Welcome to Compliance Hot Spots, our briefing on compliance, enforcement and government affairs. Another week has come with another story of a company’s security lapse—this time, a flaw that exposed the profile data of Google+ (RIP) users. So what better time to look at the Federal Trade Commission turning up the heat in its push for expanded authority to assess fines in data privacy cases? Fines can hurt, after all. A Democratic commissioner, Rebecca Slaughter, recently addressed the current gaps in the FTC’s authority and the deterrent power of fines.
➤➤ As always thanks for reading—and please do send feedback. I appreciate hearing from you about what’s on your plate—observations, trends, new clients. I’m at email@example.com and 202-828-0315, or follow me on Twitter @cryanbarber.
Would you like to receive Compliance Hot Spots as an email? Sign up here for a trial.
With a sweeping, newly-enacted data security rule, the European Union has emerged as the top cop on the consumer privacy beat. Its authority to levy fines of 20 million euros—or, alternatively, 4 percent of a company’s global annual revenue—amounts to a big stick.
In the United States, the Federal Trade Commission is speaking softly by comparison. The FTC currently lacks the authority to assess civil penalties in data privacy cases unless a company violates the terms of a settlement. But the new slate of commissioners—perhaps envious of the new power afforded to their European peers—are speaking up more and more to make the case for giving the FTC broader authority to assess fines in data privacy cases.
The latest pitch came from Commissioner Rebecca Slaughter. Appearing at the Privacy and Security Forum in Washington, Slaughter (at left) said Friday that the FTC wields a “much smaller stick” than its European counterparts—“and that is genuinely a problem for encouraging compliance.” Seated beside Willem Debeuckelaere, president of the Belgian Data Protection Authority, Slaughter spoke of the power of penalties, particularly ones as steep as what is possible under Europe’s General Data Protection Regulation.
“I actually don’t think that Europe is sitting around threatening 4 percent to everybody or being necessarily unfair or disproportionate about that. I think it is what is incentivizing companies to say we really, really do want to get this right and act in good faith to make that happen,” Slaughter said. “From an enforcement perspective, I think you’re going to see more compliance with that stick than the one we have.”
Slaughter suggested giving the FTC added rule-making authority. When the FTC has that power, she said, “we can provide clear guidance to companies—clearer guidance about compliance and what we expect.”
“And when we have rules out there, a violation of the rule creates civil penalty liability. So I think there’s a mechanism to do it, i just think there are a lot of gaps in where our law covers it right now. And so my No. 1 wish list [item] would be to fill in those gaps.”
Her comments echoed remarks FTC Chairman Joseph Simons gave to a House subcommittee in July, when he addressed the limits of the main statute enforced by the agency—Section 5 of the FTC Act, which does not allow for civil penalties. “In my view, we need more authority,” Simons said, pushing for data security legislation that would give the FTC the “ability to seek civil penalties to effectively deter unlawful conduct.”
Compliance Reading: Bharara Task Force | SEC Dusts Off Cyber Tool
>> The Bharara Task Force on Insider Trading is launched. “The shoddy state of American insider-trading law affects everyone,” former U.S. attorney Preet Bharara(above) and current SEC member Robert Jackson Jr. write in a New York Times op-ed. “Prosecutors and regulators are stuck enforcing laws that are ill-suited to 21st century misconduct. Lawyers struggle to tell their clients what they can and cannot do within the bounds of the law. And ordinary Americans are left asking whether financial markets are stacked in favor of those who skirt the rules. Our law should leave no doubt about the answer to that question.” Bharara and Jackson said eight former regulators, prosecutors and judges will comprise the task force.
>> An SEC cease-and-desist order against Voya Financial Advisors Inc. last month includes enforcement of the “identity theft red flags rule,” which had never been previously used, according to Craig Newman, a partner and chair of the data security practice at Patterson Belknap Webb & Tyler. Newman writes at The New York Times: “The SEC’s action should set off alarm bells for every financial firm and board of directors under the agency’s watch. Most companies are not in compliance with the rule and, given the agency’s increased focus on cybersecurity, they should move quickly to address any issues.” Voya, represented by general counsel John Longwell, did not admit or deny the charges. My colleague MP McQueen in New York has more on the settlement here.
>> In 2016, the student loan collector Navient was nearing a settlement with the Consumer Financial Protection Bureau to resolve a three-year investigation. Then Donald Trump was elected president. The CFPB ended up suing shortly before Trump’s inauguration and, by all appearances, has since aggressively litigated the case in a Scranton, Pennsylvania, federal court. But with the Trump-appointed leadership signaling a softer enforcement approach, more state attorneys general have jumped into the fray and filed their own actions against Navient. [New York Times]
>> ZTE Corp., the Chinese telecom giant, will be getting to know its compliance monitor even better. A federal judge in Dallas recently extended by two years the term of James Stanton, the monitor he hand-picked to ensure ZTE’s compliance with U.S. export laws. The order was accepted and signed by ZTE’s new president, Xu Ziyang, and its new chief legal officer, Shen Nau, as well as by its outside counsel, J. Evans Rice III of Hogan Lovells in Washington, and Michael Gibson, managing partner of Burleson, Pate & Gibson in Dallas. [Corporate Counsel]
>> The Barclays CEO’s effort to unmask a whistleblower didn’t reflect well on the bank’s compliance program. After a number of high-profile departures from the compliance team, the Barclays is now overhauling its in-house department tasked with overseeing investment bankers. A pair of headhunters told Financial News they had knowledge of other banks making compliance cuts in the UK as part of their efforts to prepare for Brexit.
Who Got the Work
>> Elon Musk’s Twitter account is turning into his worst enemy. First, in a settlementwith the Securities and Exchange Commission, he agrees to relinquish the Tesla chairmanship over a tweet in which he claimed to have secured funding to take the electric car company private. Then, he insults the SEC, calling it the “Shortseller Enrichment Commission.” A day after that post, Williams & Connolly chairman Dane Butswinkas entered an appearance in the court where Musk settled allegations over an earlier tweet—the one in which he claimed he had secured funding to take the electric car company private. Steven Farina, chairman of the Williams & Connolly’s accounting malpractice and securities litigation and enforcement practice groups, also entered an appearance in Manhattan federal court. [Bloomberg]
>> David Schertler of Washington’s Schertler & Onorato helped real estate developer Todd Elliott Hitt resolve fraud allegations brought by the SEC. The commission accused Hitt of skimming investor funds that were supposed to be used for purchasing an office building near a planned commuter rail station on the Washington Metro’s silver line. Hitt’s assets were frozen as part of the SEC settlement, which also bars him from offering or selling interests in real estate development companies.
Notable Moves and New Hires
>> Peter Hyun, a former chief counsel to California Sen. Dianne Feinstein, has joined Wiley Rein as a partner in Washington. Hyun will work out of Wiley Rein’s white-collar defense and government investigations practice. In an interview with the National Law Journal, Hyun said he expects the House of Representatives to flip to Democratic control—a swing in power that will lead to an uptick in congressional investigations.
>> Lyft has hired former Obama administration transportation secretary Anthony Foxx as the ride-hailing company’s new policy chief. Foxx will help the company “navigate new regulatory roadblocks across the U.S.” Bloomberg reports.