Department of Justice Archives - Page 4 of 6

Government Brings First Cryptocurrency Insider Trading Charges

In a series of parallel actions announced on July 21, 2022, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) initiated criminal and civil charges against three defendants in the first cryptocurrency insider trading case.

According to the criminal indictment, DOJ alleges that a former employee of a prominent cryptocurrency exchange used his position at the exchange to obtain confidential information about at least 25 future cryptocurrency listings, then tipped his brother and a friend who traded the digital assets in advance of the listing announcements, realizing gains of approximately $1.5 million. The indictment further alleges that the trio used various means to conceal their trading, and that one defendant attempted to flee the United States when their trading was discovered. The Government charged the three with wire fraud and wire fraud conspiracy. Notably, and like the Government’s recently announced case involving insider trading in nonfungible tokens, criminal prosecutors did not charge the defendants with securities or commodities fraud.

In its press release announcing the charges, US Attorney for the Southern District of New York Damian Williams said: “Today’s charges are a further reminder that Web3 is not a law-free zone. Just last month, I announced the first ever insider trading case involving NFTs, and today I announce the first ever insider trading case involving cryptocurrency markets. Our message with these charges is clear: fraud is fraud is fraud, whether it occurs on the blockchain or on Wall Street. And the Southern District of New York will continue to be relentless in bringing fraudsters to justice, wherever we may find them.”

Based on these facts, the SEC also announced charges against the three men in a civil complaint alleging securities fraud. In order to assert jurisdiction over the matter, the SEC alleges that at least nine of the cryptocurrencies involved in the alleged insider trading were securities, and the compliant traces through the Howey analysis for each. The SEC has not announced charges against the exchange itself, though in the past it has charged at least one cryptocurrency exchange that listed securities tokens for failure to register as a securities exchange. Perhaps coincidentally, on July 21 the exchange involved in the latest DOJ and SEC cases filed a rulemaking petition with the SEC urging it to “propose and adopt rules to govern the regulation of securities that are offered and traded via digitally native methods, including potential rules to identify which digital assets are securities.”

In an unusual move, Commissioner Caroline Pham of the Commodity Futures Trading Commission (CFTC) released a public statement criticizing the charges. Citing the Federalist Papers, Commissioner Pham described the cases as “a striking example of ‘regulation by enforcement.’” She noted that “the SEC’s allegations could have broad implications beyond this single case, underscoring how critical and urgent it is that regulators work together.” Commissioner Pham continued, “Major questions are best addressed through a transparent process that engages the public to develop appropriate policy with expert input—through notice-and-comment rulemaking pursuant to the Administrative Procedure Act.” She concluded by stating that, “Regulatory clarity comes from being out in the open, not in the dark.” The CFTC is not directly involved in either case, and it is atypical for a regulator to chide a sister agency on an enforcement matter in this fashion. On the same day, another CFTC Commissioner, Kristin Johnson, issued her own carefully-worded statement that seemed to support the Government’s actions.

Article By Scott H. Kimpel of Hunton Andrews Kurth

For more criminal law and business crimes legal news, click here to visit the National Law Review.

What the C-Suite and Board Should Know About the New CCO Certification Requirement from DOJ

U.S. Department of Justice (DOJ) Deputy Attorney General Lisa Monaco presented a new policy at a Securities Industry and Financial Markets Association event that requires chief compliance officers (CCO) to certify that compliance programs have been “reasonably designed to prevent anti-corruption violations.”¹ The policy is an outgrowth of a settlement involving US$1 billion in criminal and civil penalties imposed on mining giant, Glencore International AG (Glencore), after it pleaded guilty to bribery and market manipulation charges.² According to Monaco, this new policy is meant to ensure that CCOs stay in the loop on potential company violations and have the necessary resources to prevent financial crime.³ While the expressed intention of this new policy is to empower CCOs, it has raised concerns about potential liability for CCOs.

