Our Washington, D.C. office is one of the city's largest and most established law practices, having grown from a single-lawyer enterprise founded in 1904 to an office of about 500 lawyers within a top-ten global firm of 2,500 lawyers.Show more
Tech, Data, Telecoms & Media
California voters have approved the California Privacy Rights Act (CPRA), a new law coming into effect on 1 January 2023 that will significantly amend the California Consumer Privacy Act. The CPRA will, among other things, modify existing consumer rights and create new rights and establish the United States' first dedicated privacy enforcer. Despite never having been reviewed by California's legislature, the CPRA also limits the extent to which its provisions can be amended through future legislation.
Treasury Department issues ransomware guidance in response to significant uptick in ransomware attacksUSA | 09 October 2020
In response to the significant rise in ransomware attacks since the start of the COVID-19 pandemic and just in time for Cybersecurity Awareness Month, the Treasury Department's Financial Crimes Enforcement Network and the Office of Foreign Assets Control recently issued advisories on the potential legal risks of making or facilitating ransomware payments.
The Department of Commerce, the Department of Justice and the Office of the Director of National Intelligence have jointly issued a white paper containing information about privacy protections under the US law for national security access, with a particular focus on the issues raised by the European Court of Justice (ECJ) in its Schrems II decision. The white paper focuses on practical applications of the legal authorities that the ECJ examined and discounts mere 'theoretical possibilities' that are unlikely to occur.
The California attorney general recently issued the final implementing regulations for the California Consumer Privacy Act. The final regulations – which had been under review by the California Office of Administrative Law since 1 June 2020 – include several changes to the previous draft regulations and take effect immediately. Most of the changes relate to grammar, formatting and drafting consistency, but several substantive provisions have been withdrawn entirely for additional consideration.
A recent action by the National Advertising Division (NAD), a self-regulatory arm of the Better Business Bureau, addresses the level of proof necessary to support 'natural' and 'satiety' claims involving competing experts and a variety of scientific data in dispute. Beyond NAD's specific findings, the decision also provides useful insight into how NAD evaluates health benefit and related claims and analyses the corresponding scientific evidence and other substantiation.
The California Privacy Rights Act (CPRA) has received enough valid signatures to appear on the November 2020 ballot. If voters approve the initiative, the CPRA would significantly expand the California Consumer Privacy Act (CCPA), establish the California Privacy Protection Agency, remove the CCPA's cure period and impose a number of General Data Protection Regulation-style obligations on businesses, among other requirements.
Cyber investigations and privilege: court finds that forensic report is not covered by work product doctrineUSA | 19 June 2020
The US District Court for the Eastern District of Virginia recently ordered Capital One to produce a forensic investigation report in multi-district litigation arising out of a cyber incident that Capital One had announced in July 2019. The court found that the report was not protected by the work product doctrine as Capital One had not shown that "but for" the litigation, the report would not have been prepared in substantially the same form.
The National Advertising Division recently announced new procedures to resolve straightforward digital advertising disputes in a matter of weeks. The new procedures – called the SWIFT process – represent a new way for advertisers to enforce against their competitors' (or defend their own) influencer marketing practices. Advertisers that rely heavily on social media influencers should take note.
The California attorney general recently submitted the final text of the California Consumer Privacy Act regulations to the California Office of Administrative Law for approval. Although regulations submitted to the Office of Administrative Law in June 2020 ordinarily would not become effective – if approved – until 1 October 2020, the attorney general has requested an expedited review.
President Trump recently signed the Broadband Deployment Accuracy and Technological Availability Act. The law requires the Federal Communications Commission (FCC) to collect and disseminate more granular data about the availability of broadband service and to establish processes to ensure data accuracy. The legislation comes in response to commentary about the FCC's broadband coverage maps and suggestions regarding the Form 477 data collection process used to create those maps.
During the coronavirus outbreak, many employers around the world are seeking to prioritise the wellbeing and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organisations must consider increased risks to the security of their networks, systems and data during this time.
