Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls.  The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934.  The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment.  By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures.

On July 11, 2018 the U.S. Department of Justice (“DOJ”), Bureau of Consumer Financial Protection (“CFPB”), the Securities and Exchange Commission (“SEC”) and the Federal Trade Commission (“FTC”) announced the establishment of a new Task Force on Market Integrity and Consumer Fraud (the “Task Force”).[1]  Deputy Attorney General Rod Rosenstein made the announcement on behalf of the Task Force, joined by Acting Director Mick Mulvaney of the CFPB, Chairman Jay Clayton of the SEC and Chairman Joe Simons of the FTC.

On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1]  The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.

On May 29, 2018, the U.S. Supreme Court issued a unanimous opinion in Lagos v. United States. Lagos presented the issue of whether costs incurred during and as a result of a corporate victim’s investigation (rather than a governmental investigation) must be reimbursed by a criminal defendant under the Mandatory Victims Restitution Act (“MVRA”). Resolving a circuit split, the Court narrowly held that restitution under the MVRA “does not cover the costs of a private investigation” commenced by a corporate victim on its own initiative and not at the Government’s invitation or request.

The Court’s decision is notable for rejecting the Government’s broad interpretation of the MVRA and for recognizing the “practical fact” that such a broad interpretation would invite “significant administrative burdens.” But the opinion is also notable for what it does not decide. The Court’s opinion expressly leaves unaddressed the question of whether professional costs incurred during a private investigation performed at the Government’s request would be covered by the MVRA.

On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database.  The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents.  Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.

On April 18, 2018, the U.S. Supreme Court heard oral argument in Lagos v. United States.  Lagos presents the important issue of whether a corporate victim’s professional costs—such as investigatory and legal expenses—incurred as a result of a criminal defendant’s offense conduct must be reimbursed under the Mandatory Victims Restitution Act.

The court’s decision will impact a company’s considerations when deciding whether and how to conduct an internal investigation, particularly when the corporation is the potential victim of a crime.

In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1]  Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data.  The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering.  In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Assets Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2]

The SEC has recently signaled an increased concern with the offerings and marketing of Initial Coin Offerings (“ICOs”),[1] which should be of interest to companies and institutions involved with ICOs.  On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting ICOs about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions of the federal securities laws.  Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers.  The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.”  The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be a form of security under the Securities Act of 1933 and the Securities Exchange Act of 1934.

The SEC’s announcement follows recent endorsements of such ICOs by celebrities such as Floyd Mayweather, DJ Khaled, Paris Hilton and Jamie Foxx, who each used their social media platforms to promote ICOs in the past months.  According to an article published by The New York Times five days before the SEC’s public announcement, celebrity endorsements have helped raise $3.2 billion in ICOs this year, which is a 3,000 percent increase over the total amount raised in ICOs last year.

In its statement, the SEC said it “will continue to focus on these types of promotions to protect investors and to ensure compliance with the securities laws.”  Additionally, the SEC Office of Investor Education and Advocacy posted an Investor Alert on their website the same day cautioning against investment decisions based on endorsements from celebrities and encouraging investors to report any possible securities fraud to the SEC.  These recent pronouncements indicate a dovetailing of recent areas of focus for the SEC’s enforcement program—new technologies that expand the scope and ease of securities offerings with increased efforts to focus enforcement resources on areas having the potential to harm retail investors.

Following the SEC’s public statement and Investor Alert signaling increased attention on ICOs, the SEC announced that it had filed charges against PlexCorps and two of its principals based on an alleged ICO fraud.  PlexCorps had raised up to $15 million in an ICO this year by promising a 13-fold profit in less than one month.  The company has been charged with violating anti-fraud provisions and the registration provision of the federal securities laws. These charges are the first filed by the SEC’s Cyber Unit, which was created in September 2017.  Robert Cohen, the Chief of the Cyber Unit, stated “[t]his first Cyber Unit case hits all the characteristics of a full-fledged cyber scam and is exactly the kind of misconduct the unit will be pursuing.” To read more about this case, please see our previous article.

[1] ICOs are fundraising mechanisms, similar to crowdfunding, in which companies create and sell new virtual currency, in the form of blockchain-based coins or tokens.

On October 27, 2017, the Hong Kong Securities and Futures Commission (“SFC”) issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the “Guidelines”),[1] a set of baseline cybersecurity requirements that all persons licensed or registered with the SFC and engaged in internet trading will be required to implement. The Hong Kong Monetary Authority (“HKMA”) simultaneously issued a circular to CEOs of Registered Institutions requiring them to apply the Guidelines.

The new guidelines should be viewed as requirements for securities and futures dealers and asset managers registered with the SFC and banks supervised by the HKMA (which include a number of foreign banks that operate branches in Hong Kong). For e-commerce firms and other companies that do business in or have connections to Hong Kong, the new guidelines should additionally be viewed as relevant guidance for best practices in cybersecurity.