GLENCORE SETTLEMENT

Glencore is among the largest companies that dominate global trading of oil, fuel, metals, minerals, and food.⁴ In 2018, Glencore was subject to a multi-year investigation by the DOJ for violations of the Foreign Corrupt Practices Act (FCPA) and a commodity price manipulation scheme.⁵ According to admissions and court documents filed in the Southern District of New York, Glencore, acting through its employees and agents, engaged in a scheme for over a decade to pay more than US$100 million to third-party intermediaries in order to secure improper advantages to obtain and retain business with state-owned and state-controlled entities. A significant portion of these payments were used to pay bribes to officials in Nigeria, Cameroon, Ivory Coast, Equatorial Guinea, Brazil, Venezuela, and the Democratic Republic of the Congo.⁶ Glencore resolved the government’s investigations by entering into a plea agreement (Plea Agreement)⁷According to the Plea Agreement, Glencore admitted to one count of conspiracy to violate the FCPA.⁸ Shaun Teichner, the general counsel for the company, told a federal judge in New York that Glencore “knowingly and willingly entered into a conspiracy to violate the Foreign Corrupt Practices Act by making payments to corrupt government officials.”⁹

Glencore expects to pay about US$1 billion to U.S. authorities, after accounting for credits and offsets payable to other jurisdictions and agencies, and about US$40 million to Brazil.¹⁰ A related payment by Glencore to the United Kingdom will be finalized after a hearing next month.¹¹

The Plea Agreement requires that Glencore, among other things: (1) implement two independent compliance monitors, one in the United States and one abroad, to prevent the reoccurrence of crimes; (2) retain a compliance monitor for three years; and (3) have its chief executive officer (CEO) and CCO submit a document certifying to the DOJ’s fraud section that the company has met its compliance obligations (the CCO Certification Requirement or the Certification).¹²

WHY THE CCO CERTIFICATION REQUIREMENT HAS RAISED CONCERNS

The CCO Certification Requirement has raised concerns in the compliance space over potential increases in CCO liability.¹³ Specifically, compliance officials worry that this policy transfers corporate liability into potential individual liability for the CCO. The Certification form asks the CEO and CCO to certify that the compliance program has been “reasonably designed” to prevent future anti-corruption violations.¹⁴ Critics worry that these new certifications may discourage CCOs from taking jobs at companies that are or may be parties to agreements with the DOJ.¹⁵

The DOJ stated that liability will depend on the facts and circumstances of the case but that the new policy is not aimed at going after CEOs or CCOs.¹⁶ Assistant Attorney General Kenneth A. Polite Jr. stated, “if there is a knowing misrepresentation on the part of the CEO or CCO, then that could certainly result in some form of personal liability.”¹⁷ Depending on the circumstances, the DOJ may consider it a breach of the corporation’s obligations under the Plea Agreement if there is either a misrepresentation in one of these certifications or a failure to provide the same.¹⁸ Polite added that “the certification memorializes the company’s commitment to take its compliance obligations seriously.”¹⁹

Critics question how realistic the CCO Certification Requirement is for large, multinational companies.²⁰ They also question the due diligence required to actually ensure that compliance programs are “reasonably designed,” especially for companies operating in over 50 countries. Would it be realistic to expect a CCO or CEO to keep tabs on compliance across their company with that level of specificity?²¹

WHAT THE C SUITE AND BOARD SHOULD CONSIDER MOVING FORWARD

The questions to consider are: (1) where will the expressed policy lead? And (2) how do we best prepare for the Certification?

The DOJ has specifically stated its intention to “prosecute the individuals who commit and profit from corporate malfeasance.”²² Regardless of Monaco’s comments, the Certification appears to create potential for an extension of that policy.

The fact of the policy gives rise to a number of subsidiary questions. Is the Certification, which targets foreign corrupt practices, a harbinger for other such certifications in areas such as health care fraud, defense contractor fraud, money laundering, etc.? And is DOJ gearing toward providing its prosecutors with more tools for individual culpability at the highest corporate levels consistent with its expressed policy?

Moving forward, in-house counsel should work with the CEO and CCO to consider areas of corporate business practices that are specifically subject to compliance programs. They should develop practices including auditing, tracking, training, and reviewing to ensure the programs are “reasonably designed” to prevent future wrongdoing. Further, they should be sure to document their corporate business practices. Obviously, these programs become much more complex when operations include foreign jurisdictions and foreign laws with respect to matters such as privacy and employee rights.

