Welcome to Compliance Hot Spots, where we’re highlighting news and trends on compliance, enforcement and government affairs. I love the feedback I’ve been getting—thank you—and please keep it coming. What’s on your plate? What are you telling clients? We’ve got some observations below on the FTC’s big loss on a data-privacy order, and check out some of the early observations on the DOJ’s once-secret advisory opinions on the Foreign Agents Registration Act. Scroll to see who got the work in some big new cases. Some links below might require a registration or subscription. Contact me at email@example.com or 202-828-0315, or follow me on Twitter @cryanbarber.
FTC Zapped on Data Privacy. What’s the Reach?
Hardly a month into their time together, newly minted Federal Trade Commission members have a big problem—all thanks to a small medical testing company that turned into a big headache for the agency.
You’ve probably seen the ruling: The now-defunct LabMD prevailed against the FTC in the U.S. Court of Appeals for the Eleventh Circuit, which tossed out an order requiring the company to adopt “sweeping” data-protection measures. The court did not rule on LabMD’s larger challenge to the FTC’s authority to regulate data security, instead finding that the agency’s order requiring cybersecurity reforms was unenforceable because it lacked specificity. Read the decision here—and here’s a link to my post at NLJ.
Sounds narrow, right? Not exactly. What the Eleventh Circuit objected to was the vagueness of the FTC’s order, which, as the court put it, “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.”
That’s a problem for the FTC. “Comprehensive” data security programs similar to the one at issue in the LabMD case have been a fixture of FTC enforcement actions over cybersecurity. Many companies subject to those settlement terms could be tempted now to question whether their own FTC orders are enforceable.
“While the ruling is limited to a single cease and desist order, it raises serious questions about the FTC’s authority to bring enforcement actions predicated on reasonable data security without providing a better sense of the particular security measures it has in mind,” Wiley Rein’s Scott Delacourt said in an email.
The FTC could challenge the decision, asking the full Eleventh Circuit to take a second look. At least for now, the agency has said only that it is evaluating possible “next steps.”
But there’s more. The Eleventh Circuit said the FTC must show that an allegedly unfair practice, such as failing to secure consumer information, was unconstitutional or violated a specific statute or common law principle.
That could create a hurdle for the FTC if it wants to pursue an enforcement action against Equifax Inc., the credit reporting agency that is under FTC investigation over a breach last year that compromised the personal information of nearly 150 million consumers—almost half the U.S. population.
“This decision is a gift to Equifax; to the extent the FTC is investigating them they should be turning handsprings,” said Ropes & Gray partner Doug Meal, who represented LabMD.
Compliance Roundup: FARA Advisory Opinions
The U.S. Justice Department has rolled out a series of memos showing guidance about when law firms and foreign entities need to disclose advocacy work under the Foreign Agents Registration Act. Read the advisory opinions here, and catch my story here about why these disclosures matter.
Covington & Burling’s Robert Kelner, a political law specialist, told me for my NLJ report on the takeaways from the memos: “In general, I would say this is not quite the Rosetta Stone for interpreting DOJ’s position on FARA that some might have hoped for,” he said. “The opinions cover a lot of ground but they do it in some cases at a fairly high level of generality, and that’s partly because we can’t see the requests they’re responding to and the correspondence that led up to the final opinion. So the opinions in some cases give us less than a complete picture.”
Some other stories that caught my eye….
➤➤ Focusing the board on the heart of ethics and compliance issues: A new report from the ethics and compliance consultancy LRN Corp. “highlights a widespread perception that boards of directors are largely ineffective in their oversight of ethics and compliance,” my colleague Sue Reisinger reports at Corporate Counsel. The LRN report was based on 26 in-depth interviews with current or former chief ethics and compliance officers of large companies.
➤➤ “Virtual currency investor complaints to the Consumer Financial Protection Bureau have reached an all-time high,” Bloomberg BNA reports. Between January and March, there were 832 complaints to the CFPB. In all of 2017, consumers made 814 complaints.
➤➤ The tie-up between the Financial Services Roundtable and the Clearing House Association “has dredged up long-standing fissures over how to improve the industry’s image and rebuild its political standing,” Bloomberg reports. The report said three titans—Goldman Sachs Group Inc., Morgan Stanley and Credit Suisse Group AG—were being blocked from inclusion in the new trade association.
➤➤ What should antitrust lawyers and in-house counsel expect from the U.S. Justice Department’s evaluation of antitrust compliance review? James McGinnis at Sheppard Mullin raises these questions here. The focus: remarks from Andrew Finch, a top DOJ antitrust enforcer. “Just last month, enforcers from three different continents joined us at the Division as part of a public roundtable on corporate antitrust compliance, representing a range of views and experiences in encouraging effective corporate compliance programs,” Finch said in prepared remarks in May. “In light of the discussions and feedback from the roundtable, we are re-evaluating our policy regarding corporate compliance efforts. That includes carefully examining our policy regarding pre-existing corporate compliance efforts, and what role they should have in our decision making.”
