FinCEN Publishes Updated FAQs

Entities terminated in 2024 are required to file Corporate Transparency Act beneficial ownership information reports, as are administratively dissolved entities.

The Financial Crimes Enforcement Network (“FinCEN”) recently published updates to its list of Frequently Asked Questions (“FAQs”) to assist entities in complying with the beneficial ownership reporting requirements of the Corporate Transparency Act (“CTA”).

Principal among these updates was FinCEN’s clarification that business entities terminated in the year 2024 (whether existing prior to 2024 or formed in 2024) are required to file beneficial ownership information reports (BOIR) under the CTA.

This filing requirement also expressly includes BOIR filings for administratively dissolved entities.

Each of these concepts was the subject of debate as to its applicability under the CTA prior to this FAQ release, with some conjecture that terminating an entity’s existence prior to its BOIR filing deadline would alleviate the need to make a BOIR filing – a position now refuted by FinCEN.

As Polsinelli has consistently advised, the obligation to file under the CTA has accrued for all entities in existence in 2024; only the deadline for filing the BOIR has not yet arrived. Entities are advised to file their BOIR prior to consummating their termination process.

The July 8 FAQs also included clarification on beneficial owner disclosure scenarios involving an entity fully or partially owned by an Indian Tribe.

FinCEN expects to publish further guidance in the future. The updated FAQs can be accessed here.

* * * * *

Several of the updates bear special note:

1. FAQ C. 12. – Reporting Company Status

Do beneficial ownership information reporting requirements apply to companies created or registered before the Corporate Transparency Act was enacted (January 1, 2021)?

FinCEN stated “Yes.” Beneficial ownership information reporting requirements apply to all companies that qualify as “reporting companies”, regardless of when they were created or registered. Companies are not required to report beneficial ownership information to FinCEN if they are exempt or ceased to exist (i.e., are formally terminated with the Secretary of State) as legal entities before January 1, 2024.

2. FAQ C. 13. – Reporting Company Status

Is a company required to report its beneficial ownership information to FinCEN if the company ceased to exist before reporting requirements went into effect on January 1, 2024?

A company is not required to report its beneficial ownership information to FinCEN if it ceased to exist as a legal entity (i.e., was formally terminated with the Secretary of State) before January 1, 2024. This means that the entity entirely completed the process of formally and irrevocably dissolving (i.e., was formally terminated with the Secretary of State). A company that ceased to exist as a legal entity before the beneficial ownership information reporting requirements became effective January 1, 2024, was never subject to the reporting requirements and thus is not required to report its beneficial ownership information to FinCEN.

Although state or Tribal law may vary, a company typically completes the process of formally and irrevocably dissolving by, for example, filing dissolution paperwork with its jurisdiction of creation or registration, receiving written confirmation of dissolution, paying related taxes or fees, ceasing to conduct any business, and winding up its affairs (e.g., fully liquidating itself and closing all bank accounts).

If a reporting company continued to exist as a legal entity for any period of time on or after January 1, 2024 (i.e., did not entirely complete the process of formally and irrevocably dissolving (i.e., terminating) before January 1, 2024), then it is required to report its beneficial ownership information to FinCEN, even if the company had wound up its affairs and ceased conducting business before January 1, 2024.

Similarly, if a reporting company was created or registered on or after January 1, 2024, and subsequently ceased to exist, then it is required to report its beneficial ownership information to FinCEN—even if it ceased to exist before its initial beneficial ownership information report was due.

A company that is administratively dissolved or suspended—because, for example, it failed to pay a filing fee or comply with certain jurisdictional requirements—generally does not cease to exist as a legal entity unless the dissolution or suspension becomes permanent. Until the dissolution becomes permanent, such a company is required to report its beneficial ownership information to FinCEN.

3. FAQ C. 14. – Reporting Company Status

If a reporting company created or registered in 2024 or later winds up its affairs and ceases to exist before its initial BOI report is due to FinCEN, is the company still required to submit that initial report?

FinCEN stated “Yes.” Reporting companies created or registered in 2024 must report their beneficial ownership information to FinCEN within 90 days of receiving actual or public notice of creation or registration. Reporting companies created or registered in 2025 or later must report their beneficial ownership information to FinCEN within 30 days of receiving actual or public notice of creation or registration. These obligations remain applicable to reporting companies that cease to exist as legal entities—meaning wound up their affairs, ceased conducting business, and entirely completed the process of formally and irrevocably dissolving—before their initial beneficial ownership reports are due.

