Nearly a decade ago, WikiLeaks ushered in the age of mass leaks. Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information. Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak. This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information. While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind. The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege. In this memorandum, we discuss the potential issues raised by the prosecution and their implications. Continue Reading U.S. Criminal Prosecution Based on Panama Papers Hack Raises Novel Legal Issues
Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.
As discussed in Cleary Gottlieb’s December 21, 2018 Alert Memorandum, on December 18, 2018, the U.S. Court of Appeals for the D.C. Circuit issued an important ruling in In re Grand Jury Subpoena, holding, inter alia, that foreign state-owned corporations are subject to criminal jurisdiction in the United States and upholding Special Counsel Mueller’s authority to serve and enforce a grand jury subpoena on a sovereign entity.
The foreign state-owned corporation subsequently sought a stay of enforcement of the contempt order from the Supreme Court, which Chief Justice Roberts granted. This Alert Memorandum focuses on two key developments that took place on January 8, 2019. First, the Supreme Court, voting as a whole, lifted the administrative stay previously entered by Chief Justice Roberts. Second, the D.C. Circuit Court issued its full, albeit partially redacted, opinion, which provides additional reasoning for the panel’s decision, seeks to reconcile any purported conflict with rulings issued by other Circuit Courts on the legal question at hand, and focuses on the state owned nature of the entity involved.
Please click here to read the full Alert Memorandum.
On January 11, the Second Circuit Court of Appeals denied the appeal of Rajat Gupta, who was seeking to undo his insider trading conviction. Relying on the Second Circuit’s decision in United States v. Newman, Gupta argued that—to satisfy the requirement that Gupta personally benefit from tipping inside information—the Government must show “a quid pro quo – in which [Gupta] receive[d] an ‘objective, consequential . . . gain of a pecuniary or similarly valuable nature.’” In other words—intangible benefits should not, standing alone, constitute a personal benefit sufficient to uphold a criminal conviction. The Second Circuit rejected this argument, finding that the Supreme Court’s decisions in Dirks v. SEC and Salman v. United States foreclosed such a narrow definition of “benefit,” opting instead for a test that looked at “varying sets of circumstances”—including those that involve indirect, intangible, and nonquantifiable gains, such as an anticipated quid quo pro that can be inferred from an ongoing, business relationship—to satisfy the “personal benefit” test. This case is the latest in a line of decisions—in the Supreme Court, as well as the Second and Ninth Circuits—to reject defendants’ arguments for a narrow definition of the “personal benefit” element of insider trading law based on Newman. Continue Reading Second Circuit Denies Gupta Appeal of Insider Trading Conviction—Continuing to Give Broad Meaning to “Personal Benefit” Requirement
On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms. This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms. Below we discuss the report’s key observations and contextualize these insights for members of the financial industry. Continue Reading FINRA Provides Updated Cybersecurity Guidance to Broker-Dealer Firms
On December 18, 2018, the District of Columbia Circuit Court of Appeals issued an important ruling in In re Grand Jury Subpoena, holding that foreign state-owned corporations are subject to criminal jurisdiction in the United States and that the exceptions to sovereign immunity set forth in the Foreign Sovereign Immunities Act (the “FSIA”) apply to criminal as well as to civil cases. The court also rejected the foreign sovereign entity’s argument that it should be excused from complying with a subpoena because doing so would violate the law of the respondent’s country of incorporation. Although In re Grand Jury Subpoena arises in the context of enforcing a grand jury subpoena, its language and holding could potentially be extended to criminal prosecutions of a foreign state or state-owned entity.
On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls. The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934. The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment. By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures. Continue Reading SEC Investigative Report Urges Public Companies to Guard Against Cyber Threats When Implementing Internal Accounting Controls
On July 11, 2018 the U.S. Department of Justice (“DOJ”), Bureau of Consumer Financial Protection (“CFPB”), the Securities and Exchange Commission (“SEC”) and the Federal Trade Commission (“FTC”) announced the establishment of a new Task Force on Market Integrity and Consumer Fraud (the “Task Force”). Deputy Attorney General Rod Rosenstein made the announcement on behalf of the Task Force, joined by Acting Director Mick Mulvaney of the CFPB, Chairman Jay Clayton of the SEC and Chairman Joe Simons of the FTC. Continue Reading DOJ Announces New Inter-Agency Task Force on Market Integrity and Consumer Fraud
On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators. The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.” Continue Reading State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach
On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.
Please click here to read the full alert memorandum.
On May 29, 2018, the U.S. Supreme Court issued an unanimous opinion in Lagos v. United States. Lagos presented the issue of whether costs incurred during and as a result of a corporate victim’s investigation (rather than a governmental investigation) must be reimbursed by a criminal defendant under the Mandatory Victims Restitution Act (“MVRA”). Resolving a circuit split, the Court narrowly held that restitution under the MVRA “does not cover the costs of a private investigation” commenced by a corporate victim on its own initiative and not at the Government’s invitation or request.
The Court’s decision is notable for rejecting the Government’s broad interpretation of the MVRA and for recognizing the “practical fact” that such a broad interpretation would invite “significant administrative burdens.” But the opinion is also notable for what it does not decide. The Court’s opinion expressly leaves unaddressed the question of whether professional costs incurred during a private investigation performed at the Government’s request would be covered by the MVRA.
Please click here to read the full alert memorandum.