The U.S. Securities and Exchange Commission’s focus on cybersecurity continues in its most recent effort to modernize financial privacy rules and emphasize transparency between SEC-regulated entities who suffer from a cyber breach and the individuals impacted by the breach. The SEC’s latest proposals focus on registrants including broker-dealers, investment advisors, and investment companies, and seek to impose cyberbreach disclosure requirements similar to those the SEC previously proposed for public companies.

On March 15, 2023, the SEC proposed amendments to current data privacy rules that would require covered firms to adopt written policies and procedures for incident response programs. Under the proposed amendments, such policies and procedures must address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The proposed changes would come through amendments to rules under Regulation S-P.

Regulation S-P currently requires covered registrants to notify customers about how they use their financial information, but it does not require them to notify customers about breaches. The proposed amendments would also ensure that breaches are properly identified, and that sensitive customer data is monitored to determine whether it was accessed.

In announcing the proposed amendments, Chairman Gensler explained that investors would benefit from a financial privacy rule “more modern than the AOL era.”

Continue Reading Highlighting Enforcement Focus on Cybersecurity, SEC Proposes New Disclosure & Incident Response Rules

On March 2, 2023, U.S. Department of Justice Deputy Attorney General (DAG) Lisa Monaco once again delivered groundbreaking remarks at the American Bar Association National Institute on White Collar Crime, this time heralding a new era of corporate enforcement aimed at addressing U.S. national security priorities. Last spring, as U.S. sanctions against Russia rolled out, DAG Monaco described sanctions as “the new FCPA (Foreign Corrupt Practices Act)” in terms of DOJ priorities, sending shockwaves through the world of corporate compliance. Since then, DOJ has borne that promise out largely through an aggressive campaign, championed by Task Force KleptoCapture, as we have previously written about, resulting in a large number of criminal cases targeting individual defendants.

In this most recent announcement, DAG Monaco set a new tone: announcing that enforcement of national security-related violations—most notably sanctions evasion and export control violations—against corporations would be among the top priorities of the DOJ. Later in the day, Matthew Axelrod, Assistant Secretary for Export Enforcement within the Department of Commerce, Bureau of Industry and Security (BIS), drove home that point, emphasizing that companies should no longer view export control and sanctions violations as “technical violations,” but would be well advised to view them as enterprise risks given the prioritization these issues are receiving within the various government enforcement agencies, including the DOJ. Further highlighting this new landscape, the Department of Treasury Office of Foreign Assets Control (OFAC) spoke at the ABA White Collar Conference for the first time ever on March 2, and the DOJ, BIS and OFAC issued their first-of-its-kind joint compliance guidance the same day, relating to third-party intermediary risks.

It was a day filled with sea-changing announcements for sanctions and export control enforcement, but the takeaway was simple: Sanctions and export controls really are the new FCPA in terms of corporate enforcement priorities and related compliance expectations.  The Money Laundering and Asset Recovery Section (MLARS) has already begun conducting sanctions- and export-related investigations.

Continue Reading DOJ to Prioritize Enforcement of Sanctions and Export Control Violations Against Corporations

On December 16, 2022, U.S. Attorney General Merrick Garland issued a memorandum (the Garland memo) to all federal prosecutors, reflecting a significant new policy regarding charging, pleas, and sentencing in federal criminal cases. The Garland memo replaces prior U.S. Department of Justice (DOJ) policy and applies to all federal criminal prosecutions initiated on or after January 17, 2023.

Under the new DOJ policy, federal prosecutors making charging decisions must consider whether the consequences of those charges for sentencing would yield a result that “is proportional to the seriousness of the defendant’s conduct, and . . . achieves such purposes of the criminal law as punishment, protection of the public, specific and general deterrence, and rehabilitation.”  The new policy makes clear that the goal of any prosecution is a sanction that is “sufficient, but not greater than necessary” to satisfy these considerations.  The Garland memo further provides that prosecutors should not file charges, or threaten to do so, simply to exert leverage to induce a plea.

The Garland memo reflects a continued departure from the prior administration’s policy, which provided that federal prosecutors “should charge and pursue the most serious, readily provable offense.”  The prior policy was revoked in January 2021 by then-acting U.S. Attorney General Monty Wilkinson.

The Garland memo, in short, appears to be embracing a policy of prosecutorial lenity, and could prove to be a useful tool going forward for the defense bar in plea negotiations and at sentencing.

Continue Reading Garland Memo, Emphasizing Prosecutorial Lenity, Reflects Significant DOJ Policy Shift

The Supreme Court of the United States will decide an issue impacting charging decisions in criminal cases involving technology and where those cases are tried. Specifically, the Supreme Court will decide whether criminal defendants may be retried after they are convicted in the wrong “venue,” i.e., the location where the trial took place. This constitutional venue requirement—and the Supreme Court’s ultimate decision on the remedy for violating it—will influence future cases involving technology, where defendants, victims, servers, and resources used to commit the crime are often in different states or even nations.

In the case at issue, the defendant allegedly hacked into a company’s website, obtained certain trade secrets, and offered to sell those trade secrets through various posts on social media. As with many crimes involving technology today, numerous locations were involved: the defendant remained entirely within the Southern District of Alabama, the victim-company was in the Northern District of Florida, and the victim-company’s hacked servers were in the Middle District of Florida. But where to conduct the trial? Based on the location of the victim-company’s headquarters, the government decided (incorrectly) to indict the defendant in the Northern District of Florida, on three counts: violation of the Computer Fraud and Abuse Act, theft of trade secrets, and extortion. At the end of trial, the jury convicted the defendant of the latter two counts.

