National Institute of Standards and Technology Releases Privacy Framework To Help Companies Address Privacy Risks

by Jonathan G. Cedarbaum

On January 16, the Commerce Department’s National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework: A Tool for Privacy Through Enterprise Risk Management. The product of a two-year consultation process with private- and public-sector stakeholders, the Privacy Framework sets out a group of voluntary standards and methods to help companies of all sizes in (i) “[t]aking privacy into account as they design and deploy systems, products, and services that affect individuals”; (ii) “[c]ommunicating about their privacy practices”; and (iii) “[e]ncouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)” personnel in the “achievement of [privacy] outcomes.” The Framework is thus intended to assist companies in “[b]uilding customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole”; “[f]ulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment”; and “[f]acilitating communication about privacy practices with individuals, business partners, assessors, and regulators.”

Comparing French and U.K. Guidance on Corporate Cooperation to U.S. Practices

by Keith D. Krakaur, Ryan D. Junck, Gary DiBianco, Elizabeth Robertson, Christopher Bolyai, Margot Sève, Vanessa K. McGoldrick, and Molly Brien

On June 27, 2019, the French Financial Prosecutor (“PNF”) and the French Anticorruption Agency (“AFA”) published joint guidelines regarding the legal framework governing French DPAs (“CJIPs”) that address the conditions necessary for companies to be considered for a CJIP, including expectations for cooperation during an investigation (“French CJIP Guidance”).[1] On August 6, 2019, the U.K. Serious Fraud Office (“SFO”) published Corporate Co-operation Guidance (“U.K. Co-operation Guidance”) as part of the SFO Operational Handbook, detailing the steps companies are expected to undertake to obtain cooperation credit.

Both sets of guidance demonstrate further alignment of those jurisdictions’ deferred prosecution agreement (“DPA”) regimes with long-standing practices in the U.S., albeit with some notable areas of divergence.

Do Shareholder Lawsuits Deter Insider Trading? Evidence from Universal Demand Laws

by Binay K. Adhikari, Anup Agrawal, and Bina Sharma

Does insider trading regulation actually deter insider trading? This is an unsettled question, on which prior empirical findings have been mixed. One set of studies finds that insider trading regulations have been effective in reducing the frequency and profitability of opportunistic trades,[1] while several other studies cast doubt on the efficacy of regulations.[2] Why do studies disagree on this question? A possible reason is the difficulties inherent in evaluating the effects of regulation on insider trading. These difficulties fall into two main categories: First, most modern insider trading laws in the United States are adopted at the federal level[3] and are designed to affect all firms at the same time. That makes it difficult to tell whether any changes in insider trading are due to the law or some other contemporaneous event. Second, a decrease in insider trading after the passage of a stricter law or an increase in enforcement can either be an effect of such action or simply a return to a more normal level of insider trading after an elevated period that led to the law being passed. Perhaps recognizing these issues, Utpal Bhattacharya concludes his extensive review of the insider trading literature with the verdict, “[w]e need methodologies (such as natural experiments) to evaluate the efficacy of current and future insider trading rules.”[4]

Is The Fraud Section Going All In On Commodities Cases?

by Aitan Goelman

On May 6, 2010, in what became known as the “Flash Crash,” the Dow fell almost 10% before recovering much of that loss within an hour. Years later, a whistleblower who had analyzed market data (but had no inside knowledge himself) filed a report with the CFTC identifying a market participant in the S&P 500 E-Mini as a major cause of the Flash Crash.[1] The CFTC investigated and identified this actor as Nav Sarao, a trader who had been spoofing the market from the basement of his mother’s flat in suburban London. Determining that this was likely a criminal violation of the new anti-spoofing section of the Commodity Exchange Act (“CEA”),[2] the CFTC brought in the Fraud Section of the U.S. Department of Justice’s (“DOJ’s”) Criminal Division. The Fraud Section (and the CFTC) pursued the investigation with vigor, and in April 2015, Mr. Sarao, whom the British tabloids subsequently nicknamed the “Hound of Hounslow,” was arrested by Scotland Yard. Sarao ultimately pleaded guilty and agreed to cooperate with U.S. authorities.

