The authors would like to thank Nicole Brenner for her contribution to this post.
Trade secrets offer companies an invaluable advantage over competitors, but only if the company maintains secrecy and responds promptly to threats. If a company’s success depends on its trade secrets, the protections in place to maintain those secrets will be scrutinized in the event of any breach. A previous article in this series discussed the legal and practical ways companies can protect themselves from industrial espionage, including the “reasonable measures” companies must take to protect trade secret information. 18 U.S.C. § 1836. But if there is already a perceived loss of trade secrets, then the company must be prepared to defend the systems in place to monitor any traces of unusual or dangerous behavior. Even if a company takes all reasonable measures to keep proprietary information secret, it is difficult to avoid all potential threats. Yet threats to company trade secrets are increasing, especially technology thefts. Frequently, such thefts are perpetuated by a company’s own employees.
Responding to a Potential Threat
Companies with trade secrets must prepare a response plan to limit future threats and minimize damage to the company’s value and reputation. Any response plan must be communicated to all employees, with clear procedures to ensure a quick response following the potential loss of trade secrets. The company must establish management protocols to identify, report and address breaches or inadvertent disclosures of confidential information. An effective response plan will help safeguard confidential information and put a company in a better litigation position, should there be an issue in the future.
Best Practices for a Response Plan
Companies should consider forming a threat management team led by a member of senior management to address any potential issues. Further, employees should be encouraged to report any suspicious activity or suspected threat to trade secrets. Because prompt responses to any perceived loss is imperative, the company must inform employees of reporting pathways and procedures.
Keeping this in mind, company response plans should:
Identify Team Members: Company management should form a team tasked with responding to threats to trade secrets. Each member should have clear roles, responsibilities, and decision-making authority. In forming a response team, company management should use employees with expertise in IT and cyber-security issues.
Reporting Channels: The response plan should articulate clear disclosure policies that explicitly detail how threats will be disclosed internally at the company. The policies should consider identifying confidential channels for employees to use to notify the company of suspicious behavior related to possible threats to company trade secrets. The plan should also emphasize the urgency employees should have in responding to such threats and the need to terminate access of the threat actors as soon as practicable. When a company discovers that there has been a potential trade secret theft, it must act quickly. If the trade secret has been compromised by an outgoing or former employee, the company must ensure that individual’s access to company resources has been terminated.
Investigation: If an individual attempts to steal a company’s trade secret, the company should be mindful of its reporting obligations and consider initiating an investigation to determine the extent of the unauthorized access. If the incident involves a current or former employee, the company may demand that the employee return any stolen materials and refrain from using or disclosing any trade secrets. Investigations may also involve hiring private investigators. For example, in United States v. Krumrei, when a company feared that an employee was providing company trade secrets to a competitor, the company began an investigation and hired a private investigator to approach the defendant, posing as a representative from the competitor. 258 F.3d 535, 537 (6th Cir. 2001). Based on the proprietary information the defendant conveyed in this meeting, his trade secret theft conviction was affirmed, and the evidence was sufficient to establish that he knew his actions were illegal. Id. at 538-539.
Law Enforcement: If unauthorized access could potentially impact national or economic security, the company should also consider contacting law enforcement. Local, state or federal law enforcement may help mitigate ongoing damage and reduce long-term consequences for the company.[1]
Litigation Options: In addition to determining whether law enforcement should be contacted, legal counsel can help determine whether the company has a strong litigation position. As detailed in a previous article, if trade secrets were stolen, a temporary restraining order or preliminary injunction may be warranted.
It should be noted, however, if counsel determines that a preliminary injunction is the best course of action, the company must act quickly or risk being precluded from bringing a claim. Charlesbank Equity Fund II, Ltd. P’ship v. Blinds To Go, Inc., 370 F.3d 151, 163 (1st Cir. 2004) (where the court held that the plaintiff’s “cries of urgency are sharply undercut by its own rather leisurely approach to the question of preliminary injunctive relief. It waited more than a year after the commencement of the action to seek an injunction.”); Alexander & Alexander, Inc. v. Danahy, 21 Mass. App. Ct. 488, 494-95 (1986) (“Unexplained delay in seeking relief for allegedly wrongful conduct may indicate an absence of irreparable harm and may make an injunction based upon that conduct inappropriate.”). Accordingly, should counsel determine that a preliminary injunction is warranted, they should act quickly in pursing the action.
