Struck by CrowdStrike Outage? Your Business Loss Could Be Covered

Over the last week, organizations around the globe have struggled to bring operations back online following a botched software update from cybersecurity company CrowdStrike. As the dust settles, affected organizations should consider whether they are insured against losses or claims arising from the outage. The Wall Street Journal has already reported that insurers are bracing for claims arising from the outage and that according to one cyber insurance broker “[t]he insurance world was expecting to cover situations like this.” A cyber analytics firm has estimated that insured losses following the outage could reach $1.5 billion.

Your cyber insurance policy may cover losses resulting from the CrowdStrike outage. These policies often include “business interruption” or “contingent business interruption” insurance that protects against disruptions from a covered loss. Business interruption insurance covers losses from disruptions to your own operations. This insurance may cover losses if the outage affected your own computer systems. Contingent business interruption insurance, on the other hand, covers your losses when another entity’s operations are disrupted. This coverage could apply if the outage affected a supplier or cloud service provider that your organization relies on.

Cyber policies often vary in the precise risks they cover. Evaluating potential coverage requires comparing your losses to the policy’s coverage. Cyber policies also include limitations and exclusions on coverage. For example, many cyber policies contain a “waiting period” that requires affected systems to be disrupted for a certain period before the policy provides coverage. These waiting periods can be as short as one hour or as long as several days.

Other commercial insurance policies could also provide coverage depending on the loss or claim and the policy endorsements and exclusions. For example, your organization may have procured liability insurance that protects against third-party claims or litigation. This insurance could protect you from claims made by customers or other businesses related to the outage.

If your operations have been impacted by the CrowdStrike outage, there are a few steps you can take now to maximize your potential insurance recovery.

First, read your policies to determine the available coverage. As you review your policies, pay careful attention to policy limits, endorsements, and exclusions. A policy endorsement may significantly expand policy coverage, even though it is located long after the relevant policy section. Keep in mind that courts generally interpret coverage provisions in a policy generously in favor of an insured and interpret exclusions or limitations narrowly against an insurance company.

Second, track your losses. The outage likely cost your organization lost profits or extra expenses. Common business interruption losses may also include overtime expenses to remedy the outage, expenses to hire third-party consultants or technicians, and penalties arising from the outage’s disruption to your operations. Whatever the nature of your loss, tracking and documenting your loss now will help you secure a full insurance recovery later.

Third, carefully review and comply with your policy’s notice requirements. If you have experienced a loss or a claim, you should immediately notify your insurer. Even if you are only aware of a potential claim, your policy may require you to provide notice to your insurer of the events that could ultimately lead to a claim or loss. Some notice requirements in cyber policies can be quite short. After providing notice, you may receive a coverage response or “reservation of rights” from your insurer. Be cautious in taking any unfavorable response at face value. Particularly in cases of widespread loss, an insurer’s initial coverage evaluation may not accurately reflect the available coverage.

If you are unsure of your policy’s notice obligations or available coverage, or if you suspect your insurer is not affording your organization the coverage that you purchased, coverage counsel can assist your organization in securing coverage. Above all, don’t hesitate to secure the coverage to which you are entitled.


Relying on Noncompete Clauses May Not Be the Best Defense of Proprietary Data When Employees Depart

Much of the value of many companies often is wrapped up with and measured by their intellectual property (IP) portfolios. Some forms of IP, such as patents, are known by the public. Others derive their value from being hidden from the public. Many companies, for example, have gigabytes of data or “know-how” that may be worth millions, but only to the extent that they remain secret. This article discusses some ways to keep business information confidential when an employee who has had access to that information leaves the company.

Many companies traditionally turned to employment agreements, specifically noncompete clauses, to protect proprietary competitive information. The legality of noncompetes is in question following the Federal Trade Commission’s (FTC’s) ban on them, which is being challenged in court by the U.S. Chamber of Commerce, causing confusion and concerns about protecting information via noncompete agreements. As covered in Wilson Elser’s prior articles* on this subject, the timeline of the FTC rule in question was as follows:

  • The FTC promulgated new rules to take effect in September 2024 banning all noncompete agreements.
  • The U.S. Supreme Court overturned the 40-year-old method of reviewing agency rules (Chevron Deference), throwing all agency rules, including the FTC’s rule on noncompetes, into question.
  • The District Court for the Northern District of Texas preliminarily enjoined the FTC from enforcing its new rule banning noncompetes.

After this flurry of activity, noncompetes are, for now, not banned. But do they offer an effective solution for businesses seeking to protect their proprietary information?

Noncompete Clauses Are Not Always Effective

Vortexa, Inc. v. Cacioppo, a June 2024 case from the District Court for the Southern District of New York, illustrates the limitations of noncompete clauses in employment agreements. That case presents the familiar fact pattern of an employee leaving and going to work for a competitor. With some evidence of the employee’s access to proprietary competitive information in hand (but no evidence of actual misappropriation), the former employer sought a preliminary injunction to prevent the employee from working for the competitor for one year, the term stated in the noncompete clause in the employee’s contract with the former employer. The contract also included common non-disclosure and confidentiality clauses.

Absent evidence of actual misappropriation, the plaintiff employer relied on the “Inevitable Disclosure” doctrine, which assumes that a departing employee will inevitably disclose confidential information when they go work for a competitor. The court refused to apply this doctrine, explaining that inevitable disclosure may substitute for actual evidence of misappropriation only when the information is a trade secret. Here, none of the information about which the former employer was concerned was a trade secret.

The proprietary information that the former employee had was pricing data, marketing strategies and “intricacies of the business.” These types of information do not, in and of themselves, constitute trade secrets. In addition, the information was not afforded trade secret treatment because (1) some of it was ascertainable by the competitor without reference to the first employer’s information; (2) the companies sell different products; (3) some of the information was developed without the expenditure of a good deal of money and effort; (4) some of the information was provided to clients without a non-disclosure agreement; (5) some of the information was shared on company-wide collaboration channels; and (6) “google drive log records show that [the former employee] opened and viewed these documents, which underlines the lack of security protecting this purportedly confidential information.”