On appeal, the U.S. Court of Appeals for the Eleventh Circuit held that for the trade-secrets conviction “venue was not proper in the Northern District of Florida because [the defendant] never committed any essential conduct in that location.” To remedy this violation, the court had two options: (1) vacate the conviction, allowing the defendant to be retried in a (supposedly) proper forum, or (2) acquit the defendant of his conviction in the improper forum, which would bar his retrial in another forum under the U.S. Constitution’s Double Jeopardy Clause that prohibits giving “the government . . . a second chance at prosecution.” The 11th Circuit chose the first option, endorsing a remedy that effectively allows the government, when it chooses the wrong venue, to retry a defendant in the correct venue.

Continue Reading Venue Misstep Shows Complexity of Prosecuting Cybercrime: Supreme Court to Weigh In

On November 28, 2022, the Council of the European Union (EU) gave final approval to implement the EU Corporate Sustainability Reporting Directive (CSRD), ushering in a new, expanded environmental, social, and corporate governance (ESG) disclosure regime for many companies with a connection to Europe. In 2025, the CSRD will require many companies to file reports disclosing certain information for the 2024 fiscal year. Companies should review the CSRD disclosure requirements now to understand the scope of their obligations.  

Continue Reading The ESG Disclosure Wave: Final Approval for the EU’s Corporate Sustainability Reporting Directive

It should come as no surprise that much of the recent 2022 ACI Foreign Corrupt Practices Act (“FCPA”) conference centered around Department of Justice (DOJ) Deputy Attorney General Lisa Monaco’s September 15, 2022 memorandum (the “revised Monaco memo”) concerning updates to the DOJ’s corporate criminal enforcement policies.  Among other things, that memo directs components of DOJ to provide further guidance on (1) corporate compensation structures that promote compliance, (2) corporate use of personal devices and third-party applications, and (3) voluntary self-disclosure by corporations. Although attendees were hoping to receive that further guidance at the FCPA conference, the government stated only that it would be forthcoming. 

Of the three topics expected to be further clarified, many multi-national entities that have previously resolved FCPA or other regulatory violations are eagerly awaiting further guidance on voluntary self-disclosure and, in particular, whether recidivism is an aggravating factor that puts a guilty plea back on the table of possible outcomes for a corporation that otherwise voluntarily self-discloses, cooperates, and remediates. 

Continue Reading Is Corporate Recidivism an Aggravating Factor that Undermines the Potential Benefit of Voluntary Self-Disclosure to DOJ?  Time Will Tell.

The U.S. Department of Justice (DOJ) recently released new guidance announcing several policy changes to further strengthen and clarify its approach to prosecuting corporate crime. The guidance, released through a memorandum by Deputy Attorney General Lisa Monaco (the Monaco Memo), instructs prosecutors about factors to consider when evaluating corporate cooperation and compliance programs in the context of potential criminal resolutions.

Notably, the Monaco Memo advises that “prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” This guidance is applicable to all third-party text and social media messaging platforms, and it is especially significant given the recent proliferation of business use of ephemeral messaging applications that provide an option to have messages automatically disappear from a recipient’s conversation history.

Companies would be wise to promptly review their business communications policies and procedures in light of both possible DOJ oversight and emerging privacy, security, and employment law scrutiny.

Continue Reading Recent DOJ Guidance on Personal Devices and Third-Party Messaging Applications Applies to Any Company DOJ May Scrutinize

Just this week, the Securities and Exchange Commission announced its enforcement results from fiscal year 2022. The Commission recovered a record $6.4 billion in penalties and disgorgement from companies and individuals. The announcement touted the 760 total enforcement actions in FY 2022—a nine percent increase from the year before—and summarized areas of innovation and growth within the Enforcement Division. Two such areas are familiar refrains that are worth highlighting: (1) the SEC leveraging its investigative process—emphasizing its use of data analytics—to identify suspicious activity; and (2) its penalties against “gatekeepers” (i.e., individuals and companies who owe a heightened duty of trust and responsibility to clients and investors).

Continue Reading Play it again, SEC: Two Familiar Refrains from the FY 2022 Enforcement Results

On October 18, 2022, the Department of Justice (DOJ) announced a guilty plea by Lafarge, S.A., a French building materials company, and its Syria-based subsidiary, for providing material support to designated Foreign Terrorist Organizations. The case represents the first criminal prosecution of a company for providing material support to terrorism and demonstrates that the agency is putting teeth behind its recent pronouncements that it will prioritize national security-related investigations.

Last year, the DOJ announced that one of the agency’s top priorities was fighting corporate crime, with an enhanced focus on national security issues.  As Deputy Attorney General Lisa Monaco explained, “[c]orporate crime has an increasing national security dimension — from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” In September 2022, the DOJ updated its enforcement guidance, notably confirming that misconduct posing a grave threat to national security will be an aggravating factor in deciding whether to take enforcement action in corporate criminal matters. The Lafarge case and other recent enforcement actions highlight the DOJ’s commitment to these principles and portend heightened focus on prosecuting corporations whose compliance and oversight missteps result in threats to U.S. national security.

Continue Reading DOJ Continues to Prioritize National Security-Related Cases with First Corporate Terrorism Support Prosecution