United States: Cybersecurity's Developing Role In FCPA Compliance

This article by partner Ryan Rohlfsen and associates Patrick Reinikainen and Daniel Flaherty was published by Law360 on January 11, 2019.

While much attention has been paid to Deputy Attorney General Rod J. Rosenstein's Nov. 29, 2018, revisions to the Foreign Corrupt Practices Act Corporate Enforcement Policy,1 other remarks by Rosenstein and Principal Deputy Assistant Attorney General John P. Cronan in November suggest that the U.S. Department of Justice may also be adapting FCPA enforcement principles to the area of cybersecurity, to encourage more coordination and collaboration with the private sector. This continues the trend from the DOJ speeches in March, July and September of last year,2 in which the DOJ officials extended FCPA enforcement principles to other contexts, and encouraged open communication through the FCPA opinions procedure. This development in the cyber arena may carry significant implications for a wide range of industries that handle sensitive data, such as the technology, health care, and financial services sectors.

Rosenstein and Responsible Encryption

While not explicitly referencing the FCPA enforcement principles, Rosenstein admonished private industry to recognize its responsibility to assist law enforcement investigating and preventing cybercrime. For example, at the Nov. 28 press conference to announce the unsealing of the indictment against two fugitive Iranian citizens allegedly involved in the "SamSam" ransomware attacks of 2016, Rosenstein described the "challenges posed to law enforcement by encryption." In the SamSam case, the defendants allegedly communicated via "an encrypted computer network designed to facilitate anonymous communication over the internet." Rosenstein made clear that "[t]hese sophisticated technologies pose a real threat to the government's ability to keep people safe and ensure that criminals and terrorists are caught and brought to justice."

The next day, Rosenstein built on his prior remarks, further encouraging collaboration and coordination to root out cybercrime. In the keynote address at Georgetown University Law Center's Cybercrime 2020 Conference, Rosenstein asked "the private sector and academia" to help the DOJ "develop investigative capabilities that keep up with enforcement challenges," such as those identified in the attorney general's Cyber-Digital Task Force July report.3

He focused specifically on criminals' anticipated use of "impenetrable communications platforms." To prevent this "technological anarchy," Rosenstein called on private industry to cease designing "'warrant-proof' encryption." Noting that "[i]t is impossible to employ criminal enforcement tools and other forms of retribution without first identifying the perpetrators," and conceding that the DOJ's "ability to gather electronic evidence increasingly relies on remote communications service providers and device manufacturers," Rosenstein argued that "[t]echnology makers share a duty to comply with the law and to support public safety, not just user privacy." Thus, he encouraged the development of "'responsible encryption,' — effective, secure encryption that resists criminal intrusion but allows lawful access with judicial authorization."

Cronan, the FCPA Policy and the Cyber Arena

Deputy Assistant Attorney General John Cronan bolstered Rosenstein's calls for collaboration and coordination, doubling down and making clear that the DOJ was interested in extending FCPA enforcement principles "to foster similar collaboration between government and industry in the cyber arena." He explained that the DOJ articulated the FCPA Corporate Enforcement Policy because it believes that, with greater transparency into prosecutorial policy, "companies are more likely to in fact engage in that good corporate behavior," like maintaining "effective compliance programs" and "voluntarily disclosing to law enforcement, cooperating, and remediating" any misconduct.

Cronan also revealed that the DOJ is interested in incentivizing similar corporate behavior with respect to cybersecurity, stating that "[a]s in the FCPA context, we appreciate the value of providing guidance in the context of cyber attacks or intrusions in helping companies make informed and rational decisions." As an example of steps taken "[i]n the interest of promoting that collaboration," Cronan identified the Criminal Division's Computer Crime and Intellectual Property Section's "best practices" guidance for preparing for and responding to a cybersecurity incident.4 Like the FCPA enforcement policy, this guidance encourages companies to self-report misconduct, including misconduct by "a company insider."

