Posts

Showing posts with the label US DOJ

Court Decision Provides Guidance on Preserving Privilege in Cyber Incident Response

The U.S. Court of Appeals for the Sixth Circuit’s (Sixth Circuit)  decision  in  In re FirstEnergy Corporation  provides important guidance on how companies can preserve attorney–client privilege and the attorney work product doctrine during internal investigations – guidance that translates directly to cybersecurity incident response investigations.  The Sixth Circuit confirmed that internal investigations led by outside counsel, where legal advice is rendered and such investigation is undertaken because of real or reasonably anticipated legal exposure, remain protected under attorney-client privilege and attorney work product doctrine, as applicable, even when the findings later inform business or operational decisions. For companies facing increasingly frequent and complex cyber incidents with subsequent class action lawsuits, the Sixth Circuit decision offers a clear message: engage outside counsel early, ensure such counsel leads any cybersecurity investiga...

How Founders and Private Companies Can Mitigate Risks of a Government Investigation

Government investigations can be costly. A simple subpoena for documents could entail collecting hundreds of thousands of documents from your email servers and personal devices, hiring attorneys to review and produce documents, and sitting for hours of interviews with government investigators. And if that investigation uncovers evidence of violations, the consequences could include significant penalties for a company and its principals. Private companies are not immune from these risks. The anti-fraud provisions of federal securities laws apply to private companies, and the US Securities and Exchange Commission (SEC) has not shied away from pursuing private companies (as well as their officers and directors) for alleged fraud. The US Department of Justice (DOJ) also closely scrutinizes startups and their founders. And because of the relatively long statute of limitations for securities fraud (five years for SEC civil enforcement and six years for DOJ criminal prosecution), statements m...

Recent DOJ Settlements Highlight Risks for Subcontractors Handling Sensitive Government Information

On September 30, the U.S. Department of Justice (DOJ) announced an $875,000 settlement with a university over failures to comply with the data security obligations in certain contracts with the Air Force and the Defense Advanced Research Projects Agency (DARPA) . This announcement, along with several other recent settlement announcements by the DOJ and its  Civil-Cyber Fraud Initiative , highlights the contract compliance risks for government contractors and subcontractors who handle sensitive government information and yet fail to comply with the federal government’s cybersecurity requirements.   The university’s case and several like it involve compliance with the requirements of  DFARS 252.204-7012  (Safeguarding Covered Defense Information and Cyber Incident Reporting). This DFARS clause is a federal regulation that establishes minimum standards for how defense contractors and subcontractors must protect sensitive government information and report cybersecur...

Why should you have a compliance program? The Legal Case

In a prior edition we discussed the Business Case for having a Compliance and Ethics  (“C&E”) program.  Here we review the Legal Case.  The legal case for having an effective C&E program is often what causes companies to initiate C&E programs. The are several pieces to this. Legal requirements In certain risk areas and/or industries the C&E elements may be legally required. Where C&E elements are mandated, not having them can itself be a legal violation, with a range of penalties, including disruptive and expensive investigations, fines, and even prison. These requirements can be highly detailed, such as those seen in the finance sector dealing with risks like anti-money laundering.  There are also requirements related to specific risks that apply across all industries, such as required harassment training.  In the US, for example, this may be imposed at the state or municipal level.  Mandated programs can seem to those in government as...

DOJ Criminal Division Head Details White-Collar Enforcement Priorities and Related Policy Revisions

Image
  On June 10, the head of the US Department of Justice’s (DOJ) Criminal Division, Matthew R. Galeotti, gave a speech before the American Conference Institute (ACI) outlining the DOJ’s white-collar enforcement priorities. Galeotti’s remarks follow the DOJ’s recent revisions to the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP).   Read our previous alert about the CEP  here .   Galeotti emphasized that if defense counsel representing companies under investigation “do the right thing, report potential crimes, root out misconduct, cooperate with the [DOJ], and help the company remediate ,” then the company will receive “significant benefits.” He highlighted three key points: Companies that “voluntarily self-report, cooperate, and remediate” fraud and other white-collar offenses will receive a declination — not just a “presumption” of declination — unless there are aggravating factors . Galeotti said that he would personally scrutinize ...