere between now and October 12, 2019.

A full description of the job is below: Continue reading

UK Law Commission Recommends Reforms to Money Laundering Suspicious Activity Reports

by Karolos Seeger, Aisling Cowell, Andrew Lee, and Natasha McCarthy

The Law Commission has published an extensive report examining the UK’s current Suspicious Activity Report (“SAR”) regime for notifying suspected money laundering to the National Crime Agency (“NCA”) and outlining 19 recommendations for reform.[1] These include both legislative and non-legislative mechanisms designed to improve the efficiency and effectiveness of the consent regime. This report follows a July 2018 consultation paper, which was discussed in a previous client update.[2] Interestingly, the Law Commission reviewed a sample of hundreds of SARs to help it analyse the potential impact of the various proposals and lend support to its final recommendations.

In short, the existing SAR regime will be largely retained, with the recommendations having limited practical effect, especially for organisations outside the regulated sector. We summarise below the key recommendations and consider their likely impact. Continue reading

Assistant Attorney General Makan Delrahim Delivers Remarks at the New York University School of Law Program on Corporate Compliance and Enforcement

Wind of Change*: A New Model for Incentivizing Antitrust Compliance Programs

Makan Delrahim
Assistant Attorney General
Antitrust Division
U.S. Department of Justice

Remarks as Prepared for Delivery at New York University School of Law Program on Corporate Compliance and Enforcement (July 11, 2019)

I.     Introduction

Thank you, Professor First for your kind introduction and for inviting me back to this great institution.  Let me also thank Professor Jennifer Arlen and Executive Director Allison Caffarone, along with everyone involved in the Program on Corporate Compliance and Enforcement (PCCE), for organizing this event.  You should be proud of the incredible enduring program you have developed exploring the causes of corporate misconduct and the nature of effective enforcement and compliance.

It is great to be back at NYU Law School and to be joined by many colleagues from across the Department of Justice and other government officials, scholars, and leaders in the antitrust bar and the world of corporate compliance.  Continue reading

SCOTUS Expands Scope of FOIA Trade Secrets and Commercial Information Exemption

by Michael S. Flynn, Randall D. Guynn, Michael Kaplan, Neil H. MacBride, Paul J. Nathanson, Annette L. Nazareth, Margaret E. Tahyar, and Eric B. Lewin

The Supreme Court has updated an important Freedom of Information Act (“FOIA”) exemption for the digital age.  In Food Marketing Institute v. Argus Leader Media (PDF: 125 KB), the Supreme Court last week significantly expanded the scope of FOIA Exemption 4.  FOIA Exemption 4 is the exemption most commonly claimed by private-sector entities when seeking to protect competitively sensitive information that must be disclosed to a federal agency.  It shields from disclosure “trade secrets and commercial or financial information obtained from a person and privileged or confidential.”[1]  Beginning with a D.C. Circuit decision in 1974, National Parks & Conservation Ass’n v. Morton, 498 F.2d 765 (D.C. Cir. 1974), courts have interpreted FOIA Exemption 4 narrowly.  For commercial or financial information to be “confidential,” a number of federal courts of appeals have required a showing of “substantial competitive harm” from disclosure.  Proving “substantial competitive harm” has proven difficult in practice, and, in this digital age, there is an increasing awareness that information and data are valuable.  The majority opinion in Food Marketing, written by Justice Gorsuch, squarely repudiated the “substantial competitive harm” test in favor of a less difficult standard, thereby broadening Exemption 4.

It is significant that the justices were unanimous in rejecting the “substantial competitive harm” test.  They disagreed about whether harm has any role to play in Exemption 4.  In an opinion concurring in part and dissenting in part, Justice Breyer explained that he “would clarify that a private harm need not be ‘substantial’ so long as it is genuine.”[2]  In contrast, the majority wouldn’t apply a harm test at all, arguing that such a test is not supported by the statute.  Instead, the majority explained its test as follows: Continue reading

District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing

Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]

