Author Archives: Joseph P Facciponti

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

by Avi Gesser, Matt Kelly, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, Ned Terrace, Mengyi Xu, and Amer Mneimneh

Top: Avi Gesser, Matt Kelly, and Johanna N. Skrzypczyk. Bottom: H. Jacqueline Brehmer, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • On November 22, 2024, the California Privacy Protection Agency (CPPA) launched a formal public comment period on its draft regulations addressing annual cybersecurity audits and other privacy obligations under the California Consumer Privacy Act (CCPA).
  • These proposed rules aim to establish robust standards for thorough and independent cybersecurity audits, delineating both procedural and substantive requirements for businesses processing personal information.
  • In this update, we provide an overview of the new cybersecurity audit provisions, including key thresholds for applicability, detailed audit expectations, and the evolving regulatory landscape shaping cybersecurity compliance.

TD Bank Pleads Guilty to Bank Secrecy Act and Money Laundering Conspiracy Violations and Agrees to Pay More Than $3.09 Billion in Criminal and Civil Penalties for “Systemic Breakdown” in Compliance Policies, Procedures, and Processes

by Jonathan J. Rusch

Photo courtesy of the author

In any corporate compliance program, chief compliance officers must be mindful that their programs are not guaranteed to maintain consistent levels of funding from year to year.  Factors such as expanding or contracting business operations, declining business conditions, or external events such as recessions or COVID may require various year-to-year adjustments in a compliance program’s staffing levels and internal controls operations.[1]

Even so, it is essential that senior management in any company or financial institution recognize and accept the fact that at all times, the compliance programs in their enterprise must be adequately resourced and empowered to function effectively.[2] What a company’s senior leadership may not do, under any circumstances, is to make decisions that, over time, systematically starve critical compliance programs of resources essential to the effectiveness of those programs.

Major Takeaways from the CFTC Whistleblower Program’s 2024 Annual Report

by Andrew Feller and Geoff Schweller

Andrew Feller and Geoff Schweller (photos courtesy of Kohn, Kohn & Colapinto, LLP)

On November 15, the U.S. Commodity Futures Trading Commission (CFTC) released its annual report on its Whistleblower Program and Customer Education Initiatives for the 2024 fiscal year. Since it was established in 2010, the CFTC Whistleblower Program, which offers anonymous reporting channels and monetary awards to commodities whistleblowers, has grown into a critical piece of the CFTC’s enforcement arsenal.

The report details what was a record year for the CFTC Whistleblower Program, with the highest-ever number of both whistleblower tips and award applications received and the most award orders issued in a single fiscal year. Ironically, however, due to its growth and success, the program faces a funding crisis threatening to undermine the program.

Cryptoasset Developments: Prospects for Legal Clarity

by Kevin S. Schwartz, David M. Adlerstein, Samantha M. Altschuler, and Sabina M. Beleuz Neagu

Left to Right: Kevin S. Schwartz, David M. Adlerstein, Samantha M. Altschuler, and Sabina M. Beleuz Neagu (photos courtesy of Wachtell, Lipton, Rosen & Katz)

A resilient cryptoasset industry is emerging from weathering years of headwinds — from edicts prohibiting the banking of the industry, to an SEC leadership bent on aggressive regulation-by-enforcement in lieu of transparent rulemaking. Looking ahead, tailwinds abound: Bitcoin and Ether exchange-traded products, approved just this year, already have over $150 billion in assets under management. Leading financial institutions have announced plans to tokenize substantial new funds on public blockchains. And tens of millions of Americans own cryptoassets, as use cases continue to proliferate — from payments for goods and services, both on- and off-blockchain; to decentralized financial (DeFi) platforms; to the authentication of content provenance (an essential need amidst AI’s rapid development). With a new Administration and Congress in the offing, there are at last prospects for regulatory clarity in an arena long clouded by uncertainty.

An Update on SEC Cybersecurity Reporting

by Scott Kimpel

Photo courtesy of Hunton Andrews Kurth LLP

As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission (“SEC”) reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.

