Author Archives: Cara Ortiz

Fifth Circuit Vacates $4.3M in HIPAA Civil Penalties, Offering New View of HHS Regulations

by David P. Saunders and Allison N. Glover

On January 14, 2021, the Fifth Circuit vacated a $4.3 million penalty imposed by the U.S. Department of Health and Human Services (HHS) on M.D. Anderson Cancer Center (M.D. Anderson) in connection with three data incidents experienced by the center. University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-6022 (5th Cir. January 14, 2021). In vacating the penalty, the Fifth Circuit held that (1) HHS had not shown that the loss of unencrypted electronic protected health information (PHI) on its own was sufficient to demonstrate a breach of any HIPAA rules and (2) the penalty imposed on M.D. Anderson was arbitrary, capricious, and unlawful because it exceeded HHS’ authority. Id. The Court’s decision could have ripple effects for the future of HIPAA enforcement actions, including spurring HHS to create new regulations. In the meantime, the University of Texas ruling could mean that fewer companies will report lost or stolen devices as a HIPAA data breach, turning years of prior practice on its head. Either way, the Fifth Circuit’s decision is a big one in terms of HIPAA enforcement.


Court Chips Away at Privilege Protections for Cyber Forensic Reports

by Jim Pastore, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Corey Goldstein, and Mengyi Xu

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”) —and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”). See Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021). The court rejected claims the Report was protected by the work-product doctrine and attorney-client privilege.


Congress Passes Anti-Money Laundering Legislation Banning Anonymous Shell Companies

by Andrew Weissmann, David Bitkower, Tali R. Leinwand, Sarah F. Weiss, E.K. McWilliams, and Wade A. Thomson

Last week, a law designed to thwart the use of US shell companies by drug traffickers, terrorists, foreign adversaries, and others seeking to shield the provenance of their funds cleared Congress with bipartisan support. The Senate joined the House in overriding President Donald Trump’s veto of the National Defense Authorization Act for Fiscal Year 2021 (NDAA), which includes a variety of reforms to anti-money laundering (AML) laws.

The key reform requires certain companies to disclose their ultimate owners to the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), making it harder for certain criminals to manipulate shell companies to launder money or evade taxes.[1] Although the law has various loopholes, it enhances the government’s ability to detect and deter the use of shell companies to commit crime.


SEC Risk Alert Highlights Registered Investment Adviser Compliance Deficiencies

by Michael Osnato, Jr., David Blass, Allison Scher Bernbach, Meaghan A. Kelly, Meredith J. Abrams, and Manny M. Halberstam

Last month, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) published a Risk Alert (the “Risk Alert”)[1] providing an overview of registered investment adviser compliance issues identified by OCIE related to Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”).[2]

The Risk Alert identified a number of Compliance Rule deficiencies that OCIE staff observed in its recent adviser exams. One type of deficiency it discusses is failures by advisers to devote adequate resources, such as information technology, staff and training, to their compliance programs. OCIE staff also observed chief compliance officers (“CCOs”) who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures. In addition, OCIE staff observed certain deficiencies pertaining to advisers’ annual compliance program reviews.


The Rise of DDoS Ransom Attacks – How to Prevent and Respond

by Luke Dembosky and Avi Gesser

We have recently written about the persistence of the four most common varieties of cyberattacks: Ransomware, Phishing, Business Email Compromises, and Credential Stuffing, as well as the increased regulatory scrutiny that companies face when they fall victim to these attacks. Over the last few months, we have observed an increase in another form of cybersecurity threat: DDoS ransom attacks, in which cybercriminals demand a large payment from a company in exchange for not launching a distributed denial-of-service (“DDoS”) attack designed to bring down the company’s website. In this post, we discuss the characteristics of these attacks and the steps companies can take to prevent them and mitigate the damage they cause.


The Evolving Role of Investor Protection at the PCAOB (Part II of II)

by J. Robert Brown, Jr.

These remarks have been edited for length and are being published in two parts. The following post is Part II of J. Robert Brown, Jr.’s prepared remarks delivered on November 6, 2020 at the 50th World Continuous Auditing & Reporting Symposium. As Mr. Brown noted at the beginning of his remarks, the views he expressed therein are his own and do not necessarily reflect the views of his fellow Board members or the staff of the PCAOB.

Accountability and Public Input

With respect to the PCAOB’s mission, transparency is necessary but not sufficient. Transparency is no guarantee of actual participation. For this to occur, the PCAOB must put in place structures that ensure investors have clear, consistent and recognized avenues for input. In doing so, the PCAOB should ensure that input is sought from underrepresented segments of the investor community.


The Evolving Role of Investor Protection at the PCAOB

by J. Robert Brown, Jr.

These remarks have been edited for length and are being published in two parts. The following post is Part I of J. Robert Brown, Jr.’s prepared remarks delivered on November 6, 2020 at the 50th World Continuous Auditing & Reporting Symposium. As Mr. Brown noted at the beginning of his remarks, the views he expressed therein are his own and do not necessarily reflect the views of his fellow Board members or the staff of the PCAOB.

The concept of continuous auditing is critical to the future of the audit profession. The issue goes to the heart of the relevancy of the audit. I have, in the past, talked about audit relevancy and the risks that, without changes, the profession may confront extinction.[1]

My view was, and still is, that the role of the auditor in providing assurance for information outside of the financial statements should be modernized. This type of disclosure is increasingly used by investors and other participants in the capital markets. Investors rely on non-GAAP measures, key performance indicators, and environmental, social, and governance (ESG) metrics to make investment and voting decisions.

I believe that the Public Company Accounting Oversight Board (PCAOB) is in a good position to lead the discussions on the role, if any, of auditors, in providing assurance on these metrics.


Post-Election Privacy Law Prospects

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Frank Colleluori, Mengyi Xu, Jeffrey Cunard, Luke Dembosky, and Tigist Kassahun

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below we sum up these important changes emerging from Sacramento. We also note some possible Election Day impacts on the privacy law reforms that have been percolating in Washington, D.C.


Key Takeaways From Bank Regulatory Enforcement Actions Against Citi

by Stephen Cutler, Lee Meyerson, Keith Noreika, Adam Cohen, and Spencer Sloan

On October 7, the Office of the Comptroller of the Currency assessed a $400 million civil money penalty against Citibank, N.A. related to deficiencies in enterprise-wide risk management, compliance risk management, data governance and internal controls, and issued a cease and desist order requiring Citibank to take comprehensive corrective actions. Concurrently, the Federal Reserve issued a separate cease and desist order requiring Citibank’s parent, Citigroup Inc., to enhance its firm-wide risk management and internal controls as a result of Citigroup’s failure to adequately remediate “longstanding enterprise-wide risk management and control deficiencies” previously identified by the Federal Reserve in consent orders from 2013 and 2015.


SEC Signals Increased Penalties Post-Liu

by Robert Cohen and Stefani Johnson Myrick

A speech by the Director of Enforcement and several recent insider trading cases signal that the SEC will seek increased penalties in some cases in response to the Supreme Court’s disgorgement decision.

As we explained in our recent Client Memorandum, the Supreme Court in Liu v. Securities and Exchange Commission recently upheld the SEC’s authority to seek disgorgement in district court actions. The Court identified principles that act as limitations on that authority, such as a requirement that the SEC distribute disgorgement to victims. The decision left open the question of whether the SEC may seek disgorgement when such a distribution is infeasible.
