Category Archives: Enforcement Policy

FTC’s Cybersecurity Remedial Authority Limited

by David A. Katz, Marshall L. Miller, and Jonathan Siegel

The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised.  LabMD, Inc. v. Federal Trade Commission.  The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents. Continue reading

“Economic Growth, Regulatory Relief, and Consumer Protection Act” is Enacted

by Samuel R. Woodall III, Mitchell S. Eitel, Michael T. Escue, C. Andrew Gerlach, Camille L. Orme, Benjamin H. Weiner, and Michael A. Wiseman


Earlier today, President Trump signed into law the “Economic Growth, Regulatory Relief, and Consumer Protection Act,”[1] which provides certain limited amendments to the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), as well as certain targeted modifications to other post-financial crisis regulatory requirements.  In addition, the legislation establishes new consumer protections and amends various securities- and investment company-related requirements.  The legislation, which enjoyed substantial bipartisan support, was adopted on May 22, 2018, in the U.S. House of Representatives, by a vote of 258 to 159, and in the U.S. Senate, by a vote of 67 to 31, on March 14, 2018.

The legislation preserves the fundamental elements of the post-Dodd-Frank regulatory framework, but it includes modifications that will result in some meaningful regulatory relief for smaller and certain regional banking organizations. Continue reading

DOJ Calls Foul On Duplicative Corporate Penalties

by Pablo Quiñones

Corporate misconduct allegations often result in investigations by multiple agencies, including foreign, federal, state, and local authorities.  Without proper coordination, companies risk being hit with duplicative penalties for the same misconduct.  Duplicative corporate penalties can be avoided, but coordinating a corporate resolution with multiple authorities is hard to navigate. 

Within the United States, federal prosecutors often have overlapping jurisdiction with other federal criminal and civil prosecutors, federal and state regulators, and local prosecutors.  In international investigations, federal prosecutors also have to cooperate with foreign authorities with overlapping jurisdiction.  All of these players can have a legitimate interest in protecting the public from economic crimes.  Regulatory competition, however, often leads government authorities to want to take the lead over other authorities.   Other times, government authorities jump from the sidelines onto the field of play when a corporate resolution is near and refuse to leave the field without a share of the penalties.  A coordinated resolution is difficult to achieve in either case.  In the end, the overlapping jurisdiction and regulatory competition can either lead to (1) each authority “piling on” their share of penalties or (2) a coordinated resolution that identifies the collective harm caused by the company’s misconduct, the appropriate penalties for that harm, and the fair allocation of the penalties among the interested government players. Continue reading

Extending the “Failure to Prevent” Model of Corporate Criminal Liability in the UK

by Liz Campbell

Prosecuting corporate criminality is not straightforward. As a result of these difficulties, the UK Parliament is turning to an indirect form of corporate criminal liability: the Bribery Act 2010 introduced the corporate offence of failure to prevent bribery (FtPB), and this provision has been emulated with respect to the failure to prevent the facilitation of tax evasion in the Criminal Finances Act 2017.  

In brief, a relevant commercial organisation (C) is guilty of FtPB if a person associated with C bribes another person with the intention of obtaining or retaining business or an advantage for C.  An ‘associated’ person is an individual or body who ‘performs services’ for or on behalf of the organisation, and this definition was framed broadly intentionally.[1]  Crucially, the corporate entity can rely on the section 7(2) defence that it had “adequate procedures” in place designed to prevent persons associated with it from bribing. Continue reading

English High Court Considers Status of Internal Investigation Interview Notes

by Karolos Seeger, Andrew Lee, and Robin Lööf

In R (AL) v Serious Fraud Office,[1] the English High Court considered the SFO’s obligations to individuals prosecuted following the deferred prosecution agreement (“DPA”) in July 2016 with a company anonymised as “XYZ Ltd”. The Court’s decision is likely to force the SFO to adopt a much more aggressive approach in relation to company counsel’s notes of interviews conducted during a company’s internal investigation. In particular, when those interview notes are potentially relevant to the defences of individuals being prosecuted, this judgment is likely to lead to the SFO putting further pressure on companies to produce the notes, through court proceedings if necessary. We analyse these and other issues covered by the judgment below. Continue reading

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. NilesMarshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs.  In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.”  As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors. Continue reading

The Rule of Law and the Responsible Corporate Officer Doctrine after Quality Egg

by Jason Driscoll
This post is the second part of a two-part post by the author.


