Photo of Rahul Mukhi

Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

On May 2, 2019, the United States District Court for the Southern District of New York issued an important decision delineating the boundaries between conducting a proper internal investigation and acting as an arm of the government.

For the government, the consequences of “outsourcing” an investigation to a company and its counsel could be exclusion

Nearly a decade ago, WikiLeaks ushered in the age of mass leaks.  Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information.  Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak.  This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information.  While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind.  The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege.  In this memorandum, we discuss the potential issues raised by the prosecution and their implications.
Continue Reading

As discussed in Cleary Gottlieb’s December 21, 2018 Alert Memorandum, on December 18, 2018, the U.S. Court of Appeals for the D.C. Circuit issued an important ruling in In re Grand Jury Subpoena, holding, inter alia, that foreign state-owned corporations are subject to criminal jurisdiction in the United States and upholding Special Counsel

On January 11, the Second Circuit Court of Appeals denied the appeal of Rajat Gupta, who was seeking to undo his insider trading conviction.  Relying on the Second Circuit’s decision in United States v. Newman, Gupta argued that—to satisfy the requirement that Gupta personally benefit from tipping inside information—the Government must show “a quid pro quo – in which [Gupta] receive[d] an ‘objective, consequential . . . gain of a pecuniary or similarly valuable nature.’”[1]  In other words—intangible benefits should not, standing alone, constitute a personal benefit sufficient to uphold a criminal conviction.  The Second Circuit rejected this argument, finding that the Supreme Court’s decisions in Dirks v. SEC and Salman v. United States foreclosed such a narrow definition of “benefit,” opting instead for a test that looked at “varying sets of circumstances”—including those that involve indirect, intangible, and nonquantifiable gains, such as an anticipated quid quo pro that can be inferred from an ongoing, business relationship—to satisfy the “personal benefit” test.[2]  This case is the latest in a line of decisions—in the Supreme Court, as well as the Second and Ninth Circuits—to reject defendants’ arguments for a narrow definition of the “personal benefit” element of insider trading law based on Newman.
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms.  This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms.  Below we discuss the report’s key observations and contextualize these insights for members of the financial industry.
Continue Reading

On December 18, 2018, the District of Columbia Circuit Court of Appeals issued an important ruling in In re Grand Jury Subpoena, holding that foreign state-owned corporations are subject to criminal jurisdiction in the United States and that the exceptions to sovereign immunity set forth in the Foreign Sovereign Immunities Act (the “FSIA”)[1] apply to criminal as well as to civil cases.[2]  The court also rejected the foreign sovereign entity’s argument that it should be excused from complying with a subpoena because doing so would violate the law of the respondent’s country of incorporation.  Although In re Grand Jury Subpoena arises in the context of enforcing a grand jury subpoena, its language and holding could potentially be extended to criminal prosecutions of a foreign state or state-owned entity.

Continue Reading

On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls.  The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934.  The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment.  By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures.
Continue Reading

On July 11, 2018 the U.S. Department of Justice (“DOJ”), Bureau of Consumer Financial Protection (“CFPB”), the Securities and Exchange Commission (“SEC”) and the Federal Trade Commission (“FTC”) announced the establishment of a new Task Force on Market Integrity and Consumer Fraud (the “Task Force”).[1]  Deputy Attorney General Rod Rosenstein made the announcement on behalf of the Task Force, joined by Acting Director Mick Mulvaney of the CFPB, Chairman Jay Clayton of the SEC and Chairman Joe Simons of the FTC.
Continue Reading

On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1]  The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”
Continue Reading

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI,