Wachtell Lipton Discusses White-Collar and Regulatory Enforcement: What Mattered in 2020 and What to Expect in 2021

As we write this memorandum, a new administration is forming in Washington, with new leadership teams being nominated at DOJ, SEC, CFTC and other regulatory and law-enforcement agencies — thus prompting the question of what these changes may portend for white-collar and regulatory enforcement priorities, trends and policies.  Having watched many administrations come and go over the years, our sense is that, in this area at least, continuity tends to prevail over disruption.  That said, we can offer the following educated guesses on what to expect going forward:

  • At DOJ, it is highly likely that the basic framework governing charging decisions involving corporate actors (set forth in the Principles of Federal Prosecution), which requires prosecutors to weigh the seriousness of the offense, the role (if any) of high-level management, the effectiveness of a company’s compliance program at the time of the offense, the extent of cooperation and reporting, remedial measures taken, and potential collateral consequences for innocent stakeholders, will remain firmly in place.
  • Likewise, the policies DOJ has announced over the past few years — including those discouraging federal agencies from “piling on” to a DOJ investigation; requiring companies seeking cooperation credit to provide all known facts concerning the culpability of individuals (while still preserving and protecting applicable privileges and attorney work product); urging caution and care before any outside monitor is imposed; and establishing new, sophisticated criteria for evaluating the design, adequacy, resources and evolution of corporate compliance programs — all will likely remain in force.
  • Enforcement aimed at bringing cases against culpable corporate officers, employees and agents will surely continue unabated.
  • Despite those expected continuities, we think it likely that the new administration will ramp up its focus on accounting fraud, earnings management and the like — areas that received relatively less attention over the past four years — and, in particular, there will be increased focus on suspected frauds associated with responses to the Covid-19 pandemic.
  • We also expect corporate disclosures and practices regarding climate-change risks and mitigation measures, as well as cybersecurity readiness, breaches and responses, to receive greater federal law enforcement attention.
  • Finally, the substantive areas that have drawn sustained focus over the past few years, such as antitrust, market manipulation (including “spoofing” cases), U.S. sanctions, AML and FCPA, will all likely remain high priorities.

The enormous public-health and economic challenges arising from the global Covid-19 pandemic remain with us as we head into 2021, and the observations and recommendations offered in our April 2020 memorandum are certainly as important and relevant now as then.

We hope that one of the hallmark achievements in DOJ policy over the past few years — namely, providing greater transparency and certainty about the requirements necessary to receive corporate cooperation credit, including significant fine reductions and, in appropriate cases, outright declinations of prosecutions — will be preserved by the incoming administration.  If that hope is realized, then having well-designed, pressure-tested and broadly effective compliance programs in place, coupled with active, constructive and substantive cooperation and remediation when problems do arise, should remain the keys to achieving the best possible outcome for any company facing a substantial white-collar inquiry.

While President Biden has nominated Merrick Garland as Attorney General and Gary Gensler as SEC Chairman, as of this writing, neither has been confirmed.  We therefore plan to focus on those and other pending confirmations for key law-enforcement positions, as those developments may signal coming shifts in priorities and policies.  We also expect that if Judge Garland is confirmed, he will work hard to restore the long-honored tradition of DOJ independence from political interference, a salutary principle that the prior administration often failed to respect.

In the sections that follow, we provide our more detailed views on the main developments we saw in 2020 and the likely changes companies can anticipate in 2021:

DOJ Developments

For all the challenges presented by the Covid-19 pandemic, 2020 was nonetheless a year of continuity and headline-grabbing cases for DOJ.  The year saw an $8.3 billion resolution with Purdue Pharma disposing of opioid-crisis-related charges; $3.9 billion and $2.9 billion agreements with Airbus and Goldman Sachs Group, respectively, to resolve FCPA matters; and a $3 billion resolution with Wells Fargo addressing bank employees’ systematic unauthorized opening of customer accounts.  2021 is off to a similarly blockbuster start, with a $2.5 billion case announced in January against Boeing for deception of the Federal Aviation Authority.

The new administration will of course bring some changes in policy and enforcement priorities.  For example, just a few days ago, the Acting AG reversed the prior administration’s policy directing federal prosecutors to bring the most serious provable charges and seek the harshest possible sentences, replacing that with a welcome directive that prosecutors should make an individualized assessment taking into account all relevant factors.  While it is difficult to predict the precise trajectory white-collar enforcement will take under the Biden administration, we expect an increase in investigations and prosecutions of corporate misconduct — especially those focused on areas, like accounting fraud, that have received comparatively less attention over the past few years.  Our hope, as noted, is that this increased activity will proceed against a backdrop of adherence to core policies of:  transparency in criteria governing prosecutorial discretion; encouragement of internally driven compliance, detection, and self-reporting; and careful evaluation and rewarding of cooperation.

