Hackers are hard at work trying to steal your information. That is a fact of modern life, whether you are an individual making purchases with your personal credit card or a Fortune 500 company managing many millions of customer records. Indeed, a company that maintains it has not been hacked probably doesn’t realize the full extent of the attacks it faces or how successful hackers may have been already. Moreover, the fallout from successful cybersecurity breaches is not limited to lost information. From 2014 through the second quarter of 2015, companies reported over 2,429 data breaches containing more than 1.25 billion records of personal information, according to a study published by data security firm Gemalto. IBM recently reported that in 2015 the average corporate cost of data breaches reached $154 per record and more than $3.75 million per incident.
Regulators and plaintiffs’ lawyers alike pay increasing attention to data breaches in an environment where both the technology and the legal obligations change rapidly. Keeping ahead of the threats and of the evolving laws and regulations is challenging. In the United States alone, the list of interested regulators is expansive and includes the Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, and fifty State Attorneys General, each with potentially distinct requirements and agendas. Security breaches reviewed by these authorities have led to a variety of adverse actions against well-established corporations and their directors, including Facebook, Home Depot, and Target. Reasonable-safeguard and notice requirements also vary significantly by industry, particularly in healthcare and financial services, and by the kind of Personally Identifiable Information (PII) involved. For companies with a global presence, especially those with European customers, the compliance challenges multiply, as do the accompanying uncertainties.
Despite the highly technical and complex nature of the problem, these issues should be discussed and addressed at the board level. As former SEC Commissioner Luis A. Aguilar observed at a recent Cyber Risks and the Boardroom Conference: “[E]nsuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.… [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Because the applicable rules and standards typically require the company to “evaluate and adjust” its security program over time, safeguards that are state-of-the-art today can become an alleged basis for liability once the environment changes.
Recent rulings and a settlement in FTC v. Wyndham Worldwide Corporation, a case built on claims of allegedly sloppy security practices, demonstrate the growing challenge boards face in overseeing cyber risk. In that case, the extended fallout from several relatively small attacks between 2008 and 2010 (affecting approximately 500,000 customer credit cards) took more than five years and many millions of dollars in legal fees to resolve. The claims asserted against the company’s directors, although unsuccessful, also show that directors who do not react swiftly and assertively (as the Wyndham directors did) face a real prospect of personal liability for their failures.
In a world where hackers are constantly refining their attacks and reassessing which vulnerabilities can be exploited, there simply is no “one size fits all” approach. Nevertheless, the list below identifies issues that directors should weigh, along with some proactive steps to take:
Add cybersecurity to the list of risks evaluated by the committee of the board that evaluates enterprise risks;
Develop company procedures and a communication plan (sometimes known as a security incident response plan) to be implemented in the event of a data breach;
Add cybersecurity expertise to the board in the form of an experienced director or outside advisors (including experienced counsel);
Create reporting lines from the company’s most senior IT executives, CISO, and in-house counsel responsible for cybersecurity to the company’s directors;
Establish a “tone at the top” that instills a company-wide awareness of security risks;
Consider and explore purchasing cyber insurance to mitigate exposure to risks;
Regularly consult with third-party technical, legal, and training specialists on cybersecurity and related compliance issues; and
Act promptly if cyberattacks or intrusions occur. Many states have their own prompt notice provisions that must be observed.
While the nature and extent of future attacks are unforeseeable, it is certain that hackers will continue to target most companies. All directors therefore must remain persistently vigilant in this evolving technical and legal environment.
David R. Owen and Bradley J. Bondi are partners at Cahill Gordon & Reindel LLP. They advise global corporations and financial institutions, boards of directors, audit committees, and officers and directors in significant matters, including those involving cybersecurity, data protection, and regulatory investigations. Travis Scheft, an associate at Cahill, assisted with this article.
The U.S. False Claims Act (FCA) is an anti-fraud statute used to police the conduct of companies that accept federal funds or have payment obligations to the federal government. The government has been hugely successful in pursuing FCA cases, collecting $26.4 billion from 2009-2015, with $5.5 billion and $3.5 billion in 2014 and 2015, respectively. In light of these staggering figures, every company potentially subject to the FCA must be aware of and take steps to minimize its FCA compliance risk.
