Where’s the Beef? Demonstrating “Timely & Appropriate” Remediation

by Jonny Frank, Michele Edwards, and Christopher Hoyle

photos of the authors

Left to right: Jonny Frank, Michele Edwards and Christopher Hoyle. Photos courtesy of StoneTurn Group, LLP.

This article is part 4 in a series on remediation. Read part 1 on Root Cause Analysis here, part 2 on Read Across and Remediation here, and part 3 on Corrective Action Plans here.

Organizations seeking credit for “timely and appropriate” remediation under the DOJ’s Corporate Enforcement Policy (“CEP”) must show they conducted a comprehensive root cause analysis, addressed the root cause findings, and implemented an effective compliance program.[1] Additional guidance on DOJ expectations appears in Criminal Division memos on the evaluation of compliance programs,[2] and the selection of corporate compliance monitors.[3] The SEC has similar expectations.[4]

Building on our discussion of Root Cause Analysis (“RCA”), Similar Misconduct, and Timely and Effective Corrective Action Plans, this article suggests key steps to demonstrate the remediation and compliance program effectiveness to the board, prosecutors, regulators and other stakeholders.   

Continue reading

Risks of Cross Border Operations: Chiquita Brands International Found Liable for Financing Terrorism

by Timothy Harkness, Peter Linken, Scott Eisman, and Maylin Meisenheimer

photos of the authors

From left to right: Timothy Harkness, Peter Linken, Scott Eisman and Maylin Meisenheimer (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

Doing business in conflict zones has always been complicated. Increased litigation has compounded those risks in recent years. A June 2024 federal jury verdict against Chiquita Brands International illustrates the changing legal landscape. The jury in Florida found Chiquita liable for financing Autodefensas Unidas de Colombia (“AUC”), a Colombian paramilitary group, and awarded a bellwether group of plaintiffs $38.3 million in damages. A second bellwether trial against Chiquita is scheduled for later this year, and thousands of related claims against Chiquita remain pending. Although the Chiquita litigation has spanned almost two decades, this jury verdict represents the first liability determination and paves the way for the second bellwether trial and eventual resolution of all pending claims. As each plaintiff was awarded around $2 million, Chiquita could be facing hundreds of millions of dollars in damages as the broader litigation includes vastly more victims.

The Chiquita verdict is a signal to corporations that U.S. courts may be more willing to find them liable for actions that occurred abroad and that plaintiffs may increasingly choose to file these claims in U.S. courts. In Chiquita, the alleged actions took place in Colombia and the claims at issue were brought under Colombian law, but this is just one example among many. In Kaplan v. Lebanese Canadian Bank, for example, the Second Circuit held that the plaintiffs plausibly pleaded that Lebanese Canadian Bank had aided and abetted acts of international terrorism under the Antiterrorism Act (“ATA”) by alleging that the bank had processed transactions in Lebanon for individuals closely affiliated with Hezbollah. As companies weigh the risks of doing business abroad and how best to structure their operations, this verdict should be at the forefront of their minds.

Continue reading

DOJ Launches New Whistleblower Incentive Program

by Kevin ChambersTerra ReynoldsDouglas K. Yatter, and Lilia B. Vazova

Photos of authors.

From left to right: Kevin Chambers, Terra Reynolds, Douglas K. Yatter, and Lilia B. Vazova. (Photos courtesy of Latham & Watkins LLP)

DOJ’s pilot program aims to fill gaps in existing federal whistleblower programs and incentivize prompt corporate self-disclosure alongside individual whistleblower tips.

Following the March 2024 announcement of its intention to introduce a new corporate whistleblower incentive program, on August 1, 2024, the Department of Justice (DOJ) launched a three-year pilot program for rewarding whistleblowers who alert DOJ to significant corporate misconduct. DOJ’s new program, modeled after whistleblower programs run by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Financial Crimes Enforcement Network (FinCEN), may generate a significant number of tips about potential misconduct and adds an important new dimension for companies’ compliance measures and handling of investigations.

Continue reading

The EU AI Act is Officially Passed – What We Know and What’s Still Unclear

by Avi Gesser, Matt KellyRobert Maddox, and Martha Hirst 

Photos of authors.

From left to right: Avi Gesser, Matt Kelly, Robert Maddox, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law; it will come into effect on 1 August 2024. Most of the substantive requirements will come into force two years later, from 1 August 2026, with the main exception being “Prohibited” AI systems, which will be banned from 1 February 2025.