Most of these reasons for the information not being accorded trade secret status cannot be changed by any action of the employer. For example, if information can be generated by means independent of the first employer, that information cannot be protected by trade secret law and nothing the first employer can do will change that after the fact. However, any business seeking to protect its valuable competitive information can change the way that it secures, protects and manages access to its competitive information, and this may be enough to ensure that its information is protected by trade secret law.

What Businesses Should Do to Protect Their Proprietary Competitive Information

Generally, proprietary competitive information can be protected as a trade secret by operation of law or via contract. In many cases, the “belt and suspenders” approach is best – the information should be protected both by contract and by meeting the requirements for protection under trade secret law. As described, a contract alone is sometimes ineffective, so information that derives its value from not being generally known to the public should also be treated in such a manner that the courts would see it as being a trade secret.

Specifically, for something to qualify for trade secret protection under federal and state statutes and common law, it must be securely kept and carefully protected from disclosure. Some easy ways to protect information are to (1) restrict access to folders on a company’s internal computer systems, (2) physically lock rooms that contain hard copies and (3) have computers lock automatically when not accessed for set time periods. Protecting information via noncompete, confidentiality and non-disclosure contractual obligations is another way to ensure that information remains secret, such that it is protected under trade secret law. Internal policies on how information may be shared with third parties, such as clients, also are helpful evidence of trade secret treatment. In addition, the business may consider maintaining records on the time, effort and monetary expenditures required to develop proprietary information, which should allow the business to demonstrate that making such information freely available to a competitor is fundamentally unfair.

In some cases, information protected as a trade secret may be the most valuable IP that a company owns. But the value can easily be lost if the company does not properly secure the information. Different scenarios call for different methods of security, and a good rule of thumb to protect information from disclosure by a departing employee is to protect this information both by contract and as a trade secret.

The first step for any business is to think through their overall data protection strategy and consult with experienced intellectual property counsel to put appropriate protections in place.

Federal Agencies Have Placed a Heightened Priority on Whistleblowers and Speedy Cooperation

As new areas of the law emerge, driven in part by technology and the free flow of information, federal agencies are becoming more aggressive with a tried and true carrot-and-stick approach to law and regulatory enforcement.

In a recent PLI panel on government enforcement priorities in May 2024, Brent Wible, Chief Counselor, Office of the Assistant Attorney General, Department of Justice (DOJ or Department); Daniel Gitner, Chief of the Criminal Division, US Attorney’s Office for the Southern District of New York (SDNY or the Office); and Antonia Apps, Director of the New York Regional Office of the Securities and Exchange Commission (SEC or Commission) shared their thoughts, priorities and practices in 2024 enforcement and beyond.

All of the government lawyers stressed that the DOJ and enforcement agencies are open and are actively encouraging whistleblowers with new incentives and programs. To that end, Mr. Gitner from the SDNY stated very directly that corporations need to understand that there is a “need for speed” in corporate self-disclosures. Otherwise, whistleblowers will be closing the door to the benefits of corporate self-disclosures. Put differently, enforcement agencies do not want a corporation to complete lengthy internal investigations before reporting.

A uniform theme and stance taken by all is that whistleblowers are valuable, and bounties will be paid in cash or in deferred prosecution agreements or possibly both. Whistleblowers must be protected. Internal and external whistleblowers should be encouraged.

This article focuses on three whistleblower initiatives—(i) the SEC’s Whistleblower Program, (ii) the SDNY Whistleblower Pilot Program and (iii) DOJ’s Pilot Whistleblower Program for voluntary self-disclosure—and how those programs may impact a corporation’s response to whistleblowers, internal investigations, and disclosures.

SEC 21F WHISTLEBLOWER PROGRAM

Since its inception more than a decade ago, the SEC’s Whistleblower Program has been widely viewed as successfully incentivizing whistleblower reports of violations of the securities laws. In its 2023 fiscal year, the SEC received more than 18,000 tips from whistleblowers and issued the most awards to whistleblowers ever in one year, totaling nearly US$600 million. That year, the Commission also issued its largest ever award of US$279 million to a single whistleblower.1

What is the SEC’s Whistleblower Program?

Section 21F of the Securities Exchange Act of 1934, codified as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, requires the SEC to pay awards to whistleblowers who provide information to the SEC about violations of federal securities laws.2 Accordingly, the SEC has issued a series of rulemakings implementing Section 21F to create its whistleblower program. To qualify as a whistleblower, an individual must voluntarily provide the SEC with original information in writing about a possible violation of federal securities law that has occurred, is ongoing, or is about to occur.3 To qualify for an award, this information must lead to a successful enforcement action with monetary sanctions totaling more than US$1 million.4

“Original” information means that it cannot be found in publicly available sources and is not already known by the Commission, but is instead the product of the whistleblower’s independent knowledge or analysis.5 A submission is “voluntary” if the whistleblower provides it to the SEC before receiving a regulatory request or demand for information relating to the same subject matter. Therefore, a submission of information that is made in response to a request, inquiry, or demand by the SEC, the Public Company Accounting Oversight Board, a self-regulatory organization (such as the Financial Industry Regulatory Authority), or a separate federal or state governmental body does not qualify as a voluntary submission.6 Additionally, a submission that is required under a legal or contractual duty to the Commission is not considered voluntary and is thus ineligible for an award.7

The SEC’s whistleblower rules also include anti-retaliation protections intended to ensure that the incentives provided to whistleblowers for reporting are not outweighed by a fear of reprisal from their employer. Under Rule 21F-17, companies are prohibited from interfering with or impeding a whistleblower’s communications to the SEC about a possible violation of the securities laws, including through enforcement or threatened enforcement of a confidentiality agreement that may be read to prevent whistleblower communications with the SEC.8

The SEC is taking violations of Rule 21F-17 seriously and has increased enforcement activity in this area over the last two years. The Commission brought a number of actions, with significant civil penalties, focused on corporate agreements containing confidentiality language that, according to the SEC, does not provide an express exception for whistleblower communications. The enforcement actions extend to different types of companies, including publicly traded companies, privately held companies, broker-dealers and investment advisers, and to a variety of forms of agreements with employees and customers alike.9

