On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.

Cleary Gottlieb and Tiantong & Partners 天同律师事务所 continue their collaboration to produce joint analyses regarding some of the current U.S. regulatory challenges for Chinese companies.  This fourth analysis is based on a case study of U.S. sanctions imposed against China Ocean Shipping Company (COSCO), one of the world’s largest shipping companies, and considers sanctions risk mitigation for Chinese companies.

On June 22, 2020, the Supreme Court held in Liu v. SEC that the Securities and Exchange Commission (“SEC”) may seek, and courts have the power to grant, disgorgement as an equitable remedy for violations of the securities laws. However, the Court also placed potentially important limitations on disgorgement, holding that—to qualify as an equitable remedy and thus be allowable—disgorgement awards must accord with certain traditional equitable principles. While the Court left it to the lower courts to determine whether SEC disgorgement requests are in fact equitable on a case-by-case basis, it articulated guideposts calling into question the SEC’s ability to obtain disgorgement that (1) exceeds a wrongdoer’s net profits, (2) is not distributed back to victims, and (3) is awarded against multiple defendants on a joint-and-several basis. Although the Liu decision preserves the SEC’s ability to seek disgorgement—a central tenet of the SEC’s enforcement program—it imposes a number of line-drawing questions on lower courts to consider. Depending on how the case law develops, these issues may serve both to increase the SEC’s burden in making out disgorgement claims and to reduce the total dollar amounts of disgorgement awards the SEC is able to obtain, perhaps significantly.

On June 1, 2020, the Criminal Division of the U.S. Department of Justice (the “Department”) released revisions to its guidance regarding the Evaluation of Corporate Compliance Programs, which the Department uses in assessing the “adequacy and effectiveness” of a company’s compliance program in connection with any decision to charge or resolve a criminal investigation, including whether to impose a monitor or other compliance program obligations. The revised Guidance, while largely consistent with the April 2019 update, highlights the Department’s focus on how companies are assessing and updating their compliance programs. The recent updates are more thematic than structural and continue the prior version’s emphasis on incorporating “lessons learned” into a compliance program, continuously assessing and improving it, and using data to track and enhance the program’s operations. The revised Guidance also highlights the continued importance of training employees and, in the M&A context, of integrating a target into the acquiring company’s compliance framework.

Cleary Gottlieb and Tiantong & Partners 天同律师事务所 continue their collaboration to produce joint analyses regarding some of the current U.S. regulatory challenges for Chinese companies.  In light of renewed interest in China on the topic of U.S. long-arm jurisdiction, this third analysis reviews lessons learned on civil personal jurisdiction from cases involving the Bank of China and analyzes when Chinese banks may be required to comply with U.S. third-party discovery orders.

On May 7, 2020, the Supreme Court unanimously held in Kelly v. United States that the “Bridgegate” political retribution scheme did not violate the wire fraud or federal-program fraud statutes. Although the government proved that the defendants devised and facilitated the closing of multiple lanes of the George Washington Bridge in September 2013, resulting in days of traffic gridlock, the Court reasoned that the charged conduct was an exercise of regulatory power that did not concern a property interest, and any implementation costs associated with the traffic lane realignment, although government property, were a byproduct of the scheme rather than its object. Because the defendants’ scheme did not have property as its object, as the federal fraud statutes require, the Court overturned their convictions. The Kelly decision is yet another chapter in a line of cases in recent years in which the Court has pushed back against what it found to be prosecutorial overreach in criminalizing conduct that, while unscrupulous, nonetheless does not violate federal fraud laws.

On April 20, OFAC issued COVID-related guidance indicating that it encourages those subject to its jurisdiction to contact the OFAC staff if they believe they will have difficulty meeting OFAC deadlines (whether reporting deadlines, responses to administrative subpoenas, or other matters).  OFAC also encouraged electronic submission of any communications.  In our experience, OFAC is still functioning at a relatively high level, remote operations notwithstanding, but the staff has also been flexible in responding to the challenges all institutions face.  As OFAC’s guidance and our own experience underline, open communication with the staff is very important.

On April 15, 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued an advisory alert providing guidance on the North Korean cyber threat and steps to mitigate that threat (the “Alert”).[1]  The U.S. Government has repeatedly warned the private sector that North Korea, formally known as the Democratic People’s Republic of Korea (“DPRK”), routinely engages in malicious cyber activities and has specifically targeted financial institutions.

This Alert serves as a reminder, especially during this pandemic as businesses go remote and virtual to an unprecedented degree, that the cyber threat, including from the DPRK, remains a critical risk for all companies.  Financial institutions in particular, a traditional target of North Korean cyber activity, should take steps to ensure they are protecting themselves from and responding effectively to malicious cyber intrusions.

On March 24, the Commodity Futures Trading Commission (“CFTC”) released its Final Interpretive Guidance on Actual Delivery for Digital Assets (“Final Interpretation”), addressing longstanding questions regarding which digital asset transactions could be deemed “retail commodity transactions” under the Commodity Exchange Act (“CEA”).  The Final Interpretation comes two years after the CFTC issued proposed interpretive guidance (“Proposed Interpretation”).

On April 3, 2020, the SEC’s Chief Accountant, Sagar Teotia, issued a Statement on the Importance of High-Quality Financial Reporting in Light of the Significant Impacts of COVID-19 (the “OCA Statement”).  The OCA Statement emphasizes that while the SEC Office of the Chief Accountant (“OCA”) appreciates the challenging environment that companies and their auditors face in attempting to comply with their financial reporting obligations due to COVID-19[1], and will not second-guess their reasonable judgments, OCA expects financial reporting to continue to “provide investors with high-quality financial information.”  The OCA Statement also reaffirms OCA’s views on the importance of gatekeepers by pointing out the critical need for auditor independence in this uncertain economic environment.  In addition to this general theme, the OCA Statement contains several notable points that will have implications for companies in the current situation, both in preparing their financial statements, and in taking steps to mitigate litigation and enforcement risk.