Author Archives: Sabrina Solow

The Status of DOJ Enforcement of PPP Fraud

by Sabrina Solow

A year into his presidency, President Biden’s Department of Justice continues vigorously to prosecute perpetrators of Paycheck Protection Program (PPP) fraud. Biden’s DOJ has not shied away from prosecuting individuals for PPP fraud and in recent months has issued several PPP fraud Press Releases.


German Court Rules Transfer of Personal Data to US-Based Cookie Provider Requires Cross-Border Mechanism Under GDPR, Even if Data Never Leaves EEA

by Camille Vermosen, Alexander Altman, and Jami Mills Vibbert

On December 1, 2021, a Wiesbaden Administrative Court in Germany held that companies may not use a cookie management provider that relies on a US-based service to collect personal data, regardless of whether data leaves the European Economic Area (EEA), without an adequate transfer mechanism. Article 44 of the General Data Protection Regulation (GDPR) prohibits “transfers” of personal data from the EEA to another jurisdiction unless a specific transfer mechanism (set forth in Articles 45 through 48) is in place or a derogation from the prohibition (Article 49) applies. The ruling here assumes that a cross-border “transfer” subject to Article 44 occurs—even if data never actually leaves the EEA—if the recipient of data may formally be subject to data production requests by non-EEA authorities. This reasoning, if adopted outside of the cookie context and by other courts and data protection authorities, could effectively prohibit US-based companies from processing personal data in the EEA without ensuring appropriate transfer mechanisms and additional safeguards are in place.


SEC Cybersecurity Update: Chair Gensler Offers Insight into Upcoming Regulation

by Avi Gesser, Charu Chandrasekhar, Christopher Ford, HJ Brehmer, and Matthew Rametta

On January 24, 2022, SEC Chair Gary Gensler gave a speech on cybersecurity rulemaking to the Annual Securities Regulation Institute, outlining a number of key points he expects the SEC will consider in 2022 and emphasizing the SEC’s “key role” on the federal government’s “Team Cyber.” A number of these proposed changes – including broadening the scope of existing SEC regulations, enhancing SEC requirements for cyber hygiene, and increasing attention to public company disclosures – were among the trends that members of the Debevoise Data Strategy & Security and White Collar & Regulatory Defense practice groups discussed during a November 2021 webcast on the SEC’s Cybersecurity Year in Review, as well as in our prior Data Blog posts (here and here).


Economic Sanctions: Developments and Considerations for Board Members

by Chase D. Kaniecki and Samuel H. Chang

U.S. sanctions policy in the first year of the Biden administration saw both change and continuity. As expected, the administration sought to cooperate with allies to impose multilateral (rather than unilateral) sanctions, focused on human rights abuses and opened the door for a new nuclear deal with Iran. At the same time, the administration continued to focus on virtual currencies and on combating illicit cyber activities relating to ransomware, and clarified (and in some respects expanded) sanctions issued under the Trump administration targeting Chinese companies deemed to be part of the Chinese military-industrial complex.[1]

In 2022, boards of directors should be aware of continued regulatory focus on virtual currencies and ransomware, potential divergences and conflicts across new global sanctions regimes and potential sanctions developments relating to Russia, Iran and China.


Regulatory Risks of the Log4j Vulnerability: FTC Warns Companies to Take Reasonable Steps to Protect Consumer Data

by Luke Dembosky, Avi Gesser, and Michael R. Roberts

Be prepared for increasing scrutiny from the Federal Trade Commission (“FTC”) and other regulators regarding the Log4j vulnerability. The attention of the cybersecurity community has been captured by the recently disclosed critical vulnerability in the widely used, open-source Java logging package, Log4j (CVE-2021-44228), and other subsequently announced related vulnerabilities; the vulnerability is reportedly being “widely exploited” by attackers and “poses a severe risk,” according to the Cybersecurity & Infrastructure Security Agency (“CISA”) and other technical experts. CISA issued Emergency Directive 22-02 on December 17, 2021, which directs federal civilian executive branch agencies to address Log4j vulnerabilities immediately through patching or other mitigation measures. And now regulators, most notably the FTC, have begun to issue positions on the need for companies and their vendors to remediate the Log4j vulnerability and the enforcement risks that could be presented if a company or its vendors fail to do so.


UK Financial Conduct Authority Imposes £264.8 Million Criminal Penalty on National Westminster Bank for Serious Anti-Money Laundering Violations

by Jonathan J. Rusch

For the better part of a decade, the Financial Conduct Authority (FCA) has operated as the United Kingdom’s leading regulator of the financial services industry.[1] Like financial regulators in various other countries, it wields considerable civil and administrative authority in carrying out its missions to protect consumers, maintain stability in the financial sector, and oversee competition in that sector.

Unlike many financial regulators, however, the FCA also has the power to initiate criminal proceedings against individuals and corporate entities for a wide range of criminal offences in England, Wales, and Northern Ireland.[2] Since its creation in 2013, the FCA has brought criminal prosecutions against a number of individuals.[3] Until 2021, however, it had never done so against any firm.

On December 13, 2021, the FCA announced that a major United Kingdom bank, National Westminster Bank Plc (NatWest), had been sentenced to a fine of £264,772,619.95, based on NatWest’s prior guilty plea to three violations of the United Kingdom Money Laundering Regulations.[4] Because this case is the first of its kind for FCA criminal enforcement in general, and for FCA anti-money laundering (AML) enforcement in particular, this post will discuss key elements of the NatWest resolution.


New York City Enacts Law Restricting Use of Artificial Intelligence in Employment Decisions

by Danielle J. Moss, Harris M. Mufson, Gabrielle Levin, and Meika Freeman

Effective January 1, 2023, New York City employers will be restricted from using artificial intelligence machine-learning products in hiring and promotion decisions. In advance of the effective date, employers who already rely upon these AI products may want to begin preparing to ensure that their use comports with the new law’s vetting and notice requirements.

The new law governs employers’ use of “automated employment decision tools,” defined as “any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons.”


Assistant Attorney General Talks About DOJ Criminal Division Priorities, Where Resources Are Going

by Valarie Hays and Michael Kim Krouse

The Assistant Attorney General (AAG) for the Criminal Division, Kenneth Polite, Jr.—who previously held positions as a US Attorney, law firm partner, and in-house counsel—was interviewed Wednesday, December 1, at the American Conference Institute’s Foreign Corrupt Practices Act (FCPA) conference.

Here are some key takeaways from the wide-ranging discussion:


Banking Regulators Finalize 36-Hour Data Breach Notification Rule

by Luke Dembosky, Avi Gesser, Satish Kini, Gregory Lyons, Johanna Skrzypczyk, Christopher Ford, Alex Mogul, and Erik Rubinstein

On November 18, 2021, federal banking regulators published a Final Rule that imposes new notification requirements on banking organizations for certain cybersecurity incidents.

Most significantly, the Final Rule requires that banking organizations notify their primary federal regulator within 36 hours after experiencing a material or potentially material cybersecurity event.

The Final Rule will go into effect on April 1, 2022, with a required compliance date of May 1, 2022.

The regulators – the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) – first published a proposed rule about ten months ago, which we covered on the Data Blog. Much of the proposed rule was carried over into the Final Rule, but there are a few key differences, which we identify below.