Conclusion
Companies should understand that threat mitigation programs and response plans are essential to deter, detect, and prevent wrongdoers seeking to steal trade secrets and engage in acts of industrial espionage. An effective incident response plan can help address all incidents – both unintentional and intentional – and help safeguard a company’s competitive advantage over others.
[1]See Christopher Wray, Director, Fed. Bureau of Investigation, The FBI and Corporate Directors: Working Together to Keep Companies Safe from Cyber Crime, (Oct. 1, 2018).
Among the “biting” new sanctions will be a wider ban on the provision of European services to Russia. The list of banned services has not yet been announced, but there are multiple reports circulating that this may include legal services. Watch this space!
Russian Escalation
Since Russia’s incursion into Ukraine began in February, European Union (“EU”) sanctions have targeted hundreds of individuals including, among others, Russian President Vladimir Putin, Foreign Minister Sergey Lavrov, other government officials, oligarchs and other “elites” proximate to Putin, senior military officers, and individuals responsible for disinformation. They have also banned the import into the EU of certain Russian goods; banned the export, sale, supply, or transfer of certain EU goods to Russia; forbidden passage through or over EU territory; imposed new depository and transactional limits, capital markets restrictions, sectoral prohibitions; and excluded Russian and Belarusian banks from the SWIFT international payment system.
The latest sanctions package responds to the recent referenda organized in occupied territories of Ukraine, presumably with a view to their annexation, the mobilization of 300,000 additional militants, and the threatened deployment of nuclear weapons.
“Biting” New Sanctions
The proposed new package includes:
further import bans on Russian products, including fully banning imports of steel and steel products, certain elements used in the jewelry industry such as stones and precious metals, pulp and paper, machinery and appliances, intermediate chemicals, plastics, and cigarettes, that are meant to deprive Moscow of an additional EUR 7 billion euros (USD 6.7 billion) in aggregate revenues;
ban the export to Russia of EU goods and technologies used in aviation and potentially by the Russian military, such as tires and brakes, as well as electrical components including certain electrical components, semiconductors, and chemicals;
in addition to the existing EU plan to ban the seaborne transportation of Russian crude oil into the EU as of December 5, 2022 and February 5 2023, a G7 agreement to introduce a price cap on Russian oil for third countries;
the extension of current restrictions on Crimea, Donetsk and Luhansk to all non-government-controlled areas of Ukraine; and
targeted sanctions (essentially, asset freezes) against individuals and entities involved in the aforementioned referenda, including “proxy Russian authorities” in the four partially occupied regions of Ukraine (Donetsk, Luhansk, Kherson and Zaporizhzhia), propagandists, and more.
Crackdown on Sanctions Circumvention
The proposed new package also includes a focus on sanctions circumvention. The EC insists that it will list individuals or entities that knowingly and intentionally circumvent Russian sanctions. This would apply, for example, to entities that buy goods in the EU and that knowingly and intentionally transship them to Russia through third countries.
EU-based companies harboring any suspicion that their counterparties are devising structures, or concealing information, in order to evade the many sanctions in force against Russia, should consult with lawyers.
Additional Considerations
Finally, the proposed new package includes a prohibition on EU nationals sitting on governing bodies of Russian state-owned enterprises, as well as additional bans on the provision of services from the EU to Russia. While the list of potential services to be banned has not yet been announced, reports suggest that this may include architectural and engineering services, information technology consultancy services, and legal advisory services. If that is the case, any person within the EU, any EU Member State national (whether inside or outside the EU), and any firm incorporated or constituted under the law of an EU Member State, will be prohibited from providing legal services or advice to Russia. This would potentially impact not only EU legal services providers, but also Russian companies that rely on EU group companies for legal support.
At the time of writing, the new measures are merely proposals and are yet to be agreed by the 27 EU Member States. There is a chance that Hungary, an ally of Russia, will push back on the price cap on Russian oil. However, Josep Borrell, the EU’s High Representative for Foreign Affairs and Security Policy, announced unanimity among EU foreign ministers to adopt tough additional measures following Putin’s latest speech, in which he hinted that Russia could resort to nuclear weapons.
On August 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned virtual currency mixer Tornado Cash for having laundered more than USD 7 billion worth of virtual currency since its founding in 2019. This includes over USD 455 million worth of stolen virtual currency associated with the Lazarus Group, a “Democratic People’s Republic of Korea (DPRK) state-sponsored hacking group” that is responsible for the largest known virtual currency heist to date.[1] Notably, Tornado Cash is only the second virtual currency mixer that OFAC has sanctioned, following its May 2022 sanctions on Blender.io. These sanctions against two virtual currency mixers within months of each other signal an escalation in OFAC’s focus toward cyber-criminal activity perpetrated through virtual currency related platforms. Some in the digital assets industry, however, feel that OFAC’s actions—sanctioning a piece of computer code rather than specific bad actors—is unconstitutional and subject to legal challenge.