It bears note that, if a reporting company files an initial beneficial ownership information report and then ceases to exist, then there is no requirement for the reporting company to file an additional report with FinCEN noting that the company has ceased to exist.

4. FAQ D. 17. – Beneficial Owner

Who should an entity fully or partially owned by an Indian Tribe report as its beneficial owner(s)?

An Indian Tribe is not an individual, and thus should not be reported as an entity’s beneficial owner, even if it exercises substantial control over an entity or owns or controls 25 percent or more of the entity’s ownership interests. However, entities in which Tribes have ownership interests may still have to report one or more individuals as beneficial owners in certain circumstances.

Entity Is a Tribal Governmental Authority. An entity is not a reporting company—and thus does not need to report beneficial ownership information at all—if it is a “governmental authority,” meaning an entity that is (1) established under the laws of the United States, an Indian Tribe, a State, or a political subdivision of a State, or under an interstate compact between two or more States, and that (2) exercises governmental authority on behalf of the United States or any such Indian Tribe, State, or political subdivision. This category includes tribally chartered corporations and state-chartered Tribal entities if those corporations or entities exercise governmental authority on a Tribe’s behalf.

Entity’s Ownership Interests Are Controlled or Wholly Owned by a Tribal Governmental Authority. A subsidiary of a Tribal governmental authority is likewise exempt from BOI reporting requirements if its ownership interests are entirely controlled or wholly owned by the Tribal governmental authority.

Entity Is Partially Owned by a Tribe (and Is Not Exempt). A non-exempt entity partially owned by an Indian Tribe should report as beneficial owners all individuals exercising substantial control over it, including individuals who are exercising substantial control on behalf of an Indian Tribe or its governmental authority. The entity should also report any individuals who directly or indirectly own or control at least 25 percent or more of the ownership interests of the reporting company. (However, if any of these individuals own or control these ownership interests exclusively through an exempt entity or a combination of exempt entities, then the reporting company may report the name(s) of the exempt entity or entities in lieu of the individual beneficial owner.)

The SEC Continues Its War On Crime Victims

More than a decade ago, I expressed concern when the Securities and Exchange Commission charged Koss Corporation and its CEO, Mr. Koss, with filing materially false financial statements after the corporation had discovered that it had been the victim of employee embezzlement. In the post, I decried the SEC’s decision to punish the victims of crime:

The SEC’s decision to prosecute this case is troubling. Surely, neither Koss Corporation nor Mr. Koss intended or wanted to be the victim of a criminal embezzlement. It is also hard to see how the shareholders benefited from the company incurring the legal costs associated with defending and settling the SEC investigation. While the SEC did force the return of bonus compensation, the injunctive relief ordering the company and Mr. Koss not to do this again strikes me as silly. Does it really make sense for the court to order a company not to be the victim of a theft?

I was therefore heartened by the recent statement by Commissioners Hester Peirce and Mark Uyeda on the SEC’s recent settlement of an administrative proceeding against R.R. Donnelley & Sons, Co.:

Also concerning is the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.

According to the SEC’s press release, R.R. Donnelley & Sons, Co. “cooperated throughout the investigation, including by reporting the cybersecurity incident to staff prior to filing a disclosure of the incident, by providing meaningful cooperation that helped expedite the staff’s investigation, and by voluntarily adopting new cybersecurity technology and controls”. Nonetheless, the SEC thought a just resolution required payment of a $2.125 million civil penalty for transfer to the U.S. Treasury. I remain unconvinced that the expropriation of millions of dollars from a crime victim to the U.S. Treasury protects, much less helps, the shareholders of R.R. Donnelley & Sons, Co.

Junk Science or Relevant Evidence: Supreme Court Says Experts May Now Aid in Determining Criminal Intent

In criminal cases, oftentimes the most significant element in dispute is whether the defendant harbored the intent to “knowingly” or “willfully” violate the criminal law at issue. If the defendant denies that he knew what he was doing was illegal, the government must prove beyond a reasonable doubt that the defendant had the required mens rea — or mental state — to violate the law. The government does this by presenting circumstantial evidence that it argues supports a reasonable inference that the defendant had the required mental state to violate the law. And defense lawyers test that evidence largely on cross examination and by presenting counterevidence.

