Cybersecurity's Developing Role In FCPA Compliance
This article by partner Ryan Rohlfsen and associates Patrick Reinikainen and Daniel Flaherty was published by Law360 on January 11, 2019.
While much attention has been paid to Deputy Attorney General Rod J. Rosenstein’s Nov. 29, 2018, revisions to the Foreign Corrupt Practices Act Corporate Enforcement Policy,[1] other remarks by Rosenstein and Principal Deputy Assistant Attorney General John P. Cronan in November suggest that the U.S. Department of Justice may also be adapting FCPA enforcement principles to the area of cybersecurity, to encourage more coordination and collaboration with the private sector. This continues the trend from the DOJ speeches in March, July and September of last year,[2] in which DOJ officials extended FCPA enforcement principles to other contexts and encouraged open communication through the FCPA opinions procedure. This development in the cyber arena may carry significant implications for a wide range of industries that handle sensitive data, such as the technology, health care, and financial services sectors.
Rosenstein and Responsible Encryption
While not explicitly referencing the FCPA enforcement principles, Rosenstein admonished private industry to recognize its responsibility to assist law enforcement investigating and preventing cybercrime. For example, at the Nov. 28 press conference to announce the unsealing of the indictment against two fugitive Iranian citizens allegedly involved in the “SamSam” ransomware attacks of 2016, Rosenstein described the “challenges posed to law enforcement by encryption.” In the SamSam case, the defendants allegedly communicated via “an encrypted computer network designed to facilitate anonymous communication over the internet.” Rosenstein made clear that “[t]hese sophisticated technologies pose a real threat to the government’s ability to keep people safe and ensure that criminals and terrorists are caught and brought to justice.”
The next day, Rosenstein built on his prior remarks, further encouraging collaboration and coordination to root out cybercrime. In the keynote address at Georgetown University Law Center’s Cybercrime 2020 Conference, Rosenstein asked “the private sector and academia” to help the DOJ “develop investigative capabilities that keep up with enforcement challenges,” such as those identified in the attorney general’s Cyber-Digital Task Force July report.[3]
He focused specifically on criminals’ anticipated use of “impenetrable communications platforms.” To prevent this “technological anarchy,” Rosenstein called on private industry to cease designing “‘warrant-proof’ encryption.” Noting that “[i]t is impossible to employ criminal enforcement tools and other forms of retribution without first identifying the perpetrators,” and conceding that the DOJ’s “ability to gather electronic evidence increasingly relies on remote communications service providers and device manufacturers,” Rosenstein argued that “[t]echnology makers share a duty to comply with the law and to support public safety, not just user privacy.” Thus, he encouraged the development of “‘responsible encryption,’ — effective, secure encryption that resists criminal intrusion but allows lawful access with judicial authorization.”
Cronan, the FCPA Policy and the Cyber Arena
Deputy Assistant Attorney General John Cronan bolstered Rosenstein’s calls for collaboration and coordination, doubling down and making clear that the DOJ was interested in extending FCPA enforcement principles “to foster similar collaboration between government and industry in the cyber arena.” He explained that the DOJ articulated the FCPA Corporate Enforcement Policy because it believes that, with greater transparency into prosecutorial policy, “companies are more likely to in fact engage in that good corporate behavior,” like maintaining “effective compliance programs” and “voluntarily disclosing to law enforcement, cooperating, and remediating” any misconduct.
Cronan also revealed that the DOJ is interested in incentivizing similar corporate behavior with respect to cybersecurity, stating that “[a]s in the FCPA context, we appreciate the value of providing guidance in the context of cyber attacks or intrusions in helping companies make informed and rational decisions.” As an example of steps taken “[i]n the interest of promoting that collaboration,” Cronan identified the Criminal Division’s Computer Crime and Intellectual Property Section’s “best practices” guidance for preparing for and responding to a cybersecurity incident.[4] Like the FCPA enforcement policy, this guidance encourages companies to self-report misconduct, including misconduct by “a company insider.”