Although this process may not be new to protect corporations from criminal charges, the newly-announced policy will certainly focus the spotlight on CEOs and CCOs in the FCPA context and arguably beyond.

FOOTNOTES

¹Al Barbarino, DOJ Defends New CCO Certifications Amid Industry Worry, LAW360 (May 26, 2022), https://www.law360.com/whitecollar/articles/1496108/doj-defends-new-cco-….

²Id.

³ Id.

⁴ Chris Strohm, Chris Dolmetsch & Jack Farchy, Glencore Pleads Guilty to Decade of Bribery and Manipulation, BLOOMBERG (May 24, 2022), https://www.bloomberg.com/news/articles/2022-05-24/glencore-to-appear-in-us-uk-courts-over-resolutions-of-probes.

⁵ Id.

⁶ News Release, U.S. Dep’t of Just., Office of Pub. Affs., Glencore Entered Guilty Pleas to Foreign Bribery and Market Manipulation Schemes, (May 24, 2022), https://www.justice.gov/opa/pr/glencore-entered-guilty-pleas-foreign-bribery-and-market-manipulation-schemes.

⁷ Id.

⁸ Id.

⁹Strohm, supra note 4.

¹⁰ Id.

¹¹ Id.

¹² Id.

¹³Barbarino, supra note 1.

¹⁴ Id.

¹⁵ Id.

¹⁶ Id.

¹⁷ Id.

¹⁸ Id.

¹⁹ Id.

²⁰ Id.

²¹ Id.

²² News Release, U.S. Dep’t of Just., Attorney General Merrick B. Garland Delivers Remarks Announcing Glencore Guilty Pleas in Connection with Foreign Bribery and Market Manipulation Schemes (May 24, 2022), https://www.justice.gov/opa/speech/attorney-general-merrick-b-garland-delivers-remarks-announcing-glencore-guilty-pleas.

Article By Mark A. Rush and Nadia J. Brooks of K&L Gates

For more corporate law legal news, click here to visit the National Law Review.

Update: In Opioid Liability Ruling for Doctors, SCOTUS Deals Blow to DOJ

On June 27, 2022, the United States Supreme Court ruled that doctors who act in subjective good faith in prescribing controlled substances to their patients cannot be convicted under the Controlled Substance Act (“CSA”). The Court’s decision will have broad implications for physicians and patients alike. Practitioners who sincerely and honestly believe – even if mistakenly – that their prescriptions are within the usual course of professional practice will be shielded from criminal liability.

The ruling stemmed from the convictions of Dr. Xiulu Ruan and Dr. Shakeel Kahn for unlawfully prescribing opioid painkillers. At their trials, the district courts rejected any consideration of good faith and instructed the members of the jury that the doctors could be convicted if they prescribed opioids outside the recognized standards of medical practice. The Tenth and Eleventh Circuits affirmed the instructions. Drs. Ruan and Kahn were sentenced to 21 and 25 years in prison, respectively.

The Court vacated the decisions of the courts of appeals and sent the cases back for further review.

The question before the court concerned the state of mind that the Government must prove to convict a doctor of violating the CSA. Justice Breyer framed the issue: “To prove that a doctor’s dispensation of drugs via prescription falls within the statute’s prohibition and outside the authorization exception, is it sufficient for the Government to prove that a prescription was in fact not authorized, or must the Government prove that the doctor knew or intended that the prescription was unauthorized?”

The doctors urged the Court to adopt a subjective good-faith standard that would protect practitioners from criminal prosecution if they sincerely and honestly believed their prescriptions were within the usual course of professional practice. The Government argued for an objective, good-faith standard based on the hypothetical “reasonable” doctor. The Court took it one step further.

Justice Breyer delivered the opinion of the Court. He said that for purposes of a criminal conviction under the CSA, “the Government must prove beyond a reasonable doubt that the defendant knowingly or intentionally acted in an unauthorized manner.” To hold otherwise “would turn a defendant’s criminal liability on the mental state of a hypothetical ‘reasonable’ doctor” and “reduce culpability on the all-important element of the crime to negligence,” he explained. The Court has “long been reluctant to infer that a negligence standard was intended in criminal statutes,” wrote Justice Breyer.