The more complicated the law — think tax, securities, or federal election conduit contribution laws — the riskier it is that a person can be held criminally liable for what seemed like innocent or at least not illegal conduct. In these cases, experts may be called to testify about how a certain industry or regulatory regime is structured or how it operates, and the parties can argue to the jury whether the facts of the case circumstantially prove the reasonable inference that the defendant knowingly or willfully violated a criminal law related to that industry or regulatory regime. But Federal Rule of Evidence 704(b) prohibits an expert from stating an opinion about whether a criminal defendant “did or did not have the mental state or condition that constitutes an element of the crime charged or of a defense. Those matters are for the trier of fact alone.” FRE 704(b) was adopted in response to President Ronald Reagan’s shooter, John Hinckley, being found not guilty by reason of insanity after competing experts offered opinions on the ultimate issue of Hinckley’s sanity. So FRE 704(b) now requires that a jury alone must decide whether the defendant intended to commit a crime. And the answer to this question is often the difference between freedom and years in prison.

In Diaz v. United States, ___ S. Ct. ___, 2024 WL 3056012 (June 20, 2024), the U.S. Supreme Court ruled that FRE 704(b) does not preclude expert testimony about the likelihood that the defendant intended to commit a crime based on the defendant’s membership in a particular group. Diaz was charged with “knowingly” transporting drugs across the U.S.-Mexican border. She argued the “blind mule” defense: she did not know there were drugs in the car, therefore she did not knowingly transport them. The government called as an expert a Homeland Security Investigations Special Agent to testify that “in most circumstances, the driver knows they are hired to take drugs from point A to point B.” The Agent said that drug-trafficking organizations would expose themselves to too much risk by using unknowing couriers. The Agent admitted on cross examination that he was not involved in Diaz’s case, and that drug-trafficking organizations sometimes use unknowing couriers. The jury found Diaz guilty and she was sentenced to 84 months in prison.

Diaz argued that the Agent’s expert testimony violated FRE 704(b)’s proscription of experts providing opinions about whether a defendant did or did not have the required state of mind to violate the law. The Court affirmed the Ninth Circuit’s opinion that the Agent’s expert testimony did not violate FRE 704(b) because the expert “did not express an opinion about whether Diaz herself knowingly transported [drugs].” Instead, he testified that “most” drug couriers know they are hired to drive drugs from point A to point B. “That opinion does not necessarily describe Diaz’s mental state. After all, Diaz may or may not be like most drug couriers.” The Court acknowledged that it would have violated Rule 704(b) if the Agent had testified that “all” drug couriers know they are transporting drugs, since Diaz would be included in that drug courier group, thus making it an opinion about Diaz’s mental state.

The Court said that FRE 704(b) only proscribes expert opinions “in a criminal case that are about a particular person (‘the defendant’) and a particular ultimate issue (whether the defendant has ‘a mental state or condition’ that is ‘an element of the crime charged or of a defense.’).” Because the Agent “did not give an opinion ‘about whether’ Diaz herself ‘did or did not have a mental state or condition that constitutes an element of the crime charged or of a defense,’ his testimony did not violate Rule 704(b).”

In her concurrence, Justice Ketanji Brown Jackson implied that “what’s good for the goose is good for the gander” when she wrote that criminal defendants were now free to offer expert testimony “‘on the likelihood’ that the defendant had a particular mental state, ‘based on the defendant’s membership in a particular group.’” For example, “Diaz could have offered expert testimony on the prevalence and characteristics of unknowing drug couriers.” Justice Jackson said that the Diaz opinion will now allow psychiatrists to testify as experts “to tell the jury that when people with schizophrenia as severe as a defendant’s commit acts of violence, it is generally because they do not appreciate the wrongfulness of their conduct.” This would not create a “spectacle of dueling experts on the defendant’s mental state,” Justice Jackson wrote, but instead “could help jurors better understand a defendant’s condition and thereby call into question a mens rea that might otherwise be too easily assumed…given the biases, stereotypes, and uneven knowledge that many people have about mental health conditions.”