In my previous post (DeCoster v. United States: Testing the Limits of the Responsible Corporate Officer Doctrine), I discussed how the Food and Drug Administration (“FDA”) and the Department of Justice (“DOJ”) have revived the Responsible Corporate Officer (“RCO”) doctrine in an attempt to increase compliance with the Federal Food, Drug, and Cosmetic Act (“FDCA”). In light of the incarcerative sentences in the Quality Egg case, I addressed the DOJ’s new strategy of seeking enhanced sanctions in RCO cases. In United States v. Quality Egg, LLC,[1] the government brought FDCA Section 333(a)(1) misdemeanor food adulteration cases against two corporate officers—Jack and Peter DeCoster—ultimately securing three-month prison sentences premised largely on the RCO doctrine.[2] On appeal, the DeCosters argued that the incarcerative sentences violated due process absent evidence of mens rea or actus reus.[3] The Eighth Circuit affirmed the sentences, however, holding that a three-month strict liability prison sentence was “relatively light” doing “no grave damage” to an offender’s reputation.[4] A petition for a writ of certiorari followed, inviting the Supreme Court to review the doctrine for the first time since 1975, but was denied. Continue reading

DOJ Memorandum Addressing Agency Guidance

by Matthew L. Biben, Courtney M. Dankworth, Mark P. Goodman, Maura Kathleen Monaghan, Jacob W. Stahl and Eric Silverberg

On January 25, the Department of Justice (the “DOJ”) released a memorandum by former Associate Attorney General Rachel Brand (the “Brand Memo”) prohibiting the DOJ from relying on noncompliance with other agencies’ guidance documents as evidence of a defendant’s violation of applicable law. While the Brand Memo is arguably only a restatement of the established principle that agency guidance is nonbinding, it may nevertheless have important implications for cases brought by the DOJ under the False Claims Act (the “FCA”) and other enforcement actions.


The Brand Memo prohibits the DOJ from using “its enforcement authority to effectively convert agency guidance documents into binding rules” by using a party’s noncompliance with other agencies’ “guidance documents as a basis for proving violations of applicable law” in affirmative civil enforcement (“ACE”) cases. It also applies to both “future ACE actions brought by the Department, as well as (wherever practicable) to those matters pending as of the date of this memorandum.”

The Brand Memo follows a directive from Attorney General Sessions, dated November 16, 2017, prohibiting all DOJ sections from issuing “guidance documents that purport to create rights or obligations binding on persons or entities outside the Executive Branch.”[1] This directive required the DOJ to refrain from using its own guidance documents to “coerc[e]” persons to take or avoid taking actions beyond what is required by statutes or regulations. These memos highlight the DOJ’s increased skepticism of “rulemaking by guidance.”

It should be noted that the Brand Memo permits the DOJ to rely upon agency guidance to paraphrase or explain statutes and regulations, and to prove that a party had knowledge of a particular statute or regulation. It does not elaborate on these scenarios. The breadth of the carve-outs poses a risk that the exceptions will swallow the rule. However, in light of the Trump administration’s disapproval of the use of guidance documents, it is unlikely that these exceptions will be widely invoked.


Implications for FCA Actions Brought by the DOJ

The Brand Memo is likely to reduce, if not eliminate, the circumstances in which the DOJ brings FCA actions predicated on failures to comply with agency guidance documents. Instead, the DOJ will be confined to proving violations based on the text of the applicable statutes or regulations. This development will be particularly relevant in certain industries

  • In the life sciences sector, where DOJ attorneys often rely on guidance issued by the Department of Health and Human Services’ Office of the Inspector General and Food and Drug Administration.
  • In the healthcare sector, where DOJ attorneys often rely on the Centers for Medicare & Medicaid Services’ Medicare Benefit Policy Manual.
  • In the mortgage sector, where DOJ attorneys often rely on provisions of the HUD Handbook or on Mortgagee Letters issued by the Department of Housing and Urban Development.