Background: The decision was issued in a class action lawsuit brought against Facebook, alleging breach of contract, negligence, and violation of the California Unfair Competition Law, among other state law claims, based on a 2018 data breach.   The breach resulted from a coding vulnerability that allowed hackers to steal information from 15 million users.  Though the stolen information included usernames and basic contact information (i.e., phone numbers and email addresses), and in some cases also included users’ birthdates, hometowns, workplaces, education information, religious views, and prior activities on Facebook, the plaintiffs did not allege the breach of information traditionally considered sensitive, such as social security numbers or credit card information. In its motion to dismiss the complaint, Facebook argued that the named plaintiffs had not established Article III standing because they had not alleged any particularized injury: the stolen information was publicly-available, and the only potential injury was the minimal time spent deleting phishing emails.  The court rejected Facebook’s argument, holding that one plaintiff had adequately alleged two injuries: (i) the substantial risk of future identity theft and (ii) the lost time responding to the data breach.

Regarding the risk of identity theft, the court rejected Facebook’s argument that the plaintiff had not suffered an injury-in-fact because the breach involved no sensitive information.  Despite recognizing that all of the information was otherwise publicly available, the court nonetheless determined that information “need not be sensitive to weaponize hackers in their quest to commit further fraud or identify theft.”  In the court’s view, an “‘increased risk of identity theft’” can occur even when the stolen information is not traditionally sensitive personal information, because the proper inquiry is not “the minutia” of what information had been taken, but whether the data “gave hackers the means to commit fraud or identify theft.”

Here, the court viewed the stolen information as equivalent to sensitive information because it was “immutable,” personally identifying, and of a nature and amount to “provide further ammo . . . to g[i]ve hackers the means to commit fraud or identity theft.”  The public availability of the information was “irrelevant,” because “constructing this information from random sources bit by bit” would be difficult for hackers.  The court also inferred that the goal of the breach was to facilitate fraud and identity theft, emphasizing the plaintiff’s receipt of phishing emails and text messages after the breach, and the hackers’ use of searches to cull information from millions of users.

The court also held that the lost time spent responding to the data breach could constitute an economic injury.  Under the court’s reasoning, even de minimis time spent sorting through phishing emails could be sufficient based on an expectation that “[m]ore phishing e‑mails will pile up” over time.

Takeaway: Courts remain split over the threshold for alleging standing in data breach cases.  Although the Second, Fourth, and Eighth Circuits have determined that allegations based on the risk of future harm are insufficient, the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits have held that alleging a substantial risk of future harm is sufficient to satisfy the Article III injury requirements.  But the question remains—when are allegations of future harm too “speculative” to constitute an injury?  This month’s decision in Schmidt v. Facebook answered that the exposure of a sufficient amount of public, non-sensitive information may create a future risk of harm that is as substantial and imminent as the exposure of social security numbers because it makes social engineering attacks easier.  Should this decision gain traction among other courts, it would ease plaintiffs’ burden to establish standing in a broad array of data breach lawsuits.

Footnotes

[1] Schmidt v. Facebook, Inc., No. C 18-05982 WHA (JSC), 2019 WL 2568799 (N.D. Cal. June 21, 2019).

Continue reading

Arbitration Now Requires Knowledge of Criminal Law Principles

By Stéphane Bonifassi

Bring arbitrators and criminal-law experts in a room together these days and watch a debate about applicable laws unfold.

Arbitrators naturally tend to focus on the contract, the dispute at hand and the laws governing both.  Criminal lawyers, like me, think it’s important for arbitrators to consider other laws, especially criminal laws, to ensure the enforceability of arbitral awards and to ensure that no one is held criminally liable for one reason or the other, including the arbitrators themselves. I experienced this paradigm-shifting debate firsthand working on a project initiated by Professor Mark Pieth of the Basel Institute on Governance.