Justice Neil Gorsuch wrote a terse dissent that was joined by Justices Sonia Sotomayor and Elena Kagan. The dissent said the Agent’s probabilistic assessment that “most” couriers know they are transporting drugs violated FRE 704(b) because it was a statement “about whether the defendant” had a “mental state . . . that constitutes an element of the crime charged.” The word “about” is defined as “concerning, regarding, with regard to, with reference to; in the matter of.” And according to the dissent, expert testimony about what most drug couriers know was testimony about the likelihood of what Diaz knew. Justice Gorsuch warned of “warring experts” on the issue of a defendant’s intent, which he says will make the criminal justice system less reliable as lawyers may try to find probabilistic expert opinions on intent rather than doing the hard work of gathering circumstantial evidence and arguing about what that evidence reasonably implies about a defendant’s intent.

Whistleblower Tax Fraud Lawsuit Against Bitcoin Billionaire Settles for $40 Million

MicroStrategy’s founder is alleged to have falsified tax documents for ten years. The settlement resolves the first whistleblower lawsuit filed under 2021 amendments to the DC False Claims Act.

Key Takeaways

  • On June 3, the District of Columbia Office of the Attorney General announced the $40 million settlement with Michael Saylor.
  • It is the largest income tax recovery in D.C. history.
  • The settlement, which resolves a qui tam lawsuit filed under the DC False Claims Act, underscores the power of whistleblowers in combatting tax fraud.

On June 3, the District of Columbia Office of the Attorney General (OAG) made a landmark announcement. The billionaire founder of MicroStrategy Incorporated, Michael Saylor, settled a tax fraud lawsuit for a staggering $40 million. This case, stemming from a qui tam whistleblower suit filed under the District’s False Claims Act, marks a significant milestone in the fight against tax fraud. The OAG declared this as the largest income tax recovery in D.C. history, underscoring the importance of this case.

The DC False Claims Act
This settlement is not just a victory for the District but also a testament to the power of whistleblowers. Under the 2021 extension of the D.C. False Claims Act, individuals have the power to file qui tam suits against large companies and suspected tax evaders. The 2021 amendments even offer monetary awards to those who report tax cheats. This settlement, the first settlement under these amendments, serves to put would-be tax cheats on notice.

As the District of Columbia expands its arsenal against tax fraud, other states should take note. The DC False Claims Act, now covering tax fraud, has become a powerful tool in the fight against financial misconduct. With the District joining the ranks of Delaware, Florida, Illinois, Indiana, Nevada, New York, and Rhode Island as states where false claims suits may be brought based on tax fraud claims, the fight against tax cheats looks promising.

The Case Against Saylor
In 2021, unnamed whistleblowers filed a lawsuit against Saylor, alleging that he had defrauded the District and failed to pay income taxes from 2014 to 2020. The OAG independently investigated these claims and filed a separate complaint against Saylor. The District’s lawsuit alleged that Saylor claimed to be a resident of Florida and Virginia to avoid paying over $25 million in income taxes. Another suit was filed against MicroStrategy, claiming it falsified records and statements that facilitated Saylor’s tax avoidance scheme.

The District’s allegations against Saylor paint a picture of a lavish lifestyle. Saylor is accused of unlawfully withholding tens of millions in tax revenue by claiming to live in a lower tax jurisdiction to avoid paying D.C. income taxes. The OAG’s investigation revealed that Saylor owned a 7,000-square-foot luxury penthouse overlooking the Potomac Waterfront and docked multiple yachts in the Washington Harbor. He purchased three luxury condominium units at 3030 K Street NW to combine into his current residence and a penthouse unit at the Eden Condominiums, 2360 Champlain St. NW. The Attorney General compiled several posts from Saylor’s Facebook, in which he boasted about the view from his D.C. residence.

Furthermore, the OAG found evidence that Saylor purchased a house in Miami Beach, obtained a Florida driver’s license, registered to vote in Florida, and falsely listed his residence on MicroStrategy W-2 forms. Attorney General Brian L. Schwalb stated, “Saylor openly bragged about his tax-evasion scheme, encouraging his friends to follow his example and contending that anyone who paid taxes to the District was stupid.”

