Protections for whistleblowers from overly expansive non-disclosure agreements (NDAs) aimed at preventing whistleblowers from providing information to law enforcement and regulators have been expanding exponentially in the past year. The Securities and Exchange Commission’s (SEC) enforcement of Rule 21F-17(a) has gained teeth by increasing the monetary sanctions for enforcement. The Commodity Futures Trading Commission (CFTC) took its first enforcement of Regulation 165.19(b) against Trafigura for the use of NDAs meant to silence whistleblowers. The latest agency to take action against overly expansive NDAs is the Consumer Financial Protection Bureau (CFPB), which has announced that their employee protection regulation applies to NDAs that seek to silence whistleblowers.
PCCE to Host Senior DOJ Officials on September 17th to Discuss Newly-Announced Whistleblower Program
On September 17th, 2024, the Program on Corporate Compliance and Enforcement will host U.S. Department of Justice officials Nicole Argentieri and Brent Wible as well as other experts for a discussion on the Department of Justice’s newly-announced whistleblower pilot program.
After PDAAG Argentieri’s remarks, Brent Wible will engage in a moderated fireside chat and will be taking questions from the audience.
Following remarks and the fireside chat, there will be a moderated panel discussion by a panel of experts in corporate enforcement, compliance, and whistleblower programs from both the private sector and government. Panelists include:
- Jane Norberg, Partner, Arnold & Porter LLP
- Preston Pugh, Partner, Crowell & Moring LLP
- Daniel Richman, Paul J. Kellner Professor of Law, Columbia Law School
- Max Rodriquez, Principal and Founder, Law Office of Max Rodriguez
- Andrew Weissman, Professor of Practice, NYU School of Law
The event will be in-person only at NYU School of Law. Check-in will open at 5:30 pm. The program will begin 6 PM in Lipton Hall at 108 W 3rd Street, Lower Level, New York NY 10012. There will be a reception following the event from 8:00 – 8:30 PM.
Pre-registration is required to attend. Click here to register. We expect that 2 credits of NY CLE will be offered for attendees who sign in and out at the venue.
We look forward to seeing you!
Where’s the Beef? Demonstrating “Timely & Appropriate” Remediation
by Jonny Frank, Michele Edwards, and Christopher Hoyle
This article is part 4 in a series on remediation. Read part 1 on Root Cause Analysis here, part 2 on Read Across and Remediation here, and part 3 on Corrective Action Plans here.
Organizations seeking credit for “timely and appropriate” remediation under the DOJ’s Corporate Enforcement Policy (“CEP”) must show they conducted a comprehensive root cause analysis, addressed the root cause findings, and implemented an effective compliance program.[1] Additional guidance on DOJ expectations appears in Criminal Division memos on the evaluation of compliance programs,[2] and the selection of corporate compliance monitors.[3] The SEC has similar expectations.[4]
Building on our discussion of Root Cause Analysis (“RCA”), Similar Misconduct, and Timely and Effective Corrective Action Plans, this article suggests key steps to demonstrate the remediation and compliance program effectiveness to the board, prosecutors, regulators and other stakeholders.
Risks of Cross Border Operations: Chiquita Brands International Found Liable for Financing Terrorism
by Timothy Harkness, Peter Linken, Scott Eisman, and Maylin Meisenheimer
Doing business in conflict zones has always been complicated. Increased litigation has compounded those risks in recent years. A June 2024 federal jury verdict against Chiquita Brands International illustrates the changing legal landscape. The jury in Florida found Chiquita liable for financing Autodefensas Unidas de Colombia (“AUC”), a Colombian paramilitary group, and awarded a bellwether group of plaintiffs $38.3 million in damages. A second bellwether trial against Chiquita is scheduled for later this year, and thousands of related claims against Chiquita remain pending. Although the Chiquita litigation has spanned almost two decades, this jury verdict represents the first liability determination and paves the way for the second bellwether trial and eventual resolution of all pending claims. As each plaintiff was awarded around $2 million, Chiquita could be facing hundreds of millions of dollars in damages as the broader litigation includes vastly more victims.
