Recent Federal Strike Force Prosecutions Serve as Warning to U.S. Manufacturers and Other Exporters

The recent enforcement activities of the newest federal strike force serve as a warning to U.S. manufacturers and other businesses involved in the export of products that the government is doubling down on prosecuting trade violations. The expressed mission of the multi-agency Disruptive Technology Strike Force (Strike Force) is “to counter efforts by hostile nation states to illicitly acquire sensitive U.S. technology to advance their authoritarian regimes and facilitate human rights abuses.” The latest Strike Force criminal indictments focus on technology such as:

  • Aerospace and defense source code,
  • Aircraft components,
  • Microelectronic components used in unmanned aerial vehicles (UAVs),
  • Laser welding machinery.

There is every reason to expect that the Department of Justice’s (DOJ) future targets will extend beyond the kind of individual defendants who have been the focus of the 24 criminal indictments to date and include legitimate companies whose compliance program deficiencies allow the illicit exports to occur. Ensuring that a company’s trade compliance program meets or exceeds the expressed standards of the DOJ and the Department of Commerce (DOC) is now more essential than ever.

Compliance Keys

  • Exposure Risk for Manufacturers and Distributors. The export-diversion schemes prosecuted to date share a common element—a bad actor sought to exploit innocent U.S. manufacturers and distributors by misrepresenting their identity and end-use plans or by seeking to compromise the manufacturer’s computer systems. As U.S. export controls (particularly those aimed at Russia and China) have expanded over the past several years, schemes like those alleged in these indictments have proliferated. Failing to be alert for the warning signs of such schemes may expose a company to becoming a victim of sanctions evaders or, worse, an enforcement target for ignoring red flags. The Export Administration Regulations prohibit companies from engaging in a transaction with the knowledge that a violation has occurred or will occur. “Knowledge” is not limited to actual knowledge; it can also be inferred from turning a blind eye to red flags in a transaction. As a result, having personnel trained to identify and respond appropriately to red flags suggesting that diversion could be occurring can be crucial to avoiding export violations.
  • Precautions to Detect and Prevent Imposter Schemes.
    • First, a written risk-based export control compliance plan can be a valuable aid in detecting diversion schemes and other illicit behavior. Such plans detail procedures employees must follow for conducting diligence on new and existing customers and transactions, evaluating when export licenses are required for a transaction, and detecting and responding to red flags. They provide clear guidance on when and how to escalate potential issues. Such a compliance plan gives employees the tools to help them identify when their company may be facing a diversion scheme and how to respond appropriately before a transaction is executed.
    • Second, companies can emphasize conducting “know your customer” (KYC) diligence on transactions. The importance of such diligence is heightened when new customers are involved, when business with an existing customer is expanding to new products, or when products are headed to new destinations. The DOC has published extensive guidance on KYC diligence (often in conjunction with other U.S. government agencies and with enforcement authorities in allied countries). This week, the DOC and export control authorities from the other G7 countries issued new guidance that identifies items most likely to be the subject of diversion efforts by Russia, lists common red flags suggesting potential export control and sanctions evasion in a transaction, and suggests some diligence best practices to prevent diversion and evasion. This new guidance echoes similar guidance issued by U.S. and allied government agencies over the last two years for detecting diversion schemes in the current environment of export controls and sanctions regarding Russia and China. (For example, our summary of the joint guidance issued last year by export-control authorities in the United States, the United Kingdom, Canada, Australia, and New Zealand addressing 45 types of goods at high risk for diversion and recommended KYC diligence steps can be found here.) Companies should be tracking and incorporating, as appropriate, these guidance updates.
    • Third, companies can be knowledgeable about the potential uses of their products and technology. This knowledge informs when and where a company may face diversion risk. Products and technology with permissible uses could be a target for diversion where they can be used for purposes the U.S. government restricts. For example, in one of the recent Strike Force cases, U.S. v. Postovoy, the alleged diversion scheme targeted a company whose microelectronic components could be used in drones and UAVs. Keeping U.S.-origin components out of such vehicles used by Russia in the war with Ukraine has been a major U.S. export control policy priority. Similarly, in another Strike Force case, U.S. v. Teslenko, the alleged diversion scheme targeted a company whose laser welders had applications that could aid Russia’s nuclear weapons program. Knowing the market for illicit uses for a company’s products and technology helps a company tailor its compliance efforts by identifying what products may be attractive to bad actors and what specific red flags may be of most concern regarding the company’s products and technology.
  • Cybersecurity Vigilance to Prevent Technology Theft. Another case announced alongside the Strike Force cases, U.S. v. Wei, is a reminder that U.S. manufacturers of sensitive technology face a multifront effort by foreign malign actors to gain access to that technology. In addition to ensuring up-to-date export controls and sanctions compliance programs, U.S. manufacturers should consider measures to protect their technology from misappropriation through cyber intrusion by implementing appropriate processes and tools to prevent and detect such activity by these actors. These processes and tools can include:
    • Regularly sharing cyber hygiene tips and training on current phishing schemes and conducting phishing tests to increase employee awareness of these risks,
    • Maintaining system hygiene by regularly scanning systems for vulnerabilities and unauthorized accounts, monitoring access logs for suspicious activity, and prohibiting automatic email forwarding to external addresses to prevent data leakage,
    • Installing a secure email gateway to filter out spam, malware, and phishing attempts and employing email authentication techniques (e.g., SPF, DKIM, and DMARC),
    • Tracking and monitoring all endpoints and mobile devices to detect suspicious activities and regularly auditing access logs to identify violations or attempted violations of access policies, and
    • Restricting administrative and privileged account access to minimize potential damage and limiting remote access to critical data and functions.
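The email-authentication item above names SPF, DKIM, and DMARC but does not say how to tell a monitor-only deployment from one that actually stops spoofed mail. The following Python script is an added example, not part of the original article or of any agency guidance: it parses constructed SPF and DMARC TXT records (the domains and addresses are placeholders, not real records) and reports the settings that leave a domain spoofable, with a weak starting point beside an enforcing configuration. In practice the records would be fetched from DNS (the TXT record at _dmarc.<domain> for DMARC); the script runs offline on the embedded strings.

```python
"""Offline posture check for SPF and DMARC policy records.

Added example: flags the settings that leave a sending domain spoofable.
The sample records below are constructed for illustration (placeholder
domains); real records would be fetched from DNS.
"""
from __future__ import annotations

import re

# Constructed sample records. The WEAK pair is a common monitor-only starting
# point; the STRONG pair is what an enforcing deployment looks like.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ip4:203.0.113.0/24 ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"

STRONG_SPF = "v=spf1 include:_spf.example-mailer.invalid ip4:203.0.113.0/24 -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-agg@example.invalid; "
                "ruf=mailto:dmarc-forensic@example.invalid")

# Mechanisms that cost a DNS lookup under RFC 7208 (limit of 10 per evaluation).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$|/)")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it is enforcing."""
    tags = parse_dmarc(record)
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: receivers deliver spoofed mail (monitor-only)")
    # sp defaults to p when absent, so subdomains inherit a weak p as well.
    sub = tags.get("sp", policy).lower()
    if sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub or 'missing'}: subdomains lack an enforcing policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so abuse of the domain goes unseen")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: relaxed alignment lets any subdomain satisfy alignment")
    return findings


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record, based on its terminal 'all' and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    findings: list[str] = []
    # The last mechanism decides the fate of senders matching nothing above it.
    match = re.fullmatch(r"([+\-~?]?)all", terms[-1].lower())
    if match is None:
        findings.append("no terminal 'all': unmatched senders get a neutral result")
    elif match.group(1) in ("", "+"):
        findings.append("+all: every host on the internet is authorized to send as this domain")
    elif match.group(1) == "?":
        findings.append("?all: neutral result, equivalent to publishing no policy")
    elif match.group(1) == "~":
        findings.append("~all: softfail; only meaningful if DMARC is enforcing")
    lookups = sum(1 for t in terms[1:]
                  if _LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms: exceeds the RFC 7208 limit of 10")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}] SPF findings:   {check_spf(spf) or 'none'}")
        print(f"[{label}] DMARC findings: {check_dmarc(dmarc) or 'none'}")
```

The checks deliberately treat p=none as a finding even though it is a valid DMARC policy: a monitor-only record gives the visibility to fix alignment, but it does nothing to stop a spoofed message from reaching a supplier's inbox, which is the scenario the imposter schemes above depend on.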

The Indictments

The six most recent indictments relating to the Strike Force’s efforts confirm that export control and sanctions compliance, particularly concerning Russia, China, and Iran, is a significant enforcement priority for the DOJ and other government agencies. As one Strike Force member stated, the DOJ, “through the work of the Strike Force, will continue to do all [it] can to prevent advanced technologies from falling into the hands of our adversaries and protect our national security.” These indictments and a related indictment announced simultaneously highlight the risks of manufacturers and distributors falling victim to schemes like those alleged in the indictments or becoming the focus of enforcement efforts for committing export control violations.

U.S. v. Postovoy. A Russian citizen living in the United States was indicted for conspiring to violate the Export Control Reform Act (ECRA), to smuggle, launder money, and defraud the United States. After Russia invaded Ukraine, the individual used a series of companies he owned around the world to obtain and unlawfully export microelectronic components that could be used in drones and UAVs from the United States to Russia. The individual concealed and misstated end-user and destination information in communications with U.S.-based distributors.

U.S. v. Song. A Chinese national was indicted for wire fraud and aggravated identity theft in connection with attempts to obtain software and source code from the National Aeronautics and Space Administration (NASA), research universities, and private companies. Over several years, the individual “spear phished” individuals at NASA, the Air Force, Navy, Army, and Federal Aviation Administration; research universities; and aerospace companies in an attempt to obtain code to which the individual suspected the victims had access. At all relevant times, the individual, who assumed the identities of persons known to the victims, was an employee of a Chinese state-owned aerospace and defense contractor.

U.S. v. Teslenko. A U.S. resident and a Russian national were indicted for smuggling and conspiracy to violate the ECRA, smuggle, and defraud the United States. For approximately six years, the individuals exported laser welding machines from one’s employer in the United States to a Russian company involved in Russia’s nuclear weapons program. The individuals falsified export documentation to conceal the end user.

U.S. v. Goodarzi. A dual U.S. and Iranian citizen was charged with smuggling UAV components to Iran from the United States. For four years, the individual obtained U.S.-originated parts and either transshipped them, typically through the United Arab Emirates, or transported them in his own checked luggage during trips to Iran. The individual had acknowledged in numerous emails with U.S. suppliers that the parts could not be transferred to Iran because of sanctions. The individual also lacked the proper export license to send these items to a sanctioned country like Iran.

U.S. v. Nader. A dual U.S. and Iranian citizen was indicted for violating U.S. economic sanctions and other federal laws in connection with procuring U.S.-originated aircraft components for Iran’s armed forces. Customers in Iran placed orders with the individual, who, in turn, directly or through others, contacted U.S. companies for the components. The individual falsely identified himself or his U.S.-based company as the end user of the components. The individual attempted to export the components, including transshipment to Iran, on several occasions; however, DOC agents detained each export.

U.S. v. Wei. In addition to the above criminal cases brought through the work of the Strike Force, the DOJ announced the indictment of a Chinese national on charges of fraud, conspiracy, computer intrusion, and aggravated identity theft for unlawfully accessing the computer network of a U.S. telecommunications company. The individual—a member of the People’s Liberation Army—and co-conspirators accessed the company’s systems in 2017 and stole documents relating to communications devices, product development, testing plans, internal product evaluations, and competitive intelligence. The individual attempted to install malicious software to maintain access to the company’s systems; his access continued for approximately three months.

Triggers That Require Reporting Companies to File Updated Beneficial Ownership Interest Reports

The Corporate Transparency Act (the “CTA”) was enacted on January 1, 2021, as part of the Anti-Money Laundering Act of 2020 within that year’s National Defense Authorization Act, and its reporting requirements took effect on January 1, 2024. Every entity that meets the definition of a “reporting company” under the CTA and does not qualify for an exemption must file a beneficial ownership information report (a “BOI Report”) with the US Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”). Reporting companies include any entity that is created by the filing of a document with a secretary of state or any similar office under the law of a state or Indian tribe (this includes corporations, LLCs, and limited partnerships).

In most circumstances, a reporting company only has to file an initial BOI Report to comply with the CTA’s reporting requirements. However, when the required information reported by an individual or reporting company changes after a BOI Report has been filed or when either discovers that the reported information is inaccurate, the individual or reporting company must update or correct the reporting information.

Deadline: If an updated BOI Report is required, the reporting company has 30 calendar days after the change to file an updated report.

What triggers an updated BOI Report? There is no materiality threshold as to what warrants an updated report. According to FinCEN, any change to the required information about the reporting company or its beneficial owners in its BOI Report triggers a responsibility to file an updated BOI Report.

Some examples that trigger an updated BOI Report:

  • Any change to the information reported for the reporting company, such as registering a new DBA, new principal place of business, or change in legal name.
  • A change in the beneficial owners exercising substantial control over the reporting company, such as a new CEO, a sale (whether as a result of a new equity issuance or transfer of equity) that changes who meets the ownership interest threshold of 25%, or the death of a beneficial owner listed in the BOI Report.
  • Any change to any listed beneficial owner’s name, address, or unique identifying number provided in a BOI report.
  • Any other change to existing ownership information that was previously listed in the BOI Report.

Below is a reminder of the information reported on a BOI Report:

  • (1) For a reporting company, any change to the following information triggers an updated report:
    • Full legal name;
    • Any trade or “doing business as” name;
    • A complete current address (cannot be a post office box);
    • The state, territory, possession, tribal or foreign jurisdiction of formation; and
    • Taxpayer identification number (TIN).
  • (2) For the beneficial owners and company applicants, any change to the following information triggers an updated report:
    • Full legal name of the individual;
    • Date of the birth of the individual;
    • A complete current address;
    • A unique identifying number and the issuing jurisdiction from a non-expired identification document (a U.S. passport; a state driver’s license; an identification document issued by a state, local government, or Indian tribe; or, if the individual has none of those, a foreign passport); and
    • An image of the document.

It is important to note that if a beneficial owner or company applicant has a FinCEN ID and any change is made to the required information for either individual, then such individuals are responsible for updating their information with FinCEN directly. This is not the responsibility of the reporting company.

Digging for Trouble: The Double-Edged Sword of Decisions to Report Misconduct

On May 10, 2024, Romy Andrianarisoa, former Chief of Staff to the President of Madagascar, was convicted for soliciting bribes from Gemfields Group Ltd (Gemfields), a UK-based mining company specializing in rubies and emeralds. Andrianarisoa, along with her associate Philippe Tabuteau, was charged after requesting significant sums of money and a five percent equity stake in a mining venture in exchange for facilitating exclusive mining rights in Madagascar.

The investigation, spearheaded by the UK’s National Crime Agency (NCA), began when Gemfields reported their suspicions of corruption. Using covert surveillance, the NCA recorded Andrianarisoa and Tabuteau requesting 250,000 Swiss Francs (approximately £215,000) and a five percent equity stake, potentially worth around £4 million, as payments for their services. Gemfields supported the investigation and prosecution throughout.

During the investigation, six covertly recorded audio clips were released, suggesting Andrianarisoa had significant influence over Madagascar’s leadership and her expectation of substantial financial rewards. The arrests in August 2023 and subsequent trial at Southwark Crown Court culminated in prison sentences of three and a half years for Andrianarisoa and two years and three months for Tabuteau.

Comment

Gemfields has, quite rightly, been praised for reporting this conduct to the NCA and supporting their investigation and prosecution. In doing so, they made a strong ethical decision and went above and beyond their legal obligations: there is no legal requirement on Gemfields to report solicitations of this kind.

Such a decision will also have been difficult. Reporting misconduct and supporting the investigation is likely to have exposed Gemfields to significant risk and costs:

  • First, in order to meet their obligations as prosecutors, put together the best case, and comply with disclosure requirements, the NCA likely required Gemfields employees to attend interviews and provide documents. These activities require significant legal support and can be very costly both in time and money.
  • Secondly, such disclosures and interviews might identify unrelated matters of interest to the NCA. It is not uncommon in these cases for corporates reporting misconduct to become the subject of unrelated allegations of misconduct and separate investigations themselves.
  • Furthermore, to the extent that Gemfields supported the covert surveillance aspects of the NCA’s investigation, there may have been significant safety risks to both the employees participating, and unrelated employees in Madagascar. Such risks can be extremely difficult to mitigate.
  • Finally, the willingness to publicly and voluntarily report Andrianarisoa is likely to have created a chilling effect on Gemfields’ ability to do legitimate business in Madagascar and elsewhere. Potential partners may be dissuaded from working with Gemfields for fear of being dragged into similar investigations whether warranted or not.

Organisations in these situations face difficult decisions. Many will, quite rightly, want to be good corporate citizens, but in doing so, must recognise the potential costs and risks to their business and, ultimately, their obligations to shareholders and owners. In circumstances where there is no obligation to report, the safest option may be to walk away and carefully record the decision to do so. No doubt, Gemfields carefully considered these risks prior to reporting Andrianarisoa’s misconduct.

Businesses facing similar challenges should:

  • Ensure they understand their legal obligations. Generally, there is no obligation to report a crime. However, particularly for companies and firms operating in the financial services or other regulated sectors, this is not universally the case.
  • Carefully consider the risks and benefits associated with any decision to report another’s misconduct, including not only financial costs, but time and safety costs too.
  • Develop a compliance programme that assists and educates teams on how to correctly identify misconduct, escalate appropriately, and decide whether to report.

The Double-Edged Impact of AI Compliance Algorithms on Whistleblowing

As the implementation of Artificial Intelligence (AI) compliance and fraud detection algorithms within corporations and financial institutions continues to grow, it is crucial to consider how this technology has a twofold effect.

It’s a classic double-edged technology: in the right hands it can help detect fraud and bolster compliance, but in the wrong hands it can snuff out would-be whistleblowers and weaken accountability mechanisms. Employees should assume it is being used in a wide range of ways.

Algorithms are already pervasive in our legal and governmental systems: the Securities and Exchange Commission, a champion of whistleblowers, employs these very compliance algorithms to detect trading misconduct and determine whether a legal violation has taken place.

There are two major downsides to the implementation of compliance algorithms that experts foresee: institutions avoiding culpability and tracking whistleblowers. AI can uncover fraud but cannot guarantee the proper reporting of it. This same technology can be used against employees to monitor and detect signs of whistleblowing.

Strengths of AI Compliance Systems:

AI excels at analyzing vast amounts of data to identify fraudulent transactions and patterns that might escape human detection, allowing institutions to quickly and efficiently spot misconduct that would otherwise remain undetected.

Vendors describe AI compliance algorithms as operating as follows:

  • Real-time Detection: AI can analyze vast amounts of data, including financial transactions, communication logs, and travel records, in real-time. This allows for immediate identification of anomalies that might indicate fraudulent activity.
  • Pattern Recognition: AI excels at finding hidden patterns, analyzing spending habits, communication patterns, and connections between seemingly unrelated entities to flag potential conflicts of interest, unusual transactions, or suspicious interactions.
  • Efficiency and Automation: AI can automate data collection and analysis, leading to quicker identification and investigation of potential fraud cases.

Yuktesh Kashyap, associate Vice President of data science at Sigmoid explains on TechTarget that AI allows financial institutions, for example, to “streamline compliance processes and improve productivity. Thanks to its ability to process massive data logs and deliver meaningful insights, AI can give financial institutions a competitive advantage with real-time updates for simpler compliance management… AI technologies greatly reduce workloads and dramatically cut costs for financial institutions by enabling compliance to be more efficient and effective. These institutions can then achieve more than just compliance with the law by actually creating value with increased profits.”

Due Diligence and Human Oversight

Stephen M. Kohn, founding partner of Kohn, Kohn & Colapinto LLP, argues that AI compliance algorithms will be an ineffective tool that allows institutions to escape liability. He worries that corporations and financial institutions will implement AI systems and evade enforcement action by calling it due diligence.

“Companies want to use AI software to show the government that they are complying reasonably. Corporations and financial institutions will tell the government that they use sophisticated algorithms, and it did not detect all that money laundering, so you should not sanction us because we did due diligence.” He insists that the U.S. Government should not allow these algorithms to be used as a regulatory benchmark.

Legal scholar Sonia Katyal writes in her piece “Democracy & Distrust in an Era of Artificial Intelligence” that “While automation lowers the cost of decision making, it also raises significant due process concerns, involving a lack of notice and the opportunity to challenge the decision.”

While AI can be a powerful tool for identifying fraud, there is still no method for it to contact authorities with its discoveries. Compliance personnel are still required to blow the whistle, consistent with society’s standard of due process. These algorithms should be used in conjunction with human judgment to determine compliance or lack thereof. Due process is needed so that individuals can understand the reasoning behind algorithmic determinations.

The Double-Edged Sword

Darrell West, Senior Fellow at the Brookings Institution’s Center for Technology Innovation and Douglas Dillon Chair in Governmental Studies, warns about the dangerous ways these same algorithms can be used to find whistleblowers and silence them.

Nowadays most office jobs (whether remote or in person) are conducted fully online. Employees are required to use company computers and networks to do their jobs, and the data each employee generates passes through those devices and networks, so employees’ privacy expectations at work are limited.

Because of this, whistleblowing will get much harder – organizations can employ the technology they initially implemented to catch fraud to instead catch whistleblowers. They can monitor employees via the capabilities built into our everyday tech: cameras, emails, keystroke detectors, online activity logs, what is downloaded, and more. West urges people to operate under the assumption that employers are monitoring their online activity.

These techniques have been implemented in the workplace for years, but AI automates tracking mechanisms. AI gives organizations more systematic tools to detect internal problems.

West explains, “All organizations are sensitive to a disgruntled employee who might take information outside the organization, especially if somebody’s dealing with confidential information, budget information or other types of financial information. It is just easy for organizations to monitor that because they can mine emails. They can analyze text messages; they can see who you are calling. Companies could have keystroke detectors and see what you are typing. Since many of us are doing our jobs in Microsoft Teams meetings and other video conferencing, there is a camera that records and transcribes information.”

If a company defines a whistleblower as a problem, it can monitor this very information and look for keywords that would indicate somebody is engaging in whistleblowing.

With AI, companies can monitor specific employees they might find problematic (such as a whistleblower) and all the information they produce, including the keywords that might indicate fraud. Creators of these algorithms promise that soon their products will be able to detect all sorts of patterns and feelings, such as emotion and sentiment.

AI cannot determine whether somebody is a whistleblower, but it can flag unusual patterns and refer those patterns to compliance analysts. AI then becomes a tool to monitor what is going on within the organization, making it difficult for whistleblowers to go unnoticed. The risk of being caught by internal compliance software will be much greater.

“The only way people could report under these technological systems would be to go offline, using their personal devices or burner phones. But it is difficult to operate whistleblowing this way and makes it difficult to transmit confidential information. A whistleblower must, at some point, download information. Since you will be doing that on a company network, and that is easily detected these days.”

But the question of what becomes of the whistleblower is based on whether the compliance officers operate in support of the company or the public interest – they will have an extraordinary amount of information about the company and the whistleblower.

Risks for whistleblowers have gone up as AI has evolved because it is harder for them to collect and report information on fraud and compliance without being discovered by the organization.

West describes how organizations do not have a choice whether or not to use AI anymore: “All of the major companies are building it into their products. Google, Microsoft, Apple, and so on. A company does not even have to decide to use it: it is already being used. It’s a question of whether they avail themselves of the results of what’s already in their programs.”

“There probably are many companies that are not set up to use all the information that is at their disposal because it does take a little bit of expertise to understand data analytics. But this is just a short-term barrier, like organizations are going to solve that problem quickly.”

West recommends that organizations should just be a lot more transparent about their use of these tools. They should inform their employees what kind of information they are using, how they are monitoring employees, and what kind of software they use. Are they using detection? Software of any sort? Are they monitoring keystrokes?

Employees should want to know how long information is being stored. Organizations might legitimately use this technology for fraud detection, which might be a good argument to collect information, but it does not mean they should keep that information for five years. Once they have used the information and determined whether employees are committing fraud, there is no reason to keep it. Companies are largely not transparent about how long this data is stored and what is done with it once it has been used.

West believes that currently, most companies are not actually informing employees of how their information is being kept and how the new digital tools are being utilized.

The Importance of Whistleblower Programs:

The ability of AI algorithms to track whistleblowers poses a real risk to regulatory compliance given the massive importance of whistleblower programs in the United States’ enforcement of corporate crime.

The whistleblower programs at the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) respond to individuals who voluntarily report original information about fraud or misconduct.

If a tip leads to a successful enforcement action, the whistleblowers are entitled to 10-30% of the recovered funds. These programs have created clear anti-retaliation protections and strong financial incentives for reporting securities and commodities fraud.

Established in 2010 under the Dodd-Frank Act, these programs have been integral to enforcement. The SEC reports that whistleblower tips have led to over $6 billion in sanctions while the CFTC states that almost a third of its investigations stem from whistleblower disclosures.

Whistleblower programs, with robust protections for those who speak out, remain essential for exposing fraud and holding organizations accountable. This ensures that detected fraud is not only identified, but also reported and addressed, protecting taxpayer money, and promoting ethical business practices.

If AI algorithms are used to track down whistleblowers, their implementation would hinder these programs. Companies will undoubtedly retaliate against employees they suspect of blowing the whistle, creating a massive chilling effect where potential whistleblowers would not act out of fear of detection.

Already being employed in our institutions, experts believe these AI-driven compliance systems must have independent oversight for transparency’s sake. The software must also be designed to adhere to due process standards.


Cybersecurity Crunch: Building Strong Data Security Programs with Limited Resources – Insights from Tech and Financial Services Sectors

In today’s digital age, cybersecurity has become a paramount concern for executives navigating the complexities of their corporate ecosystems. With resources often limited and the ever-present threat of cyberattacks, establishing clear priorities is essential to safeguarding company assets.

Building the right team of security experts is a critical step in this process, ensuring that the organization is well-equipped to fend off potential threats. Equally important is securing buy-in from all stakeholders, as a unified approach to cybersecurity fosters a robust defense mechanism across all levels of the company.

This insider’s look at cybersecurity will delve into the strategic imperatives for companies aiming to protect their digital frontiers effectively.

Where Do You Start on Cybersecurity?

Pressures on corporate security teams are growing, both from internal stakeholders and from outside threats, but the resources to do the job are not. So how can companies protect themselves in a real-world environment, where finances, employee time, and other resources are finite?

“You really have to understand what your company is in the business of doing,” said Brian Wilson, chief information security officer at SAS. “Every business will have different needs. Their risk tolerances will be different.”

For example, Tuttle said in the manufacturing sector, digital assets and data have become increasingly important in recent years. The physical product no longer is the end-all, be-all of the company’s success.

For cybersecurity professionals, this new reality leads to challenges and tough choices. Having a perfect cybersecurity system isn’t possible—not for a company doing business in a modern, digital world. Tuttle said, “If we’re going to enable this business to grow, we’re going to have to be forward-thinking.”

That means setting priorities for cybersecurity. Inskeep, who previously worked in cybersecurity for one of the world’s largest financial services institutions, said multi-factor authentication and controlling access is a good starting point, particularly against phishing and ransomware attacks. Also, he said companies need good back-up systems that enable them to recover lost data as well as robust incident response plans.

“Bad things are going to happen,” Wilson said. “You need to have logs and SIEMs to tell a story.”

Lisa Tuttle, chief information security officer at SPX Technologies, said one challenge in implementing an incident response plan is engaging team members who aren’t on the front lines of cybersecurity. “They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right,” she said. “They need to be thinking, ‘What should I be looking for and what’s my response?’”

Wilson said tabletop exercises and security awareness training “are a good feedback loop to have to make sure you’re including the right people. They have to know what to do when something bad happens.”

Building a Security Team
Hiring and maintaining good people in a harrowing field can be a challenge. Companies should leverage their external and internal networks to find data privacy and cybersecurity team members.

Wilson said SAS uses an intern program to help ensure they have trained professionals already in-house. He also said a company’s Help Desk can be a good source of talent.

Remote work also allows companies to cast a wider net for hiring employees. The challenge becomes keeping remote workers engaged, and companies should consider how they can make these far-flung team members feel part of the team.

Todd Inskeep, founder and cybersecurity advisor at Incovate Solutions, said burnout is a problem in the cybersecurity field. “It’s a job that can feel overwhelming sometimes,” he said. “Interacting with people and protecting them from that burnout has become more critical than ever.”

Weighing Levels of Compliance
The first step, Claypoole said, is understanding the compliance obligations the company faces. These obligations include both regulatory requirements (which are tightening) as well as contract terms from customers.

“For a business, that can be scary, because your business may be agreeing to contract terms with customers and they aren’t asking you about the security requirements in those contracts,” Wilson said.

The panel also noted that “compliance” and “security” aren’t the same thing. Compliance is a minimum set of standards that must be met, while security is a more wide-reaching goal.

But company leaders must realize they can’t have a perfect cybersecurity system, even if they could afford it. It’s important to identify priorities—including which operations are the most important to the company and which would be most disruptive if they went offline.

Wilson noted that global privacy regulations are increasing and becoming stricter every year. In addition, federal officials have taken criminal action against CSOs in recent years.

“Everybody’s radar is kind of up,” Tuttle said. The increasing compliance pressure also means it’s important for cybersecurity teams to work collaboratively with other departments, rather than making key decisions in a vacuum. Inskeep said such decisions need to be carefully documented as well.

“If you get to a place where you are being investigated, you need your own lawyer,” said Ted Claypoole, partner at Womble Bond Dickinson.

Cyberinsurance is another consideration for data privacy teams, and it can help Chief Security Officers make the case for more resources (both financial and work hours). Inskeep said cyberinsurance questionnaires also can help companies identify areas of risk and where they need to prioritize their efforts. Such priorities can change, and he said companies need to have a committee or some other mechanism to regularly review and update cybersecurity priorities.

Wilson said one positive change he’s seen is that top executives now understand the importance of cybersecurity and are more willing to include cybersecurity team members in the up-front decision-making process.

Bringing in Outside Expertise
Consultants and vendors can be helpful to a cybersecurity team, particularly for smaller teams. Companies can move certain functions to third-party consultants, allowing their own teams to focus on core priorities.

“If we don’t have that internal expertise, that’s a situation where we’d call in third-party resources,” Wilson said.

Bringing in outside professionals also can help a company keep up with new trends and new technologies.

Ultimately, a proactive and well-coordinated cybersecurity strategy is indispensable for safeguarding the digital landscape of modern enterprises. With an ever-evolving threat landscape, companies must be agile in their approach and continuously review and update their security measures. At the core of any effective cybersecurity plan is a comprehensive risk management framework that identifies potential vulnerabilities and outlines steps to mitigate their impact. This framework should also include incident response protocols to minimize the damage in case of a cyberattack.

In addition to technology and processes, the human element is crucial in cybersecurity. Employees must be educated on how to spot potential threats, such as phishing emails or suspicious links, and know what steps to take if they encounter them.

Key Takeaways:
  • What are the biggest risk areas, and how do you minimize those risks?
  • Know your external cyber footprint. This is what attackers see and will target.
  • Align with your team, your peers, and your executive staff.
  • Prioritize implementing multi-factor authentication and controlling access to protect against common threats like phishing and ransomware.
  • Develop reliable backup systems and robust incident response plans to recover lost data and respond quickly to cyber incidents.
  • Engage team members who are not on the front lines of cybersecurity to ensure quick identification and escalation of potential threats.
  • Conduct tabletop exercises and security awareness training regularly.
  • Leverage intern programs and help desk personnel to build a strong cybersecurity team internally.
  • Explore remote work options to widen the talent pool for hiring cybersecurity professionals, while keeping remote workers engaged and integrated.
  • Balance regulatory compliance with overall security goals, understanding that compliance is just a minimum standard.

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.

by: Theodore F. Claypoole of Womble Bond Dickinson (US) LLP


Paperless Power: Exploring the Legal Landscape of E-Signatures and eNotes

In an era characterized by rapid technological advancements and the profound shift towards remote work, the traditional concept of signing documents with pen and paper has evolved. Electronic signatures, or e-signatures, have emerged as a convenient and efficient alternative, promising to streamline processes, reduce paperwork, and enhance accessibility. Organizations are increasingly embracing e-signatures for a wide range of transactions, prompting a closer examination of their legal validity.

WHAT IS AN “E-SIGNATURE”?

An e-signature encompasses any electronic sound, symbol, or process associated with a record and executed with the intent to sign. These can range from scanned images of handwritten signatures to digital representations generated by specialized software.

GOVERNING LAW:

The governing law for e-signatures in the United States includes both state-specific laws, like those based on the Uniform Electronic Transactions Act (UETA), and the federal ESIGN. ESIGN applies to interstate and foreign transactions, harmonizing electronic transactions across state lines. Many states, including Massachusetts, have adopted UETA, reinforcing the legal standing of e-signatures within their jurisdictions (MUETA).

VALIDITY AND REQUIREMENTS:

Generally, e-signatures are legally binding in the Commonwealth of Massachusetts. However, certain documents like wills, adoption papers, and divorce decrees are excluded from the scope of ESIGN and MUETA to safeguard consumer rights and maintain traditional legal practices.

The following components must be present for e-signatures to be fully protected and upheld under ESIGN and MUETA:

  • Intent: each party intended to execute the document;
  • Consent: there must be express or implied consent from the parties to do business electronically (under MUETA, consumer consent disclosures may also be required). In addition, signers should also have the option to opt-out;
  • Association: the e-signature must be “associated” with the document it is intended to authenticate; and
  • Record Retention: records of the transaction and e-signature must be retained electronically.

Meeting these requirements ensures that e-signatures have the same legal validity and enforceability as traditional handwritten, wet-ink signatures in Massachusetts.

ENFORCEABILITY OF E-NOTES AND CONCERNS FOR FINANCIAL INSTITUTIONS:

An eNote is an electronically created, signed, and stored promissory note. It differs from scanned signatures on paper or PDF copies. Governed by Article 3 of the Uniform Commercial Code (UCC), eNotes are considered negotiable instruments and therefore require special treatment. ESIGN provides a framework for their use, emphasizing the concept of a “transferable record.” This electronic record, meeting UCC standards, grants the same legal rights as a traditional paper note to the person in “control.” The objective of “control” is for there to be a single authoritative copy of the promissory note that is unique, identifiable, and unalterable. Therefore, proving authenticity and lender control over eNotes can be complex.

In Massachusetts, specific foreclosure laws require the presentation of the original note. Thus lenders should be cautious with eNotes, as possessing an original, physical note greatly reduces enforceability risks.

Further, financial institutions often face heightened scrutiny when using e-signatures, given the sensitive nature of financial transactions and the need to ensure security, compliance, and consumer protection.

RECORDABLE DOCUMENTS:

E-signatures have become widely accepted for recording purposes, including in real estate transactions, due to their convenience and efficiency. The implementation of e-signatures for recording has been facilitated and standardized by legislation such as the Uniform Real Property Electronic Recording Act (URPERA). While URPERA offers a comprehensive framework for electronic recording, its adoption varies from state to state. In Massachusetts, URPERA has not yet been formally adopted, leaving recording procedures subject to individual county regulations.

BEST PRACTICES:

Despite the legal recognition of e-signatures under both ESIGN and MUETA, to ensure compliance, organizations should adopt the following best practices:

  1. Obtain Consent: Obtain (and retain) affirmative consent from parties to conduct transactions electronically.
  2. Association: Establish a clear and direct connection between an electronic signature and the electronic record it is intended to authenticate.
    • Embedding: One common method of meeting the association requirement is embedding e-signatures directly within electronic documents.
    • Metadata and Audit Trails: Another method is using metadata and audit trails. Metadata contains signature details like signing date, time, signer identity, and transaction specifics. Audit trails chronicle all document actions, reinforcing the link between signatures and records.
  3. Ensure the Integrity of Electronic Records
    • Authenticity and Integrity: Use secure methods to authenticate the identity of signatories and ensure the integrity of the electronic records. This can include digital signatures, encryption, and secure access controls.
    • Single Authoritative Copy: For transferable records (eNotes), ensure that there is a single authoritative copy that is unique, identifiable, and unalterable except through authorized actions.
  4. Maintain Accessibility and Retainability: Ensure that electronic records are retained in a format that is accessible and readable for the required retention period. This includes being able to accurately reproduce the record in its original form.
  5. Security Measures: Implement robust cybersecurity measures to protect against unauthorized access, alteration, or destruction of electronic records. This includes using firewalls, encryption, and secure user authentication methods.
  6. Provide Consumer Protections: Ensure that consumers have the option to receive paper records and can withdraw their consent to electronic records at any time.
  7. Legal and Regulatory Updates: Keep abreast of any updates or changes in the legal and regulatory landscape regarding electronic transactions and records. Adjust policies and practices accordingly to remain compliant.
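As an added illustration of the association and integrity practices above (example code written for this page, not from the original article or any e-signature vendor), the following Python script binds each signature to the hash of the record plus its signer and timestamp metadata, and appends every signing event to a hash-chained audit trail so that later alteration of either the record or the trail is detectable. Signer names, keys, timestamps and the note text are constructed, and the per-signer HMAC is a stand-in for the PKI digital signature a production system would use.

```python
"""Associating e-signatures with an electronic record and keeping a
hash-chained audit trail of signing events (constructed example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

ZERO_HASH = "0" * 64  # prev_hash of the first audit entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class SignatureEvent:
    """One audit-trail entry: signature metadata bound to the record."""
    signer: str
    signed_at: str          # ISO 8601 timestamp supplied by the caller
    document_sha256: str    # the record this signature is associated with
    signature: str          # HMAC-SHA256 stand-in for a digital signature (assumption)
    prev_hash: str          # entry_hash of the previous entry, or ZERO_HASH
    entry_hash: str         # hash over this entry, chaining it to the next one


def _signed_payload(signer: str, signed_at: str, document_sha256: str) -> bytes:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    return json.dumps(
        {"signer": signer, "signed_at": signed_at, "document_sha256": document_sha256},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def _chain_hash(prev_hash: str, signature: str, payload: bytes) -> str:
    return sha256_hex(prev_hash.encode() + signature.encode() + payload)


class SignedRecord:
    """An electronic record plus the audit trail of signatures applied to it."""

    def __init__(self, document: bytes) -> None:
        self.document = document
        self.audit_trail: list[SignatureEvent] = []

    def sign(self, signer: str, signer_key: bytes, signed_at: str) -> SignatureEvent:
        doc_hash = sha256_hex(self.document)
        payload = _signed_payload(signer, signed_at, doc_hash)
        signature = hmac.new(signer_key, payload, hashlib.sha256).hexdigest()
        prev_hash = self.audit_trail[-1].entry_hash if self.audit_trail else ZERO_HASH
        event = SignatureEvent(signer, signed_at, doc_hash, signature, prev_hash,
                               _chain_hash(prev_hash, signature, payload))
        self.audit_trail.append(event)
        return event

    def verify(self, signer_keys: dict[str, bytes]) -> list[str]:
        """Return a list of problems; empty means record, signatures and
        audit trail are all mutually consistent."""
        problems: list[str] = []
        current_hash = sha256_hex(self.document)
        expected_prev = ZERO_HASH
        for i, ev in enumerate(self.audit_trail):
            # Association: the signature must cover the record as it exists now.
            if ev.document_sha256 != current_hash:
                problems.append(f"entry {i}: document altered after {ev.signer} signed")
            payload = _signed_payload(ev.signer, ev.signed_at, ev.document_sha256)
            key = signer_keys.get(ev.signer)
            if key is None:
                problems.append(f"entry {i}: unknown signer {ev.signer}")
            else:
                expected_sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
                if not hmac.compare_digest(expected_sig, ev.signature):
                    problems.append(f"entry {i}: signature does not verify")
            # Audit-trail integrity: every entry must chain to the one before it.
            if ev.prev_hash != expected_prev:
                problems.append(f"entry {i}: audit trail chain broken")
            if ev.entry_hash != _chain_hash(ev.prev_hash, ev.signature, payload):
                problems.append(f"entry {i}: audit entry altered")
            expected_prev = ev.entry_hash
        return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Sign a constructed note twice, then show what two kinds of tampering look like."""
    keys = {"alice@example.test": b"alice-key", "bob@example.test": b"bob-key"}
    record = SignedRecord(b"Promissory note: borrower agrees to repay $10,000 (constructed).")
    record.sign("alice@example.test", keys["alice@example.test"], "2024-03-01T10:00:00Z")
    record.sign("bob@example.test", keys["bob@example.test"], "2024-03-01T10:05:00Z")
    clean = record.verify(keys)

    # Altering the record after signing breaks the association for every signature.
    record.document = record.document.replace(b"$10,000", b"$100,000")
    altered_doc = record.verify(keys)
    record.document = record.document.replace(b"$100,000", b"$10,000")

    # Rewriting an audit entry's metadata breaks its signature and its entry hash.
    ev = record.audit_trail[0]
    record.audit_trail[0] = SignatureEvent(ev.signer, "2024-02-01T10:00:00Z", ev.document_sha256,
                                           ev.signature, ev.prev_hash, ev.entry_hash)
    altered_trail = record.verify(keys)
    return clean, altered_doc, altered_trail


if __name__ == "__main__":
    for label, result in zip(("clean", "altered document", "altered audit entry"), demo()):
        print(f"{label}: {result or 'OK'}")
```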

CONCLUSION:

While e-signatures offer significant benefits for modern commerce, including efficiency and convenience, their adoption requires careful consideration, especially regarding legal and regulatory compliance. By adhering to best practices and remaining vigilant, businesses and individuals can leverage e-signatures effectively in today’s digital economy.

Five Compliance Best Practices for … Conducting a Risk Assessment

As an accompaniment to our biweekly series on “What Every Multinational Should Know About” various international trade, enforcement, and compliance topics, we are introducing a second series of quick-hit pieces on compliance best practices. Give us two minutes, and we will give you five suggested compliance best practices that will benefit your international regulatory compliance program.

Conducting an international risk assessment is crucial for identifying and mitigating potential risks associated with conducting business operations in foreign countries and complying with the expansive application of U.S. law. Because compliance is essentially an exercise in identifying, mitigating, and managing risk, the starting point for any international compliance program is to conduct a risk assessment. If your company has not done one within the last two years, then your organization probably should be putting one in motion.

Here are five compliance checks that are important to consider when conducting a risk assessment:

  1. Understand Business Operations: A good starting point is to gain a thorough understanding of the organization’s business operations, including products, services, markets, supply chains, distribution channels, and key stakeholders. You should pay special attention to new risk areas, including newly acquired companies and divisions, expansions into new countries, and new distribution patterns. Identifying the business profile of the organization, and how it raises systemic risks, is the starting point of developing the risk profile of the company.
  2. Conduct Country- and Industry-Specific Risk Factors: Analyze the political, economic, legal, and regulatory landscape of each country where the organization operates or plans to operate. Consider factors such as political stability, corruption levels, regulatory environment, and cultural differences. You should also understand which countries also raise indirect risks, such as for the transshipment of goods to sanctioned countries. You also should evaluate industry-specific risks and trends that may impact your company’s risk profile, such as the history of recent enforcement actions.
  3. Gather Risk-Related Data and Information: You should gather relevant data and information from internal and external sources to inform the risk-assessment process. Relevant examples include internal documentation, industry publications, reports of recent enforcement actions, and areas where government regulators are stressing compliance, such as the recent focus on supply chain factors. Use risk-assessment tools and methodologies to systematically evaluate and prioritize risks, such as risk matrices, risk heat maps, scenario analysis, and probability-impact assessments. (The Foley anticorruption, economic sanctions, and forced labor heat maps are found here.)
  4. Engage Stakeholders: Engage key stakeholders throughout the risk-assessment process to gather insights, perspectives, and feedback. Consult with local employees and business partners to gain feedback on compliance issues that are likely to arise while also seeking their aid in disseminating the eventual compliance dictates, internal controls, and other compliance measures that your organization ends up implementing or updating.
  5. Document Findings and Develop Risk-Mitigation Strategies: Document the findings of the risk assessment, including identified risks, their potential impact and likelihood, and recommended mitigation strategies. Ensure that documentation is clear, concise, and actionable. Use the documented findings to develop risk-mitigation strategies and action plans to address identified risks effectively while prioritizing mitigation efforts based on risk severity, urgency, and feasibility of implementation.

Most importantly, you should recognize that assessing and addressing risk is an ongoing process. You should ensure your organization has established processes for the ongoing monitoring and review of risks to track changes in the risk landscape and evaluate the effectiveness of mitigation measures. Further, at least once every two years, most multinational organizations should be updating their risk assessment periodically to reflect evolving risks and business conditions as well as changing regulations and regulator enforcement priorities.

Buying, Selling, and Investing in Telehealth Companies: Navigating Structural and Compliance Issues

A multi-part series highlighting the unique health regulatory aspects of Telemedicine mergers and acquisitions, and financing transactions

Investors in the telehealth space and buyers and sellers of telehealth companies need to account for a set of health regulatory considerations that are unique to deals in this sector. As all parties to potential telehealth transactions analyze their long-term role in the telehealth marketplace, two of the central issues to any transaction are compliance and structure – both in terms of structuring the telehealth transaction itself and due diligence issues that arise related to a target’s structure.

The COVID-19 pandemic, combined with strained health care staffing and provider availability, has accelerated the growth of telehealth, and start-ups and traditional health systems alike are competing for access to patient populations in the telehealth space. However, as we adjust to life with COVID-19 as the norm, the expiration of the federal Public Health Emergency (PHE) looms, and the national economy contracts, we expect that the remainder of 2022 and into 2023 will see consolidation as the telehealth market begins to saturate and the long-term viability of certain platforms is tested. Telehealth companies, health systems, pharma companies and investors are all in potential positions to take advantage of this consolidation in a ripening M&A sector (while startups in the telehealth space continue to seek venture and institutional capital).

This is the first post in a series highlighting the unique health regulatory aspects of telehealth transactions. Future installments of this series are expected to cover licensure and regulatory approvals, compliance / clinical delivery models, and future market developments.

Telehealth Transaction Structure Considerations

The structure of any given telehealth transaction will largely depend on the business of the telehealth organization at play, but also will depend on the acquirer / investor. Regardless of whether a party is buying, selling or investing in a telehealth company, structuring the transaction appropriately will be important for all parties involved. While a standard stock purchase, asset purchase or merger may make sense for many of these transactions, we have also seen a proliferation of affiliation arrangements, joint ventures (JV), alliances and partnerships. These varieties of affiliation transactions can be a good choice for health systems that are not necessarily looking to manage or develop an existing platform, but instead are looking to leverage their patient populations and resources to partner with an existing technology platform. An affiliation or JV is more popular for telehealth companies operating purely as a technology platform (with no core business involving clinical services being provided). For parties in the traditional healthcare provider sector that provide clinical services, an affiliation or JV, which is easier to unwind or terminate than a traditional M&A transaction, can allow the parties to “test the waters” in a new, combined business venture. The affiliation or JV can take a variety of forms, including technology licensing agreements; the creation of a new entity to house the telehealth mission, which then has contractual arrangements with both JV parties; and exclusivity arrangements relating to use of the technology and access to patient populations.

While an affiliation or JV offers flexibility, can minimize the need for a large upfront investment, and can be an attractive alternative to a more permanent purchase or sale, there can be increased regulatory risk. Entrepreneurs, investors, and providers considering any such arrangement should bear in mind that in the wake of the COVID-19 pandemic and proliferation of telehealth, the Office of Inspector General of the Department of Health and Human Services (HHS-OIG) has expressed a heightened interest in investigating so-called “telefraud” and recently issued a special fraud alert regarding suspect arrangements, discussed in this prior post. Further, the OIG’s guidance on contractual joint ventures that would run afoul of the federal Anti-Kickback Statute (AKS) should be front of mind, and parties should strive to structure any affiliation or JV in a manner that meets or approximates an AKS safe harbor.

Target Telehealth Company Structure Compliance

Where telehealth companies are providing clinical services, and are not purely technology platforms, structuring and transaction diligence should focus on whether the target is operating in compliance with corporate practice of medicine (CPOM) laws. The CPOM doctrine is intended to maintain the independence of physician decision-making and reduce a “profits over people” mentality, and prevent physician employment by a lay-owned corporation unless an exception applies. Most states that have adopted CPOM impose similar restrictions on other types of clinical professionals, such as nurses, physical therapists, social workers, and psychologists. Telehealth companies often attempt to utilize a so-called “friendly PC” structure to comply with CPOM, whereby an investor-owned management services organization (“MSO”) affiliates with a physician-owned professional corporation (or other type of professional entity) (a “PC”) through a series of contractual agreements that foster a close working relationship between the MSO, PC, and PC owner and whereby the MSO provides management services, and sometimes start-up financing. The overall arrangement is intended to allow the MSO to handle the management side of the PC’s operations without impeding the professional judgment of the PC or the medical practice of its physicians and the PC owner.

CPOM Compliance Considerations and Diligence for Telehealth Companies

A sophisticated buyer will want to confirm that the target’s friendly PC structure is not only formally established, but is also operationalized properly and in a manner that minimizes fraud and abuse risk. If CPOM compliance gaps are identified in diligence this may, at worst, tank the deal and, at best, cause unexpected delays in the transaction timeline, as restructuring may be required or advisable. The buyer may also request additional deal concessions, such as a purchase price reduction and special indemnification coverage (with potentially a higher liability limit and an escrow as security). Accordingly, a telehealth company anticipating a sale or fund raise would be well served to engage in a self-audit to identify any CPOM compliance issues and undertake necessary corrective actions prior to the commencement of a transaction process.

Below are nine key questions with respect to CPOM compliance and related fraud and abuse issues that a buyer/investor in a telehealth transaction should examine carefully (and that the target should be prepared to answer):

  1. Does the target have a PC that is properly incorporated or foreign qualified in all states where clinical services are provided (based on the location of the patient)?
  2. Does the PC owner (and any directors and officers of the PC, to the extent different from the PC owner) have a medical license in all states where the PC conducts business (to the extent in-state licensure is required)? To the extent the PC has multiple physician owners and directors/officers, are all such individuals licensed as required under applicable state law?
  3. Does each PC have its own federal employer identification number, bank account (including a double lockbox arrangement if enrolled in federal healthcare programs), and Medicare/Medicaid enrollments?
  4. Does the PC owner exercise meaningful oversight and control over the governance and clinical activities of the PC? Does the PC owner have background and expertise relevant to the business (e.g., a cardiologist would not have appropriate experience to be the PC owner of a PC that provides telemental health services)?
  5. Are the physicians and other professionals providing clinical services for the business employed or contracted through a PC (rather than the MSO)? Employment or independent contractor agreements should be reviewed, as well as W-2s, and payroll accounts.
  6. Is the PC properly contracted with customers (to the extent services are provided on a B2B basis) and payors?
  7. Do the contractual agreements between the MSO and PC respect the independent clinical judgment of the PC owner and PC physicians and otherwise comply with state CPOM laws?
  8. Do the financial arrangements between the MSO, PC, and PC owner comply with AKS, the federal Stark Law, and corollary state laws and fee-splitting prohibitions, to the extent applicable?
  9. Is the PC owner or any other physician performing clinical services for the PC an equity holder in the MSO? If so, are these equity interests tied to volume/value of referrals to the PC or MSO (i.e., if the MSO provides ancillary services such as lab or prescription drugs) or could equity interests be construed as an improper incentive to generate healthcare business (e.g., warrants that can only be exercised upon attainment of certain volume)?

Telehealth companies considering a sale or financing transaction, and potential buyers and investors, would be well served to spend time on the front end of a potential transaction assessing the above issues to determine potential risk areas that could impact deal terms or necessitate any friendly PC structuring.

© 2022 Foley & Lardner LLP

NAVEX Report Reveals Increase in Whistleblower Retaliation and Reporting of Misconduct

NAVEX’s 2022 Risk & Compliance Hotline & Incident Management Benchmark Report reveals an increase in internal reporting about misconduct and an increase in allegations of retaliation.  The analysis of data from 3,470 organizations that received more than 1.37 million individual reports identified the following trends (see the full report for a discussion of additional trends and analysis of the data):

  • “More actual allegations of misconduct, rather than inquiries about policies or possible misconduct. Ninety percent of all reports in 2021 were allegations of misconduct, up from 86 percent last year and hitting an all-time high since our first benchmark report more than ten years ago.”

  • “Reports about retaliation, harassment and discrimination jumped – especially retaliation. In 2021, reports of retaliation nearly doubled . . . Taken altogether, these findings suggest employees are more attuned to workplace civility issues. That would fit with external trends such as more talk about systemic racism, income inequality and political divisions; as well as increasing protection for whistleblowers and employees’ awareness of those protections.”

  • “Substantiation rates continue to edge upward. Overall substantiation rates rose from 42 percent in 2020 to 43 percent in 2021, and up from 36 percent a decade ago. The reports substantiated most often were data privacy concerns (63 percent), environmental issues (59 percent), and confidential and proprietary information (54 percent). The reports substantiated least often were about retaliation (24 percent).”

  • “The substantiation rate for reports of retaliation also went up slightly, from 23 percent in 2020 to 24 percent in 2021 – the highest substantiation rate seen since 2016. While steady, this substantiation rate is significantly below the overall median case substantiation rate of 43 percent in 2021. These cases, though difficult to prove, warrant attention.”

  • “Reports of harassment exceeded levels from the height of the #MeToo movement.”

Corporate Whistleblower Protections

Whistleblower retaliation remains all too prevalent.  A September 14, 2022 Bloomberg article titled Whistleblower retaliation remains all too prevalent discusses how “choosing to be a whistle-blower can also be a lonely, risky road” and identifies many deterrents to speaking up – “[t]hey may be afraid of litigation, ruining their reputations, losing security clearances or facing jail time.”

Fortunately, federal and state laws afford corporate whistleblowers remedies to combat retaliation, and whistleblower reward laws incentivize whistleblowers to take the considerable risks entailed in reporting fraud and other wrongdoing to the government. For example, the SEC Whistleblower Program offers awards to eligible whistleblowers who provide original information that leads to successful SEC enforcement actions with total monetary sanctions exceeding $1 million. A whistleblower may receive an award of between 10% and 30% of the total monetary sanctions collected in actions brought by the SEC and in related actions brought by other regulatory or law enforcement authorities. The SEC Whistleblower Program allows whistleblowers to submit tips anonymously if represented by an attorney in connection with their tip.

What is Whistleblower Retaliation?

Whistleblower retaliation laws prohibit a broad range of retaliatory actions against whistleblowers, including any act that would dissuade a worker from engaging in protected whistleblowing.  Examples of actionable whistleblower retaliation include:

  • Terminating a whistleblower;

  • Constructively discharging a whistleblower;

  • Demoting a whistleblower;

  • Suspending a whistleblower;

  • Harassing a whistleblower or subjecting the whistleblower to a hostile work environment;

  • Reassigning a whistleblower to a position with significantly different responsibilities;

  • Issuing a performance evaluation or performance improvement plan that supplies the necessary foundation for the eventual termination of the whistleblower’s employment, or a written warning or counseling session that is considered discipline by policy or practice and is routinely used as the first step in a progressive discipline policy;

  • Placing the whistleblower on administrative leave;

  • Threatening to take an adverse action against a whistleblower;

  • Subjecting a whistleblower to a retaliatory investigation or retaliatory surveillance;

  • Suing a whistleblower for the purpose of retaliating against the whistleblower;

  • Outing a whistleblower;

  • Intimidating a whistleblower;

  • Initiating a law enforcement investigation or facilitating an employee’s detention by U.S. ICE after the employee reported a serious injury; or

  • Discriminating against a whistleblower in the terms and conditions of employment because of whistleblowing.

The DOL Administrative Review Board has emphasized that statutory language prohibiting discrimination “in any way” must be broadly construed and therefore a whistleblower need not prove that a retaliatory act had a tangible impact on an employee’s terms and conditions of employment.

What Damages Can a Whistleblower Recover in a Whistleblower Retaliation Case?

Whistleblower retaliation can exact a serious toll, including lost pay and benefits, reputational harm, and emotional distress.  Indeed, whistleblower retaliation can derail a career and deprive the whistleblower of millions of dollars in lost future earnings.

Whistleblowers should be rewarded for doing the right thing, but all too often they suffer retaliation and find themselves marginalized and ostracized.  Federal and state whistleblower laws provide several remedies to compensate whistleblowers that have suffered retaliation, including:

  • back pay (lost wages and benefits);

  • emotional distress damages;

  • damages for reputational harm;

  • reinstatement or front pay in lieu thereof;

  • lost future earnings; and

  • punitive damages.

Combating Whistleblower Retaliation: How to Maximize Your Recovery

Whistleblower protection laws can provide a potent remedy, but before bringing a retaliation claim, it is crucial to assess the options under federal and state law and develop a strategy to achieve the optimal recovery.  Key issues to consider include the scope of protected whistleblowing, the burden of proof, the damages that a prevailing whistleblower can recover, the forum where the claim would be litigated, and the impact of the retaliation claim on a whistleblower rewards claim.

Scope of Protected Whistleblowing

There is no federal statute that provides general protection to corporate whistleblowers.  Instead, federal whistleblower protection laws protect specific types of disclosures, such as disclosures of securities fraud, tax fraud, procurement fraud, or consumer financial protection fraud.  The main sources of federal protection for corporate whistleblowers include the whistleblower protection provisions of the following:

  • The False Claims Act (FCA) — protecting disclosures about fraud directed toward the government, including actions taken in furtherance of a qui tam action and efforts to stop a violation of the FCA;

  • The Defense Contractor Whistleblower Protection Act (DCWPA) — protecting whistleblowing about gross mismanagement of a federal contract or grant; a gross waste of federal funds; an abuse of authority relating to a federal contract or grant; a substantial and specific danger to public health or safety; or a violation of law, rule, or regulation related to a federal contract;

  • The Sarbanes-Oxley Act (SOX) — protecting disclosures about mail fraud, wire fraud, bank fraud, securities fraud, a violation of any SEC rule, or shareholder fraud;

  • The Dodd-Frank Act (DFA) — protecting whistleblowing to the SEC about potential violations of federal securities laws;

  • The Taxpayer First Act (TFA) — protecting disclosures about tax fraud or tax underpayment;

  • The Consumer Financial Protection Act (CFPA) — protecting disclosures concerning violations of Consumer Financial Protection Bureau rules or federal laws regulating unfair, deceptive, or abusive practices in the provision of consumer financial products or services; and

  • The Anti-Money Laundering Act (AMLA) — protecting disclosures about violations of the Bank Secrecy Act.

While most of these anti-retaliation laws protect internal disclosures (e.g., reporting to a supervisor), whistleblower protection under the DFA is predicated on a showing that the whistleblower disclosed a potential violation of federal securities law to the SEC prior to suffering an adverse action.

State law may also provide a remedy, including the anti-retaliation provisions in state FCAs.  And approximately 42 states recognize a common law wrongful discharge tort action (a public policy exception to at-will employment), which generally protects refusal to engage in illegal activity and the exercise of a statutory right.

Burden of Proof

To maximize the likelihood of winning a case (or at least getting the case before a jury), it is useful to select a remedy with a favorable causation standard (the level of proof required to link the protected whistleblowing to the adverse employment action).  SOX has a favorable “contributing factor” causation standard, i.e., the whistleblower prevails by proving that their protected whistleblowing affected in any way the employer’s decision to take an adverse action.  In contrast, the FCA and DFA require the whistleblower to prove “but for” causation, i.e., the adverse action would not have happened “but for” the protected whistleblowing (albeit there is no need to prove that it was the sole factor).

Damages and Remedies in Whistleblower Retaliation Cases

Variations in the remedies available to whistleblowers under federal anti-retaliation laws may warrant bringing more than one claim.  For example, the DCWPA authorizes an award of back pay (the value of lost pay and benefits), and the FCA authorizes an award of double back pay.  If the whistleblower’s disclosures are protected under both statutes, then the whistleblower should bring both claims.

While a prevailing whistleblower can recover back pay under both the DFA and SOX (double back pay under the former and single back pay under the latter), the DFA does not authorize special damages, i.e., damages for emotional distress and reputational harm.  In contrast, SOX authorizes uncapped compensatory damages.  Therefore, a whistleblower protected under both statutes should bring the SOX claim within the much shorter SOX statute of limitations (180 days) to recover both double back pay and special damages.

State law may also provide a remedy, and if the whistleblower can pursue both a statutory remedy and a wrongful discharge tort, the latter may offer the opportunity to seek punitive damages.

Forum Selection and Administrative Exhaustion

When selecting the optimal remedy to combat retaliation, a whistleblower should consider the forum where the claim would be tried and determine whether the claim must initially be investigated by a federal agency before the whistleblower can litigate the claim.  SOX provides an unequivocal exemption from mandatory arbitration, but Dodd-Frank claims are subject to arbitration.  Accordingly, a whistleblower protected both by SOX and Dodd-Frank should file a SOX claim within the 180-day statute of limitations to preserve the option to try the case before a jury.

Several of the corporate whistleblower protection laws require that the whistleblower file the claim initially at a federal agency and permit the agency to investigate the claim before the whistleblower can litigate the claim.  This is called administrative exhaustion, and failure to comply with that requirement can waive the claim.  In contrast, the FCA and DFA do not require administrative exhaustion.

Impact of Whistleblower Retaliation Claim on Whistleblower Rewards Claim

Another important consideration is the potential impact of a retaliation case on a qui tam or whistleblower rewards case.  Filing an FCA retaliation claim while a qui tam suit is under seal poses some risk of violating the seal, which could bar the whistleblower from recovering a relator share.  Therefore, counsel should consider filing the FCA retaliation claim under seal along with the qui tam suit.

Further, whistleblowers pursuing rewards claims at federal agencies (e.g., SEC or IRS whistleblower claims) while simultaneously pursuing related retaliation claims (e.g., a SOX or TFA claim) should assess the potential impact of the retaliation claim and the potential discoverability of submissions to the SEC or IRS on the rewards claim(s).

Although the patchwork of whistleblower protection laws fails to protect disclosures about certain forms of fraud, there are important pockets of protection.  To effectively combat retaliation, whistleblowers should avail themselves of all appropriate remedies.

© 2022 Zuckerman Law

Children’s Advertising Rules Apply in the Metaverse Too, CARU Says

CARU, the Children’s Advertising Review Unit of BBB National Programs, issued a compliance warning last week reminding industry that the self-regulating body on children’s advertising and privacy intends to enforce its advertising guidelines in the metaverse, just as it does in the real world.

CARU’s August 23 compliance warning puts companies on notice of what perhaps should have been obvious: its guidelines for advertising to children apply in the metaverse, too. The warning heavily analogizes the metaverse, augmented reality (AR) and virtual reality (VR) worlds to other digital spaces like smartphone apps and online videos. CARU emphasizes the need to:

  • avoid blurring the lines between advertising and non-advertising content;
  • clearly disclose the use of brand-sponsored avatar influencers;
  • avoid manipulative tactics that induce children to view or interact with ads or to make in-game purchases; and
  • use clear, understandable, easily noticeable and prominent disclosures, repeated if necessary to ensure children notice and understand them.

The metaverse is a new area of focus for CARU and BBB National Programs: two recent posts, Know the Rules: How to Be Age Appropriate in the Metaverse and Advertising And Privacy: The Rules Of The Road For The Metaverse, emphasize the need to make sure advertising is truthful, non-deceptive and clearly identifiable as advertising, especially in brand-sponsored worlds. CARU recommends that advertisers and operators anticipate and stay aware of how their child audiences interact with the metaverse experience, including how, when and where ads will be shown to them and how influencers will engage in the space.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.