Category Archives: Compliance

Preparing for the California Consumer Privacy Act in an Evolving Privacy Landscape

by David A. Katz, Marshall L. Miller, and Zachary M. David

Just a month after the European Union’s General Data Protection Regulation (GDPR) took effect, California enacted the most expansive data privacy law in the United States to date.  The California Consumer Privacy Act (CCPA), which is scheduled to go into effect on January 1, 2020, will impose unprecedented data obligations on companies doing business in California, requiring increased data use transparency and the observance of novel consumer data rights.  Notwithstanding any GDPR compliance fatigue, companies need to take steps to prepare for compliance with the CCPA.

The CCPA was a hastily crafted legislative package passed to preempt a statewide ballot initiative set to qualify for California’s November 2018 ballot.  The initiative—which promised to be even more far-reaching—was withdrawn by its ballot sponsors in exchange for passage of the CCPA.  The statute remains a work in progress, with numerous legislative amendments currently under consideration and implementing regulations from the California Attorney General expected this fall.

Teaching Compliance Part III of III

by Veronica Root Martinez

This is the third in a three-part series describing my experience teaching compliance at Notre Dame Law School.

This semester, I have been teaching a new compliance course in Notre Dame’s London Law Program.  Notre Dame Law students have the opportunity to come to London for the semester or year, and one regular faculty member, in addition to the director of our program, is in residence in London each semester.  As you can imagine, many of the courses offered to students have an international focus.  To keep with this norm, I’m teaching a course I’ve entitled Global Compliance Survey.

DOJ Updates Guidance on Evaluating Corporate Compliance Programs

by Matthew L. Biben, Kara Brockmeyer, Helen V. Cantwell, Andrew J. Ceresney, Andrew M. Levine, David A. O’Neil, David Sarratt, Jonathan R. Tuttle, Mary Jo White, Bruce E. Yannett, Lisa Zornberg, Ryan M. Kusmin, Jil Simon

On April 30, 2019, Assistant Attorney General Brian Benczkowski announced an updated version of the Evaluation of Corporate Compliance Programs (the “Updated Guidance”).[1] This Updated Guidance supersedes a document of the same name that the Fraud Section of DOJ’s Criminal Division published online in February 2017 without any formal announcement (the “2017 Guidance”). Although not breaking much new ground, we believe the Updated Guidance can serve as a valuable resource for those grappling with how best to design, implement, and monitor an effective corporate compliance program.

In contrast to the 2017 Guidance—which listed dozens of questions to consider in evaluating a compliance program without providing much context—the Updated Guidance employs a more holistic approach. It focuses on three fundamental questions drawn from the Justice Manual:

  • Is the corporation’s compliance program well designed?
  • Is the program implemented effectively?
  • Does the program work in practice?[2]


Teaching Compliance Part II of III

by Veronica Root Martinez

This is the second in a three-part series describing my experience teaching compliance at Notre Dame Law School.

A fair question one might have had about my description of my Corporate Compliance & Ethics course is why I include readings in behavioural ethics and professional responsibility.

With regards to the behavioural ethics component, it is important for students to think through how unethical or noncompliant behaviour occurs.  The behavioural ethics literature makes plain that anyone can fall prey to unethical decision-making.  I like laying this foundation—that anyone can make poor decisions—because students often think that misconduct within firms is committed by a special group of bad actors.  It can be, but it may also be committed by people who “think” there are good reasons that justify their behaviour.

Incoming DFS Chief Calls Cyber the “Number One Threat” Facing Industry and Government

by Craig A. Newman and Alejandro H. Cruz

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled.

Teaching Compliance Part I of III

by Veronica Root Martinez 

This is the first in what is a three-part series of blog posts describing my experience teaching compliance at Notre Dame Law School.

I first began teaching a compliance course in the fall of 2015.  At the time, there were not many compliance courses being taught within law schools, and I was aware of only one casebook on the subject.  I began, as many professors do, by gathering syllabi from individuals currently teaching the topic.  Most of the syllabi I was able to obtain were of courses taught by practitioners that included significant skills-based components, which, although valuable, was not where I wanted to focus.

Instead, I decided to tackle teaching the course in a manner that I hoped would allow students to think through the different roles they might play within compliance efforts, followed by a few classes dedicated to specific compliance areas in an attempt to allow students to better understand how their role might look in practice.  To do so, I draw on enforcement, compliance, behavioural ethics, and professional responsibility materials.  Each class session has one dedicated case study to help students understand the concept being presented.