For example, a gaming company paid US$35 million to settle claims that it had violated the whistleblower protection rule by requiring former employees to execute separation agreements that obligated them to notify the company of any request for information received from the Commission, in addition to compliance failures regarding workplace complaints.10 In January 2024, the SEC settled the largest ever standalone Rule 21F-17 case, imposing US$18 million in civil penalties against a dually registered investment adviser and broker dealer for allegedly requiring clients to sign a confidential release agreement—without expressly allowing for direct communications to regulators regarding potential securities law violations—in order to receive certain credit or settlement payments.11 In another case involving US$10 million in civil penalties, the Commission charged a registered investment adviser with a standalone violation of Rule 21F-17 based on employment agreements that contained a confidentiality clause prohibiting external disclosure of confidential company information, without a carve-out for voluntary communications with the SEC concerning possible violations of the securities laws.12 As recently stated by the co-chief of the SEC Enforcement Division’s Asset Management Unit, “Investors, whether retail or otherwise, must be free to report complaints to the SEC without any interference. Those drafting or using confidentiality agreements need to ensure that they do not include provisions that impede potential whistleblowers.”13

SDNY WHISTLEBLOWER PILOT PROGRAM

In February 2024, the SDNY launched a whistleblower pilot program. The purpose of the program is to encourage early and voluntary self-disclosure of criminal conduct by individual participants.14 The program is applicable to disclosures of conduct committed by public or private companies, exchanges, financial institutions, investment advisers, or investment funds involving fraud or corporate control failure or affecting market integrity, or criminal conduct involving state or local bribery or fraud relating to federal, state, or local funds.15 In exchange for a qualifying self-disclosure, the Office will enter into a non-prosecution agreement with the whistleblower.16

Given that a non-prosecution agreement is promised, the SDNY has identified factors to determine whether a whistleblower qualifies for a discretionary non-prosecution agreement. The most salient include: whether and to what extent the misconduct is unknown to either SDNY or the DOJ; whether the information is disclosed voluntarily to SDNY and not in response to an inquiry or obligation to report misconduct; whether the whistleblower provides substantial assistance in the investigation and prosecution of culpable individuals, and in the investigation and prosecution of the disclosed conduct; whether the whistleblower truthfully and completely discloses all criminal conduct they participated in and are aware of; whether the whistleblower is a chief executive officer or chief financial officer of a public or private company, who is not eligible for the pilot program; and the adequacy of noncriminal sanctions, such as remedies imposed by civil regulators.

Mr. Gitner said the defense bar is coming around to a non-prosecution carrot for individuals involved in wrongdoing within the corporation. Mr. Gitner said that SDNY seeks early discussions, and the pilot program seems to be driving toward that goal.

DOJ PILOT PROGRAM ON VOLUNTARY SELF-DISCLOSURES FOR INDIVIDUALS

In March 2024, the DOJ announced an upcoming program to reward whistleblowers who report corporate crimes. The new program seeks to bolster existing whistleblower programs established by the SEC (discussed above), the Commodity Futures Trading Commission (CFTC), the Internal Revenue Service, and the Financial Crimes Enforcement Network.17 Accordingly, the program will offer rewards to whistleblowers who provide information on misconduct that is not under the jurisdiction of those agencies. In particular, the Department is interested in criminal abuses of the US financial system, foreign corruption cases outside of the SEC’s jurisdiction, and domestic corruption cases. In order to qualify, an individual must provide original, nonpublic, and truthful information that assists the Department in uncovering “significant corporate or financial misconduct” and is previously unknown to the agency.18 Like the SEC and CFTC, the Department does not plan to provide awards for information that is submitted under a preexisting duty or in response to an inquiry.19 Access to the program is only available where existing programs or qui tam actions do not exist. Additionally, the whistleblower in this program cannot be involved in the criminal activity itself. After compensation to victims, the whistleblower will receive a portion of the resulting forfeiture as a reward.20

Interestingly, however, it appears the Department may be moving away from offering monetary awards to whistleblowers. In April 2024, the Department introduced a pilot program that tracks with the SDNY and offers mandatory non-prosecution agreements to individuals who provide information on corporate misconduct.21 Under the program, an individual must voluntarily self-disclose original information to the Criminal Division about criminal misconduct that is not previously known to the Department. The information must be “truthful and complete,” meaning it must include all known information relating to the misconduct, including the individual’s own culpability. In particular, the Department seeks information on violations by financial institutions; violations related to market integrity committed by financial institutions, investment advisers, investment funds, or public or private companies; foreign corruption and bribery violations by public or private companies; violations relating to health care fraud or illegal health care kickbacks; fraud or deception against the United States in connection with federally funded contracting; and bribery or kickbacks to domestic public officials by public or private companies. The whistleblower also cannot be a chief executive officer, chief financial officer, or those equivalents of a public or private company; or an elected or appointed foreign government or domestic government official; nor can the whistleblower have a previous felony conviction or a conviction of any kind involving fraud or dishonesty. Irrespective of this program, the Department still has the discretion of offering a non-prosecutorial agreement to individuals who may not meet the above criteria in full, subject to Justice Manual and Criminal Division procedures.22

TAKEAWAYS

The takeaways here for corporate in-house legal departments are:

  • Federal agencies are incentivizing whistleblowers with cash and non-prosecution agreements. It is clear that wrongdoers and witnesses now more than ever have several whistleblower programs from which to choose. As a result, corporations must become more vigilant at detecting wrongdoing and effectively utilizing internal reporting systems. Careful consideration of an early self-disclosure to the appropriate agency may also be warranted. Internal investigations will take a heightened priority to aid the C-suite and board on disclosure decisions.
  • Not only is protecting whistleblowers a priority, but encouraging whistleblowers through heightened compliance programs, updated hotlines or other internal reporting programs should also be considered. You may also wish to consider offering financial incentives for timely reporting to the corporation’s internal reporting program. All of these measures will benefit the company in any government disclosure.
  • The enforcement risk for companies under the SEC’s whistleblower rules is real and potentially significant, including with respect to day-to-day business activities (such as entering into client or employee confidentiality agreements) that may not otherwise be recognized as creating regulatory exposure. Companies may wish to revisit their standard contracts and compliance materials to ensure that any confidentiality provisions align with Rule 21F-17.

We acknowledge the contributions to this publication from our summer associate Minu Nagashunmugam.

1 https://www.sec.gov/newsroom/enforcement-results-fy23.

2 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 2.

3 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 2.

4 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 3.

5 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 5.

