The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised. LabMD, Inc. v. Federal Trade Commission (PDF: 548 KB). The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents. Continue reading
Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework (PDF: 1,038 KB) that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors. Continue reading
In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.
Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets. Continue reading
Late last week, the Department of Justice’s Criminal Division announced at an ABA white-collar conference that it has begun using the FCPA Corporate Enforcement Policy (PDF: 51 KB) as “nonbinding guidance” in other areas of white-collar enforcement beyond the FCPA. As a result, absent aggravating factors, DOJ may more frequently decline to prosecute companies that promptly self-disclose misconduct, fully cooperate with DOJ’s investigation, remediate in a complete and timely fashion, and disgorge any ill-gotten gains. As a first example of this approach, the officials pointed to DOJ’s recent decision (PDF: 1,743 KB) to decline charges against Barclays PLC, after the bank agreed to pay back $12.9 million in wrongful profits, following individual charges arising out of a foreign exchange front-running scheme. Continue reading
Yesterday, in keeping with a heightened governmental focus on cybersecurity, as exemplified by the Justice Department’s formation of a new Cyber-Digital Task Force (PDF: 62 KB) earlier this week, the Securities and Exchange Commission announced new guidance on cybersecurity disclosures by public companies (the “Guidance (PDF: 139 KB)”).
Much of the Guidance tracks 2011 interpretive guidance from the SEC’s Division of Corporation Finance and retains a focus on “material” cyber risks and incidents. However, the expanded details and heightened pressure to disclose indicated in the Guidance, along with its issuance by the Commission itself, signal that the SEC expects public companies to consider more detailed disclosure of cyber risks and incidents, and to maintain “comprehensive” policies and procedures in this area. The SEC is also encouraging, though not requiring, forward-leaning approaches, such as with respect to disclosures about the company’s cyber risk management programs and the engagement of the board of directors with management on cybersecurity issues. SEC Chairman Jay Clayton has also directed (PDF: 92 KB) SEC staff to monitor corporate cyber disclosures. Continue reading
In our memo last year, we acknowledged that it was close to impossible to predict the likely impact that the newly elected Trump administration would have on white-collar and regulatory enforcement. (White Collar and Regulatory Enforcement: What to Expect in 2017 (PDF: 240 KB)) Instead, we set out a list of initiatives we urged the new administration to consider, including clarifying standards for when cooperation credit would be given, reducing the use of monitors, and giving greater weight to a company’s pre-existing compliance program when exercising prosecutorial discretion, among other suggestions. While the DOJ under Attorney General Jeff Sessions has, for example, taken some steps toward clarifying the applicable standards for cooperation and increasing incentives to disclose misconduct in the FCPA area, few other policy choices or shifts in approach have been articulated or implemented. Continue reading
In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities. The resulting OCIE Risk Alert (PDF: 310 KB) depicts an industry demonstrating 0heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation. While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC. Continue reading
In an anticipated and important decision, the Second Circuit Court of Appeals overturned a district court’s order requiring the unsealing of an independent monitor’s report detailing HSBC’s compliance with a deferred prosecution agreement. United States v. HSBC Bank USA, N.A. (PDF: 284 KB) (Nos. 16-308, 16- 353, 16-1068, 16-1094, July 12, 2017). In so doing, the Second Circuit substantially limited a district court’s power to scrutinize DPAs, thereby following a course similarly embraced by the D.C. Circuit (as discussed in our prior memo).
In the district court, Judge Gleeson granted the joint request by DOJ and HSBC to approve the DPA, subject to the Court’s ongoing oversight of the DPA’s implementation pursuant to the Court’s asserted “supervisory authority”—a decision we discussed in our earlier memo (PDF: 21 KB). As part of its oversight, the Court ordered the government to file under seal an independent monitor’s report, which eventually led to a member of the public requesting access to the report. Construing that request as a motion to unseal, the Court granted the motion, finding that the monitor’s report was a “judicial document” subject to the public’s qualified First Amendment right of access. The government and HSBC appealed. Continue reading
As we have observed, in its early days, the Trump Administration has stressed its intention to maintain continuity in white-collar enforcement, including through its recent extension of the FCPA Pilot Program. Consistent with that approach, the first FCPA action under the new administration was a Pilot Program declination, closing an investigation without enforcement action other than disgorgement. Continue reading
Earlier this year, we noted that it was difficult, if not impossible, at that point to predict with confidence how the new administration might change white-collar criminal law enforcement priorities and practices. Three months later, however, some clearer signals are beginning to appear. In a pair of speeches delivered last week, on April 18 and April 20, Acting Principal Deputy Assistant Attorney General Trevor McFadden, a Trump Administration appointee, gave strong indications that the Department of Justice will continue to engage in active white-collar criminal enforcement, without substantial changes in direction from the previous administration. And in a speech yesterday, Attorney General Jeff Sessions promised continued prosecution of corporate fraud and misconduct and strong enforcement of the Foreign Corrupt Practices Act and other anti-corruption laws.
In his more detailed speeches, McFadden rejected what he called the “myth” that DOJ under AG Sessions was not interested in prosecuting white-collar crime. Continue reading