The US courts of appeals increasingly agree on how to interpret the definition of 'automatic telephone dialling system' under the Telephone Consumer Protection Act. A unanimous Seventh Circuit panel recently refused to revise a putative class action after concluding that the dialling system used did not qualify as an autodialer. Like recent Eleventh Circuit and Third Circuit decisions, the Seventh Circuit held that an autodialer must use a random or sequential number generator to either store or produce numbers.
A recent action by the National Advertising Division (NAD), a self-regulatory arm of the Better Business Bureau, illustrates that advertisers that participate but decline to be bound by an NAD decision can expect to be referred to the Federal Trade Commission (FTC). The NAD recently announced that it had referred advertising claims made by a dietary supplement company to the FTC for further review, following a challenge by the Council for Responsible Nutrition.
The Eleventh Circuit panel recently released a landmark ruling in Glasser v Hilton Grand Vacations Company, LLC. The key issue was how to interpret ambiguous language in the Telephone Consumer Protection Act's (TCPA's) definition of an 'automatic telephone dialling system'. In recent years, imprecise statutory phrasing and the Federal Communication Commission's liberal reading of the legislative history has empowered plaintiffs to assert TCPA claims based on a wide array of calling systems.
Two recent cases highlight the increased False Claims Act risk that cybersecurity compliance poses for government contractors. The first is a cautionary tale for contractors that self-certify that their IT systems provide adequate security for sensitive federal information which they store, process or transmit in performance of a federal contract. The second signals the importance of accurately representing compliance with federal cybersecurity standards when selling IT products or services to the government.
The Washington Privacy Act (WPA) gained significant traction in the legislature in 2019, passing the state Senate almost unanimously, but ultimately failing in the state House of Representatives due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on 31 July 2021.
The Federal Communications Commission (FCC), in consultation with the Department of Agriculture, has announced the members of the Task Force for Reviewing the Connectivity and Technology Needs of Precision Agriculture in the United States. The task force, an advisory body to the FCC, will investigate the current state of broadband access in agricultural areas and recommend policies and regulatory solutions to the FCC to promote broadband deployment and precision agriculture.
The Department of Defence (DoD) has announced a plan to pilot 5G technologies on four military installations in partnership with private industry and the Federal Communications Commission. The project has been heralded as an opportunity for the DoD to work with industry and collaborate across federal agencies to advance the Trump administration's policy of maintaining the United States' global leadership in 5G.
California Governor Gavin Newsom recently signed the Consumer Call Protection Act 2019 to address the rise in deceptive robocalls and protect consumers from fraudulent calls. The act requires telecoms service providers to implement secure telephony identity revisited (STIR) and secure handling of asserted information using tokens (SHAKEN) protocols by 1 January 2021 and is the latest in a series of ongoing efforts to promote STIR/SHAKEN or similar call authentication frameworks.
New York Governor Andrew Cuomo recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law. Businesses maintaining the private information of New York residents will now be required to develop reasonable safeguards within their organisation as part of a new reasonable security requirement.
The California attorney general recently released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The attorney general also released a notice of proposed rulemaking and an initial statement of reasons that provide drafting insights and outline considerations that will likely continue to guide the rulemaking process. The proposed regulations provide clarifications for businesses and consumers in five key CCPA areas, including privacy notice requirements.
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The bill requires the newly-formed Department of Homeland Security teams to provide assistance to public and private entities, on request, to prepare for and respond to cyber-related incidents, including (among other things) restoring services after a cyber incident.
The California legislature recently debated several amendments to the California Consumer Privacy Act, eventually passing five bills which now await the governor's signature. Collectively, these bills do not provide the sweeping changes sought by businesses. Instead, the amendments make minor tweaks and postpone for one year some of the more challenging requirements. The passed bills address a range of topics, including providing for a partial, temporary one-year exception for applicant and employee data.
The New York governor recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law and defining 'breaches' to include incidents involving unauthorised access to covered information, even where the information is not acquired.