The Chiquita verdict is a signal to corporations that U.S. courts may be more willing to find them liable for actions that occurred abroad and that plaintiffs may increasingly choose to file these claims in U.S. courts. In Chiquita, the alleged actions took place in Colombia and the claims at issue were brought under Colombian law, but this is just one example among many. In Kaplan v. Lebanese Canadian Bank, for example, the Second Circuit held that the plaintiffs plausibly pleaded that Lebanese Canadian Bank had aided and abetted acts of international terrorism under the Antiterrorism Act (“ATA”) by alleging that the bank had processed transactions in Lebanon for individuals closely affiliated with Hezbollah. As companies weigh the risks of doing business abroad and how best to structure their operations, this verdict should be at the forefront of their minds.
DOJ Launches New Whistleblower Incentive Program
by Kevin Chambers, Terra Reynolds, Douglas K. Yatter, and Lilia B. Vazova
DOJ’s pilot program aims to fill gaps in existing federal whistleblower programs and incentivize prompt corporate self-disclosure alongside individual whistleblower tips.
Following the March 2024 announcement of its intention to introduce a new corporate whistleblower incentive program, on August 1, 2024, the Department of Justice (DOJ) launched a three-year pilot program for rewarding whistleblowers who alert DOJ to significant corporate misconduct. DOJ’s new program, modeled after whistleblower programs run by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Financial Crimes Enforcement Network (FinCEN), may generate a significant number of tips about potential misconduct and adds an important new dimension for companies’ compliance measures and handling of investigations.
The EU AI Act is Officially Passed – What We Know and What’s Still Unclear
by Avi Gesser, Matt Kelly, Robert Maddox, and Martha Hirst
The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law; it will come into effect on 1 August 2024. Most of the substantive requirements will come into force two years later, from 1 August 2026, with the main exception being “Prohibited” AI systems, which will be banned from 1 February 2025.
Despite initial expectations of a sweeping and all-encompassing regulation, the final version of the Act reveals a narrower scope than some initially anticipated.
The Supreme Court’s Business Docket: October Term 2023 in Review
by John F. Savarese, Kevin S. Schwartz, Noah B. Yavitz, Adam L. Goodman, and Akua Abu
In early July, the Supreme Court concluded its most consequential Term in years, with a flood of decisions on contentious issues ranging from abortion access to the regulation of social media companies and gun possession to presidential immunity. The Court’s business docket was no less active. While the Consumer Financial Protection Bureau narrowly survived a constitutional challenge to its funding mechanism, the Court’s conservative majority elsewhere struck body blows to the administrative state—including the long-anticipated reversal of the Chevron doctrine of judicial deference to agency interpretation of ambiguous statutes. Beyond this headline-grabbing showstopper, the Court issued a string of commercially significant decisions, affecting bankruptcy, arbitration, securities, and employment law. We summarize below the key business decisions from this Term and flag a few key cases to watch in the coming Term.
SEC Releases New Guidance on Material Cybersecurity Incident Disclosure
by Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob
On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs. While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.
Cyber Experts React to Court Decision in the SEC’s SolarWinds Enforcement Action
Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.
FinCEN Requires Reporting From Dissolved Companies
by Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz
On July 8, 2024, the Financial Crimes Enforcement Network (“FinCEN”) issued interpretive guidance explaining that the beneficial ownership information (“BOI”) reporting requirement applies to certain legal entities that have been dissolved or otherwise ceased to exist after January 1, 2024. This new guidance dramatically expands the reporting requirement under the Corporate Transparency Act (“CTA”) and raises significant issues regarding compliance and liability for noncompliance.
The new guidance is effective immediately. Persons who own or manage entities that will dissolve in 2024, or have already dissolved this year—or which were not dissolved irrevocably—should review the guidance to determine their reporting obligations.