The lawsuits allege that records from Saylor’s security detail provide Saylor’s physical location and travel from 2015 to 2020 and show that across six years, Saylor spent 449 days in Florida and 1,397 days in the District. Saylor allegedly directed MicroStrategy employees to aid his scheme to avoid paying District income taxes. The District claims that for the last ten years, MicroStrategy has falsely reported its income tax exemption on Saylor’s wages, claiming he was tax-exempt due to his residential status.

Saylor agreed to pay the District $40 million to resolve the allegations against him and MicroStrategy.

A copy of the settlement can be found here.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.

by: Whistleblower Law at Kohn Kohn Colapinto of Kohn, Kohn & Colapinto

Acting U.S. Attorney Levy Forecasts False Claims Act COVID Cases Targeting Private Lenders Of CARES Act Loans That Failed In Their Obligation To Safeguard Government Funds

Acting U.S. Attorney Joshua Levy discussed the enforcement priorities for the Massachusetts U.S. Attorney’s Office (USAO) during a Q&A session on May 29, 2024, and made clear that the historical focus of the office remains the top priority: detecting and combating health care fraud, waste, and abuse. In particular, both Levy and Chief of the USAO’s Civil Division, Abraham George, have recently indicated that the government will pursue large dollar COVID fraud cases both criminally and civilly. As we have discussed previously, we expect False Claims Act (FCA) COVID cases to materialize in the coming years as the government zeroes in on wrongdoers via enhanced data analytics and AI tools as well as via traditional investigative methods and the forthcoming Whistleblower Rewards Program.

Recent COVID FinTech Lender, Kabbage, $120 MM False Claims Act Settlement

The recent Kabbage settlement is illustrative of the types of COVID cases the office is looking to bring pursuant to the FCA. Acting U.S. Attorney Levy discussed the settlement, publicized in May, with now-bankrupt online lender, Kabbage Inc. Kabbage allegedly knowingly processed and submitted thousands of false claims for Paycheck Protection Program (PPP) loan forgiveness, loan guarantees, and processing fees. The PPP – a loan program for small businesses created via the Coronavirus Aid, Relief, and Economic Security (CARES) Act – was administered by the federal Small Business Administration (SBA). The CARES Act authorized private lenders to approve PPP loans for eligible borrowers who could later seek forgiveness for the loans if borrowers used the loans for eligible expenses, including employee payroll.

Among other things, participating PPP lenders were obligated to 1) confirm borrowers’ average monthly payroll costs by PPP loan documentation; and 2) follow applicable Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements. SBA guaranteed any unforgiven or defaulted PPP loans as long as the private lender adhered to PPP requirements.

Private lenders received a fixed fee calculated as a percentage of the loan amount. Here, U.S. Attorney Levy’s office alleged that Kabbage awarded inflated and fraudulent loans to maximize its profits, then sold its assets and left the remaining company financially depleted, leading to bankruptcy. Kabbage was allegedly aware of the following errors as of April 2020, failed to correct them, and continued to make improper loan disbursements after learning of the issues:

  1. double-counting state and local taxes paid by employees when calculating gross wages;
  2. failing to exclude annual compensation above $100,000 per employee; and
  3. improperly calculating employee leave and severance payments.

Kabbage also allegedly failed to implement appropriate fraud controls to comply with the PPP, BSA, and AML by knowingly:

  1. removing underwriting steps to facilitate processing a high volume of loan applications and maximizing loan processing fees;
  2. setting substandard fraud check thresholds;
  3. relying on automated tools that were inadequate in identifying fraud;
  4. devoting insufficient personnel to conduct fraud reviews;
  5. discouraging its fraud reviewers from requesting information from borrowers to substantiate their loan requests; and
  6. submitting to the SBA thousands of dubious PPP loan applications that were fraudulent or highly suspicious.

The settlement, which will result in the U.S. securing up to $120 million pursuant to bankruptcy proceedings, resolves qui tam complaints brought by two separate whistleblowers: an accountant who submitted PPP loan applications to multiple lenders and a former analyst in Kabbage’s collection department.

