Category Archives: Corporate Compliance

English Litigation Privilege in Internal Investigations: Not Quite Dead Yet?

by Kelly Hagedorn

Following the decisions in The RBS Rights Issue Litigation[1] and Serious Fraud Office v Eurasian Natural Resources Corporation Limited[2] (“ENRC”), it was thought that the prospect of claiming legal professional privilege in English proceedings over interview memoranda generated during internal investigations was slim (see our client alert on those two cases here).  However, a recent decision of the English High Court in Bilta (UK) Limited and Others v (1) Royal Bank of Scotland Plc (2) Mercuria Energy Europe Trading Limited[3] (“Bilta”) has refused the disclosure of interview memoranda on the basis of litigation privilege, providing a glimmer of hope for corporates who seek to protect such documents from disclosure.

Section 7 of the United Kingdom Bribery Act 2010 and the “Fair Warning Principle”

by Jonathan J. Rusch

As governments around the world watch the rising tide of public sentiment and law enforcement actions against corruption,[1] some are looking to the United Kingdom Bribery Act 2010 (the “Act”) as a model for crafting their own criminal sanctions, including with regard to corporate criminal liability.[2]  Section 7 of the Act, which is captioned, “Failure of commercial organization to prevent bribery,” defines the offense in just 45 words:

A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending—

(a) to obtain or retain business for C, or

(b) to obtain or retain an advantage in the conduct of business for C.[3]

Unless the company, as an affirmative defense, can “prove that [it] had in place adequate procedures designed to prevent persons associated with [it] from undertaking such conduct,”[4] it faces a criminal fine without statutory limit.[5]

Deliberate Data Breaches: Consequences for Companies Just Got Even Tougher

by Kelly Hagedorn, Tracey Lattimer, Emily Bruemmer, and Jennifer Yun

In today’s world, data breaches are a regular occurrence.  The size and scale vary, and they have different causes, but those matters are irrelevant if you are a data subject affected – you just want the situation resolved and compensation for any losses you suffer.  Who should be responsible for those breaches?  Where a company has not taken sufficient steps to safeguard personal data, the answer is obvious.  But what about where a rogue employee leaks personal data with the deliberate intention of harming his employer?  The English High Court has recently decided that even in that instance, the employer is liable to data subjects.  Although there is no specific case on this point, we believe that a similar outcome would be reached in an action under US law.

The New DOJ FCPA Corporate Enforcement Policy Highlights the Continued Importance of Anti-Corruption Compliance

by Lisa Vicens, Jonathan Kolodner, and Eric Boettcher

In a significant development for companies relating to the Foreign Corrupt Practices Act (FCPA), in late November the U.S. Department of Justice (DOJ) announced a new FCPA Corporate Enforcement Policy (the Enforcement Policy).

The Enforcement Policy[1] is designed to encourage companies to voluntarily disclose misconduct by providing greater transparency concerning the amount of credit the DOJ will give to companies that self-report, fully cooperate and appropriately remediate misconduct. Notably, in announcing the Enforcement Policy, the DOJ highlighted the continued critical role that anti-corruption compliance programs play in its evaluation of eligibility under the Enforcement Policy.

Global Anti-Bribery Year-in-Review: 2017 Developments and Predictions for 2018

by Kimberly A. Parker, Jay Holtmeier, Erin G.H. Sloane, Lillian Howard Potter, Tetyana V. Gaponenko, Victoria J. Lee, and Roger M. Witten

This past year marked the 40th anniversary of the U.S. Foreign Corrupt Practices Act (“FCPA”).  Since its enactment in 1977, the U.S. Department of Justice (the “DOJ”) has brought approximately 300 FCPA enforcement actions, while the U.S. Securities and Exchange Commission (the “SEC”) has brought approximately 200 cases.[1]  This anniversary year, the first year of the Trump administration, demonstrated that the FCPA continues to be a powerful tool in combating corruption abroad and encouraging compliance at global companies.

Below are six key take-aways regarding FCPA enforcement in 2017:

Creating a Culture of Compliance

by Michael C. Neus

Many constituents have a vested interest in determining a firm’s culture of compliance:  regulators, investors, prospective employees, among others.  Investment advisers registered with the Securities and Exchange Commission must demonstrate their compliance culture during periodic examinations by the Office of Compliance, Inspection and Examinations.  Current and former SEC examination staff often state that the primary indicator of a healthy compliance culture is the “tone from the top.”  There are a number of steps that a firm can take to demonstrate that top management fosters an effective compliance culture.