Justice Samuel Alito wrote a concurring opinion, which Justice Clarence Thomas joined and Justice Amy Coney Barrett joined in part. Although Justice Alito would vacate the judgments below and remand for further proceedings, he would hold that the “except as authorized” clause of the CSA creates an affirmative defense that defendant doctors must prove by a preponderance of the evidence.

The Court’s decision will protect patient access to prescriptions written in good faith. However, for the government, the Court’s decision means prosecutors face an uphill battle in charging, much less convicting, physicians under the CSA. Indeed, the Court’s decision may have a chilling effect on the recent surge in DOJ prosecutions of medical practitioners and pain clinics.

Article By Lindsay K. Gerdes and Madeline R. Pinto of Dinsmore & Shohl LLP

For more litigation legal news, click here to visit the National Law Review.

DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any another impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

Article By Kyle R. Freeny, Linda Ricci, Jena M. Valdetero, and Brittany M. Fisher of Greenberg Traurig, LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

EEOC and the DOJ Issue Guidance for Employers Using AI Tools to Assess Job Applicants and Employees

Employers are more frequently relying on the use of Artificial Intelligence (“AI”) tools to automate employment decision-making, such as software that can review resumes and “chatbots” that interview and screen job applicants. We have previously blogged about the legal risks attendant to the use of such technologies, including here and here.

On May 12, 2022, the Equal Employment Opportunity Commission (“EEOC”) issued long-awaited guidance on the use of such AI tools (the “Guidance”), examining how employers can seek to prevent AI-related disability discrimination. More specifically, the Guidance identifies a number of ways in which employment-related use of AI can, even unintentionally, violate the Americans with Disabilities Act (“ADA”), including if:

(i) “[t]he employer does not provide a ‘reasonable accommodation’ that is necessary for a job applicant or employee to be rated fairly and accurately by” the AI;
(ii) “[t]he employer relies on an algorithmic decision-making tool that intentionally or unintentionally ‘screens out’ an individual with a disability, even though that individual is able to do the job with a reasonable accommodation”; or
(iii) “[t]he employer adopts an [AI] tool for use with its job applicants or employees that violates the ADA’s restrictions on disability-related inquiries and medical examinations.”

The Guidance further states that “[i]n many cases” employers are liable under the ADA for use of AI even if the tools are designed and administered by a separate vendor, noting that “employers may be held responsible for the actions of their agents . . . if the employer has given them authority to act on [its] behalf.”

The Guidance also identifies various best practices for employers, including:

Announcing generally that employees and applicants subject to an AI tool may request reasonable accommodations and providing instructions as to how to ask for accommodations.
Providing information about the AI tool, how it works, and what it is used for to the employees and applicants subjected to it. For example, an employer that uses keystroke-monitoring software may choose to disclose this software as part of new employees’ onboarding and explain that it is intended to measure employee productivity.
If the software was developed by a third party, asking the vendor whether: (i) the AI software was developed to accommodate people with disabilities, and if so, how; (ii) there are alternative formats available for disabled individuals; and (iii) the AI software asks questions likely to elicit medical or disability-related information.
If an employer is developing its own software, engaging experts to analyze the algorithm for potential biases at different steps of the development process, such as a psychologist if the tool is intended to test cognitive traits.
Only using AI tools that measure, directly, traits that are actually necessary for performing the job’s duties.
Additionally, it is always a best practice to train staff, especially supervisors and managers, how to recognize requests for reasonable accommodations and to respond promptly and effectively to those requests. If the AI tool is used by a third party on the employer’s behalf, that third party’s staff should also be trained to recognize requests for reasonable accommodation and forward them promptly to the employer.

Finally, also on May 12^th, the U.S. Department of Justice (“DOJ”) released its own guidance on AI tools’ potential for inadvertent disability discrimination in the employment context. The DOJ guidance is largely in accord with the EEOC Guidance.

