Author Archives: Allison Caffarone

VinDAX Is the Seventh Cryptocurrency Exchange Hacked This Year: What Should Investors Be Considering?

by Mark S. Bergman, Roberto Finzi, Christopher D. Frey, Manuel S. Frey, David S. Huntington, Jeannie S. Rhee, Raphael M. Russo, Jonathan H. Ashtor, Steven C. Herzog, Daniel J. Klein, and Apeksha S. Vora

On November 5, 2019, Vietnam-based cryptocurrency exchange VinDAX was hacked, losing half a million U.S. dollars’ worth of funds spread across 23 different cryptocurrencies.[1] The VinDAX hack marks the latest in a series of cryptocurrency exchange hacks and data breaches that have taken place this year, and is part of a larger and growing trend of digital currency heists that have occurred since Bitcoin, the first cryptocurrency, was introduced in 2008.[2] In July of this year, Japan-based cryptocurrency exchange Bitpoint was also hacked, losing about $32 million in cryptocurrency,[3] and earlier this year, hackers stole $16 million worth of cryptocurrency from New Zealand-based Cryptopia.[4] Losses from cryptocurrency hacks this year alone are reported to have totaled around $1.39 billion worth of assets.[5]

Anti-Corruption Enforcement in Mexico: A Possible Turning Point?

by Andrew M. Levine, Kara Brockmeyer, and Marisa R. Taney

In recent years, anti-corruption enforcement has become increasingly globalized. New anti-corruption laws have proliferated, along with deepening commitments to enforcing such laws. Sometimes, as in Brazil, active enforcement has followed promptly after the adoption of new laws. Other times, as in the case of Mexico, the journey from enactment to enforcement has proven more challenging.

Amidst much fanfare, Mexico adopted its new National Anti-Corruption System in mid-2016. Many hoped Mexico would seize the opportunity and shortly thereafter pursue significant anti-corruption enforcement. But key posts within the anti-corruption system remained unfilled, and no significant enforcement ensued.

The Rise of Deepfake Audio Means It’s Time to Revisit Business Email Compromise Scams and Ways to Reduce Risk

by Avi Gesser, Clara Y. Kim, and Thomas Harris-Warrick (The Crypsis Group)

We first wrote about Business Email Compromise (“BEC”) scams in 2015. Over the last four years, these attacks have continued unabated. According to the FBI (PDF: 1.77 MB), in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion. One reason this threat persists is that cybercriminals have used increasingly sophisticated methods to trick companies into wiring money to them instead of the legitimate payee.

Indeed, in a twist on traditional BEC scams, a fraudster recently used AI-based software to mimic the voice of a CEO on the phone, successfully tricking another executive into sending money to a supplier. The AI was sophisticated enough to recreate the slight German accent of the CEO, so that the executive thought he recognized his CEO’s voice. With the rise of AI and deepfakes, BEC scams may get harder to detect, so it is worth revisiting the measures companies should consider employing to reduce those risks.

New York’s Shield Act and Related Cybersecurity Requirements

by Maria T. Vullo

Data privacy is a hot topic. The media seemingly reports on a data breach virtually every day. Cybersecurity is often referenced as the most significant threat that our country faces. Indeed, nation states target governments and businesses in order to obtain information and gain leverage in a war that involves a different type of weapon. At the same time, consumers increasingly are becoming concerned about the use of their private data by businesses that have obtained their information through financial transactions and online purchases. The big technology companies are facing investigations based on their use, and sale, of private information. Although there have been a number of highly publicized data breaches over the last few years, the Equifax data breach, reported in September 2017, attracted significant attention because of the company’s utter failure to employ cybersecurity safeguards and its lack of an incident response plan, which led to legislative hearings, governmental investigations, and private class actions.

With this backdrop, we have seen a proliferation of legislative actions to address data privacy concerns. The European Union had acted early, with the passage of the General Data Protection Regulation (“GDPR”).[1] In the U.S., although several proposed statutes have been introduced in Congress, the federal government continues to be plagued by political differences, and thus the states appropriately are responding with new laws to protect their residents. Last year, California passed the California Consumer Privacy Act (“CCPA”), a particularly broad statute that imposes stringent standards and provides a private right of action for California consumers against companies that have experienced a data breach of their personal information.[2] Other states followed, including New Jersey and Oregon. Most recently, New York has joined these other states in enacting data privacy laws to protect the private information of New York residents.[3]

The Problem of Algorithmic Corporate Misconduct

by Mihailis E. Diamantis

Technology will soon force broad changes in how we conceive of corporate liability. The law’s doctrines for evaluating corporate misconduct date from a time when human beings ran corporations. Today, breakthroughs in artificial intelligence and big data allow automated systems to make many business decisions like which loans to approve,[1] how high to set prices,[2] and when to trade stock.[3] As corporate operations become increasingly automated, algorithms will come to replace employees as the leading cause of corporate harm. The law is not equipped for this development. Rooted in an antiquated paradigm, the law presently identifies corporate misconduct with employee misconduct. If it continues to do so, the inevitable march of technological progress will increasingly immunize corporations from most civil and criminal liability.