Despite initial expectations of a sweeping and all-encompassing regulation, the final version of the Act reveals a narrower scope than some initially anticipated.

Continue reading

The Supreme Court’s Business Docket: October Term 2023 in Review

by John F. Savarese, Kevin S. Schwartz, Noah B. Yavitz, Adam L. Goodman, and Akua Abu

Photos of the authors

Left to right: John F. Savarese, Kevin S. Schwartz, Noah B. Yavitz, Adam L. Goodman, and Akua F. Abu. (Photos courtesy of the authors)

In early July, the Supreme Court concluded its most consequential Term in years, with a flood of decisions on contentious issues ranging from abortion access to the regulation of social media companies and gun possession to presidential immunity. The Court’s business docket was no less active. While the Consumer Financial Protection Bureau narrowly survived a constitutional challenge to its funding mechanism, the Court’s conservative majority elsewhere struck body blows to the administrative state—including the long-anticipated reversal of the Chevron doctrine of judicial deference to agency interpretation of ambiguous statutes. Beyond this headline-grabbing showstopper, the Court issued a string of commercially significant decisions, affecting bankruptcy, arbitration, securities, and employment law. We summarize below the key business decisions from this Term and flag a few key cases to watch in the coming Term.

Continue reading

SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

by Eric T. JuergensErez LiebermannBenjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob

Photos of authors.

Top left to right: Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Anna Moody, Kelly Donoghue, and John Jacob. (Photos courtesy of Debevoise & Plimpton LLP)

On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs.  While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.

Continue reading

Cyber Experts React to Court Decision in the SEC’s SolarWinds Enforcement Action

Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.

Photos of the authors

Top left to right: Randal Milch, Judy Titera, James Haldin, and Alan Wilson. Bottom left to right: Matthew Beville, Elizabeth Roper, and Jerome Tomas. (Photos courtesy of authors)

Continue reading

FinCEN Requires Reporting From Dissolved Companies

by Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz

Photos of the authors.

From left to right: Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz. (Photos courtesy of Mayer Brown LLP)

On July 8, 2024, the Financial Crimes Enforcement Network (“FinCEN”) issued interpretive guidance explaining that the beneficial ownership information (“BOI”) reporting requirement applies to certain legal entities that have been dissolved or otherwise ceased to exist after January 1, 2024. This new guidance dramatically expands the reporting requirement under the Corporate Transparency Act (“CTA”) and raises significant issues regarding compliance and liability for noncompliance.

The new guidance is effective immediately. Persons who own or manage entities that will dissolve in 2024, or have already dissolved this year—or which were not dissolved irrevocably—should review the guidance to determine their reporting obligations.

Continue reading

It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 1): A Fresh Look at Letters of Assurance Used to Bolster Sanctions and Export Controls Compliance

by Brent Carlson and Michael Huneke

photos of the authors

Left to right: Brent Carlson and Michael Huneke (Photos courtesy of the authors)

“The world has changed. And we must change with it.” So stated Assistant Secretary of Commerce for Export Enforcement Matt Axelrod at a recent summit in California.[1] This simple statement reflects the increasingly complex challenges companies now face in navigating export controls and sanctions in a world driven by new geopolitical realities.

These challenges call into questions past assumptions about compliance programs. The foundation of a robust compliance program starts with the reliability of the inputs relied upon to make informed, risk-based decisions. In the halcyon days of the post-Cold War era, export controls took on an administrative character. In that environment, certifications from counterparties—themselves the targets of the due diligence—were taken largely at face value. Yet today passive reliance, without more, carries profound risks because export controls and sanctions enforcement has already become more of a white-collar corporate enforcement environment driven by Russia’s continued ability to secure U.S.-brand microelectronics (both legacy and new production). Certifications alone accordingly may not be worth the paper they are written on—or the pixels of which they are made—especially when other data includes “red flags” that cast doubt on certifications’ veracity.

Continue reading

Treasury’s Report on AI (Part 2) – Managing AI-Specific Cybersecurity Risks in the Financial Sector

by Avi Gesser, Erez Liebermann, Matt Kelly, Jackie Dorward, and Joshua A. Goland

Photos of authors.

Top: Avi Gesser, Erez Liebermann, and Matt Kelly. Bottom: Jackie Dorward and Joshua A. Goland (Photos courtesy of Debevoise & Plimpton LLP)

This is the second post in the two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”).

In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s assessment of AI-enhanced cybersecurity risks, as well as the risks of attacks against AI systems, and offer guidance on how financial institutions can respond to both types of risks.

Continue reading