Category Archives: National Security

It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 2): A Fresh Look at Common Responses to Bolster Export Controls Compliance Programs as BIS Primes the Corporate Enforcement Engine

by Brent Carlson and Michael Huneke

Photos of the authors

Brent Carlson and Michael Huneke (photos courtesy of authors)

Amid reports of continued export controls diversion[1] to entities in locations including China, Russia, Iran, and North Korea, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) has been priming the corporate enforcement engine.[2] This dynamic increases challenges for in-house legal and compliance teams to respond to BIS’ latest moves and bolster compliance program effectiveness. In this new environment, the greatest compliance risks revolve around explaining and defending relationships with distributors and resellers in the face of allegations and reports of product diversion or other “red flags” indicating the same—a task made more nuanced under the “high probability” standard of “knowledge” recently highlighted by BIS in new guidance issued on July 10, 2024 (the “July 10 BIS Guidance”).[3]

In Part 1 we previously discussed the practice of using letters of assurance—and the problems of relying solely upon them without resolving related red flags—to bolster export controls compliance programs in response to the new BIS enforcement playbook.[4] In Part 2 we now examine other common responses based on legacy approaches to export controls and why they are ineffective—and even detrimental—in today’s new and evolving enforcement environment.

Continue reading

DOD’s CMMC 2.0 Program Takes Step Forward with Release of Contract Rule Proposal

by Beth Burgin Waller and Patrick J. Austin

Photos of authors.

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The United States Department of Defense (DoD) took another big step on the path to instituting its highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0). Once finalized, CMMC 2.0 will establish and govern cybersecurity standards for defense contractors and subcontractors.

On August 15, 2024, DoD submitted a proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS rule effectively supplements DoD’s proposed rule published in December 2023 by providing guidance to contracting officers, setting forth a standard contract clause to be used in all contracts covered by the CMMC 2.0 program, DFARS 252.204-7021, and setting forth a standard solicitation provision that must be used solicitations for contracts covered by the CMMC 2.0 program, DFARS 252.204-7YYY (number to be added when the rule is finalized).

There is a 60-day comment period for the DFARS proposed rule, meaning individuals have until October 15, 2024, to provide public feedback on the proposal.

Continue reading

Risks of Cross Border Operations: Chiquita Brands International Found Liable for Financing Terrorism

by Timothy Harkness, Peter Linken, Scott Eisman, and Maylin Meisenheimer

photos of the authors

From left to right: Timothy Harkness, Peter Linken, Scott Eisman and Maylin Meisenheimer (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

Doing business in conflict zones has always been complicated. Increased litigation has compounded those risks in recent years. A June 2024 federal jury verdict against Chiquita Brands International illustrates the changing legal landscape. The jury in Florida found Chiquita liable for financing Autodefensas Unidas de Colombia (“AUC”), a Colombian paramilitary group, and awarded a bellwether group of plaintiffs $38.3 million in damages. A second bellwether trial against Chiquita is scheduled for later this year, and thousands of related claims against Chiquita remain pending. Although the Chiquita litigation has spanned almost two decades, this jury verdict represents the first liability determination and paves the way for the second bellwether trial and eventual resolution of all pending claims. As each plaintiff was awarded around $2 million, Chiquita could be facing hundreds of millions of dollars in damages as the broader litigation includes vastly more victims.

The Chiquita verdict is a signal to corporations that U.S. courts may be more willing to find them liable for actions that occurred abroad and that plaintiffs may increasingly choose to file these claims in U.S. courts. In Chiquita, the alleged actions took place in Colombia and the claims at issue were brought under Colombian law, but this is just one example among many. In Kaplan v. Lebanese Canadian Bank, for example, the Second Circuit held that the plaintiffs plausibly pleaded that Lebanese Canadian Bank had aided and abetted acts of international terrorism under the Antiterrorism Act (“ATA”) by alleging that the bank had processed transactions in Lebanon for individuals closely affiliated with Hezbollah. As companies weigh the risks of doing business abroad and how best to structure their operations, this verdict should be at the forefront of their minds.

