Tag Archives: Marshall L. Miller

The 2020 FCPA Resource Guide Update: A Window into Today’s Enforcement of the FCPA

by Marshall L. Miller, Sean Hecker, Jenna M. Dabbs, and Ana Frischtak

The Foreign Corrupt Practices Act is unique among U.S. criminal statutes in many ways—not least of which is the degree to which its primary enforcers, the Department of Justice and the Securities and Exchange Commission, provide legal and policy guidance as to its scope and application, primarily through the Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Guide”). On Friday, July 3, DOJ and the SEC issued a Second Edition of this key compendium, providing insight into the government’s continually developing approach to enforcing this far-reaching statute.

The eight years since the Guide’s initial publication in 2012 have witnessed critical developments in FCPA case law, enforcement policy, and DOJ and SEC practice, with the new edition of the Guide reflecting those developments. And while the Second Edition does not contain unexpected new pronouncements, it provides practitioners with a window into DOJ and SEC thinking, including their approaches to thorny enforcement challenges and recurring fact patterns.


FTC Discusses Management and Board Roles as Core Elements of Revised Data Breach Enforcement Model

by Andrew R. Brownstein, Steven A. Rosenblum, John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors

In a blog post published this week, the Director of the FTC’s Consumer Protection Bureau detailed recent changes to the FTC’s baseline approach to remedial orders in data breach enforcement actions. The changes were spurred in part by a 2018 Court of Appeals decision that found an FTC order’s requirement that a company implement “reasonable” data security measures to have been too vague to be enforceable. The FTC has reworked its routine enforcement practice to ensure that remedial data security orders include significantly greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.


Planning for a Gathering Storm: Ransomware Preparation and Response

By Marshall L. Miller and Adam Sowlati

Ransomware attacks render an organization’s Information Technology systems inoperable or its data inaccessible, unless and until a ransom is paid. According to the FBI, since 2016, an average of 4,000 ransomware attacks have occurred daily, causing over $1 billion in damages annually. And ransomware is reportedly growing in sophistication and increasingly targeting organizations. For example, 23 municipalities in Texas were struck last week in a coordinated attack. Companies would be well served by engaging in advance ransomware preparation.

Before an attack, companies should consider prophylactic preparatory steps, such as implementing reliable processes that back up IT systems and critical data to reduce ransomware exposure, securing cyber liability insurance to cover costs associated with significant ransomware incidents, and implementing incident response plans that include effective elevation procedures and account for the unique challenges of a ransomware attack. Fostering pre-attack relationships with law enforcement can also pay dividends, providing swift access to resources, intelligence, and experience to assist investigation and remediation.

Preparing for the California Consumer Privacy Act in an Evolving Privacy Landscape

by David A. Katz, Marshall L. Miller, and Zachary M. David

Just a month after the European Union’s General Data Protection Regulation (GDPR) took effect, California enacted the most expansive data privacy law in the United States to date. The California Consumer Privacy Act (CCPA), which is scheduled to go into effect on January 1, 2020, will impose unprecedented data obligations on companies doing business in California, requiring increased data use transparency and the observance of novel consumer data rights. Notwithstanding any GDPR compliance fatigue, companies need to take steps to prepare for compliance with the CCPA.

The CCPA was a hastily crafted legislative package passed to preempt a statewide ballot initiative set to qualify for California’s November 2018 ballot. The initiative—which promised to be even more far-reaching—was withdrawn by its ballot sponsors in exchange for passage of the CCPA. The statute remains a work in progress, with numerous legislative amendments currently under consideration and implementing regulations from the California Attorney General expected this fall.

State-Level Actors on the Frontlines of U.S. Cybersecurity and Data Privacy Regulation and Enforcement

by John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors

While the General Data Protection Regulation (GDPR) significantly expanded the powers of European national data protection authorities in 2018, legislative and enforcement developments in the United States over the last year showcased the growing role and importance of state attorneys general and other state regulators in the realm of cybersecurity and data privacy.

In 2018, California passed a data privacy law akin to the GDPR and enacted legislation addressing internet-based bot activity and security of devices connected to the Internet of Things. With passage of legislation in Alabama in March 2018, all 50 states now have data breach notification laws, with requirements as to notification content, timing, and recipients varying across jurisdictions. And prescriptive cybersecurity regulations promulgated by New York State’s Department of Financial Services continued to take effect in rolling fashion. Absent preemptive legislation at the federal level, where proposals are stalled in Congress, we can expect data protection and privacy laws and regulations to proliferate at the state level, as state legislatures and regulators vie for the mantle of lead cybersecurity enforcer.

DOJ Extends FCPA Corporate Enforcement Policy Principles to Non-FCPA Misconduct Discovered in the M&A Context

by John F. Savarese, Ralph M. Levene, David B. Anders, Marshall L. Miller, and Daniel H. Rosenblum

In an important speech, Deputy Assistant Attorney General Matthew Miner of the Department of Justice’s Criminal Division announced on Thursday that DOJ will “look to” the principles of the FCPA Corporate Enforcement Policy in evaluating “other types of potential wrongdoing, not just FCPA violations” that are uncovered in connection with mergers and acquisitions. As a result, when an acquiring company identifies misconduct through pre-transaction due diligence or post-transaction integration, and then self-reports the relevant conduct, DOJ is now more likely to decline to prosecute if the company fully cooperates, remediates in a complete and timely fashion, and disgorges any ill-gotten gains.

FTC’s Cybersecurity Remedial Authority Limited

by David A. Katz, Marshall L. Miller, and Jonathan Siegel

The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised. LabMD, Inc. v. Federal Trade Commission. The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents.

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.

Maximizing Value and Avoiding Pitfalls when Purchasing Cyber Insurance

by Ian Boczko, Marshall L. Miller, and Timothy C. Sprague

In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.

Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets.

DOJ Applies Principles of FCPA Corporate Enforcement Policy in Other White-Collar Investigations, Increasing Opportunity for Corporate Declinations

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Marshall L. Miller, and Jonathan Siegel

Late last week, the Department of Justice’s Criminal Division announced at an ABA white-collar conference that it has begun using the FCPA Corporate Enforcement Policy as “nonbinding guidance” in other areas of white-collar enforcement beyond the FCPA. As a result, absent aggravating factors, DOJ may more frequently decline to prosecute companies that promptly self-disclose misconduct, fully cooperate with DOJ’s investigation, remediate in a complete and timely fashion, and disgorge any ill-gotten gains. As a first example of this approach, the officials pointed to DOJ’s recent decision to decline charges against Barclays PLC, after the bank agreed to pay back $12.9 million in wrongful profits, following individual charges arising out of a foreign exchange front-running scheme.