Pieth, who rightly recognized the differing position between arbitrators and financial crime litigators two years ago, invited representatives from academia, arbitration, and financial crime litigation to help him put together a toolkit for arbitrators that will guide them through the increased scrutiny that surrounds companies entering into contracts with arbitration clauses. His academic assistant and author of “Proving Bribery, Fraud and Money Laundering in International Arbitration” Kathrin Betz helped Pieth synthesize our discussions and viewpoints to develop “Corruption and Money Laundering in International Arbitration – A Toolkit for Arbitrators,” published May 30. Continue reading

Regulating the Use of Data in the United Kingdom’s Financial Sector

by Alun Milford

It is just over a year since the European Union’s General Data Protection Regulation came into force. It strengthened Europe’s already highly evolved legal framework for the protection of personal data and provided for much heavier penalties for breaches of those protections than had hitherto been available. For example, under the old law the maximum penalty the United Kingdom’s regulator could impose for a data protection breach was £500,000 whereas under the new law the maximum penalty throughout Europe is the higher of 20,000,000 euros or 4% of the firm’s annual worldwide turnover in the preceding financial year. The prospect of penalties on this scale has concentrated the minds of businesses with European operations, whether headquartered there or not. 

For firms in the United Kingdom’s regulated financial sector a particular concern was the prospect of having to comply with two distinct regulatory frameworks – one for the conduct of business and the other for the protection of personal data – policed by two distinct regulators – the Financial Conduct Authority and the Information Commissioner’s Office – where both regulators now had the power to impose very significant sanctions for the same conduct. In this blog I consider the functions of the respective regulators, the areas of overlap or common interest in their work and the way in which the regulators have indicated they will approach those areas of common interest. Continue reading

The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

by Avi Gesser, Matthew Kelly, Will Schildknecht, and Clara Y. Kim

By now, most major U.S. companies are generally aware of the new privacy requirements (PDF:187 KB) that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information.  But, at least in the short term, it is likely that the CCPA’s cybersecurity requirements will have the most significant impact on companies.

Unfortunately, the CCPA does not spell out its cybersecurity requirements explicitly.  Rather, it creates a private right of action for California consumers against companies that have experienced a cyber breach if their personal information has been taken by an unauthorized person.  A successful action requires that the exfiltration or disclosure be of unencrypted personal data and result from the company’s violation of its duty to implement and maintain reasonable security procedures and practices. § 1798.150(a)(1). Continue reading

Blockchain and the New Regulatory Havens

by Omri Marian

Over the past few years, small jurisdictions that are known as “tax havens” have been engaged in a race to become leading hubs for blockchain technology. In a recent article, I explore the extent of this phenomenon, its drivers, and its regulatory ramifications. In short, I argue that the traditional tax havens model is in decline due to recent coordinated international efforts to shut down abusive tax havens practices. Blockchain technology, however, offers similar commodities as offered by tax havens jurisdictions. Blockchain technology is not (yet) subject to coordinated international regulatory efforts. Tax havens seem to have identified the opportunity to offer their traditional regulatory commodities’ via the medium of the blockchain technology. I argue that the rise of so-called “Blockchain Havens” presents significant regulatory challenges that can only be addressed via coordinated global efforts. Continue reading

Willfulness and Negligence are Mutually Exclusive Standards of Liability (Something We All Intuitively Knew Already)

Greg Morvillo and Christine Hanley

Rudyard Kipling famously quipped “Oh, East is East and West is West and never the twain shall meet.”  Although crafted in 1889, this sentiment is newly applicable to a D.C. Circuit Court of Appeals opinion in The Robare Group v. S.E.C, 922 F.3d 468, 479-80 (D.C. Cir. 2019).  The D.C. Circuit essentially held that Willfulness is Willfulness and Negligence is Negligence, and never the twain shall meet, only less poetically.  This potentially landmark decision held that willfulness and negligence are mutually exclusive standards of liability – one requiring intent to commit wrongdoing and the other requiring a lack of intent to commit wrongdoing – and the SEC cannot impose civil liability under both standards for the same conduct. 

Robare arose out of a 2014 administrative cease and desist proceeding against The Robare Group (“TRG”), an investment advisory firm, and its principals and co-owners, Mark L. Robare and Jack L. Jones.  The complaint alleged that respondents received a fee from Fidelity Investments (“Fidelity”), which provided clearing services for TRG’s advisory clients, whenever TRG’s clients invested in certain funds offered on Fidelity’s online platform.  The SEC further alleged that TRG failed to disclose this fee and that TRG had a conflict of interest arising from the revenue-sharing arrangement between TRG and Fidelity.  Continue reading