In light of the Brand Memo, the DOJ may no longer be able to argue that defendants’ reimbursement submissions were false because the defendants were not in compliance with the applicable standards set forth in agency guidance.

Many FCA cases also turn on whether or not any alleged false statements were material. In Universal Health Services v. United States ex rel. Escobar,[2] the Supreme Court held that FCA plaintiffs must satisfy a “rigorous” materiality standard, i.e., that the government would not have provided reimbursement had it known about the alleged false statement. In light of the Brand Memo, the DOJ may no longer be able to rely on agency guidance to establish the importance to an agency decision of a defendant’s misrepresentation. It therefore may be more difficult in some circumstances for the DOJ to satisfy Escobar’s heightened materiality requirement.

A few examples highlight the circumstances in which the DOJ relied on agency guidance in the past but might not be able to do so in the future in light of the Brand Memo:

  • In 2012, the DOJ brought an FCA action against Life Care Centers of America, a large skilled nursing home operator. The DOJ alleged that the defendant engaged in a scheme to increase revenue by placing as many patients as possible in the highest reimbursement category for skilled rehabilitation therapy even though such therapy was often not medically reasonable and necessary. The complaint relied on the Medicare Benefit Policy Manual, which is an agency guidance document, to explain what types of skilled rehabilitation therapy are appropriate. This matter ultimately settled in 2016 for $145 million.[3]
  • Last year, the DOJ announced the settlement of an FCA action against Residential Home Funding Corporation, an entity that originates residential mortgages. The DOJ alleged that the defendant made false statements in order to participate in a government program under which it had the authority to endorse mortgages for Federal Housing Administration insurance (meaning that the federal government would cover losses on loans that defaulted). The DOJ’s allegations were premised in part on the defendant’s failure to follow requirements set forth in the Department of Housing and Urban Development Handbooks, which are agency guidance documents. This matter was settled for $1.67 million.[4]

The Brand Memo also casts doubt on the DOJ’s ability to rely on the Auer deference, a well-known but often-challenged doctrine providing that courts should defer to an agency’s interpretation of its own regulations, as set forth in that agency’s own guidance documents, unless the agency’s interpretation is clearly erroneous.[5]

Implications for FCA Actions Brought by Relators

FCA actions can be brought by relators, private individuals who allege misconduct related to false claims for government reimbursement or other government benefits. If the DOJ declines to intervene in an action brought by a relator, the relator can elect to proceed alone. While the Brand Memo technically applies only to actions led by the DOJ, it has potentially significant implications for actions prosecuted by relators as well.

The Brand Memo was issued shortly after a leaked internal memorandum by Michael Granston, the Director of the DOJ Civil Division’s Fraud Section, which outlined the circumstances in which DOJ attorneys should seek early dismissal of FCA actions (the “Granston Memo”).[6] The Granston Memo described the substantial increase in actions led by relators alone and argued that the DOJ should consider invoking its statutory authority to seek early dismissal of such cases when they impose significant burdens on the DOJ. For example, each of these cases still must be actively monitored by the DOJ, and the rulings issued in such cases may create precedents that negatively impact the DOJ’s ability to litigate its own FCA cases. To the extent that a case brought by a relator acting alone relies on agency guidance, FCA defendants can now use the Brand Memo to argue to the DOJ that the case should be dismissed because the reliance on guidance documents is improper. Even if the DOJ does not elect to try and dismiss a case, the Brand Memo gives FCA defendants ammunition to argue that relators who stand in the shoes of the DOJ should not be permitted to rely on agency guidance.