6 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 5.

7 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 5.

8 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 28.

9 The SEC’s Office of the Whistleblower has stated that violations of Rule 21F-17 may be triggered by “internal policies, procedures, and guidance, such as codes of conduct, compliance manuals, training materials, and other such documents.” SEC, Whistleblower Protections (last updated July 1, 2024) https://www.sec.gov/enforcement-litigation/whistleblower-program/whistleblower-protections#anti-retaliation.

10 https://news.bloomberglaw.com/securities-law/sec-biggest-whistleblower-penalty-signals-broad-protection-focus?context=search&index=11

11 In re JP Morgan Sec. LLC, File No. 3-21829 (Jan. 16, 2024), https://www.sec.gov/files/litigation/admin/2024/34-99344.pdf.

12 In re D.E. Shaw & Co., L.P., File No. 3-21775 (Sept. 29, 2023), https://www.sec.gov/files/litigation/admin/2013/34-70396.pdf.

13 SEC Press Release (Jan. 16, 2024), https://www.sec.gov/newsroom/press-releases/2024-7.

14 https://www.justice.gov/d9/2024-05/sdny_wb_policy_effective_2-13-24.pdf

15 https://www.justice.gov/d9/2024-05/sdny_wb_policy_effective_2-13-24.pdf

16 https://www.justice.gov/d9/2024-05/sdny_wb_policy_effective_2-13-24.pdf

17 https://www.justice.gov/opa/speech/acting-assistant-attorney-general-nicole-m-argentieri-delivers-keynote-speech-american

18 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations

19 https://www.justice.gov/criminal/media/1347991/dl?inline

20 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations

21 https://www.justice.gov/criminal/media/1347991/dl?inline

22 https://www.justice.gov/criminal/media/1347991/dl?inline


FinCEN Publishes Updated FAQs

Entities terminated in 2024 are required to file Corporate Transparency Act beneficial ownership information reports, as are administratively dissolved entities.

The Financial Crimes Enforcement Network (“FinCEN”) recently published updates to its list of Frequently Asked Questions (“FAQs”) to assist entities in complying with the beneficial ownership reporting requirements of the Corporate Transparency Act (“CTA”).

Principal among these updates was FinCEN’s clarifying requirement that business entities terminated in the year 2024 (whether existing prior to 2024 or formed in 2024) are required to file beneficial ownership information reports (BOIR) under the CTA.

This filing requirement also expressly includes BOIR filings for administratively dissolved entities.

Each of these concepts was the subject of debate as to its applicability under the CTA prior to this FAQ release, with some conjecture that terminating an entity’s existence prior to its BOIR filing deadline would alleviate the need to make a BOIR filing – a position now refuted by FinCEN.

As Polsinelli has consistently advised, the obligation to file under the CTA has accrued for all entities in existence in 2024; only the deadline for filing the BOIR has not yet arrived. Entities are advised to file their BOIR prior to consummating their termination process.

The July 8 FAQs also included clarification on beneficial owner disclosure scenarios involving an entity fully or partially owned by an Indian Tribe.

FinCEN expects to publish further guidance in the future. The updated FAQs can be accessed here.

* * * * *

Several of the updates bear special note:

1. FAQ C. 12. – Reporting Company Status

Do beneficial ownership information reporting requirements apply to companies created or registered before the Corporate Transparency Act was enacted (January 1, 2021)?

FinCEN stated “Yes.” Beneficial ownership information reporting requirements apply to all companies that qualify as “reporting companies”, regardless of when they were created or registered. Companies are not required to report beneficial ownership information to FinCEN if they are exempt or ceased to exist (i.e., are formally terminated with the Secretary of State) as legal entities before January 1, 2024.

2. FAQ C. 13. – Reporting Company Status

Is a company required to report its beneficial ownership information to FinCEN if the company ceased to exist before reporting requirements went into effect on January 1, 2024?

A company is not required to report its beneficial ownership information to FinCEN if it ceased to exist as a legal entity (i.e., was formally terminated with the Secretary of State) before January 1, 2024. This means that the entity entirely completed the process of formally and irrevocably dissolving (i.e., was formally terminated with the Secretary of State). A company that ceased to exist as a legal entity before the beneficial ownership information reporting requirements became effective January 1, 2024, was never subject to the reporting requirements and thus is not required to report its beneficial ownership information to FinCEN.

Although state or Tribal law may vary, a company typically completes the process of formally and irrevocably dissolving by, for example, filing dissolution paperwork with its jurisdiction of creation or registration, receiving written confirmation of dissolution, paying related taxes or fees, ceasing to conduct any business, and winding up its affairs (e.g., fully liquidating itself and closing all bank accounts).

If a reporting company continued to exist as a legal entity for any period of time on or after January 1, 2024 (i.e., did not entirely complete the process of formally and irrevocably dissolving (i.e., terminating) before January 1, 2024), then it is required to report its beneficial ownership information to FinCEN, even if the company had wound up its affairs and ceased conducting business before January 1, 2024.

Similarly, if a reporting company was created or registered on or after January 1, 2024, and subsequently ceased to exist, then it is required to report its beneficial ownership information to FinCEN—even if it ceased to exist before its initial beneficial ownership information report was due.

A company that is administratively dissolved or suspended—because, for example, it failed to pay a filing fee or comply with certain jurisdictional requirements—generally does not cease to exist as a legal entity unless the dissolution or suspension becomes permanent. Until the dissolution becomes permanent, such a company is required to report its beneficial ownership information to FinCEN.

3. FAQ C. 14. – Reporting Company Status

If a reporting company created or registered in 2024 or later winds up its affairs and ceases to exist before its initial BOI report is due to FinCEN, is the company still required to submit that initial report?

FinCEN stated “Yes.” Reporting companies created or registered in 2024 must report their beneficial ownership information to FinCEN within 90 days of receiving actual or public notice of creation or registration. Reporting companies created or registered in 2025 or later must report their beneficial ownership information to FinCEN within 30 days of receiving actual or public notice of creation or registration. These obligations remain applicable to reporting companies that cease to exist as legal entities—meaning wound up their affairs, ceased conducting business, and entirely completed the process of formally and irrevocably dissolving—before their initial beneficial ownership reports are due.