In a long-awaited decision, the Supreme Court was expected to provide greater clarity on the extent to which litigants can challenge the Federal Communications Commission's Telephone Consumer Protection Act interpretations in private litigation. However, instead of deciding that issue, the court vacated the Fourth Circuit's ruling and remanded the case for further development.
Senate Bill 220 was recently signed into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. However, the new privacy law is significantly narrower than the California Consumer Privacy Act (CCPA). For example, it applies only to online activities, defines 'consumer' and 'sale' more narrowly and includes broad exceptions for financial institutions subject to the Gramm-Leach-Bliley Act.
Federal Communications Commission (FCC) Chair Ajit Pai recently announced plans to open a rulemaking proceeding to take a fresh look at the 5.9GHz band. In this new proceeding, the FCC will consider whether and how to allow sharing in the 5.9GHz band between dedicated short-range communication, gigabit Wi-Fi and cellular vehicle-to-everything technologies.
Several legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following a recent hearing before the California Assembly's Committee on Privacy and Consumer Protection in which the bills were approved. The bills will advance to the assembly's Appropriations Committee before being voted on by the full assembly and potentially advancing to the California State Senate for consideration.
In 2018 California passed the California Consumer Privacy Act (CCPA), which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective in January 2020 and may impact companies in the education sector, including large education technology companies. Regulated educational entities should be wary of the CCPA's key requirements, including the deletion of consumers' personal information on request.
One IoTa of consensus: bipartisan legislation to improve cybersecurity for internet-connected devicesUSA | 17 May 2019
Congress recently introduced a bipartisan proposal to enhance cybersecurity for the network of internet-connected devices, commonly known as the Internet of Things (IoT). The IoT Cybersecurity Improvement Act 2019 aims to establish baseline cybersecurity standards for IoT devices. It would also impose limits on the types of IoT device that the US government can purchase.
The Federal Trade Commission recently issued notices seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and the Privacy Rule. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule focus on technical changes to align the rule with changes in law over the past decade.
The Federal Trade Commission (FTC) recently announced that it had settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children's Online Privacy Protection Act. This action was notable not just for the penalty's size, but also because of the joint statement by two democratic commissioners that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
The fallout from the recent cyber-attack against Sony Picture Entertainment has reinvigorated a debate about whether and when the US government should take responsibility for protecting private companies from cyber-attacks. It remains unclear whether the United States will use its prosecutorial powers to combat these types of cyber-attack or whether its responses will be robust enough to deter future cyber-attackers.
White Collar Crime
The Biden administration has hit the ground running, issuing a flurry of executive orders, actions and memoranda with sweeping implications affecting a wide range of key issues. Companies should look internally and evaluate risks with particular consideration for administration priorities. This risk assessment can help to inform updates to compliance protocols. This article discusses where the administration is likely to focus its civil and criminal enforcement efforts in the months and years ahead.
This article examines the World Bank Group's (WBG's) recently published third Sanctions System Annual Report FY2020, which covers 1 July 2019 to 30 June 2020. The report provides a detailed look at the recent activities of the three units of the WBG's sanctions system: the Integrity Vice Presidency (INT), the Office of Suspension of Debarment and the Sanctions Board. It also provides important insight into INT's priorities for fiscal year 2021.
When the United States began grappling with COVID-19 in March 2020, the US Securities and Exchange Commission (SEC) Division of Enforcement acted swiftly to make clear to market participants that it was ramping up its efforts to identify and prevent fraud in the wake of the pandemic. Approximately seven months later, statistics released by the SEC bear this out.
Individual prosecutions under the Foreign Corrupt Practices Act (FCPA) have markedly increased over the past five years. This increase in case law will help to better define local, regional and international enforcement. In addition, more FCPA case law shedding clarity on open issues will be a boon to lawyers, judges and scholars seeking to understand the contours of a complex statute – the elucidation of which has previously been almost the sole province of enforcers.
The US Department of Justice (DOJ) has updated its guidance on the Evaluation of Corporate Compliance Programmes, providing increased clarity on some of the key questions that prosecutors ask in assessing the adequacy of corporate compliance programmes when making charging, sentencing and plea and settlement decisions. The guidance helps companies to proactively create or enhance their compliance programmes and effectively advocate before the DOJ in criminal investigations.
