Government Investigations

On April 5, 2016, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released an Enforcement Plan and Guidance (the “Plan”) regarding the Foreign Corrupt Practices Act (“FCPA”). The Plan contains three components designed to enhance the DOJ’s ability to detect and prosecute violations of the FCPA:  (1) a substantial increase in law enforcement resources; (2) increased coordination with foreign jurisdictions; and (3) implementation of a pilot program (the “Pilot Program”) offering substantial cooperation credit to companies that meet certain specified standards for “(1) voluntary self-disclosure of criminality, (2) full cooperation, and (3) remediation.”

One of the enumerated requirements for companies to achieve “full cooperation” (and thus earn maximum cooperation credit) under the Pilot Program is that companies must effectuate “[d]islcosure of overseas documents, the location in which such documents were found, and who found the documents.” This requirement comes with an exception for situations in which “such disclosure is impossible due to foreign law, including but not limited to foreign data privacy laws.”  The requirement and exception are followed by a note stating that:

Where a company claims that disclosure is prohibited, the burden is on the company to establish the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.

Thus, companies seeking to avail themselves of the cooperation credit offered under the Pilot Program may find themselves trying to strike a delicate balance between compliance with foreign data privacy laws, such as those in the European Union that restrict the transfer of personal data, and compliance with the DOJ’s “full cooperation” requirement.
Continue Reading

Finger wagging

Over the last several years, financial technology (“FinTech”) companies have captured the attention of the marketplace with innovative financial products and processes. Now FinTech companies are capturing the attention of the Consumer Financial Protection Bureau (“CFPB”). Two recent actions by the CFPB within the last fourteen days make clear that FinTech companies can expect some of the same regulatory burdens as faced by Federal Deposit Insurance Corporation (“FDIC”) insured banks. In the first action, the CFPB assessed a civil money penalty against a FinTech company for data security deficiencies, the first-ever such action brought by the CFPB. In the second action, the CFPB announced to the public that it would begin accepting consumer complaints regarding online marketplace lenders.

Data Security Protections

On March 2, 2016, the CFPB and Dwolla, Inc., an Iowa-based online peer-to-peer payment system provider (“Dwolla”), entered into a Consent Order that imposed the CFPB’s first-ever civil money penalty for data security violations under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”).

In the Consent Order, the CFPB alleged that Dwolla made misrepresentations relating to Dwolla’s data security practices that otherwise constituted deceptive acts and practices likely to cause substantial consumer harm, in violation of the Dodd-Frank Act. Specifically, the CFPB alleged that between 2010 and 2014, Dwolla advertised falsely on its website that all its payment transactions were “safe and secure,” and that its data security processes and protections “met or exceeded” industry standards. The CFPB claimed that Dwolla failed to employ reasonable and appropriate measures to protect sensitive consumer data from unauthorized access by failing to:

  • adopt and implement data security policies and procedures reasonable and appropriate for the organization;
  • use appropriate measures to identify reasonably foreseeable security risks;
  • ensure that employees who had access to consumer information receive adequate training and guidance about security risks;
  • use encryption technologies to properly safeguard sensitive consumer information (at rest and in transit); and
  • practice secure software development, particularly with regard to consumer facing applications developed at an affiliated website.


Continue Reading

In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC’s Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities.

With respect to responding to cyber intrusion, the SEC’s stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or Department of Homeland Security.

Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies/procedures and implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC’s goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America’s financial system. In other words, the SEC—at least from a priority standpoint—is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a “significant” disclosure issue. Ms. Avakian also pointed out that entities who self-disclose cyber intrusions will be rewarded with cooperation credit.  
Continue Reading

As originally published on February 5, 2016 in Law360.

Let’s say you’re the general counsel for a manufacturing company that builds armored transport vehicles for sale to the U.S. military. One of your vehicles recently exploded in use, injuring several military personnel. The U.S. Department of Justice is investigating the cause of the explosion and believes that your company skipped over certain required steps in product safety testing as part of an effort to meet contractual sales deadlines, and that members of the company’s senior management team may be criminally responsible because they knew about the corner-cutting and condoned it.

You must develop a plan to investigate the potential causes for the explosion, including a thorough review of the company’s product safety testing procedures. Should you task your internal risk management team with learning all the facts? Should you hire outside counsel to conduct the investigation? What information developed in the investigation will you recommend disclosing to the DOJ? What if critical information discovered in the investigation is protected by the attorney-client privilege? Will you recommend withholding the information or waiving the privilege as part of your cooperation with the government?
Continue Reading