Tornado Cash, the “Virtual Currency Mixer”
Tornado Cash, which operates on the Ethereum blockchain, provides mixing or tumbling services to users of cryptocurrencies.[2] A “mixer,” also known as a “laundry service” or “tumbler,” is a tool or service that allows users to send virtual currency anonymously.[3] A mixer works by obscuring a transaction on the blockchain by sending the transaction through a “complex, semi-random series of dummy transactions”[4] and by comingling one payment with others, such that it becomes unclear to whom funds are being directed and extremely difficult to trace funds back to an original source.
Tornado Cash mixes transactions using a zero-knowledge proof algorithm.[5] A zero-knowledge proof algorithm is a system where the user withdrawing the currency proves to the “verifier” (i.e., Tornado Cash’s smart contract tool) that a particular statement is true without having to provide any other information.[6] The verifier automatically checks the proof provided by the user and processes a withdrawal if the proof is valid. This process results in anonymous records on the blockchain and maximizes confidentiality in cryptocurrency transactions.[7]
The anonymity Tornado Cash provides users is purportedly for privacy, however the mixer appears to have been commonly misused by bad actors for illicit purposes. In addition to its misuse by the Lazarus Group, which once stole USD 620 million in Ethereum from Ronin Network’s Sky Mavis, the maker of the Axie Infinity blockchain game, Tornado Cash was also used to launder over USD 96 million worth of virtual currency connected to the Harmony Bridge Heist in June 2022 and USD 7.8 million worth of virtual currency in the Nomad Heist in August 2022.
OFAC Sanctions against Tornado Cash
Pursuant to Executive Order 13694, as amended, OFAC sanctioned Tornado Cash for facilitating the laundering of proceeds of cybercrimes, which caused “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” and “a significant misappropriation of funds or economic resources.”[8]
The sanctions block all property and interests in property of Tornado Cash in the U.S. or held by U.S. persons. All property and interests in property must be reported to OFAC. The sanctions also block entities that are owned fifty percent or more by a blocked person, whether ownership is direct or indirect. Additionally, all transactions by U.S. persons and transactions within the U.S. involving Tornado Cash are prohibited. In effect, OFAC has banned all Americans from using Tornado Cash.
FAQ 1076 explains what activity is prohibited under the sanctions.[10] Specifically, “engaging in any transaction with Tornado Cash or its blocked property or interests in property” is prohibited under the sanctions.[11] Additionally, transactions with certain virtual currency wallet addresses associated with Tornado Cash that are listed on OFAC’s Specially Designated National and Blocked Persons List (the SDN List) are prohibited. However, using or interacting with open-source code that does not involve a prohibited transaction is still permissible. U.S. persons may “copy […] the open-source code and mak[e] it available online for others to view, as well as discuss […], teach […] about, or includ[e] open-source code in written publications,” and access the Tornado Cash website archives.[12] OFAC’s clarification on this point is useful to virtual currency developers, issuers, and users because Tornado Cash operates on Ethereum blockchain, which is publicly available.
FAQ 1077 answers the question whether U.S. persons can “engage in transactions involving identified Tornado Cash virtual currency wallet addresses absent a specific license from OFAC” with a resounding no.[13] OFAC instructs that U.S. persons cannot engage in a transaction with Tornado Cash or one of its virtual currency wallet addresses without violating sanctions, unless the transaction is exempt or authorized by OFAC.