Predictions for Future COVID Fraud Enforcement

Acting U.S. Attorney Levy’s comments make clear that we can expect to see FCA COVID cases targeting private lenders of CARES Act loans that failed in their obligation to safeguard government funds. To date, COVID fraud prosecution has largely targeted “low-hanging fruit” criminal cases, such as those involving submission of false information to obtain COVID relief funding that the recipient spends on luxury items. We discussed in April that the COVID Fraud Enforcement Task Force (CFETF) and a bipartisan group of Senators had, via a report and draft legislation, pleaded with Congress to increase funding to prosecute COVID fraud. Investigations such as those involving Kabbage require a large investment of resources and, as U.S. Attorney Levy commented, his office must prioritize large-dollar COVID fraud cases most likely to result in specific and general fraud deterrence.

As we have written previously, the government is playing a long game tracking COVID fraud. The Justice Department’s CFETF reported in April that to date, the DOJ had seized or forfeited $1.4 billion in stolen relief funds, brought criminal charges against 3,500 defendants, and reached 400 civil settlements. With a ten-year statute of limitations and increasingly accurate data analytics tools, we expect the DOJ will continue to identify and recover misappropriated funds from large and lower dollar fraudsters. So long as COVID fraud enforcement remains a well-funded priority of the government, we anticipate a steady stream of FCA COVID settlements involving lenders and borrowers. The government is casting a wide net to recoup the nearly $300 billion in COVID fraud estimates. We will continue to monitor and report on developments.

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to enforce the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD 21). These sectors include Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and vulnerabilities in open-source code. However, threats or activities responding to owner/operator requests are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can issue a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as debarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not be effective until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.

DOJ Confirms Moving Marijuana to Schedule III; Sidesteps Anticipated Impact on State Cannabis Markets

On May 16, 2024, the Department of Justice (DOJ) initiated the formal rulemaking process to move marijuana to Schedule III of the Controlled Substances Act. The DOJ’s notice of proposed rulemaking unfortunately sidesteps the hard questions about the impact of rescheduling on the existing state adult-use and medical cannabis markets.

Summary of Content

The 92-page notice of proposed rulemaking primarily summarizes and comments on last year’s recommendations by the Department of Health and Human Services to reschedule marijuana, as well as related legal concerns such as compliance with international treaty obligations. The DOJ emphasizes that if marijuana is transferred to Schedule III, “the manufacture, distribution, dispensing, and possession of marijuana would also remain subject to applicable criminal prohibitions under the CSA [Controlled Substances Act],” and that marijuana would remain subject to applicable provisions of the Food, Drug, and Cosmetic Act.

With respect to the critical question of impact on the cannabis markets, however, the DOJ is silent and merely states that it is “seeking comment on the practical consequences of rescheduling marijuana.”

By way of explanation, the DOJ offers:

“DOJ recognizes this action may have unique economic impacts. As stated above, marijuana is subject to a number of State laws that have allowed a multibillion dollar industry to develop. DOJ acknowledges that there may be large impacts related to Federal taxes and research and development investment for the pharmaceutical industry, among other things. DOJ is specifically soliciting comments on the economic impact of this proposed rule. DOJ will revise this section at the final rules stage if warranted after consideration of any comments received.” (Emphasis added.)

Robust Public Comments Expected

For an industry that has been eagerly waiting to hear how the DOJ will approach rules that address the interplay between existing state cannabis laws and the complex web of federal laws around Schedule III drugs, the DOJ’s notice is disappointing and may not bode well for a smooth rulemaking process. DOJ will accept public comments for 60 days once the notice of proposed rulemaking has been published in the Federal Register. We can expect robust commentary from cannabis businesses, state regulators, trade organizations and ancillary industries.

Regardless of the outcome of the final rulemaking, it seems apparent that clarity through congressional action is needed more than ever.

Justice Department has Opportunity to Revolutionize its Enforcement Efforts with Whistleblower Program

Over the past few decades, modern whistleblower award programs have radically altered the ability of numerous U.S. agencies to crack down on white-collar crime. This year, the Department of Justice (DOJ) may be joining their ranks, if it incorporates the key elements of successful whistleblower programs into the program it is developing.

On March 7, Deputy Attorney General Lisa Monaco announced that the DOJ was launching a “90-day policy sprint” to develop “a DOJ-run whistleblower rewards program.” According to Monaco, the DOJ has taken note of the successes of the U.S.’s whistleblower award programs, such as those run by the Securities and Exchange Commission (SEC) and Internal Revenue Service (IRS), noting that they “have proven indispensable.”