But rather than addressing how corporate victims of cybercrimes might be compared to corporate violators of the FCPA, and how each might have different incentives to disclose the relevant conduct, Cronan went on to describe the DOJ's and private industry's "critical roles to play in compliance." Instead of providing a detailed analogy, or expressly extending the FCPA enforcement policy, Cronan suggested that the DOJ is specifically interested in "open channels of communication between government and industry" and provided two examples of "ineffective compliance" to illustrate his point.

First, Cronan discussed a company that allegedly aided and abetted fraudulent payments involving its corrupt agents and customers. The company had entered into a deferred prosecution agreement mandating compliance improvements. However, the company failed to adequately implement those improvements or disclose compliance weaknesses arising from those failures. As a result, the company was forced to extend its deferred prosecution agreement and forfeit $125 million. Cronan also discussed the DOJ investigation into a second company, which had similarly failed to identify fraudulent payments by its agents and had therefore entered into a deferred prosecution agreement for aiding and abetting those crimes, forfeiting $586 million as a result. Cronan characterized both cases as including facts "which were known by the company and which exposed gaping holes in its compliance program as implemented," but which were neither disclosed nor corrected.

As a point of contrast, Cronan highlighted the importance of recognizing and responding to compliance failures. First, he characterized two recipients of declinations under the FCPA Corporate Enforcement Policy as companies "that have taken meaningful, effective compliance seriously." Speaking of Insurance Corporation of Barbados Limited and Guralp Systems Limited, Cronan noted that each company had senior management involved in alleged misconduct.5 Nonetheless, they received declinations because of their "overall efforts to do that right thing," including cooperation that "enabled the Department to bring charges against culpable individuals" — a theme reiterated in Rosenstein's widely publicized FCPA speech the next day.6 Cronan then concluded with remarks about "compliance in the context of mergers and acquisitions." In doing so, he highlighted "the importance of self-reporting and proactively addressing problems as they arise, whenever they come to light, even if it is after-the-fact."

Through this contrast, Cronan made clear that "[w]hat matters to us in the Criminal Division — as embodied in the FCPA Corporate Enforcement Policy and the application of its principles outside the FCPA — is both the effectiveness of the [compliance] program in place at the time of the misconduct, as well as how the company responds upon discovering the misconduct in terms of disclosing to law enforcement, cooperating with the government, and taking meaningful remedial measures."

Potential Implications for Cybersecurity Compliance

When combined with Rosenstein's discussion of the importance of coordination and collaboration in the cybersecurity arena, Cronan's remarks with respect to effective compliance programs may have significant implications for a wide range of industries that handle sensitive data, such as the technology, health care and financial services sectors. Although their collective remarks do not reveal a specific adoption of the FCPA Corporate Enforcement Policy's principles in the cybersecurity arena, there are several takeaways that may affect how companies approach the development and implementation of effective cybersecurity compliance functions moving forward.

Like Corruption, Cybercrime Is a Global Challenge

In the "SamSam" press conference, Rosenstein "call[ed] on all civilized nations to prevent their citizens from using the internet to perpetrate fraud schemes in foreign countries," and thanked investigators from two United Kingdom and two Canadian agencies. Of course, anti-corruption enforcement and compliance has become a global problem, with frequent cross-border collaboration. Rosenstein and Cronan's remarks suggest that we might expect the same level of coordination in the realm of cybercrime enforcement and compliance.

Health Care, Financial Services, Technology Companies and Other Carriers of Sensitive Data May Face High Compliance Expectations

While describing the victims of the "SamSam" Ransomware, Rosenstein noted that health care-related entities were targeted because the defendants knew that doing so would cause significant harm. Cronan similarly suggested the companies cited as examples of compliance failures had financial data that created a significant risk for misuse, which was realized by their corrupt agents and customers. These references suggest that the DOJ may hold companies with sensitive data, including those in the health care, financial services and technology sectors, to a high bar, expecting them to prevent, detect, and report their data's misuse — whether in their capacity as a victim, or as a potential wrongdoer.