FAQ 1078 addresses whether OFAC’s reporting obligations apply to “dusting” transactions that occurred in the wake of the sanctions.[14] “Dusting” is the practice of sending users unsolicited, nominal amounts of virtual currency. After the sanctions were announced, over six-hundred addresses received 0.01 ETH (USD 19.25) as part of a dust attack.[15] FAQ 1078 explains that OFAC’s reporting obligations do apply to such transactions, but the agency will not prioritize enforcement against delayed receipt of initial and subsequent blocking reports absent another “sanctions nexus.”[16]
FAQ 1079 pertains to completing transactions or withdrawals that were initiated, but not completed, before the sanctions went into effect on August 8, 2022.[17] OFAC instructs U.S. persons or persons conducting transactions within the U.S., who would like to complete or withdrawal their transactions, to apply for a specific license from OFAC. FAQ 1079 provides additional guidance on how to obtain a specific license and notes that OFAC will “have a favorable licensing policy towards such applications” so long as the transaction is not otherwise sanctionable.[18]
Legal Challenges to the Sanctioning of Computer Code
After the sanctions were announced, industry groups and privacy advocates “reacted with fury,”expressing concerns that the sanctions would limit access to tools that preserve necessary confidentiality in virtual currency transactions.[19] Industry groups have also raised legal concerns over the sanctions. For example, Coinbase, which operates a virtual currency exchange platform, is funding a lawsuit brought by six of its investors to remove Tornado Cash smart contracts from the sanctions list.[20] The plaintiffs in the lawsuit allege that the U.S. Department of the Treasury acted outside its authority by sanctioning “an entire technology instead of specific individuals,” where such technology has legitimate applications and protects privacy.[21] In a tweet, Neeraj Agrawal, the Communications Director for Coin Center, a virtual currency advocacy group, signaled that the group may challenge the sanctions on First Amendment grounds.[22]
Developments in Virtual Currency Regulation
Despite the pushback by virtual currency industry professionals, OFAC will likely increase its sanctions against virtual currency related platforms while the Biden Administration develops strategies and policies to deal with virtual currency and other digital assets.[23] On September 16, 2022, the White House released its Comprehensive Framework for Responsible Development of Digital Assets, pursuant to President Joe Biden’s March 9, 2022, Executive Order.[24] A significant portion of the framework is dedicated to countering illicit finance in virtual currency and digital assets. In the framework, the Biden Administration explained that it will, among other things: (i) ask Congress to enact legislation addressing money-laundering and countering the financing of terrorism in digital assets; (ii) continue to monitor the development of the digital assets sector and its associated illicit financing risks; (iii) instruct departments and agencies to “continue to expose and disrupt illicit actors and address the abuse of digital assets”; and (iv) direct the U.S. Department of the Treasury to enhance dialogue with the private sector to ensure understanding of existing obligations and illicit financing risks associated with digital assets.[25]
The U.S. Department of Justice (the “DoJ”) has already responded to the Executive Order, announcing the expansion of DoJ’s enforcement capabilities through the establishment of a national network of more than 150 subject matter expert prosecutors dedicated to investigating and prosecuting criminal activity involving digital assets. This will necessarily augment DoJ’s existing capacity and expertise and very likely foreshadows increased tenacity and sophistication on DoJ’s part in the future pursuit of criminal prosecutions in the digital assets space. Please see our detailed analysis here. The U.S. Department of the Treasury has also responded to the Executive Order.[26]
Additional Considerations
The regulatory framework for digital assets is still evolving and far from settled. As noted by the New York State Department of Financial Services, it is important for entities that use virtual currencies to create risk-based policies, processes, and procedures to ensure that they do not engage in transactions with sanctioned individuals or entities.[27] In particular, companies that engage in virtual currency should: (1) augment Know Your Customer (KYC)-related processes by using compliance tools that obtain certain identifying information that ties directly to the pseudonymous blockchain ledger data (such as the location of a wallet address on a specific exchange); and (2) conduct transaction monitoring and sanctions screening of blockchain ledger activity.[28]
[3] Financial Action Task Force, Virtual Currencies: Key Definitions and Potential AML/CFT Risks 6 (June 2014), https://www.fatf-gafi.org/media/fatf/documents/reports/Virtual-currency-key-definitions-and-potential-aml-cft-risks.pdf (defining mixer as “a type of anonymizer that obscures the chain of transactions on the blockchain by linking all transactions in the same bitcoin address and sending them together in a way that makes them look as if they were sent from another address.”) (hereinafter “Virtual Currencies”); Dept. of Justice, Report of the Attorney General’s Cyber Digital Task Force (Oct. 2020), https://www.justice.gov/archives/ag/page/file/1326061/download (defining mixer and tumblers as “entities that attempt to obfuscate the source or owner of particular units of cryptocurrency by mixing the cryptocurrency of several users prior to delivery of the units to their ultimate destination.”)
[7]Id.; see also Virtual Currencies, supra note 4, at 6.