The FCA imposes liability on companies and individuals that submit “false claims” for payment to the government. Originally termed “Lincoln’s Law,” the FCA was enacted during the Civil War to bring to justice suppliers who sold fraudulent goods to the Union Army. Its modern incarnation has expanded beyond its defense contracting roots to become a leviathan statute with the ability to reach a vast number of companies and organizations.
The FCA imposes a broad spectrum of liability. “Claims” may be direct or indirect. In addition to a classic “claim”—i.e., an invoice for services rendered—the FCA also reaches, for example, pharmaceutical companies receiving funds through research grants and oil companies paying royalties. Indeed, any entity participating in a government program that provides funding, including Medicare, the Small Business Administration, or even the Federal Emergency Management Agency, is subject to the FCA.
While a violation occurs only if the claim is “false,” falsity is a concept given wide latitude under the FCA. A claim could be “false” if it incorrectly states the amount owed or mischaracterizes the services rendered. In at least some jurisdictions, a claim can be “false” even if it is entirely accurate on its face, where the submitter was not in full compliance with an applicable contract term, statute, or regulation and a plaintiff convinces a court that the lack of compliance could have affected the government’s decision to pay the claim.
Penalties for violating the FCA are severe, including treble damages and civil penalties of up to $11,000 per false claim. These high penalties push this civil statute into the quasi-criminal realm. In an industry where invoicing occurs on discrete transactions, the penalties alone can be harsh even if each individual “false claim” is relatively small. FCA cases are also expensive to defend and carry additional risks of reputational harm and even suspension or debarment from doing business with the government. Companies often choose to settle these cases for high amounts rather than risk an unfavorable verdict. In 2014, Countrywide Financial Corp. and Bank of America paid $1 billion to settle an FCA case rather than litigate damages and penalties to a verdict.
The FCA is a bounty statute: it allows private citizens to bring suit on behalf of the government in exchange for a “bounty” for bringing the case to the government’s attention. The potential rewards for whistleblowers create a strong incentive for current and former employees to take any perceived violation to the government rather than report the concern to management. In 2015 alone, FCA whistleblowers received over $590 million.
There are some affirmative steps that a board can take to protect against FCA liability:
Review the company’s business operations with management to identify “claims” subject to potential FCA enforcement, and ensure that the activities generating those claims are periodically reviewed to prevent and detect potential FCA violations;
Maintain a publicized, anonymous and confidential fraud reporting hotline for employees and third parties;
Investigate reports of fraud-related conduct through counsel to establish and maintain attorney-client privilege over the investigation;
Ensure hotline reporters are informed about the company’s attention to their concerns, validating their efforts while only sharing non-privileged information so as to protect the privilege;
Be aware of whistleblower protection laws, especially the FCA’s prohibition of retaliating against employees;
Upon learning of potential FCA liability, consider whether the company has any obligation to report this to any government agency;
Ensure that the company has a compliance professional and/or experienced FCA counsel who periodically assesses the company’s potential liability and advises the board about this complex and evolving statute.
Tirzah Lollar is a partner and Kathleen Neace is an associate in the Washington, D.C. office of Vinson & Elkins LLP.
The Foreign Corrupt Practices Act (FCPA) prohibits bribery of foreign public officials in order to obtain or retain business. While management primarily oversees the company’s compliance with the FCPA, directors also play an important role in overseeing these risks. According to a 2012 FCPA resource guide by the Securities and Exchange Commission (SEC) and Department of Justice (DOJ), “compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” That view of the two primary bodies enforcing the FCPA has shaped recent enforcement actions.
The government’s resource guide lists the “hallmarks” of an effective anti-corruption compliance program, and recent FCPA cases demonstrate that the government expects companies to actively adopt these hallmarks. FCPA compliance issues are so important to the DOJ that it recently retained a compliance specialist to assist in evaluating the effectiveness of companies’ programs. Below is a brief summary of the hallmarks that directors and officers should consider when building FCPA compliance programs:
High-level commitment. According to the SEC and DOJ, “compliance with the FCPA and ethical rules must start at the top.” Consistent with the agreements in recent DOJ actions, including those against Alstom S.A., IAP Worldwide Services, and Louis Berger International, directors and senior management should provide “strong, explicit, and visible support and commitment” to the company’s policy against violations of the anti-corruption laws and to the company’s compliance code. In practice, that means actively reviewing the compliance program, devoting sufficient resources to FCPA compliance, following up on red flags, and disciplining wrongdoers for noncompliance.