Planning for a Gathering Storm: Ransomware Preparation and Response

by Marshall L. Miller and Adam Sowlati

Ransomware attacks render an organization’s Information Technology systems inoperable or its data inaccessible, unless and until a ransom is paid. According to the FBI, since 2016, an average of 4,000 ransomware attacks have occurred daily, causing over $1 billion in damages annually. And ransomware is reportedly (PDF: 281 KB) growing in sophistication and increasingly targeting organizations. For example, 23 municipalities in Texas were struck last week in a coordinated attack. Companies would be well served by engaging in advance ransomware preparation.

Before an attack, companies should consider prophylactic preparatory steps, such as implementing reliable processes that back up IT systems and critical data to reduce ransomware exposure, securing cyber liability insurance to cover costs associated with significant ransomware incidents, and implementing incident response plans that include effective elevation procedures and account for the unique challenges of a ransomware attack. Fostering pre-attack relationships with law enforcement can also pay dividends, providing swift access to resources, intelligence, and experience to assist investigation and remediation.

UK Serious Fraud Office Publishes Corporate Co-operation Guidance

by Stephen Pollard, Christopher David, Lloyd Firth, and Leila Gaafar

On 6 August 2019, the UK Serious Fraud Office (‘SFO’) published Corporate Co-operation Guidance (‘Guidance’).[1] This Guidance is designed to assist companies considering whether to self-report corporate wrongdoing to the SFO and, if so, how to achieve maximum co-operation credit to help avoid prosecution, or be offered the opportunity to enter into a Deferred Prosecution Agreement (‘DPA’). In doing so, it clarifies the SFO’s position on various key investigative themes, including: data gathering and production; the company’s dealings with individual witnesses and suspects; and the implications of asserting legal professional privilege (‘Privilege’) over witness accounts obtained during an internal investigation.

Why Sustainable Governance Enables Regulation Best Interest Compliance

by Beth Haddock

I. Important SEC Signal on Conflicts of Interests

On June 5, the SEC announced two major changes with the release of new Regulation Best Interest (“Reg BI”) for broker-dealers (“BDs”) and Commission Interpretation/Standard of Conduct for Investment Advisers (“RIAs”).

A close read of both initiatives reveals that disclosure alone may not adequately address conflicts of interest (“COIs”) under either Reg BI or the fiduciary standard for RIAs. The new efforts to protect retail investors under Reg BI and advisory clients more generally under the Commission Interpretation will compel regulatory compliance programs at both BDs and RIAs to consider adopting a new sustainable governance approach for compliance controls in order to effectively detect, mitigate and/or eliminate COIs. Such reforms can also ensure more fulsome and accurate disclosures and help in discerning when using “may” or “will” appropriately communicates informed notice and secures consent.

European Parliament Adopts New Whistleblower Directive

by Dr. Katja Langenbucher

The history of whistleblower protection under European Law is short. Ten European countries have provided effective protection for whistleblowers in their national laws. For the rest, protection remained fragmented and uneven across policy areas. Only since 2014 have EU institutions been obliged to introduce internal rules protecting whistleblowers who are officials of the EU institutions. By the end of 2015, the EU Parliament adopted similar rules. The EU Commission expressed general support of whistleblower protection in 2016, then being concerned with tax evasion, and in 2017 started a public consultation on the topic. The EP followed up with a resolution and an own-initiative report by its Committee on Legal Affairs, leading to the “Proposal for a directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union Law (COM(2018)0218).” On 16 April 2019, this proposal was adopted by the European Parliament. It now needs to be approved by the Commission; Member States will then have two years to transpose its rules.

Whistleblower protection has to strike a delicate balance. For the whistleblower to come forward, we need to provide him with safe reporting channels and efficient protection against negative consequences. Corporations have a legitimate interest to avoid reputational damage if the disclosed accusations are false. The Directive aims at reconciling both concerns by (1) defining the areas of the law eligible for whistleblowing, (2) framing a profile of the whistleblower qualifying under the new rules, (3) setting out the type of information, (4) the reporting channels and (5) the protection offered.