The resignation of former Operation Car Wash judge and world-renowned anti-corruption crusader Sergio Moro as minister of justice and public safety has sent shockwaves throughout Brazil's political class. Easily the Bolsonaro administration's most recognised and admired cabinet member, Moro's departure via a televised press conference, where he accused the president of trying to interfere in ongoing investigations involving his family members, was likely not how he had envisioned his tenure ending.
The US Department of Justice (DOJ) has issued a new guidance memorandum entitled "Evaluating a Business Organisation's Inability to Pay a Criminal Fine or Criminal Monetary Penalty". This memorandum aims to provide greater clarity, transparency and uniformity as to how the DOJ's Criminal Division evaluates companies' claims that they cannot pay a proposed criminal fine or monetary penalty.
A court has expressed concern with the government's "routine outsourcing" of investigations to the targets of those investigations seeking cooperation credit. The court noted the corporate target's "uniquely coercive position" over its employees, who may also be potential targets of the investigation. The decision may profoundly affect the structure and scope of cooperation agreements between the government and the corporate targets of criminal investigations.
Updated DOJ guidance underscores importance of implementing truly effective corporate compliance programmesUSA | 13 May 2019
The Department of Justice (DOJ) recently confirmed the importance of implementing a robust compliance programme that is not only well designed, but also adaptable and able to function effectively. The DOJ's latest guidance makes clear that companies have a strong incentive to maintain an effective compliance programme. Most importantly, these programmes must be fully implemented, account for the structure and scope of a company's business and actually operate effectively.
Throughout 2018 the Department of Justice (DOJ) continued to ring the clarion call for cooperation and sought to provide some certainty, consistency and coordination regarding the incentives offered to companies that provide voluntary disclosures. In particular, the DOJ centralised its guidance memoranda into what is now known as the Justice Manual. The DOJ's goals were to identify redundancies, clarify ambiguities, eliminate surplus language and update the manual to reflect current law and practice.
Government attorneys now have additional discretion in False Claims Act civil cases to award cooperation credit to a corporation that meaningfully assists the investigation without necessarily identifying every individual person outside of senior management involved in the alleged misconduct. The new policy reflects the reality of modern corporate investigations and encourages realistic cooperation efforts without compromising the Department of Justice's policy of holding individuals accountable.
After the election of President Donald Trump, many observers wondered whether the US Department of Justice (DOJ) would change the way in which it enforces the Foreign Corrupt Practices Act. As the halfway point of Trump's first term in office approaches, it seems that the DOJ has not made any dramatic changes to the enforcement philosophy followed during prior administrations.
When a legal team needs to find the facts behind fraud and corruption allegations in a government investigation, technology can drive substantial new efficiencies. By filtering and evaluating vast amounts of information, artificial intelligence can effectively sort text messages, audio files, emails and other unstructured data into manageable groups; identify potential relationships between parties accused of fraud or corruption; and recognise patterns of frequency or timing, which may support a client's defence.
Compliance officers often report to the legal department or are staffed with qualified lawyers, making it difficult to distinguish when the compliance officer is serving in a legal capacity, rather than a compliance one. However, drawing a clear distinction between these functions, conducting internal investigations under the direction of counsel and making the legal purpose of communications or documents clear will make the best possible record to show that documents should be protected by privilege.
With few Foreign Corrupt Practices Act (FCPA) corruption investigations resolved under the Trump administration's watch, it is too early to weigh up how the administration will affect enforcement or settlements in the long term. On its face, the new FCPA Corporate Enforcement Policy signals a more business-friendly approach by removing the spectre of a monitor in many situations and by committing to a presumption of a declination in certain circumstances.
Companies now have even greater incentives to have strong, meaningful Foreign Corrupt Practices Act compliance programmes. When the deputy attorney general recently announced the new enforcement policy that will guide the US Department of Justice, he made it clear that the government wants to create incentives for companies to police themselves when it comes to bribery and corruption.