It bears note that, if a reporting company files an initial beneficial ownership information report and then ceases to exist, then there is no requirement for the reporting company to file an additional report with FinCEN noting that the company has ceased to exist.

4. FAQ D. 17. – Beneficial Owner

Who should an entity fully or partially owned by an Indian Tribe report as its beneficial owner(s)?

An Indian Tribe is not an individual, and thus should not be reported as an entity’s beneficial owner, even if it exercises substantial control over an entity or owns or controls 25 percent or more of the entity’s ownership interests. However, entities in which Tribes have ownership interests may still have to report one or more individuals as beneficial owners in certain circumstances.

Entity Is a Tribal Governmental Authority. An entity is not a reporting company—and thus does not need to report beneficial ownership information at all—if it is a “governmental authority,” meaning an entity that is (1) established under the laws of the United States, an Indian Tribe, a State, or a political subdivision of a State, or under an interstate compact between two or more States, and that (2) exercises governmental authority on behalf of the United States or any such Indian Tribe, State, or political subdivision. This category includes tribally chartered corporations and state-chartered Tribal entities if those corporations or entities exercise governmental authority on a Tribe’s behalf.

Entity’s Ownership Interests Are Controlled or Wholly Owned by a Tribal Governmental Authority. A subsidiary of a Tribal governmental authority is likewise exempt from BOI reporting requirements if its ownership interests are entirely controlled or wholly owned by the Tribal governmental authority.

Entity Is Partially Owned by a Tribe (and Is Not Exempt). A non-exempt entity partially owned by an Indian Tribe should report as beneficial owners all individuals exercising substantial control over it, including individuals who are exercising substantial control on behalf of an Indian Tribe or its governmental authority. The entity should also report any individuals who directly or indirectly own or control at least 25 percent or more of the ownership interests of the reporting company. (However, if any of these individuals own or control these ownership interests exclusively through an exempt entity or a combination of exempt entities, then the reporting company may report the name(s) of the exempt entity or entities in lieu of the individual beneficial owner.)

The New Cross-Cultural Playbook for Global Arbitration

Cross-cultural differences and the misunderstandings that often arise from them play a powerful role in how businesses build relationships and conduct their commercial and legal affairs. At a time of expansive growth in transnational business, trade, and investment, a lack of knowledge about local culture, values, and customs in business and legal dealings is leading to ever more complex and tense international legal disputes.

As lawyers and arbitrators, it is critical to foster a deeper understanding of how cultural and emotional factors along with behavioral tendencies impact business decisions and the practice of arbitration worldwide. Addressing these issues in the context of business-to-business (B2B) relationships, a recent report by the International Chamber of Commerce, Jus Connect, and McCann Truth Central found that a new set of principles—based on emotional intelligence, cultural awareness, and cultural fluency—is required to create a cross-cultural playbook for arbitration and re-imagining dispute outcomes.

Global leaders surveyed said that arbitration is still the preferred way to resolve cross-border disputes over litigation. If a contract fails, 60% prefer arbitration to legal proceedings in a court. Overall, arbitration has increased significantly over the past decade, reaching an estimated $80 billion in 2022. Some 37,000 new cases were registered between 2018 and 2022, an increase of nearly 30% over the period from 2013 to 2017. While this represents a mere fraction of the $121 trillion in international trade in 2022, arbitration is growing twice as fast as global trade as clients recognize the speed, efficiency, transparency, and flexibility it offers to resolve disputes compared to traditional litigation.

Cultural Miscues

In my travels as President of the ICC International Court of Arbitration, I have heard countless stories about the influence of cross-cultural differences on business and legal affairs, including arbitration. And with good reason: every country has unique and often contrasting attitudes about dispute resolution, and misunderstanding them can add layers of difficulty during legal proceedings for both general counsel and arbitration lawyers.

Based on extensive interviews and quantitative data, the ICC report divides cultural attitudes and approaches into four generalized categories and suggests which countries fit into each one. The Innovative Explorer, for example, including France and Saudi Arabia, seeks collaboration and co-creation, looks for emotional chemistry, and tends to stretch goals. For their part, India and Nigeria can be seen as a Strategic Balancer, eager for collaboration and co-creation, along with emotional chemistry, and ready to stretch goals.

Brazil and Mexico are among the countries regarded as Decisive Custodians, in that they tend to value structure and contracts as part of a more direct, yet discreet approach and, in addition, prefer working with senior partners. Finally, as the name indicates, the Pragmatic Realist—including the U.K. and Switzerland—takes a reasoned and practical approach, with an appreciation for clear expectations, meeting agendas, and giving parties a second chance.

These attitudes are reflected in the different approaches that countries have toward contracts. Some want a clear scope, set in stone. Others put more focus on outcomes and fluidity in delivery. For instance, while Mexico and Brazil prefer structured approaches in contract agreements, India and Saudi Arabia are open to collaboration and co-creation in a scope of work. France and China prefer to stretch sometimes-unrealistic goals, but India and Nigeria want realistic and achievable ones.

Chameleon U.S.

Digging deeper into the analysis shows that in some ways, the U.S. has a lot in common with Brazil and China when considering the role of hierarchy and discretion in a business situation. If someone in business makes a mistake, Americans prefer to promptly resolve disputes, even if a party might get offended, and are also unlikely to copy their boss on an email.

These categories help explain many business decisions and actions and can guide teams to recognize and overcome cultural differences. But they don’t always tell the whole story: cultural nuances add even more complexity to cross-border business and legal dealings.

The U.S., for example, can be described as a chameleon or shapeshifter that doesn’t always neatly fit any descriptor. In my experience, U.S. business representatives will typically revise their approach depending on what the customer or counterparty needs. This flexibility is likely due to the presence of diverse and multicultural U.S. business teams compared to some other countries. As one senior arbitrator said in the report, “In the U.S., the common denominator is understanding what the customer needs.”

Small Behavior, Big Impact

Mapping the world by culture rather than geographic positioning offers valuable insights that can improve cultural fluency and ensure that geography alone does not influence expectations and approaches. The report showed how small behaviors point to larger cultural priorities. Teams from France and Saudi Arabia don’t necessarily need an agenda to attend a meeting, but those from India and Nigeria would usually prefer a detailed agenda. Acknowledging these cultural differences, however small and seemingly inconsequential, provides a framework for anticipating and resolving friction and helping teams adapt.