DOJ Updates FCPA Corporate Enforcement Policy

By Jonathan S. Kolodner, Lisa Vicens, and Lorena Michelen

In a recent speech at the annual ABA White Collar Crime Conference in New Orleans, Assistant Attorney General Brian Benczkowski of the Criminal Division of the Department of Justice (“DOJ”) announced certain changes to the FCPA Corporate Enforcement Policy (“the Enforcement Policy” or “Policy”) to address issues that the DOJ had identified since its implementation.[1]  These and other recent updates have since been codified in a revised Enforcement Policy in the Justice Manual.[2] 

The Enforcement Policy, first announced by the DOJ in November 2017, was initially applicable only to violations of the FCPA, but was subsequently extended to all white collar matters handled by the Criminal Division.[3]  The Policy was designed to encourage companies to voluntarily self-disclose misconduct by providing more transparency as to the credit a company could receive for self-reporting and fully cooperating with the DOJ.  Among other things, the Enforcement Policy provides a presumption that the DOJ will decline to prosecute companies that meet the DOJ’s requirement of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation,” absent “aggravating circumstances” – i.e. relating to the seriousness or frequency of the violation.  For more information on the Enforcement Policy, read our blog post explaining it.

The most significant recent changes to the Enforcement Policy include eliminating the prohibition on a company’s usage of ephemeral instant messaging applications to receive full credit for “timely and appropriate remediation.”  Additionally, the modified Enforcement Policy (1) now makes clear that one requirement of cooperation, de-confliction of witness interviews, should not interfere with a company’s internal investigation; (2) confirms based on an earlier announcement, that the Policy applies in the context of a merger and acquisition (“M&A”), if an acquiring company discovers and self-discloses misconduct in a target; and (3) implements a change announced months before by the Deputy Attorney General that a company only needed to provide information about individuals “substantially involved” in the offense.  These changes are discussed in greater detail below.

OFAC Takes Enforcement Action Against U.S. Parent Company for its Recently Acquired Chinese Subsidiary’s Iran Sanctions Violations

by Brad S. Karp, H. Christopher Boehning, Jessica S. Carey, Christopher D. Frey, Michael E. Gertzman, Roberto J. Gonzalez, Richard S. Elliott, Rachel M. Fiorill, Karen R. King, Joshua R. Thompson

Enforcement Action Shows the Importance of Pre-Acquisition Sanctions Due Diligence and Post-Acquisition Sanctions Compliance Enhancements

On March 27, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced a $1,869,144 settlement agreement with Connecticut-based Stanley Black & Decker, Inc. (“Stanley Black & Decker”), a manufacturer of industrial tools and household hardware, regarding 23 apparent violations of OFAC’s Iran sanctions regulations.[1] OFAC determined that Stanley Black & Decker’s Chinese subsidiary, Jiangsu Guoqiang Tools Co. Ltd. (“GQ”), knowingly provided power tools and spare parts to Iranian end-users.[2] According to OFAC, GQ’s shipments were made via third-party intermediaries, located in the United Arab Emirates and China, with the knowledge that the products were ultimately destined for Iran.[3]  Under U.S. law, non-U.S. companies owned or controlled by U.S. companies are required to adhere to Iran sanctions as if they were U.S. persons.  The settlement, along with the Kollmorgen Corporation (“Kollmorgen”) settlement in February 2019, signals the Trump Administration’s willingness to hold U.S. parent companies liable for their subsidiaries’ Iran sanctions violations, which is an area that, prior to this year, had seen little enforcement activity to date.

In Precedent-Setting Case, Two Senior Corporate Executives Indicted for Failure to Report Under the Consumer Product Safety Act

by Jonathan J. Rusch

On March 29, the U.S. Department of Justice announced that on March 28, a federal grand jury in the Central District of California indicted two senior corporate executives with two corporations on multiple counts for their roles in a scheme involving defective and dangerous dehumidifiers made in China.  Simon Chu and Charley Loh, who served respectively as part owners, chief administrative officer, and chief executive officer of the same two corporations in California, were charged with (1) conspiracy (a) to commit wire fraud, (b) to fail to furnish information under the Consumer Product Safety Act (CPSA), and (c) to defraud the U.S. Consumer Product Safety Commission (CPSC); (2) wire fraud; and (3) failure to furnish information under the CPSA.  The Department indicated this was the first time that any individual had been criminally charged for failure to report under the CPSA.

Cyber Monitoring Employees Part 2 – Insider Threats Continue After Employees Leave

By

We recently wrote about companies monitoring employees to reduce cybersecurity risks.  Those insider threat risks do not end when employees leave the company.  Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a former employee acting in good faith.  Companies must therefore take steps to protect their data from walking out the door with exiting employees.