In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.

On June 22, 2020, the Supreme Court held in Liu v. SEC that the Securities and Exchange Commission (“SEC”) may seek, and courts have the power to grant, disgorgement as an equitable remedy for violations of the securities laws. However, the Court also placed potentially important limitations on disgorgement, holding that—to qualify as an equitable

On April 20, OFAC issued COVID-related guidance indicating that it encourages those subject to its jurisdiction to contact the OFAC staff if they believe they will have difficulty meeting OFAC deadlines (whether reporting deadlines, responses to administrative subpoenas, or other matters).  OFAC also encouraged electronic submission of any communications.  In our experience, OFAC is still functioning at a relatively high level, remote operations notwithstanding, but the staff has also been flexible in responding to the challenges all institutions face.  As OFAC’s guidance and our own experience underline, open communication with the staff is very important.

On April 3, 2020, the SEC’s Chief Accountant, Sagar Teotia, issued a Statement on the Importance of High-Quality Financial Reporting in Light of the Significant Impacts of COVID-19 (the “OCA Statement”).  The OCA Statement emphasizes that while the SEC Office of the Chief Accountant (“OCA”) appreciates the challenging environment that companies and their auditors face in attempting to comply with their financial reporting obligations due to COVID-19[1], and will not second-guess their reasonable judgments, OCA expects financial reporting to continue to “provide investors with high-quality financial information.”  The OCA Statement also reaffirms OCA’s views on the importance of gatekeepers by pointing out the critical need for auditor independence in this uncertain economic environment.  In addition to this general theme, the OCA Statement contains several notable points that will have implications for companies in the current situation, both in preparing their financial statements, and in taking steps to mitigate litigation and enforcement risk.

As the COVID-19 pandemic continues to rapidly unfold, with breathtaking effects on everyday life barely imaginable just weeks ago, enforcement agencies have responded with pronouncements prioritizing investigations into COVID-19-related frauds and have proceeded with some significant non-COVID-19 law enforcement actions likely planned before the full impact of the pandemic could have been predicted.  At the same time, enforcement agencies are having to respond to the same practical challenges and constraints that the rest of society and other large organizations around the world face.  They, like the rest of us, are facing severe travel restrictions, learning to work remotely, and dealing with colleagues and family members who are sick from the virus.  Over the coming weeks and months, enforcement agencies will be managing the COVID-19-focused enforcement priorities and moving forward with their existing matters, while they deal with the practical realities and uncertainties presented by the pandemic.

On March 20, 2020, news outlets reported that four U.S. Senators sold millions of dollars in stock following classified briefings to the Senate on the threat of a COVID-19 outbreak.  Three days later, the Co-Directors of the Securities and Exchange Commission’s (“SEC”) Division of Enforcement, Stephanie Avakian and Steven Peikin, issued a statement reminding market participants of their obligations with respect to material non-public information (“MNPI”) and of the SEC’s commitment to protecting investors from fraud and ensuring market integrity.[1]

Update:  On March 25, the SEC issued a new order that supersedes the original order discussed below. The new order (1) extends the time period for the relief from April 30 to June 30 and implies that future extensions may be possible, and (2) removes the conditions that an adviser provide a brief description of why it could not meet the deadline and the estimated date by which it expects to file the relevant Form or deliver its Brochure.  Our blog post regarding the original order is below.

The UK’s Competition and Markets Authority (CMA) is strengthening its approach to merger control as it prepares for its new status as a global enforcer with expanded jurisdiction.

Following the UK’s departure from the EU on 31 January 2020, the UK entered a transition period due to end on 31 December 2020.  EU competition law

On January 27, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations related to cybersecurity and operational resiliency practices (“Examination Observations”). The observations highlight a set of best practices by market participants in the following areas:  (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management and (7) training and awareness.  Cybersecurity has been a key priority for OCIE since 2012.  Since then, it has published eight cybersecurity-related risk alerts, including an April 2019 alert addressing mobile security. OCIE has perennially included cybersecurity practices as part of its examination priorities (“Examination Priorities”) and listed all but mobile security as “particular focus areas” in the “information security” priority for 2020