2022 Year-end False Claims Act Update

by Jonathan Phillips, Winston Chan, John Partridge, James Zelenay,Reid Rector, Michael Dziuban, Chelsea Knudson, Blair Watler, John Turquet Bravard, Ben Gibson, Julien Jabari, Wynne Leahy, Jose Madrid, Nick Perry, Kelsey Stimson, Adrienne Tarver, and Chumma Tum

Top row left to right: Jonathan Phillips, Winston Chan, John Partridge, James Zelenay Middle row left to right: Chelsea Knudson, Michael Dziuban, Blair Watler, Julien Jabari Bottom row left to right: Ben Gibson, Reid Rector, Nick Perry, John Turquet Bravard

A dull year is rare when it comes to the False Claims Act (FCA), but this last year was exceptional by any standard. In the last twelve months, the Supreme Court decided to take up two different issues under the FCA, while the Department of Justice (DOJ) announced, yet again, billions in recoveries and nearly a thousand new FCA cases, a new record.

DOJ’s $2.2 billion in recoveries during FY 2022 marked the fourteenth straight year where recoveries exceeded $2 billion, dating back to 2008. But even more notable than the dollar amount was the sheer volume of FCA activity. DOJ obtained its recoveries from the second-highest number of settlements in history, and there were more new FCA matters initiated in FY 2022 than in any prior year, meaning the pipeline of FCA lawsuits is very full.

Continue reading →

PCCE Welcomes Two New Members of Its Board of Advisors

The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is delighted to announce that Maria Douvas and Michael Ferrara, two former federal prosecutors with vast experience in compliance and enforcement matters, have joined PCCE’s Board of Advisors.

Photos of the new advisory board members

From left to right: Maria Douvas and Mike Ferrara

Continue reading →

Beyond Howey: How the SEC’s Reach Over Digital Assets Extends Further Than Just Initial Coin Offerings

by Ijeoma Okoli

Ijeoma Okoli

On January 12, 2023, the U.S. Securities and Exchange Commission (the “SEC”) unveiled charges against two large, well-known participants in the crypto sector, Gemini Trust Company, LLC (“Gemini”) and Genesis Global Capital, LLC (“Genesis”) and accused them of engaging in a multi-billion dollar unregistered offer and sale of securities to retail investors in the form of Gemini Earn, a crypto lending program, between February 2021 and November 2022.[1] The SEC’s action came three months after both firms paused customer withdrawals, effectively trapping funds of retail and institutional investors alike with no indication as to whether customers will ever be able to recoup their funds. A few days after the SEC unveiled charges against Gemini and Genesis, Genesis filed for bankruptcy under Chapter 11 of the United States Bankruptcy Code,[2] effectively ending a once lucrative form of capital raising in the crypto sector as other major competitors had already either run into bankruptcy trouble themselves in 2022 and/or had been previously subject to SEC enforcement actions.

Continue reading →

Your Vendor’s Been Hacked. Is Your Company’s Data at Risk?

by Kristy J. Greenberg

Kristy J. Greenberg

The “Target hack” was a bit of a misnomer.

During the 2013 holiday shopping season, a hacker known as “Profile 958” stole the credit and debit card information of more than 110 million of Target’s customers. But Target was not the entry point. Instead, Profile 958 attacked Fazio Mechanical Services (“Fazio”), a Pittsburgh-based HVAC company. Fazio had provided refrigeration services to Target and obtained access to Target’s systems for electronic billing.

That was Profile 958’s way into a major Fortune 50 corporation – through a privately-held heating company with about 125 employees.

Continue reading →

Does Your Company Need a ChatGPT Policy? Probably.

by Megan Bannigan, Avi Gesser, Henry Lebowitz, Anna Gressel, Michael R. Roberts, Melissa Muse, Benjamin Leb, Jarrett Lewis, Lex Gaillard, and ChatGPT

Top row left to right: Megan Bannigan, Avi Gesser, Henry Lebowitz, and Anna Gressel
Bottom row left to right: Michael R. Roberts, Melissa Muse, Benjamin Leb, and Jarrett Lewis

ChatGPT is an AI language model developed by OpenAI that was released to the public in November 2022 and already has millions of users. While most people were initially using the publicly available version of ChatGPT for personal tasks (e.g., generating recipes, poems, workout routines, etc.) many have started to use it for work-related projects. In this Debevoise Data Blog post, we discuss how people are using ChatGPT at their jobs, what are the associated risks, and what policies companies should consider implementing to reduce those risks.

Continue reading →

DOJ and FinCEN Take Coordinated Action Against Bitzlato Cryptocurrency Exchange and Its Owner

by Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, David Kessler, and Simona Xu.

From left to right: Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, David Kessler, and Simona Xu.

On January 18, 2023, federal authorities in Miami arrested Anatoly Legkdymov, founder and majority owner of Bitzlato Ltd, a peer-to-peer, global cryptocurrency exchange registered in Hong Kong. Bitzlato had processed approximately $4.58 billion worth of cryptocurrency transactions since May 3, 2018.[1] Legkdymov was charged by a complaint in the Eastern District of New York (“EDNY”) with knowingly conducting a money transmitting business that transmitted illicit funds for ransomware actors in Russia and failing to implement an effective anti-money-laundering (“AML”) program. On the same day, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued an order pursuant to Section 9714(a) of the Combating Russian Money Laundering Act[2] — the first one of its kind — identifying Bitzlato as a “primary money laundering concern” and prohibiting U.S. financial institutions from transacting with Bitzlato, effective on February 1, 2023 (the “Bitzlato Order”).[3] Concurrently, law enforcement authorities in Europe shut down Bitzlato’s digital platform, hosted on servers in France, seized $19.5 million of its cryptocurrency assets and arrested four more Bitzlato executives in Cyprus and Spain.[4]

Continue reading →

Does the Foreign Sovereign Immunities Act bar prosecution of sovereign owned enterprises? The Supreme Court’s disposition of this thorny issue may create mischief

by Frederick T. Davis

Fred Davis

Sovereign Owned Enterprises, or “SOEs,” are commercially active businesses that are owned by foreign governments. A UN agency estimates that they account for about ten percent of global economic activity. As they become increasingly active in international business in competition with privately owned or publicly traded companies, they risk prosecution if their activities violate criminal laws. On January 17, 2023, the Supreme Court heard oral argument on a case that presented a radical possibility: that SOEs are immune from any prosecution in the United States. The case is complex, and the issues pending before the Court consequential. No clear outcome emerged from the briefing and argument, and the most likely alternative dispositions could lead to untoward results.

Continue reading →

The Arrival of 2023 U.S. State Privacy Laws – Part 2: Colorado Update

by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Alessandra G. Masciandaro, and Ned Terrace

The figure provides photos of the authors

From left to right: Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act.

This post addresses the timeline for COAG rulemaking and the current proposed rules relating to (1) new responsibilities for controllers related to consumer rights, (2) privacy notices, (3) universal opt-out mechanisms, (4) consent for processing sensitive data, (5) biometric data, (6) data minimization, (7) data protection assessments, and (8) profiling. Companies subject to ColoPA should review their practices to ensure compliance before ColoPA’s July 1, 2023 effective date.

Continue reading →

California AG Announces Investigative Sweep of Mobile Applications for CCPA Compliance

by Kirk Nahra, Ali Jessani, and Genesis Ruano

From left to right: Kirk Nahra and Ali Jessani

In a press release on January 27, 2023, California Attorney General (“California AG”) Rob Bonta announced an investigative sweep focused on mobile applications’ compliance under the California Consumer Privacy Act (CCPA), particularly with respect to effective processing of opt-out provisions. Attorney General Bonta noted that his office “is working tirelessly to make sure that businesses recognize and process consumers’ opt-out requests,” reaffirming the office’s commitment to enforcement of CCPA opt-out provisions. To date, the California AG has sent investigative letters to businesses in the retail, travel, and food service industries, which control mobile apps that allegedly have failed to comply with the CCPA.

This press release from the California AG’s office comes at a time when the CCPA has recently been amended (and expanded) by the California Privacy Rights Act (CPRA) and when the California AG shares concurrent enforcement authority over the new law with the newly formed California Privacy Protection Agency (CPPA). The CPPA has been in the process of developing and finalizing rules for the CPRA, and neither the CPPA nor the California AG’s office can enforce the new provisions of the CPRA until July 1, 2023 (and only then for violations that occur after that date). Still, businesses should be aware that the CCPA is still in effect until that time and that the California AG is actively enforcing the law.

We have summarized key provisions from the press release and outlined potential compliance steps for businesses to consider as part of their CCPA/CPRA compliance programs. We are happy to answer any specific questions you may have.

Continue reading →

NYDFS Monitorships: Is There an Emerging Trend?

by Matthew L. Levine

Matthew L. Levine

In 2012, the New York State Department of Financial Services (DFS) made a regulatory splash when it imposed a two-year monitorship on Standard Chartered Bank as part of an enforcement action.[1] One commentator noted that the DFS settlement with Standard Chartered had “upended the regulatory dynamics of the international banking world” with this “staggering” resolution.[2]

Following the Standard Chartered matter, between 2012 and 2018, the agency imposed more than a dozen monitorships on large regulated entities.[3] One by one these monitorships were wound down, and most concluded by 2019 or 2020, having achieved remedial or investigative purposes. (One exception was an expiring monitorship imposed on Deutsche Bank for anti-money laundering compliance failures, which was extended twice, once in 2017 and again in 2019.)[4]

Notably, over the last year, DFS has imposed or threatened to institute a monitor in several enforcement actions, as a result of the agency’s view that the subject entities had permitted development of serious compliance deficiencies. This occurrence has led to speculation that monitorships are once again becoming a regular feature of DFS settlements. A closer look at these enforcement actions suggests that conclusion is, for now, tentative.

Continue reading →