On May 12, 2021, Telefonaktiebolaget LM Ericsson (“Ericsson”) announced that it had reached an agreement to settle a claim by a competitor, Nokia Corporation, for €80 million (approximately $97 million).[1] Although Nokia’s complaint against Ericsson was not filed publicly, and therefore the details of the claim are not known, Ericsson’s announcement stated that “[t]he settlement relates to events that were the subject of a 2019 resolution with the U.S. Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC) of investigations into Ericsson’s violations of the U.S. Foreign Corrupt Practices Act (FCPA).”[2] This appears to be a rare instance in which a company that allegedly paid bribes to obtain business from a government entity agreed to compensate a competitor that lost out on the business opportunity as a result of the corrupt conduct, and demonstrates a further, significant risk of follow-on litigation relating to FCPA violations.
Continue Reading Recent Settlement Highlights Risk of Follow-On Litigation Related to FCPA Investigations
Colombian Corporate Regulatory Authority Expands Application of Compliance and Transparency Program Guidelines
The Colombian Corporations Commission (La Superintendencia de Sociedades) (“Superintendencia”) has issued Resolution 100-006261, which requires the overwhelming majority of companies that are supervised by the Superintendencia and engage in international transactions to adopt and implement a compliance program – called a Business Transparency and Ethics program – by April 30, 2021. The program must be designed to prevent and detect violations of anti-bribery laws, in accordance with 2016 guidance.
Continue Reading Colombian Corporate Regulatory Authority Expands Application of Compliance and Transparency Program Guidelines
D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1] The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
Continue Reading D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
A Playbook for Corporate DOJ Investigations
Corporate investigations under the Biden Administration’s Department of Justice (“DOJ”) are expected to increase in the coming months. Navigating such investigations can be complex, distracting, and costly, and comes with the risk of prosecution and significant collateral consequences for the company. Recently, Cleary Gottlieb partners and former DOJ prosecutors, Lev Dassin, Jonathan Kolodner, and Rahul
SDNY District Court Rules Foreign Sovereigns Are Not Immune From Criminal Jurisdiction In U.S. Court
On October 1, 2020, the SDNY District Court issued an important ruling in U.S. v. Halkbank, holding that foreign state-owned entities (“SOEs”) can be subject to criminal jurisdiction in the United States.
The Court denied the defendant Turkish state-owned bank’s motion to dismiss an indictment charging it with conspiracy, bank fraud, and money laundering
DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach
On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).
Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach
OCC Imposes $80 Million Penalty in Connection with Bank Data Breach
In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020. The actions follow a 2019 cyber-attack against Capital One. The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company. The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach
Federal Court Compels Production of Data Breach Forensic Investigation Report
On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1] Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine. Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report. This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report
DOJ Updates Guidance Regarding Corporate Compliance Programs
On June 1, 2020, the Criminal Division of the U.S. Department of Justice (the “Department”) released revisions to its guidance regarding the Evaluation of Corporate Compliance Programs, which the Department uses in assessing the “adequacy and effectiveness” of a company’s compliance program in connection with any decision to charge or resolve a criminal investigation, including
CISA Alert: North Korean Cyber Threat Poses Increased Risk for Financial Institutions
On April 15, 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued an advisory alert providing guidance on the North Korean cyber threat and steps to mitigate that threat (the “Alert”).[1] The U.S. Government has repeatedly warned the private sector that North Korea, formally known as the Democratic People’s Republic of Korea (“DPRK”), routinely engages in malicious cyber activities and has specifically targeted financial institutions.
This Alert serves as a reminder, especially during this pandemic as businesses go remote and virtual to an unprecedented degree, that the cyber threat, including from the DPRK, remains a critical risk for all companies. Financial institutions in particular, a traditional target of North Korean cyber activity, should take steps to ensure they are protecting themselves from and responding effectively to malicious cyber intrusions.
Continue Reading CISA Alert: North Korean Cyber Threat Poses Increased Risk for Financial Institutions