But rather than addressing how corporate victims of cybercrimes might be compared to corporate violators of the FCPA, and how each might have different incentives to disclose the relevant conduct, Cronan went on to describe the DOJ’s and private industry’s “critical roles to play in compliance.” Instead of providing a detailed analogy, or expressly extending the FCPA enforcement policy, Cronan suggested that the DOJ is specifically interested in “open channels of communication between government and industry” and provided two examples of “ineffective compliance” to illustrate his point.
First, Cronan discussed a company that allegedly aided and abetted fraudulent payments involving its corrupt agents and customers. The company had entered into a deferred prosecution agreement mandating compliance improvements. However, the company failed to adequately implement those improvements or disclose compliance weaknesses arising from those failures. As a result, the company was forced to extend its deferred prosecution agreement and forfeit $125 million. Cronan also discussed the DOJ investigation into a second company, which had similarly failed to identify fraudulent payments by its agents and had therefore entered into a deferred prosecution agreement for aiding and abetting those crimes, forfeiting $586 million as a result. Cronan characterized both cases as including facts “which were known by the company and which exposed gaping holes in its compliance program as implemented,” but which were neither disclosed nor corrected.
As a point of contrast, Cronan highlighted the importance of recognizing and responding to compliance failures. First, he characterized two recipients of declinations under the FCPA Corporate Enforcement Policy as companies “that have taken meaningful, effective compliance seriously.” Speaking of Insurance Corporation of Barbados Limited and Guralp Systems Limited, Cronan noted each company had senior management involved in alleged misconduct.[5] Nonetheless, they received declinations because of their “overall efforts to do that right thing,” including cooperation that “enabled the Department to bring charges against culpable individuals,” — a theme reiterated by Rosenstein’s widely publicized FCPA speech the next day.[6] Cronan then concluded with remarks about “compliance in the context of mergers and acquisitions.” In doing so, he highlighted “the importance of self-reporting and proactively addressing problems as they arise, whenever they come to light, even if it is after-the-fact.”
Through this contrast, Cronan made clear that “[w]hat matters to us in the Criminal Division — as embodied in the FCPA Corporate Enforcement Policy and the application of its principles outside the FCPA — is both the effectiveness of the [compliance] program in place at the time of the misconduct, as well as how the company responds upon discovering the misconduct in terms of disclosing to law enforcement, cooperating with the government, and taking meaningful remedial measures.”
Potential Implications for Cybersecurity Compliance
When combined with Rosenstein’s discussion of the importance of coordination and collaboration in the cybersecurity arena, Cronan’s remarks with respect to effective compliance programs may have significant implications for a wide range of industries that handle sensitive data, such as the technology, health care and financial services sectors. Although their collective remarks do not reveal a specific adoption of the FCPA Corporate Enforcement Policy’s principles in the cybersecurity arena, there are several takeaways that may affect how companies approach the development and implementation of effective cybersecurity compliance functions moving forward.
Like Corruption, Cybercrime Is a Global Challenge
In the “SamSam” press conference, Rosenstein “call[ed] on all civilized nations to prevent their citizens from using the internet to perpetrate fraud schemes in foreign countries,” and thanked investigators from two United Kingdom and two Canadian agencies. Of course, anti-corruption enforcement and compliance has become a global problem, with frequent cross-border collaboration. Rosenstein and Cronan’s remarks suggest that we might expect the same level of coordination in the realm of cybercrime enforcement and compliance.
Health Care, Financial Services, Technology Companies and Other Carriers of Sensitive Data May Face High Compliance Expectations
While describing the victims of the “SamSam” ransomware, Rosenstein noted that health care-related entities were targeted because the defendants knew that doing so would cause significant harm. Cronan similarly suggested the companies cited as examples of compliance failures had financial data that created a significant risk for misuse, which was realized by their corrupt agents and customers. These references suggest that the DOJ may hold companies with sensitive data, including those in the health care, financial services and technology sectors, to a high bar, expecting them to prevent, detect, and report their data’s misuse — whether in their capacity as a victim, or as a potential wrongdoer.
