One of the Securities and Exchange Commission’s core enforcement powers may soon be overhauled or even scrapped entirely. For fifty years the SEC has sought “disgorgement” of the proceeds of unlawful activity as one of its main remedies in federal court, even though there is no explicit statutory authority for doing so. On March 3, 2020, the Supreme Court will hear oral argument in Charles C. Liu and Xin Wang v. SEC, No. 18-1501, in which the Justices have agreed to consider whether courts can order disgorgement as an “equitable remedy” for a violation of the securities laws. This post discusses the case’s legal backdrop, some of the ways the Court could decide it, and some of its potential consequences.
Author Archives: Felix Zhang
Proposed Modifications to CCPA Regulations—Top Takeaways
by Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Javier Alvarez-Oviedo, Jeremy C. Beutler, H Jacqueline Brehmer, Christopher S. Ford, and Kate Saba
On Friday evening, February 7, the California Attorney General released a new round of proposed changes to the draft regulations implementing the California Consumer Privacy Act. Some thoughts to help guide interested parties through the AG’s dense 32-page release (PDF: 1.25 MB), which redlines the proposed modifications against the prior draft regulations:
Guidance on “Personal Information”
The draft proposes to clarify the definition of “personal information,” which turns on whether the information can be associated or linked with a particular consumer or household. It then provides an example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
SEC Office of Compliance Inspections and Examinations (OCIE) Issues Observations on Cybersecurity and Resiliency Practices
by Greg D. Andres, Robert A. Cohen, Neil H. MacBride, Annette L. Nazareth, Margaret E. Tahyar, Leor Landa, Michael S. Hong, Matthew J. Bacal, Daniel F. Forester, and Matthew A. Kelly
The SEC Office of Compliance Inspections and Examinations (OCIE) recently published observations (PDF: 854 KB) related to cybersecurity and operational resiliency practices observed in its examinations. OCIE reiterated its continued focus on cybersecurity issues, citing eight risk alerts related to cybersecurity it has published over the last few years.[1] OCIE conducts examinations for compliance with Regulation S-P and S-ID, which apply to broker-dealers and investment advisers, and Regulation SCI, which applies to exchanges and other SCI entities. The publication provides important guidance to regulated entities about the likely subjects of SEC exams, the expectations of its examiners, and the subjects of potential enforcement referrals.
National Institute of Standards and Technology Releases Privacy Framework To Help Companies Address Privacy Risks
On January 16, the Commerce Department’s National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework: A Tool for Privacy Through Enterprise Risk Management. The product of a two-year consultation process with private- and public-sector stakeholders, the Privacy Framework sets out a group of voluntary standards and methods to help companies of all sizes in (i) “[t]aking privacy into account as they design and deploy systems, products, and services that affect individuals”; (ii) “[c]ommunicating about their privacy practices”; and (iii) “[e]ncouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)” personnel in the “achievement of [privacy] outcomes.” The Framework is thus intended to assist companies in “[b]uilding customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole”; “[f]ulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment”; and “[f]acilitating communication about privacy practices with individuals, business partners, assessors, and regulators.”
Comparing French and U.K. Guidance on Corporate Cooperation to U.S. Practices
by Keith D. Krakaur, Ryan D. Junck, Gary DiBianco, Elizabeth Robertson, Christopher Bolyai, Margot Sève, Vanessa K. McGoldrick, and Molly Brien
On June 27, 2019, the French Financial Prosecutor (“PNF”) and the French Anticorruption Agency (“AFA”) published joint guidelines regarding the legal framework governing French DPAs (“CJIPs”) that address the conditions necessary for companies to be considered for a CJIP, including expectations for cooperation during an investigation (“French CJIP Guidance”).[1] On August 6, 2019, the U.K. Serious Fraud Office (“SFO”) published Corporate Co-operation Guidance (“U.K. Co-operation Guidance”) as part of the SFO Operational Handbook, detailing the steps companies are expected to undertake to obtain cooperation credit.
Both sets of guidance demonstrate further alignment of those jurisdictions’ deferred prosecution agreement (“DPA”) regimes with long-standing practices in the U.S., albeit with some notable areas of divergence.
FTC Discusses Management and Board Roles as Core Elements of Revised Data Breach Enforcement Model
by Andrew R. Brownstein, Steven A. Rosenblum, John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors
In a blog post published this week, the Director of the FTC’s Consumer Protection Bureau detailed recent changes to the FTC’s baseline approach to remedial orders in data breach enforcement actions. The changes were spurred in part by a 2018 Court of Appeals decision (PDF: 125 KB) that found an FTC order’s requirement that a company implement “reasonable” data security measures to have been too vague to be enforceable. The FTC has reworked its routine enforcement practice to ensure that remedial data security orders include significantly greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.