[8] Treasury Press Release, supra note 1; see Exec. Order No. 13,694, 3 C.F.R. 18077 (2015), amended by Exec. Order No. 13,757, 3 C.F.R. 1 (2017); Treasury Press Release (“Tornado is being designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a cyber-enabled activity originating from, or directed by persons located, in whole or in substantial part, outside the United States that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that has the purpose or effect of causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”)
[21] Armstrong, supra note 20 (“While Treasury is allowed to sanction people (along with their property), Congress never gave it the power to sanction open source software.”); see Compl. at 1-3, Van Loon v. U.S. Dept. of Treas., No. 6:22-cv-00920 (W.D. Tex. Sept. 8, 2022).
We recently shared an alert covering The National Defense Authorization Act for Fiscal Year 2021 (NDAA), which became law on January 1, 2021. The NDAA included significant reforms to the U.S. anti-money laundering and countering the financing of terrorism regime. Division F of the NDAA consists of the Anti-Money Laundering Act of 2020, which includes the Corporate Transparency Act (CTA). Congress enacted the CTA to establish uniform beneficial ownership information reporting requirements to improve transparency for national security, intelligence, and law enforcement agencies in their efforts to detect and prevent money laundering and terrorist financing.
On September 29, 2022, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued regulations regarding the beneficial ownership reporting requirements. The final rulemaking is effective January 1, 2024. Reporting companies created or registered before January 1, 2024, will have one year (until January 1, 2025) to file their initial reports, while reporting companies created or registered after January 1, 2024, will have 30 days after creation or registration to file their initial reports.
This year has brought remarkable change around the globe – including new administrations, changing regulatory approaches, conflicts, and rapidly evolving global sanctions. Staying on top of how these changes impact businesses, individuals and sovereign entities is a challenge that Squire Patton Boggs’ Government Investigations & White Collar team is dedicated to helping our clients manage. Our new blog provides timely content about how to navigate the global investigations, compliance, and enforcement landscape strategically and effectively.
Please continue to visit Global Investigations & Compliance Review, where you will find the most recent information and insights related to investigations, sanctions, compliance, and anticorruption.
As 2022 comes to a close, is it possible to predict a trend for corporate and white-collar enforcement by the U.S. Department of Justice in 2023? Yes: enforcement will increase in 2023, and it will increase yet more in 2024. Understanding the Department as a dispersed, human institution that responds to incentives explains why.
U.S. Attorney General Merrick B. Garland and Deputy Attorney General Lisa O. Monaco, along with a host of other officials in leadership, have been explicit that they are prioritizing the investigation and prosecution of financial and corporate malfeasance. Early this year, for example, AG Garland told the ABA Institute on White Collar Crime that he “had seen the Justice Department’s interest in prosecuting corporate crime wax and wane over time. Today, it is waxing again.” His remarks complemented and reinforced those of DAG Monaco in the fall of 2021, when she delivered the keynote address at the ABA’s 36th National Institute on White Collar Crime and announced the Biden administrations intention “to better combat corporate crime.”
In addition to remarks like these, in October 2021 the DAG issued one memorandum and, in September 2022, a second memorandum, announcing revisions to corporate criminal enforcement policies, which apply very nearly across the entire Department and include significant policy changes that favor stronger corporate enforcement. As we’ve discussed, these changes may be meaningful for certain existing investigations and prosecutions.
Arguably more important than the actual policy changes themselves is their symbolism. What they’re saying is, we’re very serious about going after financial and corporate crime. One audience for that message is the private sector, which the Department is explicitly urging to invest in compliance. But another important audience for that message is the prosecutors within DOJ.
More than anything else, this express talk of prioritizing corporate criminal enforcement, coupled with internal DOJ policy changes that signify seriousness of purpose, will lead to more and more investigations and cases. Understanding that DOJ is a human institution—and a generally decentralized one at that—explains why that is.
The Department has many prosecutors working for its litigating divisions in Washington, D.C., and many more spread throughout the 94 U.S. Attorney’s Offices across the country and in U.S. territories. Each one possesses significant day-to-day discretion regarding the cases on which to focus and, for many, which matters presented by agents warrant encouragement in further investigation. Particularly in the context of white-collar enforcement, many investigations require prosecutors and agents working closely together, since they often involve significant legal process, as well as investigative decisions that could have important prosecutorial ramifications (such as, when and which suspected conspirators to approach, and in which order).
Department leadership encouraging focus on these kinds of cases will lead prosecutors to devote more energy and attention to such matters than to others. And that has a direct effect on how agents conduct investigations because, separate and apart from the priorities that each law enforcement agency develops on its own, an under-appreciated motivating factor for investigations is the knowledge that the work put in will eventually pay off in the form of a motivated and engaged prosecutor who seeks to further the investigation and ultimately bring charges.