Disappearing Messaging Carries Continued Risks

In defining "timely and appropriate remediation," the FCPA Corporate Enforcement Policy requires companies "prohibit[] employees from using software that generates but does not appropriately retain business records or communications."7 Now, it seems the DOJ might be looking to compliance departments to take preventative steps before misconduct occurs. For example, Cronan noted "ephemeral and encrypted messaging services" are one of the new technologies "which pose a challenge to traditional investigative methodologies." While criticizing those engaged in the development of 'warrant-proof' encryption, Rosenstein asked private industry to assist law enforcement in preserving and collecting electronic evidence. Together, these remarks suggest that companies permitting ephemeral messaging might, like those designing "warrant-proof" encryption, be deemed to be shirking their duty to support public safety.

Compliance and Cybersecurity Departments Should Be Adequately Staffed to Assist in Government Investigations

As part of his Georgetown address, after noting that the DOJ's "ability to gather electronic evidence increasingly relies on remote communications service providers and device manufacturers," Rosenstein noted that some private companies "chronically understaff their offices that respond to legal process from law enforcement." Cronan explained that other companies, like Insurance Corporation of Barbados Limited and Guralp Systems Limited, would be rewarded for assisting the DOJ in its investigation of culpable individuals. Maintaining adequate investigatory resources across compliance and cybersecurity departments to assist government investigations thus appears to be critically important in the DOJ's view.

Adequate Policies and Procedures Should Account for Misconduct by Third Parties

Cronan described compliance failures at two companies that were, in part, failures to detect, prevent, and correct misuse of their money transfer systems by customers, not agents, of the company. In his Georgetown address, Rosenstein reiterated the notion that technological developments might be misused by criminal groups, and called on private industry to help protect public safety. These comments suggest that compliance programs should be aimed at preventing and deterring criminal incidents, full stop — not just at limiting the criminal liability of the company and its employees. Doing so would therefore ostensibly include accounting for potential misconduct by third parties, including consumers of a company's products or services.

Conclusion

As the DOJ looks to expand on the success of the FCPA Corporate Enforcement Policy to incentivize good corporate conduct in other contexts, it may also attempt to further encourage private industry to collaborate and coordinate with law enforcement. In the cyber arena, those efforts have already begun. While companies await further transparency into the policies guiding the exercise of prosecutorial discretion in this context, they should begin considering the implications of the DOJ's efforts when designing compliance programs.

Footnotes

1 Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the American Conference Institute's 35th International Conference on the Foreign Corrupt Practices Act (https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-american-conference-institute-0); see also DOJ Deputy Attorney General Outlines Key Policy Revisions Focusing on Individual Accountability, Softening Yates Memo (https://www.ropesgray.com/en/newsroom/alerts/2018/11/DOJ-Deputy-Attorney-General-Outlines-Key-Policy-Revisions-Focusing-on-Individual-Accountability).

2 DOJ Expands Leniency Beyond FCPA, Lets Barclays Off (https://www.law360.com/articles/1017798/doj-expands-leniency-beyond-fcpa-lets-barclays-off); Deputy Assistant Attorney General Matthew S. Miner Remarks at the American Conference Institute 9th Global Forum on Anti-Corruption Compliance in High Risk Markets (https://www.justice.gov/opa/pr/deputy-assistant-attorney-general-matthew-s-miner-remarks-american-conference-institute-9th); Deputy Assistant Attorney General Matthew S. Miner of the Justice Department's Criminal Division Delivers Remarks at the 5th Annual GIR New York Live Event (https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matthew-s-miner-justice-department-s-criminal-division); see also DOJ Commentary Underscores the Importance of Pre-Acquisition Diligence (https://www.ropesgray.com/en/newsroom/alerts/2018/08/DOJ-Commentary-Underscores-the-Importance-of-Pre-Acquisition-Diligence).

3 Report of the Attorney General's Cyber Digital Task Force (https://www.justice.gov/ag/page/file/1076696/download).

4 Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft (https://www.justice.gov/criminal-ccips/file/891011/download).

5 Insurance Corporation of Barbados Limited Declination (https://www.justice.gov/criminal-fraud/page/file/1089626/download); Guralp Systems Limited Declination (https://www.justice.gov/criminal-fraud/page/file/1088621/download).

6 See sources cited supra note 1.

7 USAM § 9-47.120(3)(c).
