Before You Press Send: Protecting Privilege and Complying With Limitations on Data Dissemination When Responding to an Investigative Request

by Cleary Gottlieb Steen & Hamilton LLP

One critical issue to consider in responding to an investigative request is whether by producing the requested data, the company will be waiving a privilege or violating legal confidentiality obligations, including data privacy restrictions.  To avoid inadvertently waiving protections over the company’s information or violating any legal restrictions on the production, companies should consider whether any of the following are implicated by the information requested by the authority:

#MeToo Legal Developments: No Signs of Slowing

by Jade R. Lambert and Abigail N. Bortnick

Anyone who has not heard of the #MeToo movement may well be living under a rock.  A national conversation around workplace sexual misconduct took off in October 2017 following publication of allegations against Harvey Weinstein.  Since then, countless high-profile allegations of workplace sexual misconduct have been publicized.   

In 2018, an unprecedented volume of new legislation was proposed and enacted, expanding legal protections relating to workplace sexual misconduct, and requiring that companies improve their internal policies and practices relating to it.  In an article earlier this year (PDF: 417 KB), we detailed many of these new laws.  For example, some states expanded the population of protected individuals by either broadening the definition of “employee” or by lowering the number of employees required to trigger an organization’s obligations.  Other states passed laws eliminating confidentiality requirements and mandatory arbitration provisions in settlement agreements arising from sexual misconduct allegations.  And quite a few laws imposed new sexual harassment prevention training requirements.  New York City and State now require annual trainings by all employers, regardless of the size of the organization.  New York City has provided a training module on its website that can be used to satisfy the legal requirement.

Anti-Corruption Enforcement in Mexico:  A Possible Turning Point?

by Andrew M. Levine, Kara Brockmeyer, and Marisa R. Taney

In recent years, anti-corruption enforcement has become increasingly globalized.  New anti-corruption laws have proliferated, along with deepening commitments to enforcing such laws.  Sometimes, like in Brazil, active enforcement has followed promptly after the adoption of new laws.  Other times, as in the case of Mexico, the journey from enactment to enforcement has proven more challenging. 

Amidst much fanfare, Mexico adopted its new National Anti-Corruption System in mid-2016.  Many hoped Mexico would seize the opportunity and shortly thereafter pursue significant anti-corruption enforcement.  But key posts within the anti-corruption system remained unfilled, and no significant enforcement ensued.

The Rise of Deepfake Audio Means It’s Time to Revisit Business Email Compromise Scams and Ways to Reduce Risk

by Avi Gesser, Clara Y. Kim, and Thomas Harris-Warrick (The Crypsis Group)

We first wrote about Business Email Compromise (“BEC”) scams in 2015.  Over the last four years, these attacks have continued unabated.  According to the FBI (PDF: 1.77 MB), in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion.  One reason this threat persists is that cybercriminals have used increasingly sophisticated methods to trick companies into wiring money to them instead of the legitimate payee.

Indeed, in a twist on traditional BEC scams, a fraudster recently used AI-based software to mimic the voice of a CEO on the phone, successfully tricking another executive into sending money to a supplier.  The AI was sophisticated enough that it was able to recreate the slight German accent of the CEO such that the executive thought he recognized his CEO’s voice.  With the rise of AI and deepfakes, BEC scams may get harder to detect, so it is worth revisiting the measures companies should consider employing to reduce those risks.

New York’s Shield Act and Related Cybersecurity Requirements

by Maria T. Vullo

Data privacy is a hot topic.  The media seemingly reports on a data breach virtually every day.  Cybersecurity is often referenced as the most significant threat that our country faces.  Indeed, nation states target governments and businesses in order to obtain information and gain leverage in a war that involves a different type of weapon.  At the same time, consumers increasingly are becoming concerned about the use of their private data by businesses that have obtained their information through financial transactions and online purchases.  The big technology companies are facing investigations based on their use, and sale, of private information.  Although there have been a number of highly-publicized data breaches over the last few years, the Equifax data breach, reported in September 2017, attracted significant attention because of the company’s utter failure to employ cybersecurity safeguards and its lack of an incident response plan, which led to legislative hearings, governmental investigations, and private class actions.

With this backdrop, we have seen a proliferation of legislative actions to address data privacy concerns.  The European Union had acted early, with the passage of the General Data Protection Regulation (“GDPR”).[1]   In the U.S., although several proposed statutes have been introduced in Congress, the federal government continues to be plagued by political differences, and thus the states appropriately are responding with new laws to protect their residents.  Last year, California passed the California Consumer Privacy Act (“CCPA”), a particularly broad statute that imposes stringent standards and provides a private right of action for California consumers against companies that have experienced a data breach of their personal information.[2]  Other states followed, including New Jersey and Oregon.  Most recently, New York has joined these other states in enacting data privacy laws to protect the private information of New York residents.[3]

The Problem of Algorithmic Corporate Misconduct

by Mihailis E. Diamantis

Technology will soon force broad changes in how we conceive of corporate liability.  The law’s doctrines for evaluating corporate misconduct date from a time when human beings ran corporations.  Today, breakthroughs in artificial intelligence and big data allow automated systems to make many business decisions like which loans to approve,[1] how high to set prices,[2] and when to trade stock.[3]  As corporate operations become increasingly automated, algorithms will come to replace employees as the leading cause of corporate harm.  The law is not equipped for this development.  Rooted in an antiquated paradigm, the law presently identifies corporate misconduct with employee misconduct.  If it continues to do so, the inevitable march of technological progress will increasingly immunize corporations from most civil and criminal liability.

Planning for a Gathering Storm: Ransomware Preparation and Response

By Marshall L. Miller and Adam Sowlati

Ransomware attacks render an organization’s Information Technology systems inoperable or its data inaccessible, unless and until a ransom is paid. According to the FBI, since 2016, an average of 4,000 ransomware attacks have occurred daily, causing over $1 billion in damages annually. And ransomware is reportedly (PDF: 281 KB) growing in sophistication and increasingly targeting organizations. For example, 23 municipalities in Texas were struck last week in a coordinated attack. Companies would be well served by engaging in advance ransomware preparation.

Before an attack, companies should consider prophylactic preparatory steps, such as implementing reliable processes that back up IT systems and critical data to reduce ransomware exposure, securing cyber liability insurance to cover costs associated with significant ransomware incidents, and implementing incident response plans that include effective elevation procedures and account for the unique challenges of a ransomware attack. Fostering pre-attack relationships with law enforcement can also pay dividends, providing swift access to resources, intelligence, and experience to assist investigation and remediation.

UK Serious Fraud Office Publishes Corporate Co-operation Guidance

By Stephen Pollard, Christopher David, Lloyd Firth, and Leila Gaafar

On 6 August 2019, the UK Serious Fraud Office (‘SFO’) published Corporate Co-operation Guidance (‘Guidance’)[1].  This Guidance is designed to assist companies considering whether to self-report corporate wrongdoing to the SFO and, if so, how to achieve maximum co-operation credit to help avoid prosecution, or be offered the opportunity to enter into a Deferred Prosecution Agreement (‘DPA’).  In doing so, it clarifies the SFO’s position on various key investigative themes, including: data gathering and production; the company’s dealings with individual witnesses and suspects; and the implications of asserting legal professional privilege (‘Privilege’) over witness accounts obtained during an internal investigation.