Background

On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).  While the DOJ and federal law enforcement have generally treated corporate hacking targets as victims in connection with data breaches, the charges against Sullivan reinforce that they will actively pursue any violations of federal law that are committed by entities or individuals during the course of responding to such incidents.

On August 21, the Financial Crimes Enforcement Network, together with the federal banking agencies, released a statement to clarify banks’ customer due diligence (“CDD”) obligations for politically exposed persons (“PEPs”). The Statement affirms that (i) there is no regulatory requirement, and no supervisory expectation, for banks’ Bank Secrecy Act / anti-money laundering programs to include “unique, additional due diligence steps” for customers who are PEPs and (ii) there is no regulatory requirement for banks to screen customers and their beneficial owners for PEPs.  Instead, the Statement confirms that PEP customers should be subject to the same risk-based approach to CDD that applies to any other customer, but that PEP status (and screening for PEPs) may be a factor in developing a customer risk profile and assessing money laundering risk.  It also reminds banks of the continued U.S. national security and law enforcement interest in detecting and combatting public corruption and other criminality involving PEPs.


In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.

On July 30, 2020, Italian Legislative Decree no. 75 went into effect, introducing amendments to the Italian Criminal Code and a new set of criminal offences, including a number of tax crimes, in the context of corporate liability under Legislative Decree no. 231 of June 8, 2001.


On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.

Cleary Gottlieb and Tiantong & Partners 天同律师事务所 continue their collaboration to produce joint analyses regarding some of the current U.S. regulatory challenges for Chinese companies.  This fourth analysis is based on a case study of U.S. sanctions imposed against China Ocean Shipping Company (COSCO), one of the world’s largest shipping companies, and considers sanctions risk mitigation for Chinese companies.

A copy of the case study is available here, with a Chinese translation available here.

On June 22, 2020, the Supreme Court held in Liu v. SEC that the Securities and Exchange Commission (“SEC”) may seek, and courts have the power to grant, disgorgement as an equitable remedy for violations of the securities laws. However, the Court also placed potentially important limitations on disgorgement, holding that—to qualify as an equitable remedy and thus be allowable—disgorgement awards must accord with certain traditional equitable principles. While the Court left it to the lower courts to determine whether SEC disgorgement requests are in fact equitable on a case-by-case basis, it articulated guideposts calling into question the SEC’s ability to obtain disgorgement that (1) exceeds a wrongdoer’s net profits, (2) is not distributed back to victims, and (3) is awarded against multiple defendants on a joint-and-several basis. Although the Liu decision preserves the SEC’s ability to seek disgorgement—a central tenet of the SEC’s enforcement program—it imposes a number of line-drawing questions on lower courts to consider. Depending on how the case law develops, these issues may serve both to increase the SEC’s burden in making out disgorgement claims and to reduce the total dollar amounts of disgorgement awards the SEC is able to obtain, perhaps significantly.


On June 1, 2020, the Criminal Division of the U.S. Department of Justice (the “Department”) released revisions to its guidance regarding the Evaluation of Corporate Compliance Programs, which the Department uses in assessing the “adequacy and effectiveness” of a company’s compliance program in connection with any decision to charge or resolve a criminal investigation, including whether to impose a monitor or other compliance program obligations. The revised Guidance, while largely consistent with the April 2019 update, highlights the Department’s focus on how companies are assessing and updating their compliance programs. The recent updates are more thematic than structural and continue the prior version’s emphasis on incorporating “lessons learned” into a compliance program, continuously assessing and improving it, and using data to track and enhance the program’s operations. The revised Guidance also highlights the continued importance of training employees and, in the M&A context, of integrating a target into the acquiring company’s compliance framework.


Cleary Gottlieb and Tiantong & Partners 天同律师事务所 continue their collaboration to produce joint analyses regarding some of the current U.S. regulatory challenges for Chinese companies.  In light of renewed interest in China on the topic of U.S. long-arm jurisdiction, this third analysis reviews lessons learned on civil personal jurisdiction from cases involving the Bank of China and analyzes when Chinese banks may be required to comply with U.S. third-party discovery orders.

A copy of the case study is available here, with a Chinese translation available here.

On May 7, 2020, the Supreme Court unanimously held in Kelly v. United States that the “Bridgegate” political retribution scheme did not violate the wire fraud or federal-program fraud statutes. Although the government proved that the defendants devised and facilitated the closing of multiple lanes of the George Washington Bridge in September 2013, resulting in days of traffic gridlock, the Court reasoned that the charged conduct was an exercise of regulatory power that did not concern a property interest, and any implementation costs associated with the traffic lane realignment, although government property, were a byproduct of the scheme rather than its object. Because the defendants’ scheme did not have property as its object, as the federal fraud statutes require, the Court overturned their convictions. The Kelly decision is yet another chapter in a line of cases in recent years in which the Court has pushed back against what it found to be prosecutorial overreach in criminalizing conduct that, while unscrupulous, nonetheless does not violate federal fraud laws.
