Author Archives: Judy Jiang

FTC Announces New Enforcement Initiative Targeting Deceptive AI Practices

by Robert A. Cohen, James W. Haldin, Daniel S. Kahn, Maude Paquin, and Michael Scheinkman

Photos of the authors

Left to right: Robert A. Cohen, James W. Haldin, Daniel S. Kahn, Maude Paquin, and Michael Scheinkman (Photos courtesy of Davis Polk & Wardwell LLP)

The Federal Trade Commission launched Operation AI Comply, announcing enforcement actions against five companies for alleged deception regarding artificial intelligence.  The FTC’s actions mark the latest U.S. scrutiny of AI-related misconduct. 

Background

On September 25, 2024, as part of a new enforcement “sweep” called Operation AI Comply, the FTC announced enforcement actions against five companies that allegedly used artificial intelligence (AI) to “supercharge deceptive or unfair conduct that harms consumers.”  According to the FTC, these cases showcase how “hype surrounding AI” is used to “lure consumers into bogus schemes” and to provide AI-based tools that themselves can be used to deceive consumers.  In announcing the actions, FTC Chair Lina Khan stated that “[t]he FTC’s enforcement actions make clear that there is no AI exemption from the laws on the books.”

Continue reading

Avoid Kicking the Hornet’s Nest: A Fresh Look at How to Anticipate, Avoid, and Respond to BIS Administrative Subpoenas (Part 2)

by Brent Carlson and Michael Huneke

Photos of authors.

Brent Carlson and Michael Huneke (photos courtesy of authors)

In Part 2 we pick up where we left off in Part 1 to continue our discussion of how best to avoid an administrative subpoena. We then discuss how best to respond, if and when they cannot be avoided, and conclude with some practical guidance.

Avoid:  How to Dissuade BIS from Resorting to Administrative Subpoenas (Continued)

Prepare well for outreach visits

Companies should prepare for outreach visits. Persons who will be meeting or speaking with OEE agents should be well prepared to do so with an eye toward and an awareness of the implications of the information and representations they are providing to BIS. Any and all information that company representatives provide to BIS representatives is fair game for future enforcement and for sharing with other U.S. agencies.

Continue reading

Avoid Kicking the Hornet’s Nest: A Fresh Look at How to Anticipate, Avoid, and Respond to BIS Administrative Subpoenas (Part 1)

by Brent Carlson and Michael Huneke

Photos of authors.

Brent Carlson and Michael Huneke (photos courtesy of authors)

Anticipating, avoiding, and responding to administrative subpoenas pose the next in a long line of challenges facing U.S. companies and their legal and compliance teams as the new wave of export controls enforcement unfolds.

The Department of Commerce’s Bureau of Industry & Security (“BIS”) has primed the corporate enforcement engine[1] through (1) public guidance identifying “red flags” indicating a “high probability” of diversion in violation of U.S. export controls, (2) successful criminal prosecutions in partnership with the U.S. Department of Justice (“DOJ”) in the Disruptive Technology Strike Force of intermediaries facilitating diversion,[2] and (3) “supplier list” and “red flag” letters warning companies of the risks of diversion posed by certain counterparties.[3]

Continue reading

Summer Takeaways in SEC Enforcement

by John F. Savarese and 

Photos of authors.

Left to Right: John F. Savarese, Wayne M. Carlin and David B. Anders (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

With the Labor Day holiday now behind us, it is a good time to review the SEC’s active enforcement docket and to look ahead to likely areas of continuing enforcement attention as we head into the fall.  The record over the past few months reflects a continuing emphasis on certain major program areas, along with progress on a new enforcement initiative:

Whistleblower Awards.  The whistleblower program continues to be a tremendous source of investigative leads for the enforcement staff.  In July and August alone, the SEC announced bounty payments to six whistleblowers totaling $196 million.  These announcements included an award of $82 million to a single individual who provided information that led to the opening of an investigation.  In addition, two separate whistleblowers received awards of $37 million each in connection with different matters.

Continue reading

Dutch Data Protection Authority Imposes a Fine of 290 Million Euros on Uber

by Sarah Pearce and Ashley Webber

Photos of authors.