Policies and procedures. The company’s policies and procedures should describe responsibilities for anti-corruption compliance; detail proper internal controls, auditing practices, and documentation policies; and set forth disciplinary procedures. In particular, the company should have a financial and accounting system, including internal controls, reasonably designed to maintain the company’s books and records fairly and accurately. Directors may satisfy their responsibilities by, among other options, periodically reviewing internal controls and responding to any shortcomings, devoting sufficient resources to compliance and internal audit, and responding to compliance benchmarking against peer companies.
Periodic risk-based review. To keep pace with changes within the business, companies should review annually the foreign corruption risks they face and regularly benchmark their compliance function against industry standards, with the goal of ensuring that the compliance program is properly suited to the company’s risk. The review should be conducted with the assistance of outside counsel as necessary. The board should request and expect a briefing on such a review from the chief compliance officer or general counsel at least annually.
Proper oversight and independence. At least one executive, often the chief compliance officer, should have responsibility for oversight and implementation of the company’s anti-corruption program. This person should be given appropriate resources (including personnel and a travel budget) and have a direct reporting line to the company’s governing authority, usually the audit committee.
Training and guidance. In 2012, Morgan Stanley avoided an FCPA enforcement action due in large part to a robust compliance program that trained employees on FCPA issues and required annual employee certifications of compliance. Accordingly, companies should conduct periodic training of employees at home and abroad, and insist on regular certification of compliance with policies and procedures. Companies also should establish channels of communication through which personnel can seek advice and guidance on compliance issues.
Internal reporting and investigation. The SEC and DOJ stress the importance of an anonymous hotline for employees and vendors to report suspected misconduct without fear of retaliation. The hotline should be actively monitored by appropriate compliance personnel, and suspected violations should be investigated promptly by management and, when appropriate, by the audit committee.
Enforcement and discipline. Incentives for compliance and disincentives (i.e., discipline) for non-compliance with anti-corruption policies and procedures are essential components of FCPA compliance. The company’s incentives and discipline should be clearly articulated and applied reliably, promptly, and consistently to all company personnel. The board should have an active role in disciplining any senior managers who have violated anti-corruption policies.
Third-party relationships. According to the SEC and DOJ, third parties are commonly used to conceal bribes, so the company should conduct periodic due diligence on third-party service providers and vendors. As part of that diligence, the company should inform third parties of the company’s compliance program and require compliance with it. While written assurances from third parties of their compliance with the company’s FCPA policies and procedures may be useful, they are not a substitute for the company’s own periodic due diligence.
Mergers and acquisitions. Newly merged or acquired companies often pose the most FCPA risk, and acquirers are responsible for any illegal activity that occurs following the acquisition. Accordingly, the company should conduct thorough pre- and post-acquisition FCPA diligence and take prompt steps to ensure that newly acquired entities are fully compliant on a going-forward basis, including by training the new employees on FCPA compliance. Acquiring companies also should incorporate FCPA compliance into the internal audits of new companies and divisions.
Monitoring and testing. Companies should seek to improve their compliance programs by periodically testing their internal controls for potential weaknesses and risks in view of relevant developments and evolving industry standards. For example, in the DOJ’s landmark plea agreement with Alstom in December 2014, the DOJ required Alstom to conduct “appropriate reviews of its existing internal controls, policies, and procedures” and to adopt or modify its controls to ensure that it maintains fair and accurate books and records and a rigorous anti-corruption program.
David N. Kelley, who previously served as U.S. Attorney for the Southern District of New York, and Bradley J. Bondi, who previously served in senior positions at the SEC, are partners with Cahill Gordon & Reindel LLP. They advise financial institutions and global corporations, boards of directors, audit committees, and officers and directors of publicly-held companies in significant corporate and securities matters, including those involving the FCPA. Michael D. Wheatley, a litigation associate at Cahill, assisted with this article.