One of the most interesting aspects of the study is that business teams and leaders say they want lawyers involved earlier in the B2B process—and more deeply integrated into the journey—with a focus on win-win outcomes. This is consistent with the changing role of in-house counsel, particularly in the U.S., where in-house counsel work more closely with business teams to develop strategy and structure the deal. Given the growing complexity of today’s global regulatory environment, business teams can no longer negotiate the deal first and then bring the terms to the in-house team to document.

While the study focused on cultural differences, it also found a commonality across cultures: a growing preference for non-legal dispute resolution. Some 77% favored an amicable, interest-based resolution—through internal or contract review, or direct negotiations between legal teams—compared to 52% favoring a rights-based resolution using arbitration or legal proceedings in a court. Only about one-third chose a so-called power-based resolution, such as a canceled contract, a report to a regulator, a post on social media, or a leak to the press.

Key Truths

Understanding the diverse world of business culture reveals several truths about B2B relationships. One is that emotion and culture have a significant impact on business—perhaps more than many realize—because the B2B journey comprises the human experience. Contrary to the commonly held perceptions that B2B interactions are largely transactional or purely functional, and free of emotions, the report found that they are emotionally charged, from initial engagement with parties and contracts to long-term partnerships.

I have experienced this firsthand when representing a multinational company in a very complex arbitration involving the calculation of damages. I needed to prepare the CEO for cross-examination. Yet his analysis was not entirely data-driven decision-making: emotions were also a big part of his thinking. When describing his approach and his meeting with his CEO counterpart, he just kept telling me, “This is so emotional.”

Another truth is that by effectively navigating cultural differences and overcoming communication barriers, we can improve business relationships. In this context, business attitudes toward particulars such as contracts and meeting styles reflect cultural priorities and offer relevant cultural cues. At first, these may appear to be minor details, but they unveil deeper cultural attitudes concerning hierarchy, orderliness, adaptability, and creativity.

When I was in China earlier this year, I was surprised by the number of back-channel conversations that took place to determine how many people we could bring to a meeting and the level of seniority so that the Chinese delegation would have the same. There were also discussions about attire—including whether men should wear a tie—so that nobody would feel out of place.

Cross-Cultural Playbook

With these truths in mind, a new cross-cultural playbook for global arbitration should include the following actions. First, integrate legal teams as early as possible into the process and keep them engaged via partnerships with business teams. Train teams to understand emotional intelligence and be more culturally aware so they can become more adept at relationship building and managing shifting emotions during the B2B journey. Ensure teams can interpret subtle behavioral and cultural cues to make informed decisions and improve communications. Equally important, prioritize direct negotiation channels for dispute resolution, reserving legal action for failed negotiations.

More than ever, we must emphasize the role of emotion and human interaction in business and how important it is in building trust: the report noted that half of all B2B disputes are likely caused by the breakdown of human interaction rather than solely by contractual issues. With heightened sensitivity to cultural differences, we can better understand the complexities of the B2B journey, minimize business and legal disputes, and successfully apply these truths to resolving conflicts through arbitration.

SBA Eliminates Self-Certification for SDVOSBs

The U.S. Small Business Administration (SBA) recently issued a direct final rule that eliminates self-certification for service-disabled veteran-owned small businesses (SDVOSBs). The SBA’s final rule — which implements a provision in the National Defense Authorization Act for Fiscal Year 2024 (NDAA 2024) — is effective August 5, 2024.

Background

  • To be awarded an SDVOSB set-aside or sole source contract, firms must be certified by SBA through the Veteran Small Business Certification (VetCert) Program.
  • Currently, firms that do not seek SDVOSB set-aside or sole source contracts but that meet the VetCert Program eligibility requirements may self-certify their SDVOSB status, receive prime contract or subcontract awards that are not SDVOSB set-aside or sole source contracts, and be counted toward an agency’s SDVOSB small business goals or a prime contractor’s subcontracting goal for SDVOSB awards.
  • Section 864 of the NDAA 2024 amends the SDVOSB requirements so that, effective October 1, 2024, each prime contract award and subcontract award counted for the purpose of meeting the goals for participation by SDVOSBs in procurement contracts for federal agencies or federal prime contractors shall be entered into with firms certified by VetCert under Section 36 of the Small Business Act (15 U.S.C. 657f).
  • Section 864 also creates a grace period so that firms that file an application for certification with SBA by December 22, 2024, may continue to self-certify for such federal government contracts and subcontracts until the SBA makes a final decision.
  • SDVOSBs that do not file an application for certification with SBA by December 22, 2024, or are not certified by SBA’s VetCert program and do not file an application by the deadline, will not be eligible to self-certify for such federal government contracts or subcontracts after December 22, 2024.
  • To implement the statutory language of Section 864 of the NDAA 2024, SBA is amending parts 125 and 128 of its regulations.

The Privacy Patchwork: Beyond US State “Comprehensive” Laws

We’ve cautioned before about the danger of thinking only about US state “comprehensive” laws when looking to legal privacy and data security obligations in the United States. We’ve also mentioned that the US has a patchwork of privacy laws. That patchwork is found to a certain extent outside of the US as well. What laws exist in the patchwork that relate to a company’s activities?

There are laws that apply when companies host websites, including the most well-known, the California Privacy Protection Act (CalOPPA). It has been in effect since July 2004, thus predating COPPA by 14 years. Then there are laws that apply if a company is collecting and using biometric identifiers, like Illinois’ Biometric Information Privacy Act.

Companies are subject to specific laws both in the US and elsewhere when engaging in digital communications. These laws include the US federal laws TCPA and TCFAPA, as well as CAN-SPAM. Digital communication laws exist in countries as wide ranging as Australia, Canada, Morocco, and many others. Then we have laws that apply when collecting information during a credit card transaction, like the Song Beverly Credit Card Act (California).

Putting It Into Practice: When assessing your company’s obligations under privacy and data security laws, keep activity-specific privacy laws in mind. Depending on what you are doing, and in what jurisdictions, you may have more obligations to address than simply those found in comprehensive privacy laws.