On top of this basic framework of re-orienting priorities across a dispersed network of agents and prosecutors through statements and supportive policy changes, the other direct way to increase investigative and prosecutorial productivity is to increase specifically dedicated resources. Here, the Department has focused hiring and requests for additional resources the last two years on agents and prosecutors to target financial and anti-corruption efforts. Further complementing this shift in priorities are a number of specific initiatives—targeting Covid fraud, kleptocracy, cryptocurrency, and cyber-fraud enforcement, for example—that will also generate white-collar cases.
Most investigations of alleged fraud or corruption take several years. As more agents and prosecutors across the country devote their attention to such matters, the total number of such investigations will continue to increase year over year. The current Administration, moreover, has confirmed only about half of its U.S. Attorneys. The installation of more U.S. Attorneys will replicate, on a local level, the national shift toward increased corporate enforcement.
With the cold and flu season underway and COVID-19 still ever-present, it is a good time to take stock of the potential risks that come with working remotely. Following the lifting of pandemic restrictions allowing offices to open back up, many companies continued to offer work from home or hybrid arrangements. It is important for companies to continue monitoring adherence to the policies and procedures designed to accommodate the new working models.
The most obvious risk associated with such arrangement is related to IT security and the exposure created by unsecure IT environments. Remote employees are particularly vulnerable to inadvertent disclosure of data or cyber attacks from working at home (e.g., shared family computers and unsecure home networks) or through the use of public wireless networks (e.g., unsecured public networks such as coffee shops, airports, and hotels). Employees may also be taking part in confidential meetings from public spaces and inadvertently disclosing confidential information to anyone within earshot.
With more employees taking company documents home to work on or on the road as they travel, it is becoming increasingly difficult to track the location of records in the event of an investigation, litigation request, document retention/destruction event, or audit. Employees may also be keeping sensitive company information in a non-secure manner, such as leaving documents out openly (i.e., not stored away) in a home office that may be shared with family members or even through sending sensitive company information through personal devices (i.e., not properly encrypted). As companies transitioned to remote work models, government regulators have increased focus on the use of unofficial channels of communication, particularly in heavily regulated industries which require companies to honor their recordkeeping and books-and-records obligations. The SEC has recently targeted companies for violating record keeping provisions for using off-channel communications on personal devices to discuss business matters. (See here and here.)
Open reporting is another risk area affected by remote and hybrid working arrangements. According to consultant Gartner, Inc.’s June 2022 report, the rate of compliance reporting has dropped by 30% from before the pandemic and overall, remote employees have observed 11% less misconduct than their in-office peers. While Gartner’s report did note that this was partly driven by a large fall in observed misconduct around travel, gifts, and entertainment, it is important to keep in mind, however, the lack of interaction with colleagues clearly impacted what is arguably the most important compliance mechanism to monitor adherence to the company’s business conduct principles and ethical standards.
Keeping these risks in mind, it is important for companies to ensure relevant policies, such as protection of corporate assets and data security policies, are updated to reflect the new working environments. Training and communication programs should also be updated to incorporate the new standards. Companies should take this time as an opportunity to reinforce compliance messaging around employee obligations to report misconduct and to remind employees that there is zero tolerance of retaliation for reports made in good faith.
On March 1, 2023, the Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) demonstrated continued interest in investigating insider trading by company executives who possess material non-public information when they unsealed an indictment and filed a civil complaint, respectively, in the Central District of California. Though a Rule 10b5-1 plan—an investment device that allows a corporate insider to set up an investment plan for buying or selling company stock without violating insider trading laws—is intended as a safe harbor, the existence of any such plan cannot be an affirmative defense if the executive possesses material non-public information at the time the plan is implemented.
The indictment[1] and complaint[2] against Terren Peizer allege that Mr. Peizer set up a Rule 10b5-1 plan to sell shares of Ontrak, Inc., the company he founded and where he served as Executive Chairman. At the time the plan was established, there was no requirement for a formal “cooling-off” period before transacting, but industry best practices suggested a 30-day period was sufficient to avoid the appearance of any impropriety. The government alleges that Mr. Peizer knew that one of Ontrak’s major customers was contemplating terminating its contract, and directed the sale of more than $20 million of Ontrak shares between May and August 2021 while in possession of this material non-public information. This concerted action by the DOJ and SEC is significant as it is the first time an executive has been charged for insider trading based on misuse of a Rule 10b5-1 plan.