Implications for Use by Defendants to Establish Compliance

The Brand Memo does not preclude defendants from using agency guidance documents to establish that they complied with applicable standards set forth in agency documents. At the very least, proof of compliance with standards described in agency guidance should negate allegations that the defendant was acting with knowledge of wrongdoing.[7]

Implications for Criminal Cases and Administrative Enforcement Actions

Even though the Brand Memo applies only to ACE actions brought by the DOJ Civil Division, its logic extends to other contexts as well. The underlying principle that “guidance documents cannot create binding requirements that do not already exist by statute or regulation” should apply equally to actions brought by the DOJ Criminal Division and to enforcement actions brought by other agencies. Whether that happens remains to be seen.


Companies should not use the Brand Memo as a justification for disregarding agency guidance. That said, the Brand Memo may be helpful to companies that are currently facing FCA actions predicated on agency guidance. In such cases, the Brand Memo may provide FCA defendants with leverage to secure a relatively favorable resolution. In future cases, defendants should be able to invoke the Brand Memo to dissuade the DOJ and private relators from bringing actions arising from noncompliance with standards set forth in agency guidance.

[1] “Memorandum for All Components: Prohibition of Improper Guidance Documents,” from Attorney General Jefferson B. Sessions III, November 16, 2017, available at

[2] 136 S. Ct. 1989 (2016).

[3] “Life Care Centers of America, Inc. Agrees to Pay $145 Million to Resolve False Claims Act Allegations Relating to the Provision of Medically Unnecessary Rehabilitation Care,” October 24, 2016, available at

[4] “Acting Manhattan U.S. Attorney Settles Civil Mortgage Fraud Lawsuit Against Residential Home Funding Corp.,” September 28, 2017, available at

[5] Auer v. Robbins, 519 U.S. 452, 461 (1997).

[6] “Factors for Evaluating the Dismissal Pursuant to 31 U.S.C. 3730(c)(2)(A),” from Director of Commercial Litigation Branch, Fraud Section Michael D. Granston, January 10, 2018, available at For additional information, please consult our recent client update, titled “DOJ Creates Potential Openings for Early Dismissal of False Claims Act Suits,” available at

[7] See, e.g., United States ex rel. Walker v. R&F Prop. of Lake Cnty, Inc., 433 F.3d 1349, 1356–58 (11th Cir. 2005).

Matthew L. Biben, Courtney M. Dankworth, Mark P. Goodman and Maura Kathleen Monaghan are partners; Jacob W. Stahl is a counsel; and Eric Silverberg is an associate at Debevoise & Plimpton LLP.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.

DOJ Applies Principles of FCPA Corporate Enforcement Policy in Other White-Collar Investigations, Increasing Opportunity for Corporate Declinations

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Marshall L. Miller, and Jonathan Siegel

Late last week, the Department of Justice’s Criminal Division announced at an ABA white-collar conference that it has begun using the FCPA Corporate Enforcement Policy as “nonbinding guidance” in other areas of white-collar enforcement beyond the FCPA.  As a result, absent aggravating factors, DOJ may more frequently decline to prosecute companies that promptly self-disclose misconduct, fully cooperate with DOJ’s investigation, remediate in a complete and timely fashion, and disgorge any ill-gotten gains.  As a first example of this approach, the officials pointed to DOJ’s recent decision to decline charges against Barclays PLC, after the bank agreed to pay back $12.9 million in wrongful profits, following individual charges arising out of a foreign exchange front-running scheme. Continue reading

Section 7 of the United Kingdom Bribery Act 2010 and the “Fair Warning Principle”

by Jonathan J. Rusch

As governments around the world watch the rising tide of public sentiment and law enforcement actions against corruption,[1] some are looking to the United Kingdom Bribery Act 2010 (the “Act”) as a model for crafting their own criminal sanctions, including with regard to corporate criminal liability.[2]  Section 7 of the Act, which is captioned, “Failure of commercial organization to prevent bribery,” defines the offense in just 45 words:

A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person intending—

(a) to obtain or retain business for C, or

(b) to obtain or retain an advantage in the conduct of business for C.[3]

Unless the company, as an affirmative defense, can “prove that [it] had in place adequate procedures designed to prevent persons associated with [it] from undertaking such conduct,”[4] it faces a criminal fine without statutory limit.[5] Continue reading