The Double-Edged Impact of AI Compliance Algorithms on Whistleblowing

As the implementation of Artificial Intelligence (AI) compliance and fraud detection algorithms within corporations and financial institutions continues to grow, it is crucial to consider how this technology has a twofold effect.

It’s a classic double-edged technology: in the right hands it can help detect fraud and bolster compliance, but in the wrong hands it can snuff out would-be whistleblowers and weaken accountability mechanisms. Employees should assume it is being used in a wide range of ways.

Algorithms are already pervasive in our legal and governmental systems: the Securities and Exchange Commission, a champion of whistleblowers, employs these very compliance algorithms to detect trading misconduct and determine whether a legal violation has taken place.

There are two major downsides to the implementation of compliance algorithms that experts foresee: institutions avoiding culpability and tracking whistleblowers. AI can uncover fraud but cannot guarantee the proper reporting of it. This same technology can be used against employees to monitor and detect signs of whistleblowing.

Strengths of AI Compliance Systems:

AI excels at analyzing vast amounts of data to identify fraudulent transactions and patterns that might escape human detection, allowing institutions to quickly and efficiently spot misconduct that would otherwise remain undetected.

AI compliance algorithms are promised to operate as follows:

  • Real-time Detection: AI can analyze vast amounts of data, including financial transactions, communication logs, and travel records, in real-time. This allows for immediate identification of anomalies that might indicate fraudulent activity.
  • Pattern Recognition: AI excels at finding hidden patterns, analyzing spending habits, communication patterns, and connections between seemingly unrelated entities to flag potential conflicts of interest, unusual transactions, or suspicious interactions.
  • Efficiency and Automation: AI can automate data collection and analysis, leading to quicker identification and investigation of potential fraud cases.

Yuktesh Kashyap, associate Vice President of data science at Sigmoid, explains on TechTarget that AI allows financial institutions, for example, to “streamline compliance processes and improve productivity. Thanks to its ability to process massive data logs and deliver meaningful insights, AI can give financial institutions a competitive advantage with real-time updates for simpler compliance management… AI technologies greatly reduce workloads and dramatically cut costs for financial institutions by enabling compliance to be more efficient and effective. These institutions can then achieve more than just compliance with the law by actually creating value with increased profits.”

Due Diligence and Human Oversight

Stephen M. Kohn, founding partner of Kohn, Kohn & Colapinto LLP, argues that AI compliance algorithms will be an ineffective tool that allows institutions to escape liability. He worries that corporations and financial institutions will implement AI systems and evade enforcement action by calling it due diligence.

“Companies want to use AI software to show the government that they are complying reasonably. Corporations and financial institutions will tell the government that they use sophisticated algorithms, and it did not detect all that money laundering, so you should not sanction us because we did due diligence.” He insists that the U.S. Government should not allow these algorithms to be used as a regulatory benchmark.

Legal scholar Sonia Katyal writes in her piece “Democracy & Distrust in an Era of Artificial Intelligence” that “While automation lowers the cost of decision making, it also raises significant due process concerns, involving a lack of notice and the opportunity to challenge the decision.”

While AI can be used as a powerful tool for identifying fraud, there is still no method for it to contact authorities with its discoveries. Compliance personnel are still required to blow the whistle, given society’s standard due process. These algorithms should be used in conjunction with human judgment to determine compliance or lack thereof. Due process is needed so that individuals can understand the reasoning behind algorithmic determinations.

The Double-Edged Sword

Darrell West, Senior Fellow at Brookings Institute’s Center for Technology Innovation and Douglas Dillon Chair in Governmental Studies, warns about the dangerous ways these same algorithms can be used to find whistleblowers and silence them.

Nowadays most office jobs (whether remote or in person) conduct operations fully online. Employees are required to use company computers and networks to do their jobs. Data generated by each employee passes through these devices and networks, meaning your privacy rights are questionable.

Because of this, whistleblowing will get much harder – organizations can employ the technology they initially implemented to catch fraud to instead catch whistleblowers. They can monitor employees via the capabilities built into our everyday tech: cameras, emails, keystroke detectors, online activity logs, what is downloaded, and more. West urges people to operate under the assumption that employers are monitoring their online activity.

These techniques have been implemented in the workplace for years, but AI automates tracking mechanisms. AI gives organizations more systematic tools to detect internal problems.

West explains, “All organizations are sensitive to a disgruntled employee who might take information outside the organization, especially if somebody’s dealing with confidential information, budget information or other types of financial information. It is just easy for organizations to monitor that because they can mine emails. They can analyze text messages; they can see who you are calling. Companies could have keystroke detectors and see what you are typing. Since many of us are doing our jobs in Microsoft Teams meetings and other video conferencing, there is a camera that records and transcribes information.”

If a company is defining a whistleblower as a problem, they can monitor this very information and look for keywords that would indicate somebody is engaging in whistleblowing.

With AI, companies can monitor specific employees they might find problematic (such as a whistleblower) and all the information they produce, including the keywords that might indicate fraud. Creators of these algorithms promise that soon their products will be able to detect all sorts of patterns and feelings, such as emotion and sentiment.

AI cannot determine whether somebody is a whistleblower, but it can flag unusual patterns and refer those patterns to compliance analysts. AI then becomes a tool to monitor what is going on within the organization, making it difficult for whistleblowers to go unnoticed. The risk of being caught by internal compliance software will be much greater.

“The only way people could report under these technological systems would be to go offline, using their personal devices or burner phones. But it is difficult to operate whistleblowing this way and makes it difficult to transmit confidential information. A whistleblower must, at some point, download information. Since you will be doing that on a company network, and that is easily detected these days.”

But the question of what becomes of the whistleblower is based on whether the compliance officers operate in support of the company or the public interest – they will have an extraordinary amount of information about the company and the whistleblower.

Risks for whistleblowers have gone up as AI has evolved because it is harder for them to collect and report information on fraud and compliance without being discovered by the organization.

West describes how organizations do not have a choice whether or not to use AI anymore: “All of the major companies are building it into their products. Google, Microsoft, Apple, and so on. A company does not even have to decide to use it: it is already being used. It’s a question of whether they avail themselves of the results of what’s already in their programs.”

“There probably are many companies that are not set up to use all the information that is at their disposal because it does take a little bit of expertise to understand data analytics. But this is just a short-term barrier, like organizations are going to solve that problem quickly.”