Monaco understood that the SEC and IRS programs have been so successful because they “encourage individuals to report misconduct” by “rewarding whistleblowers.” But how any award program is administered is the key to whether or not the program will work. There is a nearly 50-year history of what rules need to be implemented to transform these programs into highly effective law enforcement tools. The Justice Department needs to follow these well-defined rules.

The key element of all successful whistleblower award programs is very simple: If a whistleblower meets all of the requirements set forth by the government for compensation, the awards must be mandatory and based on a percentage of the sanctions collected thanks to the whistleblower. A qualified whistleblower cannot be left out in the cold. Denying qualified whistleblowers compensation will destroy the trust necessary for a whistleblower program to work.

It is not the possibility of money that incentivizes individuals to report misconduct but the promise of money. Blowing the whistle is an immense risk, and individuals are only compelled to take such a risk when there is a real guarantee of an award.

This dynamic has been laid clear in recent legislative history. There is a long track record of whistleblower laws and programs failing when awards are discretionary and then becoming immensely successful once awards are made mandatory.

For example, under the 1943 version of the False Claims Act, awards to whistleblowers were fully discretionary. After decades of ineffectiveness, in 1986, Congress amended the law to set a mandate that qualified whistleblowers receive awards of 15-30% of the proceeds collected by the government in the action connected with their disclosure.

The 1986 Senate Report explained why Congress was amending the law:

“The new percentages . . . create a guarantee that relators [i.e., whistleblowers] will receive at least some portion of the award if the litigation proves successful. Hearing witnesses who themselves had exposed fraud in Government contracting, expressed concern that current law fails to offer any security, financial or otherwise, to persons considering publicly exposing fraud.

“If a potential plaintiff reads the present statute and understands that in a successful case the court may arbitrarily decide to award only a tiny fraction of the proceeds to the person who brought the action, the potential plaintiff may decide it is too risky to proceed in the face of a totally unpredictable recovery.”

In the nearly four decades since awards were made mandatory, the False Claims Act has established itself as America’s premier anti-fraud law. The government has recovered over $75 billion of taxpayer money from fraudsters, the vast majority from whistleblower-initiated cases based directly on the 1986 amendments making awards mandatory.

Similar transformations occurred at both the IRS and SEC where ineffective discretionary award laws were replaced by laws which mandated that qualified whistleblowers receive a set percentage of the funds collected thanks to their whistleblowing. Since these reforms, the whistleblower programs have revolutionized these agencies’ enforcement efforts, leading directly to billions of dollars in sanctions and creating a massive deterrent effect on corporate wrongdoing.

Most recently, Congress reaffirmed the importance of mandatory whistleblower awards when it reformed the anti-money laundering whistleblower law. The original version of the law, which passed in January 2021, had no set minimum amount for awards, meaning that they were fully discretionary. After the AML Whistleblower Program struggled to take off, Congress listened to the feedback from whistleblower advocates and passed the AML Whistleblower Improvement Act to mandate that qualified money laundering whistleblowers are awarded.

Monaco states that the DOJ has long had the discretionary authority to pay whistleblower awards to individuals who report information leading to civil or criminal forfeitures and has “used this authority here and there — but never as part of a targeted program.”

The most important step in turning an underutilized and ineffective whistleblower award law into an “indispensable” whistleblower award program has been made clear over the past decades. Qualified whistleblowers must be guaranteed an award based on a percentage of the sanctions collected in connection with their disclosure.

By administering its whistleblower program in a way that mandates award payments, the DOJ would go a long way towards creating a whistleblower program which revolutionizes its ability to fight crime. The Justice Department has taken the most important first step – recognizing the importance of whistleblowers in reporting frauds. It now must follow through during its “90-day sprint,” making sure reforming the management of the Asset Forfeiture Fund works in practice. Whistleblowers who risk their jobs and careers need real, enforceable justice.

Is the SEC’s Shadow Trading Win Proof That There is a Federal Common Law of Crime After All?

Last week, the U.S. Securities and Exchange Commission’s Director of Enforcement celebrated a jury verdict in its insider trading case against Matthew Panuwat:

“As we’ve said all along, there was nothing novel about this matter, and the jury agreed: this was insider trading, pure and simple. Defendant used highly confidential information about an impending announcement of the acquisition of biopharmaceutical company Medivation, Inc., the company where he worked, by Pfizer Inc. to trade ahead of the news for his own enrichment. Rather than buying the securities of Medivation, however, Panuwat used his employer’s confidential information to acquire a large stake in call options of another comparable public company, Incyte Corporation, whose share price increased materially on the important news.”

