
DOJ Tells Tech Companies to Develop “Responsible Encryption”

by Laura Goodall, Michael Mugmon, and John F. Walsh

On November 29, 2018, in a speech at the Georgetown University Law School, Deputy Attorney General Rod Rosenstein renewed his call for tech companies to build into their products the means for law enforcement to legally access decrypted data, the development of so-called “responsible encryption.”[1] Mr. Rosenstein analogized such encryption to requirements that buildings disable elevators in the event of a fire but still retain firemen’s access, and he beseeched the private sector to work with the government to mitigate the security threats posed by rapid technological advances.

Summary of Mr. Rosenstein’s Address

Detailing the threat of ransomware, Mr. Rosenstein warned that the “malicious use of technology will be more pernicious and pervasive tomorrow than it is today, and even more difficult to combat.” To “forestall those ominous consequences,” he proposed three steps:

SEC’s First “Red Flags” Enforcement Case Focuses on Board’s Role

by Craig A. Newman

A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.

In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information including Social Security Numbers, account balances and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule.

New Guidance on the GDPR’s Territorial Scope – Are You Covered?

by Jeremy Feigelson, Jane Shvets, and Robert Maddox

The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?

There are five key takeaways from the Guidelines:

New DOJ Policy Revises “Yates Memorandum”

by Michael W. Peregrine and Rebecca Martin

A new Department of Justice policy (the “Policy”) modifies critical elements of the prominent 2015 “Yates Memorandum” on individual accountability. Introduced on November 29 by Deputy Attorney General Rod J. Rosenstein (the “DAG”), the Policy is manifested, in part, by specific revisions to the Justice Manual (previously referred to as the U.S. Attorneys’ Manual).

The Policy clarifies the relationship between the scope of a defendant’s disclosures regarding individuals and qualifying for cooperation credit, particularly in the context of civil litigation. In so doing, it also raises critical compliance oversight issues for corporate governance.

The Vital Report that Directors are Overlooking

by Stephen Stubben and Kyle Welch

With limited time, corporate directors are accustomed to monitoring firms by using aggregated information that is supplied by firms’ management. Nearly every task conducted by a board of directors involves data curated by employees working for a firm’s CEO. A critical challenge for directors is to be informed of important situations that may have been lost in data aggregation or that may have been selectively not reported. Indeed, this is why firms with stellar directors and high-quality external auditors still have major public debacles. One way a corporate director can obtain unfiltered information regarding a firm’s operations and potential problems within a firm is by reviewing reports made by employees through internal reporting systems (also known as internal whistleblowing systems). The problem with this solution is that there have been differing views and understandings as to how to appropriately manage these systems and interpret these submitted reports—until now.

Federal Privacy Legislation Is Coming. Maybe. Here’s What It Might Include

by Avi Gesser, Jon Leibowitz, Mathew Kelly, Joseph Kniaz, and Daniel F. Forester

Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws. These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification. Many leading tech companies, trade groups, and the U.S. Chamber of Commerce have voiced support for a national privacy law. On top of these domestic considerations, the EU’s General Data Protection Regulation (“GDPR”), a sweeping privacy law that affects many U.S. companies conducting business in the EU, is also now in effect. Several legislative proposals have been put forward in Congress, and we are starting to see the broad outlines of a potential law. But for many of the details, there is still nothing close to a consensus. Here are some of the issues that will likely be the subject of the most intense debate in the next congressional term:

OFAC Reaches Settlement with Cobham Holdings, Inc. for Violations Resulting from Deficient Screening Software

by H. Christopher Boehning, Jessica S. Carey, Michael E. Gertzman, Roberto J. Gonzalez, Brad S. Karp, Richard S. Elliott, Rachel M. Fiorill, and Karen R. King

On November 27, 2018, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) announced a nearly $90,000 settlement agreement with Virginia-based Cobham Holdings, Inc. (“Cobham”), a global provider of technology and services in aviation, electronics, communications, and defense, on behalf of its former subsidiary, Aeroflex/Metelics, Inc. (“Metelics”).[1] The settlement involves three shipments of goods through distributors in Canada and Russia to an entity that did not appear on OFAC’s Specially Designated Nationals and Blocked Persons List (the “SDN List”), but was blocked under OFAC’s “50% rule” because it was 51% owned by a company sanctioned under the Russia/Ukraine sanctions program. This is the second OFAC action of which we are aware that has relied on the 50% rule. The apparent violations appear to have been caused by Metelics’s (and Cobham’s) reliance on deficient third-party screening software.

While difficult to predict, OFAC’s decision to pursue this action—involving only three shipments, a violation of the 50 percent rule, and where the root cause of the apparent violations is attributable to deficient sanctions screening software—may signal a raising of OFAC’s compliance expectations, consistent with Treasury Under Secretary Sigal Mandelker’s warning in a recent speech that private sector companies “must do more to make sure [their] compliance systems are airtight.”[2]

Below, we describe the settlement, OFAC’s penalty calculation, and several lessons learned.

New Supervisory Rating System for Large Banking Organizations

by Sullivan & Cromwell LLP

Federal Reserve Establishes a New Rating System for the Supervision of Large Financial Institutions

Summary

On November 2, the Board of Governors of the Federal Reserve System (the “FRB”) issued a final rule (the “Final Rule”) that establishes a new rating system for the supervision of large financial institutions (“LFIs”). The LFI rating system applies to all bank holding companies with total consolidated assets of $100 billion or more; all non-insurance, non-commercial savings and loan holding companies with total consolidated assets of $100 billion or more; and all U.S. intermediate holding companies of foreign banking organizations with total consolidated assets of $50 billion or more.[1] The LFI rating system is designed to align with the FRB’s existing supervisory program for LFIs,[2] enhance the clarity and consistency of supervisory assessments, and provide greater transparency regarding the consequences of a given rating. For LFIs, the new rating system replaces the RFI/C(D) rating system currently used by the FRB for holding companies of all sizes.[3]

France Boosts Tax Fraud Prosecution

by Antoine F. Kirry, Frederick T. Davis, Eric Bérengier, Alexandre Bisch, Robin Lööf, Aymeric D. Dumoulin, Alice Stosskopf, Fanny Gauthier, and Line Chataud

On October 23, 2018, the French Parliament enacted a law aimed at combatting fraud (the “Law”).[1] The most innovative provisions of the Law change key procedural aspects of tax law enforcement, which is likely to result in an increased number of criminal tax fraud prosecutions against both individuals and legal entities. The Law also addresses customs and social security frauds.

Tax Fraud Prosecution: Open the Floodgates

Getting Comfortable with Collective Knowledge

by Mihailis E. Diamantis

Doctrines for attributing knowledge to corporations seem to be stuck between doing far too little and the risk of doing far too much. Respondeat superior forces plaintiffs and prosecutors to find a single corporate employee with all the relevant knowledge.[1] This means corporations automatically win against knowledge-based allegations when, as will predictably happen, knowledge is dispersed across corporate personnel. The familiar solution is to introduce some way to aggregate knowledge. But the doctrine that does just that—the collective knowledge doctrine—has met with widespread skepticism.[2] The worry is that the collective knowledge doctrine treats corporations as knowing too much by triggering knowledge-based penalties for mere negligence in maintaining lines of communication.[3] As a result, few courts have adopted the collective knowledge doctrine since it was introduced more than thirty years ago.[4]

If judges and scholars are ever going to get comfortable with moving beyond respondeat superior, they need to think hard about the informational logic of the collective knowledge doctrine. As I argue in a working paper, The Corporation and the Epistemologist,[5] that logic is poorly understood. Discussions vacillate without warning between two versions of the doctrine: one of which is entirely toothless, the other of which is worryingly permissive. Once these two versions are distinguished, the search for a happy compromise can begin.