Employers utilizing AI tools should carefully audit them to ensure that this technology is not creating discriminatory outcomes. Likewise, employers must remain closely apprised of any new developments from the EEOC and local, state, and federal legislatures and agencies as the trend toward regulation continues.

Article By Joseph C O’Keefe and Edward C. Young of Proskauer Rose LLP

For more labor and employment legal news, click here to visit the National Law Review.

Calling All Whistleblowers: Department of Justice Launches Office of Environmental Justice

Last week, the United States Attorney General announced the creation of the Office of Environmental Justice (OEJ) within the Department of Justice. The OEJ will manage DOJ’s environmental justice projects and “serve as the central hub for our efforts to advance our comprehensive environmental justice enforcement strategy” and address the “harm caused by environmental crime, pollution, and climate change.”

In his speech, Attorney General Merrick B. Garland remarked that OEJ will “prioritize the cases that will have the greatest impact on the communities most overburdened by environmental harm” in partnership with the Civil Rights Division, Office for Access to Justice, Office of Tribal Justice, and United States Attorneys’ Offices.
Whistleblowers take note: violations of environmental laws (Clean Air Act, Clean Water Act) can be a basis for a False Claims Act case.

In 2019, the DOJ settled a case against a domestic producer of Omega-3 fish oil supplements, fishmeal, and fish solubles for livestock and aquaculture feed. The producer allegedly falsely certified compliance with federal environmental laws on a loan application. Under the terms of the settlement, the fish oil producer paid $1 million. A former employee blew the whistle on their employer’s fishy business and was rewarded $200,000 as part of a qui tam lawsuit.

False certification of environmental law compliance harms taxpayers, workers, residents, and the environment for generations. The Assistant Attorney General of the DOJ’s Civil Division said about the case, “Companies will face appropriate consequences if they misrepresent their eligibility to participate in federal programs and divert resources from those who should receive federal support.” It’s up to employees of manufacturers, contractors, construction companies, power plants, and others who receive government funds to report environmentally hazardous misconduct, so that, as the U.S. Attorney said, “Businessmen and companies that lie to get their hands on taxpayer money will be held accountable for their actions.”

Article By Eva Gunasekera and Renée Brooker of Tycko & Zavareei LLP

For more whistleblower legal news, click here to visit the National Law Review.

The DOJ Throws Cold Water on the Frosties NFT Founders

The U.S. Attorney’s Office for the Southern District of New York recently charged two individuals for allegedly participating in a scheme to defraud purchasers of “Frosties” non-fungible tokens (or “NFTs”) out of over $1 million. The two-count complaint charges Ethan Nguyen (aka “Frostie”) and Andre Llacuna (aka “heyandre”) with conspiracy to commit wire fraud in violation of 18 U.S.C. § 1349 and conspiracy to commit money laundering in violation of 18 U.S.C. § 1956. Each charge carries a maximum sentence of 20 years in prison.

The Defendants marketed “Frosties” as the entry point to a broader online community consisting of games, reward programs, and other benefits. In January 2022, their “Frosties” pre-sale raised approximately $1.1 million.

In a so-called “rug pull,” Frostie and heyandre transferred the funds raised through the pre-sale to a series of separate cryptocurrency wallets, eliminated Frosties’ online presence, and took down its website. The transaction, which was publicly recorded and viewable on the blockchain, triggered investors to sell Frosties at a considerable discount. Frostie and heyandre then allegedly proceeded to move the funds through a series of transactions intended to obfuscate the source and increase anonymity. The charges came as the Defendants were preparing for the March 26 pre-sale of their next NFT project, “Embers,” which law enforcement alleges would likely have followed the same course as “Frosties.”

In a public statement announcing the arrests, the DOJ explained how the emerging NFT market is a risk-laden environment that has attracted the attention of scam artists. Representatives from each of the federal agencies that participated in the investigation cautioned the public and put other potential fraudsters on notice of the government’s watchful eye towards cryptocurrency malfeasance.