Left to right: Sarah Pearce and Ashley Webber (Photos courtesy of the Hunton Andrews Kurth LLP)

On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”), as lead supervisory authority, announced that it had imposed a fine of 290 million euros ($324 million) on Uber.  The fine related to violations of the international transfer requirements under the EU General Data Protection Regulation (the “GDPR”). 

The Dutch DPA launched an investigation into Uber following complaints from more than 170 French Uber drivers to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Authority (the “CNIL”).  The CNIL then forwarded the complaints to the Dutch DPA as lead supervisory authority for Uber.

Continue reading

DOD’s CMMC 2.0 Program Takes Step Forward with Release of Contract Rule Proposal

by Beth Burgin Waller and Patrick J. Austin

Photos of authors.

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The United States Department of Defense (DoD) took another big step on the path to instituting its highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0). Once finalized, CMMC 2.0 will establish and govern cybersecurity standards for defense contractors and subcontractors.

On August 15, 2024, DoD submitted a proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS rule effectively supplements DoD’s proposed rule published in December 2023 by providing guidance to contracting officers, setting forth a standard contract clause to be used in all contracts covered by the CMMC 2.0 program, DFARS 252.204-7021, and setting forth a standard solicitation provision that must be used solicitations for contracts covered by the CMMC 2.0 program, DFARS 252.204-7YYY (number to be added when the rule is finalized).

There is a 60-day comment period for the DFARS proposed rule, meaning individuals have until October 15, 2024, to provide public feedback on the proposal.

Continue reading

DOJ Launches New Whistleblower Incentive Program

by Kevin ChambersTerra ReynoldsDouglas K. Yatter, and Lilia B. Vazova

Photos of authors.

From left to right: Kevin Chambers, Terra Reynolds, Douglas K. Yatter, and Lilia B. Vazova. (Photos courtesy of Latham & Watkins LLP)

DOJ’s pilot program aims to fill gaps in existing federal whistleblower programs and incentivize prompt corporate self-disclosure alongside individual whistleblower tips.

Following the March 2024 announcement of its intention to introduce a new corporate whistleblower incentive program, on August 1, 2024, the Department of Justice (DOJ) launched a three-year pilot program for rewarding whistleblowers who alert DOJ to significant corporate misconduct. DOJ’s new program, modeled after whistleblower programs run by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Financial Crimes Enforcement Network (FinCEN), may generate a significant number of tips about potential misconduct and adds an important new dimension for companies’ compliance measures and handling of investigations.

Continue reading

The EU AI Act is Officially Passed – What We Know and What’s Still Unclear

by Avi Gesser, Matt KellyRobert Maddox, and Martha Hirst 

Photos of authors.

From left to right: Avi Gesser, Matt Kelly, Robert Maddox, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law; it will come into effect on 1 August 2024. Most of the substantive requirements will come into force two years later, from 1 August 2026, with the main exception being “Prohibited” AI systems, which will be banned from 1 February 2025.

Despite initial expectations of a sweeping and all-encompassing regulation, the final version of the Act reveals a narrower scope than some initially anticipated.

Continue reading

SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

by Eric T. JuergensErez LiebermannBenjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob

Photos of authors.

Top left to right: Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Anna Moody, Kelly Donoghue, and John Jacob. (Photos courtesy of Debevoise & Plimpton LLP)

On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs.  While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.

Continue reading

FinCEN Requires Reporting From Dissolved Companies

by Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz

Photos of the authors.

From left to right: Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz. (Photos courtesy of Mayer Brown LLP)

On July 8, 2024, the Financial Crimes Enforcement Network (“FinCEN”) issued interpretive guidance explaining that the beneficial ownership information (“BOI”) reporting requirement applies to certain legal entities that have been dissolved or otherwise ceased to exist after January 1, 2024. This new guidance dramatically expands the reporting requirement under the Corporate Transparency Act (“CTA”) and raises significant issues regarding compliance and liability for noncompliance.

The new guidance is effective immediately. Persons who own or manage entities that will dissolve in 2024, or have already dissolved this year—or which were not dissolved irrevocably—should review the guidance to determine their reporting obligations.

Continue reading