I disagree; many have described the SEC’s theory of shadow trading as “novel.” More importantly, you won’t find it in Section 10(b) or Rule 10b-5, the ostensible bases for insider trading prosecutions. I have long decried the “make it up as you go along” aspect of insider trading jurisprudence:

Notably, Rule 10b-5 itself doesn’t explicitly mention insider trading. It would be more than a half century before the SEC finally adopted a rule, Rule 10b5-1, defining just one element of insider trading – when a purchase or sale constitutes trading “on the basis of” material nonpublic information. It is no surprise then that federal courts have struggled to define who can be guilty of insider trading and why. The result is that the crime of insider trading has a decidedly “make it up as you go along” quality. Individuals don’t know where the lines are until the courts draw them and then convict. Consequently, people have gone to prison even as courts have adopted the theories for their convictions. The fact that the U.S. Supreme Court is still defining the crime more than seven decades after Mr. Freeman cobbled together Rule 10b-5 suggests that the definition of insider trading has been too inchoate to support criminal convictions. However “well tuned to an animating principle” a theory might be, I simply don’t think due process exists when a crime is only defined after a conviction.

If Congress truly believes that insider trading should be a crime, it should define the exact elements of the crime rather than leave it to the courts to make up the rules as they send people to prison. The California legislature has in fact done just that in Corporations Code Section 25402. For more on Section 25402, see my article, California’s Unique Approach to Insider Trading Regulation, 17 Insights 21 (July 2003).

Why Bassam Salman Should Not Have Been Convicted.

The willingness of federal courts to send people to prison based on a crime that isn’t expressed, much less defined, in any federal statute is at odds with the principle that only the people’s elected representatives in the legislature are authorized to make an act a crime. United States v. Hudson, 7 Cranch 32, 34, 11 U.S. 32, 3 L.Ed. 259 (1812). While the SEC’s case against Mr. Panuwat was civil, I expect that this novel theory will soon be applied in a criminal prosecution.

Department of Justice Ramps Up Investigations of Private Clubs that Received PPP Loans

As Varnum’s government investigations team has previously discussed, the COVID-era Paycheck Protection Program (PPP) resulted in millions of businesses receiving emergency loans. The PPP’s hurried implementation, coupled with confusion among recipients over eligibility requirements, created an environment ripe for both fraud and the issuance of loans to ineligible recipients. Over the past few years, the Department of Justice (DOJ) has focused on fraud by, among other things, opening civil investigations under the False Claims Act and bringing criminal charges against PPP loan recipients who misused loan proceeds on luxury items. But recently, the DOJ has shifted its focus to a new category of PPP recipients: social clubs that may have been technically ineligible for the loans they received.

The opportunity for improper loans to social clubs arises from a technical wrinkle in how Congress wrote the American Rescue Plan Act of 2021. In this Act, Congress made social clubs (i.e., golf clubs, tennis clubs, yacht clubs) organized under 26 U.S.C. § 501(c)(7) eligible for PPP loans. However, Congress incorporated an agency regulation that prohibited loans to “private clubs and businesses which limited the numbers of memberships for reasons other than capacity.” The result is that social clubs that limit their number of members for any reason besides capacity were technically ineligible for PPP loans.

In recent months, the DOJ has issued Civil Investigation Demands (CIDs) to clubs that it believes might not have been eligible for PPP loans. These CIDs are demands for documents and interrogatory answers and often relate to employment records, income statements, the membership admission process, prospective members’ applications, the club’s governance, and membership information. CIDs are expansive and the government can use the club’s answer in future civil or criminal proceedings.

Given the DOJ’s new focus, clubs should review their PPP paperwork now and consult with an attorney to determine whether their loan was properly issued. If the clubs find technical violations, proactively approaching the government through counsel may be beneficial. If a club receives a CID, it should immediately contact an attorney to begin preparing the appropriate response.

© 2024 Varnum LLP
by: Ronald G. DeWaard, Regan A. Gibson, Gary J. Mouw, Neil E. Youngdahl of Varnum LLP