DOJ announces one of largest False Claims Act recoveries concerning government small-business programmesUSA | 02 October 2017
Two recent cases before the Department of Justice (DOJ) have sent a signal that the DOJ may become more proactive in combating small-business contracting fraud. These cases underscore the importance of ensuring that small-business eligibility representations are accurate, as the penalties for misrepresentation can be severe.
For energy, mining and resources companies, the cost of corruption – and getting caught – is real. Energy and mining companies, along with other resources companies, remain a major focus of bribery and corruption investigations worldwide. The government wields a potent weapon against bribery and corruption in the form of the Foreign Corrupt Practices Act.
In the past, compliance and remediation in the context of healthcare investigations were typically seen as afterthoughts. However, compliance efforts are now being more closely scrutinised by prosecutors. The Department of Justice recently issued an 11-part series of questions styled as guidance on corporate compliance programmes. Interestingly, it is a series of questions, not a series of answers. Companies are going to have to work the answers out themselves with their compliance departments and counsel.
In recent years, US and Western European military spending has decreased as military spending in other parts of the world has risen. As a result, aerospace, defence and government services companies increasingly rely on sales to foreign governments to grow business revenue and are thus at a more significant risk of investigation for violations of the Foreign Corrupt Practices Act.
To undergo a Foreign Corrupt Practices Act investigation entails significant risk. Since 2008 at least 10 corporations have agreed to pay more than $300 million in penalties to resolve such investigations. Defence costs associated with a global bribery or corruption investigation can also run into the millions before any penalties are assessed. A number of developments that emerged during 2016 will have broad implications for the coming year.
As the Senate prepares to confirm Senator Jeff Sessions as the new attorney general and to consider nominations for other high-level positions in the Justice Department, there are many questions – and few answers – about how the new leadership in the Justice Department will approach the prosecution of white collar crime during the Trump administration.
The Department of Justice (DOJ) recently announced a landmark resolution concerning violations of the Foreign Corrupt Practices Act. The DOJ and the Securities and Exchange Commission entered into a $413 million settlement with one of the world's largest hedge funds. This settlement indicates that the DOJ intends to enforce the act strictly with little regard for the industry involved or the financial consequences.
Since January 2009, the government has recovered more than $30 billion through False Claims Act cases, more than half of which was recovered from cases involving alleged fraud against federal healthcare programmes. False Claims Act cases are now more complex, lucrative and healthcare focused than ever – a far cry from the act's humble beginnings as a solution to the problem of fraudulent sales to the military during the American Civil War.
To understand how the government will regulate companies in the future, it is important to understand the problems it is currently trying to solve. In its efforts to enforce the Foreign Corrupt Practices Act, the US Justice Department faces a particularly difficult problem: how to incentivise companies to volunteer information about their own illegal conduct while retaining its ability to punish those companies for breaking the law.
With the publication of the Yates Memorandum, the Department of Justice has reinforced its focus on seeking accountability from individuals. Employees may thus be at greater risk from corporate investigations, particularly with respect to their work emails and other documents, and company counsel may receive more requests from individual counsel regarding the production of employees' documents.
The Yates Memorandum announced a new US Department of Justice (DOJ) policy that focuses DOJ attorneys on pursuing the individuals responsible for corporate wrongdoing. In considering the practical effects of the new policy, a question arises about the potential for it to increase the pressure on companies to provide legally privileged information to the DOJ in hopes of receiving cooperation credit.
The Department of Justice's (DOJ) Yates Memorandum aims to hold individuals, not just corporations, accountable for corporate misconduct, in response to criticism that it fails to punish executives who precipitate wrongdoing. However, it remains to be seen whether the policy will advance the DOJ's law enforcement interests or hinder them, as there may be unintended consequences for companies, employees and the DOJ itself.
The US Department of Justice recently announced a formal policy that provides for the vigorous prosecution of culpable individuals who are responsible for corporate wrongdoing, which is consistent with shifting trends in prosecution. An increased effort to prosecute high-ranking executives would result in significant changes to how investigations affect companies and how companies respond to investigations.