This investigation comes on the heels of the FBI’s announcement last month of the Virtual Asset Exploitation Unit, a special task force dedicated to blockchain analysis and virtual asset seizure. The prosecution of the Defendants in this matter continues aggressive efforts by federal agencies to reign in bad actors participating in the cryptocurrency/digital assets/blockchain space.

Article By Matthew G. Lindenbaum, Robert L. Lindholm, and Daniel Curran of Nelson Mullins

For more crypto and cybersecurity legal news, click here to visit the National Law Review.

WW International to Pay $1.5 Million Civil Penalty for Alleged COPPA Violations

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
Delete all children’s personal information collected within one year of the user’s last activity on the app; and
Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

Article By Sheila A. Millar and Tracy P. Marshall of Keller and Heckman LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

DOJ Aggressively Targeting PPP Loan Recipients for Fraud: What Businesses Need to Know

More than five million businesses applied for emergency loans under the Paycheck Protection Program (PPP), and with a hurried implementation that prevented a full diligence process, it’s not surprising the program became a target for fraud. The government is now aggressively conducting investigations, employing both criminal and civil enforcement actions. On the civil lawsuit front, companies that received PPP loans should be aware of actions brought under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). This advisory details some of the key points of these enforcement tools and what the government looks for when prosecuting fraudulent conduct.

How will PPP Loan Fraud Enforcement Under the FCA Work?

A company can be liable under the FCA if it knowingly presents a false or fraudulent claim for payment or approval to the government or uses a falsified record in the course of making a false claim. 31 U.S.C. § 3729(a)(1)(A), (B). The FCA allows the government to recover up to three times the amount of the damages caused by the false claims in addition to financial penalties of not less than (as adjusted for inflation) $12,537, and not more than $25,076 for each claim.

The FCA can be enforced by individuals through qui tam lawsuits. This means a private individual, known as a relator, can file a lawsuit on behalf of the government. When a qui tam case is filed, it remains confidential (under seal) while the government reviews the claim and decides whether to intervene in the case. If the lawsuit is successful, the relator is entitled to a portion of the reward.

The False Claims Act has been used to pursue fraud claims in connection with PPP loan applications. Any company that participated in the PPP by applying for a loan should retain documentation justifying all statements made on the loan application and evidencing how any funds obtained through the loans were utilized.

How will PPP Loan Fraud Enforcement Under FIRREA Work?

The government is also utilizing FIRREA in response to fraudulent conduct related to PPP loans. FIRREA is a “hybrid” statute, predicating civil liability on the government’s ability to prove criminal violations. The statute allows the government to recover penalties against a person who violates specifically enumerated criminal statutes such as bank fraud, making false statements to a bank, or mail or wire fraud “affecting a federally insured financial institution.” 12 U.S.C. §1833a.

To establish liability under FIRREA, the government does not have to prove any additional element beyond the violation of that offense and that the violation “affect[ed] a federally insured financial institution.” The government has invoked FIRREA in the context of PPP loan fraud by stating the fraud related to obtaining the loan falls under one or more of the predicate offenses set forth in the statute.

What Factors Determine PPP Loan Fraud Penalties Under FIRREA?

While the assessment of a penalty is mandatory under FIRREA, the amount of the penalty is left to the discretion of the court but may not exceed $1.1 million per offense. There is an exception to this maximum penalty, however, if the person against which the action is brought profited from the violation by more than $1.1 million. FIRREA then allows the government to collect the entire amount gained by the perpetrator through the fraud. The actual amount of the penalty is determined by the court after weighing several factors including:

The good or bad faith of the defendant and the degree of his/her knowledge of wrongdoing;
The injury to the public, and whether the defendant’s conduct created substantial loss or the risk of substantial loss to other persons;
The egregiousness of the violation;
The isolated or repeated nature of the violation;
The defendant’s financial condition and ability to pay;
The criminal fine that could be levied for this conduct;
The amount the defendant sought to profit through his fraud;
The penalty range available under FIRREA; and
The appropriateness of the amount considering the relevant factors.

The government favors utilizing FIRREA penalties to pursue fraud claims for several reasons. The statute of limitations provided in 12 U.S.C. §1833a(h) is 10 years, which is much longer than most civil statutes of limitations. The standard of proof required to impose penalties is preponderance of the evidence, rather than the higher “beyond a reasonable doubt” standard that must be met in a criminal prosecution.