➤➤ Bloomberg reports on a new OCC report about deceptive practices in the banking sector: “Wells Fargo & Co.’s practice of creating fake customer accounts, while not confined to the San Francisco-based lender, doesn’t signal a wider issue for the financial industry, a U.S. regulator concluded after examining more than 40 large and mid-sized banks.” American Banker has more here.
Who Got the Work
>> “Lobbyists for Walmart Inc. and other retailers are joining forces with companies that process payments in the latest battle over the $90 billion that U.S. merchants pay banks annually to process credit and debit-card charges,” according to Bloomberg. “We want a seat at the table,” Doug Kantor, a Steptoe & Johnson LLP lobbyist who is leading the new group, said. “We are not looking to start another fight but if that’s what happens, then that’s what happens.” Kantor’s lobbying clients, according to U.S. Senate disclosures, include the National Retail Federation, National Association of Convenience Stores and Coalition for Responsible Cybersecurity.
>> Davis Polk & Wardwell’s Paul Mishkin represented the brokerage Merrill Lynch in a $15 million settlement with U.S. securities enforcers. The agency said Merrill Lynch was settling claims that it misled consumers into overpaying for residential mortgage-backed securities, according to a report at Corporate Counsel. The SEC’s investigation was conducted by Melissa Lessenberry, Thomas Silverstein, and Kelly Rock. Read the SEC’s order here.
>> Amazon.com has hired a team from Akin Gump Strauss Hauer & Feld to lobby on “legislation related to information infrastructure and data technology.” The Akin Gump team is Ed Pagano, Ryan Thompson and Vic Fazio.
>> ZTE Corp. has agreed to embed a team of U.S.-appointed “compliance coordinators” as part of a wide-ranging agreement with U.S. regulators amid a sanctions dispute. The compliance coordinators, reviewing ZTE’s compliance with export laws, will answer to the U.S. government for 10 years. A Corporate Counsel report said it wasn’t immediately clear how the appointment of the coordinators affects the U.S. corporate monitor already in place at ZTE. Dallas lawyer James Stanton was appointed as monitor by U.S. District Judge Ed Kinkeade, who oversaw the plea deal in the Northern District of Texas. Stanton began his duties last July. A team from Hogan Lovells had entered appearances in the federal criminal case in Texas, and the firm recently lobbied for ZTE over the sanctions dispute with U.S. officials.
>> Lawyers at Robbins Arroyo and Robbins Geller Rudman & Dowd are suing Ripple Labs Inc. in California state court claiming the fintech company’s XRP digital tokens, or “Ripples,” should be registered as securities under the state’s Corporations Code. My colleague Ross Todd reports that the new suit seeks to certify a class of all California XRP purchasers and comes as Ripple’s lawyers at Skadden, Arps, Slate, Meagher & Flom and Debevoise & Plimpton—including former SEC Chair Mary Jo White—last week removed a previously filed securities suit against the company to federal court.
>> U.S. District Judge Edward G. Smith of the Eastern District of Pennsylvania denied Medtronic’s request for summary judgment in a False Claims Act case. The decision keeps alive government claims that the medical device manufacturer paid kickbacks to doctors. Smith pointed to hazy law on what constitutes an “original source” of fraud allegations under the False Claims Act. Medtronic’s counsel is James Dowden of Ropes & Gray.
Comings (and One Going): New Hires & Promotions
- Mary Beth Buchanan, a former federal prosecutor and Bryan Cave Leighton Paisner partner, has landed in a general counsel role at Kraken, a cryptocurrency exchange operator. Buchanan was a President George W. Bush-appointed former U.S. attorney in Pittsburgh from 2001 to 2009.
- Commercial insurer CNA named Garrett Williams as chief compliance officer. Williams had spent 20 years at State Farm, where he led the insurance company’s enterprise compliance and ethics department.
- Bao Nguyen and Ted Dowd were named deputy chief counsels at the Office of the Comptroller of the Currency. They join Charles Steele as deputy chief counsels in OCC’s office of the chief counsel. OCC said it is recruiting a permanent chief counsel to succeed Karen Solomon, who is retiring at the end of August. Nguyen, who will serve as principal deputy chief counsel, formerly was senior counsel in the legal division of the Board of Governors of the Federal Reserve System. Dowd will supervise the OCC’s legislative and regulatory activities and oversee the securities and corporate practices divisions.
If you missed it, the Wall Street Journal recently profiled Joseph Otting, head of OCC. “It has really been a breath of fresh air to have you here,” Rob Nichols, president of American Bankers Association, said in April.
- Howard Plotkin, the New York-based U.S. compliance chief at Royal Bank of Canada, has left the company, according to Bloomberg. The report said Plotkin was at least the third executive to leave in the past two months. David Lang, RBC’s global chief compliance officer, was handling Plotkin’s duties while a search was underway for a successor.