The recent Supreme Court decision in Kellogg Brown clarifies that the Wartime Suspension of Limitations Act will not toll the statute of limitations for civil claims during times of war or the authorisation of military force. This reverses the trend that had permitted the use of the act in civil False Claims Act matters and protects defendants from indefinite tolling in civil matters.
There are many subtle ways in which a law-abiding citizen can commit a federal felony under US law in a matter of minutes. The pressures of life can put people in situations where they take morally questionable actions that are prohibited by federal criminal law leading to criminal penalties. The average citizen should thus realise how broad US criminal law can be and how it can be applied to him or her.
Although the government has added new players to its line-up, the game seems to be the same in the world of Foreign Corruption Practices Act enforcement, as the Department of Justice (DOJ) and the Securities and Exchange Commission continued to push for strong enforcement in 2014. As in 2013, the DOJ continued to emphasise the importance of corporate compliance and cooperation with investigators.
The Supreme Court has steadily restricted the recovery available to civil litigants for conduct that occurred outside the United States and prosecutors have continued to push for the broad application of criminal laws to extraterritorial conduct, particularly in white collar criminal cases. Courts have only just begun to grapple with how to analyse whether a criminal statute applies extraterritorially.
The application of the fugitive disentitlement doctrine is an important issue that warrants Supreme Court review. It is an issue of fundamental fairness for both non-US citizens and the US Department of Justice. Both sides have reasonable and forceful arguments to make, and the future of the doctrine will have very real consequences for the US government and private citizens around the world.
The Delaware Supreme Court has issued a decision that may affect how US corporations conduct investigations and communicate with their attorneys. The decision adopted the fiduciary exception to attorney-client privilege, which allows shareholders access to a company's privileged communications when there is "good cause" to believe that management may have breached a fiduciary duty to the shareholders.
While companies can breathe a sigh of relief following the District of Columbia Circuit Court's recent unanimous ruling in In Re Kellogg Brown & Root, Inc, overturning the district court's decision in US, ex rel Barko v Halliburton Co, companies should take some precautions to reduce the risk of disclosure of privileged materials generated during internal investigations.
The US District Court for the District of Columbia recently issued an opinion that has the potential to disrupt the manner in which companies conduct compliance investigations, particularly in regulated sectors such as the defence industry. Although there are certain flaws in the court's reasoning, this decision – if widely adopted – could cause significant disruption in existing corporate compliance and investigation programmes.
An archaic World War II statute designed to give the federal government extra time to prosecute crimes during times of war has recently reared its head in the context of False Claims Act qui tam actions for the first time in over 50 years. The dramatic and far-reaching consequences of such a tolling of the limitations period for False Claims Act lawsuits have brought renewed attention to this peculiar statute.
The Foreign Corrupt Practices Act remained a key issue in 2013. The number of cases commenced under the act by the Department of Justice and the Securities and Exchange Commission was slightly above pace from the previous year, providing evidence of the agencies' continued commitment to aggressive pursuit of Foreign Corrupt Practices Act cases.
In December 2013 the Second Circuit issued a key decision that restricts the prosecution of cases where the US government aims to use routine payments within the limitations period to indict offences that should be time barred. In United States v Grimm the government charged three individuals with antitrust conspiracies more than five years after contracts were awarded.
It has been over two years since the US Securities and Exchange Commission (SEC) began operating its whistleblower programme, but substantial questions linger over its effectiveness and transparency. Only four whistleblower awards have been made in the programme's history and the SEC has not disclosed many details about those awards to the public. So has the programme been worth it?
Two New York judges and now a federal jury are making the Financial Institutions Reform Enforcement and Recovery Act required re-reading for banking attorneys. In recent opinions, the judges endorsed the claims filed under the act – a 1989 reform law now being applied by the Department of Justice to the aftermath of the late 2007 and 2008 meltdown in the housing and secondary mortgage market and other financial markets.