Rule 10b5-1 plans cannot provide corporate executives and employees with an affirmative defense against insider trading liability if they possess material non-public information at the time the plan is created.[3] Any such plan must establish a pre-set trading schedule for the sale or purchase of a specific number of shares at specific times, dates, and prices. Corporate executives and employees must create the plan before they are aware of any material non-public information, and the plan is then executed by a third-party administrator without any further input from the insider.
In December 2022, the SEC announced changes to Rule 10b5-1 to enhance investor protections against insider trading. Some of the amendments include:
adopting cooling-off periods for persons other than issuers before trading can commence under a Rule 10b5-1 plan
adding a condition that all persons entering into a Rule 10b5-1 plan must act in good faith with respect to the plan
requiring directors and officers to include representations in their plans certifying at the time of the adoption of a new or modified Rule 10b5-1 plan that: (1) they are not aware of any material nonpublic information about the issuer or its securities; and (2) they are adopting the plan in good faith and not as part of a plan or scheme to evade the prohibitions of Rule 10b-5.[4]
Notably, the amendments limit the ability to rely on the affirmative defense for a single-trade plan to one single-trade plan per 12-month period. Given the new disclosure requirements and the restrictions on the availability of the affirmative defense, companies should be aware of the government’s increased interest in protecting the interest of investors.
Earlier this month, the Supreme Court of the United States decidedDubin v. United States, No. 22-10, 2023 WL 3872518, at *1 (U.S. June 8, 2023), in favor of the defendant. Justice Sonia Sotomayor wrote the opinion for the Court, which held that 18 U.S.C. § 1028A(a)(1), aggravated identity theft, is violated only when the misuse of another person’s means of identification is at the crux of what makes the underlying offense criminal.[1]
Defendant David Dubin was convicted of healthcare fraud after over-charging Medicaid for teenagers seeking mental health testing at emergency centers in Texas. Dubin falsely claimed the employees performing the testing were licensed psychologists who command a higher rate from Medicaid. However, the employees were only licensed psychological associates. Because the falsified bills also included the patient’s Medicaid reimbursement number, Dubin was also charged with aggravated identity theft, which carries a two-year mandatory minimum consecutive sentence, and he was convicted of this charge as well.
The district court sentenced Dubin for both healthcare fraud and aggravated identity theft, and the Fifth Circuit affirmed the judgment. The Supreme Court granted certiorari to resolve the circuit split between the Fifth Circuit and other Circuits, including the Fourth, Ninth, and Sixth Circuits, which had limited the application of the aggravated identity theft statute.[2] Specifically, the Supreme Court set out to address whether a person commits aggravated identity theft whenever the person mentions, or includes, someone else’s name while committing a predicate offense.
The government argued that an aggravated identity theft occurred simply because Dubin used his patients’ identities when committing the fraud. On this view, any knowing use of someone else’s identification in the course of the predicate offense constituted an aggravated identity theft. Conversely, Dubin argued that the statute would be implicated in a healthcare fraud case like his where the defendant misrepresented who received a service. In his case, the fraudulent claims related to how or when a service was performed. Accordingly, Dubin posited that merely including the real patient’s Medicaid reimbursement number on his fraudulent bills was too remote to constitute aggravated identity theft.
The Supreme Court’s opinion placed great emphasis on statutory interpretation. Concluding that the text of the statute called for a narrow interpretation, Justice Sotomayor wrote, “identity theft is committed when a defendant uses the means of identification itself to defraud or deceive.” Dubin, 2023 WL 3872518, at *8. Justice Sotomayor’s opinion emphasized that the use of the identification must be at the crux of the underlying criminal offense. Otherwise, any fraudulent conduct that included other people’s identification could be construed as aggravated identity theft. Justice Sotomayor’s opinion used the canon of construction noscitur a sociis, which posits that ambiguous words can be determined by considering the context and associations of nearby words. After interpreting the statute and considering Dubin’s conduct, the Supreme Court unanimously concluded he did not commit aggravated identity theft.
The broader implications of the Dubin ruling are straightforward. With the Supreme Court’s decision, aggravated identity theft as set forth in 18 U.S.C. § 1028A(a)(1) can apply only when the actual use of the identity is the focus of the criminal activity, and not ancillary to the underlying actions. The decision resolves a circuit split—and is another example this Term of the Supreme Court construing a criminal statute more narrowly than the position advocated by the Department of Justice.
[1] “Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.” 18 U.S.C. § 1028A(a)(1).