Background on SEC Reporting Rules

Under the SEC’s rules, Item 1.05 of Form 8-K generally requires public companies in the United States to disclose material cybersecurity incidents within four business days of determining that the incident is material. The disclosure must contain the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition and its results of operations. For these purposes, SEC rules define “cybersecurity incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

AI Judgment Rule(s)

by Katja Langenbucher

Photo courtesy of author

In an upcoming paper, I explore whether the use of AI to enhance decision-making brings about radical change for legal doctrine or, by contrast, is just another new tool. The essay submits that we must rethink the law’s implicit assumption that (and how) humans make the decisions that corporate law regulates. If there is movement in implicit assumptions about how people make decisions, legal rules need review.

Decision-making is the cornerstone of corporate life and of keen interest to a variety of scholarly disciplines. They range from rational-actor theories over behavioral approaches to neuro-economics and psychology. The law has its own theories on decision-making. Many are normative and specify decision procedures and outcomes. In addition, the law rests on implicit theories of decision-making: A legal rule will look different if, for instance, it assumes either that decision-making follows optimal choice patterns or that heuristics and biases guide human decisions.

U.S. Authorities Charge Adani Defendants with Integrity Washing

by Kevin E. Davis

Photo courtesy of NYU

Gautam Adani is the founder of one of India’s largest conglomerates and ranks among the country’s prominent business people. He and his nephew Sagar Adani are learning the hard way that, in the U.S. legal system, the coverup can be treated just about as severely as the crime.

The Department of Justice and the Securities and Exchange Commission have accused the Adani defendants of collaborating with executives of a U.S.-listed Mauritian company called Azure Power Global Ltd. in a massive bribery scheme. The conspirators allegedly paid over USD 250 million in bribes to officials in the governments of several Indian states. The bribes were to induce the officials to purchase power that would be supplied by Adani Green Energy Ltd., an Indian company controlled by the Adani defendants, as well as Azure.

Protecting Consumers’ Location Data: Key Takeaways from Four Recent Cases

by Bhavna Changrani

Photo courtesy of the author

Since the start of this year, the FTC has announced four groundbreaking cases addressing issues with how businesses collect and, in some cases, misuse people’s location data. If your business collects, buys, sells, or uses location data, take a minute to read about the FTC’s most recent enforcement actions against data brokers and aggregators — Mobilewalla, Gravy/Venntel, InMarket, and X-Mode/Outlogic — and consider these takeaways:

SEC Acting Director of Enforcement Delivers Remarks at PCCE’s Fall Conference

On November 22, 2024, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a conference titled “New Directions in Corporate and Individual Enforcement.”  At the conference, Sanjay Wadhwa, Acting Director of Enforcement, Securities and Exchange Commission (SEC), delivered remarks on the SEC’s enforcement priorities and enforcement policy, which are reprinted below and available on the SEC’s website here.  After his remarks, Wadhwa participated in a fireside chat with PCCE’s Executive Director, Joseph Facciponti.

Sanjay Wadhwa (©Hollenshead: Courtesy of NYU Photo Bureau)

Good afternoon. Thank you to the Program on Corporate Compliance and Enforcement for the opportunity to speak to you all.

DOJ Announces Changes to Corporate Enforcement Policy at PCCE’s Fall Conference

On November 22, 2024, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a conference titled “New Directions in Corporate and Individual Enforcement.”  At the conference, Nicole Argentieri, Principal Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice (DOJ), delivered remarks on DOJ’s corporate enforcement policies, including recent policy changes. A note on DOJ’s blog regarding these changes is reprinted below and is available here. More resources on DOJ’s corporate enforcement policies are available here.

Nicole Argentieri, Principal Deputy Assistant Attorney General, DOJ (©Hollenshead: Courtesy of NYU Photo Bureau)

Courtesy of Principal Deputy Assistant Attorney General Nicole M. Argentieri

A crucial element of the Justice Department’s fight against white collar crime is transparency — being clear about what we at the department are doing and why. As someone who has spent significant time as a defense lawyer, I know from personal experience how important it is to be able to explain to your client — whether that client is an individual or a board of directors at a publicly traded company — what is happening in an investigation, how the government might view their actions, and the risks and the benefits of proceeding in a certain way.