Ditching Deterrence: Preventing Crime by Reforming Corporations Rather than Fining Them

by Mihailis E. Diamantis

“Corporate criminal law . . . operates firmly in a deterrence mode.”[1]  The ultimate goal of that deterrence is prevention.  But recent evidence suggests that deterrence—and in particular, the corporate fine (the favorite tool of deterrence theorists)[2]—is not particularly good at the job.[3]  For a host of structural and practical reasons, corporate fines do not influence corporate behavior as we might have hoped.  In a forthcoming article, Clockwork Corporations: A Character Theory of Corporate Punishment, I propose abolishing the corporate fine and offer an alternative framework for structuring corporate punishment.[4]  The proposal expands on a strategy prosecutors already employ, albeit imperfectly, as part of corporate deferred prosecution agreements: mandating corporate reform.[5]  On this new approach, such government-directed reform would be the exclusive means of corporate punishment, and judges and judge-appointed monitors, rather than prosecutors, would be in the driver’s seat.  This “character” theory of punishing corporations could beat deterrence theory at its own game by preventing more corporate crime.

Securities Fraud Class Action Suits following Cyber Breaches: The Trickle Before the Wave

by Michael S. Flynn, Avi Gesser, Joseph A. Hall, Edmund Polubinski III, Neal A. Potischman, Brian S. Weinstein, Peter Starr and Jessica L. Turner

Overview

Large-scale data breaches can give rise to a host of legal problems for the breached entity, ranging from consumer class action litigation to congressional inquiries and state attorneys general investigations.  Increasingly, issuers are also facing the specter of federal securities fraud litigation.[1]

The existence of securities fraud litigation following a cyber breach is, to some extent, not surprising.  Lawyer-driven securities litigation often follows stock price declines, even declines that are ostensibly unrelated to any prior public disclosure by an issuer.  Until recently, significant declines in stock price following disclosures of cyber breaches were rare.  But that is changing.  The recent securities fraud class actions brought against Yahoo! and Equifax demonstrate this point; in both of those cases, significant stock price declines followed the disclosure of the breach.  Similar cases can be expected whenever stock price declines follow cyber breach disclosures.

The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data

by Caroline Krass, Jason N. Kleinwaks, Ahmed Baladi, and Emmanuelle Bartoli

The General Data Protection Regulation (GDPR), a new European Union data privacy and protection regime, has already entered into force and is slated to become effective on May 25, 2018.  Designed to provide greater protections to the personal data of individuals located in the EU, the GDPR imposes a host of new obligations on both “controllers” and “processors” of such data.  Additionally, the GDPR calls for large penalties when companies fail to comply with these new obligations.  While many U.S. companies have already begun the process of bringing themselves into compliance, the GDPR has such a long reach that it may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws.  Smaller organizations or those that deal with a relatively small amount of data originating in the EU may be especially likely to be caught off-guard.  Such organizations must take immediate steps to assess whether they are subject to the new GDPR and to bring themselves into compliance.

In this article, we begin by laying out the global scope of the GDPR and describing which organizations may be required to comply.  Next, we explain the obligations that the GDPR imposes on controllers and processors, as well as the stringent restrictions placed on cross-border data transfers to countries outside of the EU.  We then provide an overview of the various compliance mechanisms and penalties the GDPR includes, and potential deviations in the implementation of the GDPR that might be seen in particular EU member states.  Finally, we conclude with practical advice for organizations transitioning to the new regime.

Roadmap to an Effective Annual Review

by Michael C. Neus

As the year ends, SEC registered investment advisers to private funds start considering how to assess their firm’s compliance culture.  The Advisers Act of 1940 requires a formal annual review of the adequacy of “written policies and procedures reasonably designed to prevent violation of securities laws.”[1]  In other words, every year Chief Compliance Officers ask themselves how they can actually demonstrate their effectiveness.

Rather than viewing this process as a comprehensive narrative report identifying all deficiencies, perhaps a more useful construct is to think of the annual review as a way of collating and assessing activity throughout the year.  Paradoxically, assembling information used throughout the year makes the process easier than attempting a comprehensive one-shot evaluation.[2]   Effective annual reviews are more like a movie than a photograph.