Continue reading

DOJ National Security Division Issues First-Ever Declination Under Enforcement Policy

by Satish M. Kini, David A. O’Neil, Jane Shvets, Rick Sofield, Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley

Photos of the authors

Top left to right: Satish M. Kini, David A. O’Neil, Jane Shvets, and Rick Sofield. Bottom left to right: Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • Even in criminal national security matters, early self-reporting, remediation and cooperation can enable companies to avoid prosecution and penalties.
  • Federal enforcement agencies are continuing to collaborate in investigating and prosecuting criminal cases at the intersection of national security and corporate crime.
  • Multinational corporations and academic institutions should be aware of the risk of outsiders fraudulently affiliating themselves with legitimate institutions to skirt export control laws.

Continue reading

BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke 

Photos of the authors.

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

Continue reading

Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin

Photos of authors

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.

Continue reading

New U.S. Law Extends Statute of Limitations for Sanctions Violations and Enhances Regulatory and Enforcement Focus on National Security Priorities

by Anthony Lewis, Eric Kadel Jr., Sharon Cohen Levin, Craig Jones, Adam Szubin, Amanda Houle, and Bailey Springer

Photos of the authors

Top: Anthony Lewis, Eric Kadel Jr., and Sharon Cohen Levin
Bottom: Craig Jones, Adam Szubin, and Amanda Houle
(Photos courtesy of Sullivan & Cromwell LLP)

Statute Doubles the Statute of Limitations for Sanctions Violations, Expands the Scope of Sanctions Programs, and Focuses on China’s Technology Procurement, Iranian Petroleum Trafficking, and Fentanyl Production

Summary

On April 24, President Biden signed into law H.R. 815, a sweeping national security legislative package that—in addition to providing foreign aid funding for Ukraine, Israel, and Taiwan—includes the 21st Century Peace Through Strength Act, which contains a number of provisions implementing the Biden administration’s national security priorities. As summarized below, provisions of the Act align with U.S. authorities’ continued focus on China and emphasis on sanctions enforcement. In particular, the Act:

  • Doubles the statute of limitations for civil and criminal violations of U.S. sanctions programs from five to 10 years—raising questions about retroactive application of the statute and whether authorities will amend current rules on corporate record-keeping practices;
  • Requires additional agency reports to Congress, reflecting a focus on U.S. investments in, and supply-chain contributions to, the development of sensitive technologies used by China—a topic that has likewise been the recent focus of the Department of Justice and the Department of Commerce;
  • Targets the Chinese government’s alleged evasion of U.S. sanctions on Iranian petroleum products and involvement in related financial transactions by directing the imposition of sanctions; and
  • Directs the President to impose sanctions aimed at curbing China’s alleged involvement in fentanyl trafficking and calls for forthcoming guidance for financial institutions in filing related SARs.

Continue reading

A Whole New National Security Ballgame: Key Practical Takeaways for Export Control Compliance from the 2024 BIS Update Conference

by Brent Carlson and Michael Huneke

Photos of the authors.

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

On March 27–29, 2024, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) hosted an Update Conference on Export Controls & Policy. The event was a major outreach effort by the U.S. government. Nearly 100 BIS and other U.S. agency officials engaged with 1,200 attendees over three days.

As was appropriate for an event coinciding with Opening Day of the U.S. Major League Baseball season, BIS officials emphasized that they—and those they regulate—are playing a whole new national security ballgame. This theme ran through every topic. It also drives the key practical takeaways that we highlight below for in-house compliance professionals assessing evasion and diversion risks and responding to reports of the same—particularly reports that some U.S. companies recently received directly from the U.S. government. Continue reading

Executive Order Prohibits Transfer of Sensitive Personal Data to “Countries of Concern”

by Patrick J. Austin and John Pilch

Photos of authors

From the left to right: Patrick J. Austin and John Pilch

On February 28, 2024, U.S. President Joe Biden issued Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO), which authorizes the U.S. Attorney General to restrict large-scale transfers of personal data to “countries of concern.” The “countries of concern” identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela, according to a summary issued by the White House.

Continue reading

Monitoring What Matters: A Fresh Look Proposal to Government and Industry for How Post-Resolution Oversight Can Best Deny Hostile Actors the Means to Cause Deadly Harm

by Brent Carlson and Michael Huneke

Photos of the authors.

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

U.S. economic sanctions and export controls serve a wide range of national security interests. When hostile actors rely on U.S.-designed or -manufactured components in weapons used in fatal attacks on U.S. and coalition military personnel and civilian populations, there is an acute need to quickly identify the illicit trade flows and stop those components from reaching the battlefield. Continue reading