West recommends that organizations should just be a lot more transparent about their use of these tools. They should inform their employees what kind of information they are using, how they are monitoring employees, and what kind of software they use. Are they using detection? Software of any sort? Are they monitoring keystrokes?

Employees should want to know how long information is being stored. Organizations might legitimately use this technology for fraud detection, which might be a good argument to collect information, but it does not mean they should keep that information for five years. Once they have used the information and determined whether employees are committing fraud, there is no reason to keep it. Companies are largely not transparent about length of storage and what is done with this data once it is used.

West believes that currently, most companies are not actually informing employees of how their information is being kept and how the new digital tools are being utilized.

The Importance of Whistleblower Programs:

The ability of AI algorithms to track whistleblowers poses a real risk to regulatory compliance given the massive importance of whistleblower programs in the United States’ enforcement of corporate crime.

The whistleblower programs at the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) respond to individuals who voluntarily report original information about fraud or misconduct.

If a tip leads to a successful enforcement action, the whistleblowers are entitled to 10-30% of the recovered funds. These programs have created clear anti-retaliation protections and strong financial incentives for reporting securities and commodities fraud.

Established in 2010 under the Dodd-Frank Act, these programs have been integral to enforcement. The SEC reports that whistleblower tips have led to over $6 billion in sanctions while the CFTC states that almost a third of its investigations stem from whistleblower disclosures.

Whistleblower programs, with robust protections for those who speak out, remain essential for exposing fraud and holding organizations accountable. This ensures that detected fraud is not only identified, but also reported and addressed, protecting taxpayer money, and promoting ethical business practices.

If AI algorithms are used to track down whistleblowers, their implementation would hinder these programs. Companies will undoubtedly retaliate against employees they suspect of blowing the whistle, creating a massive chilling effect where potential whistleblowers would not act out of fear of detection.

Experts believe that these AI-driven compliance systems, which are already being employed in our institutions, must have independent oversight for transparency’s sake. The software must also be designed to adhere to due process standards.

White House Publishes Steps to Protect Workers from the Risks of AI

Last year the White House weighed in on the use of artificial intelligence (AI) in businesses.

Since the executive order, several government entities including the Department of Labor have released guidance on the use of AI.

And now the White House has published principles to protect workers when AI is used in the workplace.

The principles apply to both the development and deployment of AI systems. These principles include:

  • Awareness – Workers should be informed of and have input in the design, development, testing, training, and use of AI systems in the workplace.
  • Ethical development – AI systems should be designed, developed, and trained in a way to protect workers.
  • Governance and Oversight – Organizations should have clear governance systems and oversight for AI systems.
  • Transparency – Employers should be transparent with workers and job seekers about AI systems being used.
  • Compliance with existing workplace laws – AI systems should not violate or undermine workers’ rights including the right to organize, health and safety rights, and other worker protections.
  • Enabling – AI systems should assist and improve workers’ job quality.
  • Supportive during transition – Employers should support workers during job transitions related to AI.
  • Privacy and Security of Data – Workers’ data collected, used, or created by AI systems should be limited in scope and used to support legitimate business aims.

Five Compliance Best Practices for … Conducting a Risk Assessment

As an accompaniment to our biweekly series on “What Every Multinational Should Know About” various international trade, enforcement, and compliance topics, we are introducing a second series of quick-hit pieces on compliance best practices. Give us two minutes, and we will give you five suggested compliance best practices that will benefit your international regulatory compliance program.

Conducting an international risk assessment is crucial for identifying and mitigating potential risks associated with conducting business operations in foreign countries and complying with the expansive application of U.S. law. Because compliance is essentially an exercise in identifying, mitigating, and managing risk, the starting point for any international compliance program is to conduct a risk assessment. If your company has not done one within the last two years, then your organization probably should be putting one in motion.

Here are five compliance checks that are important to consider when conducting a risk assessment:

  1. Understand Business Operations: A good starting point is to gain a thorough understanding of the organization’s business operations, including products, services, markets, supply chains, distribution channels, and key stakeholders. You should pay special attention to new risk areas, including newly acquired companies and divisions, expansions into new countries, and new distribution patterns. Identifying the business profile of the organization, and how it raises systemic risks, is the starting point of developing the risk profile of the company.
  2. Assess Country- and Industry-Specific Risk Factors: Analyze the political, economic, legal, and regulatory landscape of each country where the organization operates or plans to operate. Consider factors such as political stability, corruption levels, regulatory environment, and cultural differences. You should also understand which countries raise indirect risks, such as for the transshipment of goods to sanctioned countries. You also should evaluate industry-specific risks and trends that may impact your company’s risk profile, such as the history of recent enforcement actions.
  3. Gather Risk-Related Data and Information: You should gather relevant data and information from internal and external sources to inform the risk-assessment process. Relevant examples include internal documentation, industry publications, reports of recent enforcement actions, and areas where government regulators are stressing compliance, such as the recent focus on supply chain factors. Use risk-assessment tools and methodologies to systematically evaluate and prioritize risks, such as risk matrices, risk heat maps, scenario analysis, and probability-impact assessments. (The Foley anticorruption, economic sanctions, and forced labor heat maps are found here.)
  4. Engage Stakeholders: Engage key stakeholders throughout the risk-assessment process to gather insights, perspectives, and feedback. Consult with local employees and business partners to gain feedback on compliance issues that are likely to arise while also seeking their aid in disseminating the eventual compliance dictates, internal controls, and other compliance measures that your organization ends up implementing or updating.
  5. Document Findings and Develop Risk-Mitigation Strategies: Document the findings of the risk assessment, including identified risks, their potential impact and likelihood, and recommended mitigation strategies. Ensure that documentation is clear, concise, and actionable. Use the documented findings to develop risk-mitigation strategies and action plans to address identified risks effectively while prioritizing mitigation efforts based on risk severity, urgency, and feasibility of implementation.

Most importantly, you should recognize that assessing and addressing risk is an ongoing process. You should ensure your organization has established processes for the ongoing monitoring and review of risks to track changes in the risk landscape and evaluate the effectiveness of mitigation measures. Further, most multinational organizations should update their risk assessment at least once every two years to reflect evolving risks and business conditions as well as changing regulations and regulator enforcement priorities.