[2]Compare United States v. Abdelshafi, 592 F.3d 602, 606-610 (4th Cir. 2010), with United States v. Hong, 938 F.3d 1040, 1051 (9th Cir. 2019), and United States v. Medlock, 792 F.3d 700, 707 (6th Cir. 2015).
The Wolfsberg Group, an association of thirteen global banks which develops frameworks and guidance for the management of financial crime risks, particularly with respect to KYC, AML, and CFT policies, recently released a set of frequently asked questions on negative news screening and other forms of adverse information searches.
Negative news screening can assist financial institutions in performing customer due diligence, as well as evaluating transactions or activities that are unusual or potentially suspicious. The Financial Action Task Force (FATF), an inter-governmental money laundering and terrorist financing watchdog, recommends that banks, as part of a risk-based approach, include verifiable adverse media searches as part of enhanced due diligence measures.[1] Similarly, while the Bank Secrecy Act does not require negative news screening, U.S. regulators have encouraged banks, as appropriate, to consider negative news.[2] The FFIEC BSA/AML Manual, for example, notes that banks should “establish policies and procedures for determining whether and/or when, on the basis of risk, obtaining and reviewing additional customer information, for example through negative media search programs, would be appropriate.” The Manual continues that the results of negative news screening can help a bank determine when it is appropriate to review a customer relationship.
Recognizing that there is no single, universally agreed approach to negative news screening, the Wolfsberg Group developed its recent guidance to help financial institutions manage their financial crime risks. The guidance is separate from politically exposed persons or sanctions screening, both of which are traditionally list-based. For the purposes of the guidance, the Wolfsberg Group defined “negative news” as “‘information available in the public domain which FIs [financial institutions] would consider relevant to the management of Financial Crime risk.”
Importance of Credible and Relevant Sources
The guidance notes that the value that a bank is able to extract from negative news screening is “correlated to the availability of information and the credibility of the media source in the public domain.” The guidance recommends that a bank may want to establish specific media sources, considering the credibility of the source and the coverage of adverse information within a specific geographical area: “The credibility of the media source will be a key factor in determining whether it should be used in [negative news screening]. For example, factors such as the completeness, accuracy and coverage of the source should be considered.” The guidance suggests that banks consider conducting an assessment on the sources used in its negative news screening – if the bank uses an external party or vendor to provide the media sources, “it is recommended that the [bank] understands the evaluation of reliability performed by the vendor and the controls they have in place to mitigate the risk of unreliable sources influencing the screening process.” The guidance provides a detailed list of what the Wolfsberg Group views as characteristics of reputable sources, including media type, content (e.g., material subject to editorial oversight versus social media), and geographical context (e.g., publications considered as politically neutral).
Similarly, a bank should ensure that negative news is relevant to financial crime – speeding fines and public disorder offenses, for example, would not be relevant for assessing financial crime risk.
You’ve Identified Negative News – Now What?
The Guidance recommends that banks have in place a framework to investigate negative news results in a timely and consistent manner. For example, a bank may choose to have a tier-based investigation approach: “e.g., an initial operational level undertaking high volumes of alert investigations against an agreed set of matching/discounting rules and procedures. Subsequent levels may be utilised where alerts cannot be discounted, or positive matches are identified, and due to the subjective nature of [negative news screening] outputs, require specialist subject matter expertise and input.”
As FinCEN and other federal regulators noted in 2021 guidance, a financial institution is not required to file a suspicious action report based solely on negative news. Rather, “[a]s with other identified unusual or potentially suspicious activity, financial institutions should comply with applicable regulatory requirements and follow their established policies, procedures, and processes to determine the extent to which it investigates and evaluates negative news, in conjunction with its review of transactions occurring by, at, or through the institution, to determine if a SAR filing is required.”
[1]See FATF, Guidance for a Risk-Based Approach: The Banking Sector (Oct. 2014).
[2]See FinCEN, Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations (Jan. 19, 2021) (“[CDD] regulations … do not categorically require the performance of media searches or particular screenings. However, in certain circumstances, a financial institution might assess, on the basis of risk, that a customer presents a higher risk profile and, accordingly, collect more information (such as media searches) to better understand the customer relationship. Such information also assists a financial institution in determining when transactions are potentially suspicious.”); FinCEN, Frequently Asked Questions Regarding Customer Due Diligence (CDD) Requirements for Covered Financial Institutions (Aug. 3, 2020) (“The CDD Rule does not categorically require … the performance of media searches or particular screenings.”).