FTC Discusses Management and Board Roles as Core Elements of Revised Data Breach Enforcement Model

by Andrew R. Brownstein, Steven A. Rosenblum, John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors

In a blog post published this week, the Director of the FTC’s Consumer Protection Bureau detailed recent changes to the FTC’s baseline approach to remedial orders in data breach enforcement actions. The changes were spurred in part by a 2018 Court of Appeals decision that found an FTC order’s requirement that a company implement “reasonable” data security measures to have been too vague to be enforceable. The FTC has reworked its routine enforcement practice to ensure that remedial data security orders include significantly greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

The SEC’s Enforcement Network

by Verity Winship

What do the Hampshire Constabulary, Texas Railroad Commission, City of Chicago, and the FBI have in common? One answer is that the U.S. Securities and Exchange Commission thanked each of them for assisting the agency in a securities enforcement action. My article, Enforcement Networks, takes advantage of this routine practice to develop a novel approach to quantifying how networks of domestic and international agencies coordinate in civil enforcement. It maps agency coordination through more than 20 years of SEC acknowledgments.

The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 Million GDPR Fine for Poor Customer Authentication

by Avi Gesser, Daniel Forester, Will Schildknecht, Jennifer Leather, and Dr. Carolin Raspé (Hengeler Mueller)

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests. But how do you know that the person making the request is actually who they say they are? As we have previously noted on Davis Polk’s Cyber Blog, significant amounts of personal information are publicly available as a result of major data breaches, and that stolen data can be used to make fraudulent access requests. So, how can a company avoid turning a good-faith effort to comply with its GDPR or CCPA access rights obligations into a privacy violation by unknowingly providing the personal information of customer X to someone pretending to be customer X? A recent GDPR enforcement action in Germany, as well as guidance from German and California regulators, shows that companies must exercise diligence in making sure that they have properly authenticated the data subject who is making the access request.

DOJ Announces Revised Export Control and Sanctions Enforcement Policy for Companies, Including Financial Institutions

by H. Christopher Boehning, Jessica S. Carey, Christopher D. Frey, Michael E. Gertzman, Roberto J. Gonzalez, Brad S. Karp, Mark F. Mendelsohn, Richard S. Elliott, Karen R. King, and Anand Sithian

On December 13, the U.S. Department of Justice’s (“DOJ”) National Security Division (“NSD”) announced a new policy designed to encourage business organizations to make voluntary self-disclosures (“VSDs”) to the DOJ in connection with potentially willful export control and economic sanctions violations (the “Revised VSD Policy”).[1] The policy, which only applies to voluntary self-disclosures to NSD’s Counterintelligence and Export Control Section (“CES”), revises a 2016 DOJ policy on the same topic. As the policy notes, in the export control and sanctions context, criminal violations require proof of willfulness, defined as knowledge that the conduct violated the law.[2]

What the Last Year of Cyber Enforcement Tells Us About the FTC’s Compliance Expectations

by Avi Gesser and Molly O’Malley Clarke

With 2019 coming to a close, we wanted to take a look at what can be learned from the FTC’s cybersecurity enforcement actions this year. As we have previously noted, the FTC came under criticism last year in the LabMD decision for not providing companies with sufficient clarity as to what it expects in terms of their cybersecurity measures. So we thought it would be helpful to see if the FTC’s cybersecurity settlements in 2019 provide any guidance for what the FTC believes companies should (and should not) be doing to protect consumer data.

The EPPO and International Co-Operation –– New Kid on the Block

by Karolos Seeger, Jane Shvets, Robin Lööf, Alma M. Mozetič, Martha Hirst, Antoine Kirry, Alexandre Bisch, Ariane Fleuriot, Dr. Thomas Schürrle, Dr. Friedrich Popp, Dr. Oliver Krauß

The European Public Prosecutor’s Office (“EPPO”) is a new European Union body responsible for investigating and prosecuting criminal offences affecting the EU’s financial interests in 22 of its 28 Member States.[1] The EPPO is expected to begin investigations in November 2020.

Fraud against the financial interests of the EU is an international phenomenon: in 2018, the European Anti-Fraud Office (“OLAF”) concluded 84 investigations into the use of EU funds, 37 of which concerned countries outside the EU.[2] In this part of our series of analyses of the EPPO[3] we, therefore, consider the framework for the EPPO’s future international co-operation. This includes dealings with enforcement authorities in non-participating EU Member States as well as the rest of the world.