Checklist for PPP Loan Recipients

A company that applied for COVID relief funds, such as PPP loans, should ensure they satisfy the eligibility requirements for obtaining the loan, confirm false statements were not made during the application, and review the rules set forth by the SBA for applying for PPP. The government has shown it is willing to pursue remedies under the FCA and FIRREA for fraudulent statements made regarding a PPP loan application.

Article By Ronald G. DeWaard, Gary J. Mouw, and Gage M. Selvius of Varnum LLP

For more white collar crime and business fraud legal news, click here to visit the National Law Review.

DOJ Policy Review of SEPs May Have Big Implications for Company Environmental Settlements

The U.S. Department of Justice (DOJ) is in the midst of a comprehensive policy review regarding the use of Supplemental Environmental Projects (SEPs) in settlements of environmental enforcement actions. This review could potentially have far-reaching implications for companies that seek to settle such actions brought by either the federal government, or in the case of a citizen suit, a non-governmental organization (NGO). It remains to be seen if the ongoing SEP policy review will result in additional limits on the use of SEPs in settlement, thus limiting the flexibility in achieving penalty mitigation that has been a hallmark of environmental enforcement case resolutions for nearly three decades.

SEPs have been popular among both governmental and non-governmental defendants in enforcement cases for nearly thirty years. SEPs allow settling parties to mitigate a portion of a civil penalty in exchange for performance of environmentally beneficial projects. Under long standing SEP policy, settling parties can receive up to a maximum of 80 percent credit towards mitigation of a portion of a civil penalty for funds expended in performance of SEPs. This policy has proven popular in local communities that benefit from the projects, and these benefits are something that is beyond what is required to achieve compliance with the law. In the early 1990s, SEPs tended to be the exception to the norm of environmental enforcement settlements. But during the later 1990s, SEPs became quite common – even typical.

It is possible that the current ongoing review of SEP policy could result in greater scrutiny of use of SEPs in settlements with companies. Further restrictions on the use of SEPs could take many forms, including limitations on the funds expended, greater scrutiny of the nexus of the SEP to the underlying violations, and even potential elimination of the use of SEPs altogether. Typically, settling parties would much prefer including a SEP as part of a settlement, rather than simply paying all of its out-of-pocket costs as a civil penalty, so further restrictions or elimination of SEPs altogether would not be a positive development for the regulated community.

It is clear that the current administration takes a much more skeptical view of the appropriateness of SEPs than any prior administration. This past August, Assistant Attorney General for the Environment and Natural Resources Division (ENRD) Jeffrey Clark issued a memorandum to all ENRD Section Chiefs outlining new limits on the use of SEPs. Under the new policy, the use of SEPs is prohibited in settlements involving state and local governments, which gives less flexibility to both state and local governments as well as DOJ enforcement attorneys in determining appropriate resolution of enforcement cases.

This latest SEP policy memorandum builds on last November’s memorandum from the Attorney General outlining policies and procedure for civil consent decrees and settlements with state and local governments. This November memorandum included a directive that consent decrees “must not be used to achieve general policy goals or to extract greater or different relief from than could be obtained through agency enforcement authority or by litigation the matter to judgment.” Part of the intent of the outlined policy was to ensure accountability of state and local governments as to their policy goals.

Building on this in reference to SEPs, Clark stated “A clearer example of a form of relief that falls within the prohibition in the November 2018 Policy is difficult to imagine.” Clark left open the possibility of limited case-by-case exceptions to the broader policy of the prohibition, under certain limited conditions, pending his further overall review of SEP policies. But Clark further stated that even if certain limitations are satisfied, “there is no guarantee that I will recommend approval . . . “of including a SEP as part of a settlement with a state or local government.”

ARTICLE BY Francis X. Lyons of Schiff Hardin LLP.

For more Supplemental Environmental Project issues, see the National Law Review Environmental, Energy & Resources law page.

Tag: Department of Justice

Government Brings First Cryptocurrency Insider Trading Charges

Like this: