Author Archives: Alexandra Andrei

Congress Passes Foreign Extortion Prevention Act, Targeting “Demand Side” of Foreign Bribery

by Kara Brockmeyer, Andrew M. Levine, David A. O’Neil, Winston M. Paes, Jane Shvets, Bruce E. Yannett, Douglas S. Zolkind, and Erich O. Grosz

Top left to right: Kara Brockmeyer, Andrew M. Levine, David A. O’Neil, and Winston M. Paes
Bottom left to right: Jane Shvets, Bruce E. Yannett, Douglas S. Zolkind, and Erich O. Grosz (Photos courtesy of Debevoise & Plimpton LLP)

On December 14, 2023, the U.S. Congress approved the Foreign Extortion Prevention Act (“FEPA”), which will make it a federal crime for any foreign government official to demand or receive a bribe from a U.S. citizen, resident or company in exchange for taking or omitting to take official action or conferring any improper business-related advantage.[1] This legislation, which is part of the National Defense Authorization Act and expected to be signed into law by President Biden, substantially expands U.S. enforcement authority with respect to foreign bribery and aligns with the Biden Administration’s elevation of anti-corruption enforcement to a national security priority.

Continue reading

The Data Act – the EU’s Bid to “Ensure Fairness in the Digital Environment and a Competitive Data Market” – Has Been Adopted

by Hope Anderson, Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, and Jenna Rennie

Left to right: Hope Anderson, Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, and Jenna Rennie (Photos courtesy of White & Case LLP)

On November 27, 2023, the European Union (“EU”) adopted the final text of the Data Act, marking an effort to create a harmonized, cross-sectoral data sharing framework with the stated goal of ensuring fair access to and use of data.

The Data Act is part of the European Data Strategy Package,[1] which aims for the EU to take a leading role in our networked world. Following the Data Governance Act,[2] which facilitates voluntary data sharing by businesses, individuals and the public sector, the Data Act is the second key piece of legislation aiming to make generated data more available for reuse. To that end, the Data Act seeks to maximize the value of data and to stimulate a competitive data market in which open opportunities for data-driven innovations make data more accessible for all.

Continue reading

CISA Releases Revised Draft of Secure Software Development Self-Attestation Form

by Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin


Left to right: Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Once Finalized, the Form will Establish Secure Software Development Baselines for Companies that Provide Software to the Federal Government

The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form (“Form”).  The Form, once finalized, will obligate vendors providing software to the federal government to attest to enumerated practices to secure their software, third-party components, and the development environment.  Software vendors to federal agencies are advised to review the draft Form and assess their current secure development practices—both for in-house and third-party developed software—against the Form’s relevant attestations and the supporting NIST guidance.  Software producers unable to make any of the required attestations should prioritize conforming their software development practices to the Form’s attestations and NIST guidance, and should consider whether to pursue a plan of action and milestones (POA&M) with their federal agency customers once the Form is finalized.

Continue reading

Hackers Turned Whistleblowers: SEC Cybersecurity Rules Weaponized Over Ransom Threat

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, and Erez Liebermann
Bottom left to right: Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue (Photos courtesy of Debevoise & Plimpton LLP)

On November 7, 2023, the prolific ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and Exchange Commission (the “SEC”) against its victim for failing to publicly disclose the cybersecurity incident. AlphV wrote in its complaint[1]:

We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

As we have previously reported, the SEC adopted final rules mandating disclosure of cybersecurity risk, strategy and governance, as well as material cybersecurity incidents. This includes new Item 1.05 of Form 8-K, which, beginning December 18, will require registrants to disclose certain information about a material cybersecurity incident within four business days of determining that a cybersecurity incident it has experienced is material. Though AlphV jumped the gun on the applicability of new Item 1.05, its familiarity with, and exploitation of, its target’s public disclosure obligations is a further escalation in a steadily increasing trend of pressure tactics by leading ransom groups.

Continue reading

SEC Charges SolarWinds and Its CISO with Fraud and Internal Controls Failures

by Nicole Friedlander, Anthony J. Lewis, Robert W. Reeder, John B. Sarlitto, Michael S. Drell, and Paulena B. Prager


Left to right: Nicole Friedlander, Anthony J. Lewis, Robert W. Reeder, John B. Sarlitto, Michael S. Drell, and Paulena B. Prager (Photos courtesy of Sullivan & Cromwell LLP)

Complaint Alleges Knowledge and Concealment of Poor Cybersecurity Practices and Heightened Cyber Risks

SUMMARY

On October 30, 2023, the Securities and Exchange Commission (“SEC”) filed a complaint against SolarWinds Corporation (“SolarWinds”) and its Chief Information Security Officer (“CISO”), alleging securities fraud and failures of reporting, internal control over financial reporting, and disclosure controls and procedures, in connection with a compromise of the company’s software product that was publicly revealed in December 2020.[1] The complaint (“Complaint”), filed in the Southern District of New York, alleges that SolarWinds and its CISO misled investors and customers about known, material cybersecurity weaknesses and risks, including several that allegedly enabled the compromise, through which U.S. government networks and corporations were infiltrated in a cyber espionage campaign by the Russian government. The SEC alleges that the defendants made materially false and misleading statements and omitted material facts on SolarWinds’ website and in its blog posts, press releases, initial registration statement (“Form S-1”), quarterly and annual SEC reports, and the current report on Form 8-K in which SolarWinds first disclosed the compromise. The SEC seeks declaratory and injunctive relief, disgorgement, a civil monetary penalty in an unspecified amount, and an order permanently prohibiting the CISO from acting as an officer or director of a public company.

Continue reading

What We Have Here Is a Failure to Communicate… Among Other Things

by Larissa Bungo

Larissa Bungo (Photo courtesy of the author)

Yes, if a tree falls in the forest and no one is there to hear it, the tree does make a sound. And, yes, if a data breach happens and you fail to timely notify affected customers, that’s an unfair practice. That’s just one of the lessons businesses can learn from the FTC’s proposed settlement with Global Tel*Link (GTL) and its subsidiaries, Telmate and TouchPay.

Another lesson? When it comes to safeguarding consumers’ personal information, the duty extends regardless of where the business stores the data and what it uses the data for—even testing. Read on to learn more.

GTL is one of the country’s largest providers of communications and technology services for jails, prisons, and similar institutions, providing both communications and payment services for incarcerated consumers and their non-incarcerated contacts, including loved ones. According to the FTC’s complaint, in August 2020, unknown attackers accessed the personally identifiable information (“PII”) of hundreds of thousands of people who used GTL’s products when the data was left unprotected and accessible via the internet. This included: names, contact information, driver’s license numbers, passport numbers, Social Security numbers, payment card and financial account information, personal messages, health information, and grievance forms.

Continue reading

Consumers Are Voicing Concerns About AI

by Simon Fondrie-Teitler and Amritha Jayanti

Federal Trade Commission

This blog is part of a series authored by the FTC’s Office of Technology focused on emerging technologies and consumer and market risks, with a look across the layers of technology—from data and infrastructure to applications and design of digital systems.

Over the last several years, artificial intelligence (AI)—a term which can refer to a broad variety of technologies, as a previous FTC blog notes—has attracted an enormous amount of market and media attention. That’s in part because the potential of AI is exciting: there are opportunities for public progress by enhancing human capacity to integrate, analyze, and leverage information. But it’s also, perhaps in larger part, because the introduction of AI presents new layers of uncertainty and risk. The technology is altering the market landscape, with companies moving to provide and leverage essential inputs of AI systems, such as data and hardware – opening a window of opportunity for companies to potentially seize outsized power in this technology domain. AI is also fundamentally shifting the way we operate; it’s lurking behind the scenes (or, in some cases, operating right in our faces) and changing the mechanics by which we go about our daily lives. That can be unsettling, especially when the harms brought about by that change are tangible and felt by everyday consumers.

Continue reading

The Conviction of Sam Bankman-Fried – Yes, Fraud, but also Regulatory Arbitrage

by Maria T. Vullo

Maria T. Vullo (Photo courtesy of the author)

The much-anticipated jury verdict,[1] convicting former FTX CEO Sam Bankman-Fried (SBF) of seven felonies, after less than five hours of deliberations, demonstrates the strength of the prosecution’s case and that juries have no patience for financial fraud.  While many reports correctly note that fraud is at the core of the FTX/SBF case, the verdict also sends a clear message that regulatory arbitrage should not be tolerated.

Continue reading

SEC’s Focus on Off-Channel Communications Continues

by Tami Stark, Claudette Druehl, and Robert DeNault

From left to right: Tami Stark, Claudette Druehl, and Robert DeNault. (Photos courtesy of White & Case LLP)

On September 29, the U.S. Securities and Exchange Commission (“SEC”) brought its latest wave of enforcement actions related to “off-channel communications,” charging 10 additional firms with failing to maintain employee communications on personal devices that related to the firms’ business.  Over the past few years, the SEC has charged over 40 registrants in a sweep of off-channel communications actions and has levied over $1.5 billion in penalties.[1]

Continue reading

Former Prosecutors and Industry Experts React to Sam Bankman-Fried Trial Verdict

The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the collapse of FTX and the civil and criminal enforcement actions arising from FTX’s and its founder’s alleged misconduct. In this post, several white collar defense attorneys, former federal prosecutors, and cryptocurrency experts offer their reactions to the verdict in the Sam Bankman-Fried (SBF) trial on November 2, 2023.


Top left to right: William Komaroff, Seetha Ramachandran, David I. Miller, and Ijeoma Okoli
Bottom left to right: Jessica Lonergan, Tarek Helou, Elizabeth Roper, and Chehak Gogia
(Photos courtesy of authors)

Continue reading