Disappearing Messaging Carries Continued Risks
In defining “timely and appropriate remediation,” the FCPA Corporate Enforcement Policy requires that companies “prohibit employees from using software that generates but does not appropriately retain business records or communications.”[7] Now, it seems the DOJ might be looking to compliance departments to take preventative steps before misconduct occurs. For example, Cronan noted “ephemeral and encrypted messaging services” are one of the new technologies “which pose a challenge to traditional investigative methodologies.” While criticizing those engaged in the development of “warrant-proof” encryption, Rosenstein asked private industry to assist law enforcement in preserving and collecting electronic evidence. Together, these remarks suggest that companies permitting ephemeral messaging might, like those designing “warrant-proof” encryption, be deemed to be shirking their duty to support public safety.
Compliance and Cybersecurity Departments Should Be Adequately Staffed to Assist in Government Investigations
As part of his Georgetown address, after noting that the DOJ’s “ability to gather electronic evidence increasingly relies on remote communications service providers and device manufacturers,” Rosenstein noted that some private companies “chronically understaff their offices that respond to legal process from law enforcement.” Cronan explained that other companies, like Insurance Corporation of Barbados Limited and Guralp Systems Limited, would be rewarded for assisting the DOJ in its investigation of culpable individuals. Maintaining adequate investigatory resources across compliance and cybersecurity departments to assist government investigations thus appears to be critically important in the DOJ’s view.
Adequate Policies and Procedures Should Account for Misconduct by Third Parties
Cronan described compliance failures at two companies, each of which was, in part, a failure to detect, prevent, and correct misuse of the company’s money transfer system by customers, not agents, of the company. In his Georgetown address, Rosenstein reiterated the notion that technological developments might be misused by criminal groups, and called on private industry to help protect public safety. These comments suggest that compliance programs should be aimed at preventing and deterring criminal incidents, full stop — not just the criminal liability of the company and its employees. Doing so would therefore ostensibly include accounting for potential misconduct by third parties, including consumers of a company’s products or services.
As the DOJ looks to expand on the success of the FCPA Corporate Enforcement Policy to incentivize good corporate conduct in other contexts, it may also attempt to further encourage private industry to collaborate and coordinate with law enforcement. In the cyber arena, those efforts have already begun. While companies await further transparency into the policies guiding the exercise of prosecutorial discretion in this context, they should begin considering the implications of the DOJ’s efforts when designing compliance programs.
[1] Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the American Conference Institute's 35th International Conference on the Foreign Corrupt Practices Act (https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-american-conference-institute-0); see also DOJ Deputy Attorney General Outlines Key Policy Revisions Focusing on Individual Accountability, Softening Yates Memo (https://www.ropesgray.com/en/newsroom/alerts/2018/11/DOJ-Deputy-Attorney-General-Outlines-Key-Policy-Revisions-Focusing-on-Individual-Accountability).
[2] DOJ Expands Leniency Beyond FCPA, Lets Barclays Off (https://www.law360.com/articles/1017798/doj-expands-leniency-beyond-fcpa-lets-barclays-off); Deputy Assistant Attorney General Matthew S. Miner Remarks at the American Conference Institute 9th Global Forum on Anti-Corruption Compliance in High Risk Markets (https://www.justice.gov/opa/pr/deputy-assistant-attorney-general-matthew-s-miner-remarks-american-conference-institute-9th); Deputy Assistant Attorney General Matthew S. Miner of the Justice Department’s Criminal Division Delivers Remarks at the 5th Annual GIR New York Live Event (https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matthew-s-miner-justice-department-s-criminal-division); see also DOJ Commentary Underscores the Importance of Pre-Acquisition Diligence (https://www.ropesgray.com/en/newsroom/alerts/2018/08/DOJ-Commentary-Underscores-the-Importance-of-Pre-Acquisition-Diligence).
[3] Report of the Attorney General’s Cyber Digital Task Force (https://www.justice.gov/ag/page/file/1076696/download).
[4] Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft (https://www.justice.gov/criminal-ccips/file/891011/download).
[5] Insurance Corporation of Barbados Limited Declination (https://www.justice.gov/criminal-fraud/page/file/1089626/download); Guralp Systems Limited Declination (https://www.justice.gov/criminal-fraud/page/file/1088621/download).
[6] See sources cited supra note 1.
[7] USAM § 9-47.120(3)(c).