Author Archives: Clarissa Santiago

DOJ Announces Revised Export Control and Sanctions Enforcement Policy for Companies, Including Financial Institutions

by H. Christopher Boehning, Jessica S. Carey, Christopher D. Frey, Michael E. Gertzman, Roberto J. Gonzalez, Brad S. Karp, Mark F. Mendelsohn, Richard S. Elliott, Karen R. King, and Anand Sithian

On December 13, the U.S. Department of Justice’s (“DOJ”) National Security Division (“NSD”) announced a new policy designed to encourage business organizations to make voluntary self-disclosures (“VSDs”) to the DOJ in connection with potentially willful export control and economic sanctions violations (the “Revised VSD Policy”).[1] The policy, which only applies to voluntary self-disclosures to NSD’s Counterintelligence and Export Control Section (“CES”), revises a 2016 DOJ policy on the same topic. As the policy notes, in the export control and sanctions context, criminal violations require proof of willfulness, defined as knowledge that the conduct violated the law.[2]

What the Last Year of Cyber Enforcement Tells Us About the FTC’s Compliance Expectations

by Avi Gesser and Molly O’Malley Clarke

With 2019 coming to a close, we wanted to take a look at what can be learned from the FTC’s cybersecurity enforcement actions this year. As we have previously noted, the FTC came under criticism last year in the LabMD decision for not providing companies with sufficient clarity as to what it expects in terms of their cybersecurity measures. So we thought it would be helpful to see if the FTC’s cybersecurity settlements in 2019 provide any guidance for what the FTC believes companies should (and should not) be doing to protect consumer data.

The EPPO and International Co-Operation – New Kid on the Block

by Karolos Seeger, Jane Shvets, Robin Lööf, Alma M. Mozetič, Martha Hirst, Antoine Kirry, Alexandre Bisch, Ariane Fleuriot, Dr. Thomas Schürrle, Dr. Friedrich Popp, Dr. Oliver Krauß

The European Public Prosecutor’s Office (“EPPO”) is a new European Union body responsible for investigating and prosecuting criminal offences affecting the EU’s financial interests in 22 of its 28 Member States.[1] The EPPO is expected to begin investigations in November 2020.

Fraud against the financial interests of the EU is an international phenomenon: in 2018, the European Anti-Fraud Office (“OLAF”) concluded 84 investigations into the use of EU funds, 37 of which concerned countries outside the EU.[2] In this part of our series of analyses of the EPPO[3] we, therefore, consider the framework for the EPPO’s future international co-operation. This includes dealings with enforcement authorities in non-participating EU Member States as well as the rest of the world.


A 14.5 Million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

by Avi Gesser, Matthew Kelly, Will Schildknecht, Dr. Vera Jungkind (Hengeler Mueller), and Dr. Carolin Raspé (Hengeler Mueller)

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program. For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks. Companies that have implemented effective data minimization programs are careful to collect only the data that they are likely to use, and routinely get rid of old data that they no longer need, thereby significantly reducing their data protection risks. A recent enforcement action by the Berlin Data Protection Commissioner echoes recent U.S. regulatory developments in suggesting that companies without data minimization procedures face not only increased cybersecurity and privacy risks, but also regulatory risks—ones that can lead to penalties even when they don’t lead to a specific cyber incident. In other words, data minimization is becoming a stand-alone regulatory obligation, in addition to being a key component of cybersecurity best practices.

The Incomparable Value of Service in Secret: Lessons from the SEC’s Office of the Whistleblower

by Jordan A. Thomas

Nearly ten years ago, following a global financial collapse spurred by serial wrongdoing, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act. Within its 2,000 pages of sweeping reform was the charge to establish an investor protection initiative, which emerged as the SEC Whistleblower Program. Its three pillars—anonymity safeguards, substantial monetary bounties, and significant employment protections—shaped a first-of-its-kind paradigm to encourage individuals to report suspected violations of the federal securities laws. The formidable combination of these programmatic mainstays and an enforcer armed with early actionable intelligence has proven to be a game changer. It’s not just recoveries and reform, however. Behind the results, including in the just-released Office of the Whistleblower’s Annual Report to Congress, stand everyday people willing to take a bold step forward, to be the outsider and the anti-hero, no matter the size of Goliath and his balance sheet.