Key Takeaways from the CFIUS Annual Report to Congress Covering Calendar Years 2016 and 2017
by Peter Thomas, Abram Ellis, George Wang, and Mick Tuesley
Introduction
On November 22, 2019, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) released its Annual Report to Congress, which includes trends and data on the number and types of transactions reported to the Committee during the 2016 and 2017 calendar years, the most recent years for which this data has been made available. CFIUS is an inter-agency committee with the statutory mandate to review certain foreign investment into the United States for national security concerns. The data and trends included in the Report provide key insights into the Committee’s review process. While the passage of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) has made significant changes to CFIUS’s jurisdiction and the CFIUS review process since the period covered by the report, the Committee’s report still offers important insights and trends regarding the countries and industry sectors involved in transactions notified to CFIUS.
For Those Seeking to Rival the United States at Corporate Criminal Enforcement: What You Should Know About the U.S. System’s Distinctive Roots
by Jennifer Arlen and Samuel W. Buell
The United States leads the rest of the world in successful corporate criminal enforcement actions against large multi-national firms, collecting enormous penalties and occupying center stage in the global enforcement arena. U.S. dominance draws its horsepower from two sources. The first, of course, is an extremely broad and easy-to-apply corporate liability rule, in the form of the respondeat superior doctrine. Under this rule, corporations are liable for all crimes committed by their employees in the scope of employment with some intent to benefit the firm. The second is the power granted to prosecutors to negotiate and settle cases, most often through deferred and non-prosecution agreements (DPAs and NPAs), by agreeing to reduce sanctions and to refrain from seeking conviction of firms that either discover and report crimes by their employees or fully cooperate by providing enforcers with the evidence needed to prove such offenses. Thus was born a system in which private business bears much of the cost of public enforcement, and in which—resource constraints aside—prosecutors are better able to police offenses committed in the uniquely opaque and complex setting of the large business firm.
This now familiar story oversimplifies how the U.S. system has enabled prosecutors to be so successful pursuing criminal cases against large corporations. An additional set of doctrines is vital to the success of the U.S. system of corporate criminal enforcement. Enforcement authorities cannot succeed without the ability to investigate complex corporate crimes by obtaining witness testimony, documents, and data. U.S. prosecutors have benefited greatly from their ability to shift the locus of investigation from the public to the private sector because, in the United States, in contrast to many other countries, a variety of laws—such as those governing self-incrimination, employee rights, legal privileges, and data privacy—enable private investigators to collect, and then provide to the government, evidence that government investigators could not so readily obtain themselves.
DOJ Clarifies Corporate Enforcement Policy
by Greg D. Andres, Martine M. Beamon, Angela T. Burgess, Tatiana R. Martins, Robert A. Cohen, Neil H. MacBride, Paul J. Nathanson, Linda Chatman Thomsen, Kenneth L. Wainstein, and Patrick S. Sinclair
On November 20, 2019, the Department of Justice (“DOJ”) modified its Corporate Enforcement Policy to clarify what level of disclosure is expected from companies in the early stages of an investigation. In short, the Policy reaffirms that companies should disclose known information—and the individuals involved—at the outset of investigations, while recognizing companies may not yet know all the relevant facts or individuals at that time.
The Corporate Enforcement Policy, first introduced as a pilot program concerning FCPA-related investigations in April 2016 and formalized in November 2017 by then–Deputy Attorney General Rod Rosenstein, offers incentives to companies that voluntarily disclose misconduct, timely remediate, and cooperate fully with the DOJ. Absent certain aggravating circumstances, a company following these steps can receive a declination assuming it fully disgorges any associated profits.[1] In March 2018, DOJ extended the Corporate Enforcement Policy beyond FCPA violations as nonbinding guidance concerning any corporate investigation. Since the Policy was introduced, DOJ has issued thirteen public FCPA declinations under its terms.[2]
SEED Findings on the SEC Enforcement Actions Against Public Companies and Their Subsidiaries in Fiscal Year 2019
by Anat Carmy-Wiechman, Giovanni Patti, and Peter Robau
As the second fiscal year of Chairman Jay Clayton’s tenure at the SEC ends, a look at the Commission’s enforcement actions against public companies and their subsidiaries may help to understand the new enforcement priorities at the SEC. In a new report (PDF: 995 KB), the NYU Pollack Center for Law & Business, in collaboration with Cornerstone Research, investigated recent trends in enforcement via the Securities Enforcement Empirical Database (SEED). Below, we highlight some of the key findings.