As we observed in June, new DOJ guidance explains with laudable precision the criteria for evaluating corporate compliance programs.  At the same time, recent dispositions of both criminal and civil cases reflect that DOJ has made good on its 2018 commitment, in the Policy on Selection of Monitors in Criminal Cases, to move away from the old government-imposed monitorships where a corporation’s compliance program is “demonstrated to be effective and appropriately resourced at the time of resolution.”  This welcome shift allows companies to resolve DOJ investigations without expensive and often ill-fitting intrusion into their daily affairs.  But the shift, which we expect will carry through the Biden administration, calls for enhanced responsibility:  companies now know what DOJ expects from compliance programs, and will have little excuse if they fall short of those expectations.

We expect the new administration to continue to emphasize and reward self-reporting and cooperation — an emphasis that predates the prior administration.  Over the past several years, DOJ has published increasingly nuanced guidance recognizing the value of self-reporting and defining what sort of cooperation is expected to secure a declination or a non-prosecution agreement.  For example, in early 2018, DOJ’s Criminal Division announced its intention to apply the Principles of FCPA Corporate Enforcement Policy to white-collar cases of all stripes.  Accordingly, absent aggravating factors, DOJ now favors declining prosecution in cases where companies self-report, cooperate fully, and provide disgorgement and remediation.  Given that this approach is the product of long experience and careful thought, we doubt it will change anytime soon.

As for substantive areas of expected enforcement activity, there will likely be no significant shift in emphasis — except that, as noted, the financial industry is likely to come under greater scrutiny than it has over the past four years.  If that prediction is correct, we should expect to see a proliferation of cases charged under the wire fraud statute, which has proved a useful tool for prosecutors wading into new enforcement waters.  In September 2020, the government won an important trial in United States v. Vorley (N.D. Ill.), persuading a jury that the defendant traders had committed fraud by placing orders they had no intention of executing.  This species of market manipulation, which also formed the basis of a September 2020 DPA requiring JPMorgan to pay $920 million, can be difficult to detect and prosecute.  But the wire fraud statute — under which both Vorley and the JPMorgan case were prosecuted — played a key role, filling gaps left by more specific but narrower laws.  Similarly, in a case we highlighted last year, United States v. Blaszczak, the Second Circuit approved application of the wire fraud statute and a related securities fraud provision of Title 18 to prosecute insider trading in confidential government information — an area of limited prior enforcement activity.  Aspects of the Second Circuit’s ruling will be revisited in light of the Supreme Court’s Kelly v. United States decision, but we expect the government will continue to push the boundaries of the wire fraud statute and its analogs.

Antitrust enforcement, lately an area of particular focus, will likely remain so.  October 2020 saw the Antitrust Division taking on Google — just a few months after having levied price-fixing and bid-rigging charges against pharmaceutical giant Teva Pharmaceuticals.  With the passage of the Criminal Antitrust Anti-Retaliation Act in December 2020, Congress underscored support for antitrust enforcement.  That Act, affording protection to individuals who report antitrust violations, will likely encourage whistleblowing and generate increasing numbers of enforcement matters.

Turning to other potential areas of increased enforcement, we see two:  First, as the global pandemic enters what we all hope is its final phase, there will likely be a growing focus on fraud emerging out of the pandemic, including healthcare fraud generally, misuse of the CARES Act’s Paycheck Protection Program, and false or misleading disclosures about Covid-related effects on business performance and preparedness.  Second, we expect that President Biden’s high-profile initiatives on combating climate change may result in increased enforcement using the criminal penalty provisions of the Clean Air and Clean Water Acts.

Enforcement priorities in the coming year will necessarily be shaped by the personnel in charge of developing them.  As noted, President Biden has tapped Merrick Garland, Chief Judge of the United States Court of Appeals for the D.C. Circuit, to be Attorney General.  That choice augurs well for a return to apolitical enforcement and independence at DOJ.  For Deputy Attorney General, President Biden has selected the likewise respected Lisa Monaco, former Assistant Attorney General for National Security.  If other high-level positions are filled with similarly seasoned prosecutors, one can reasonably expect to see robust DOJ enforcement move forward in an environment of continuity and integrity.

SEC Developments

While there was an understandable dip in the Enforcement Division’s statistical performance due to Covid-19 disruptions in 2020, the agency’s achievements over the year as a whole were nonetheless significant.  After an initial pause in many investigations, the enforcement staff adapted to working remotely.  Investigative testimony, witness interviews and presentations by defense counsel are now routinely conducted by videoconference.  The pandemic itself was a trigger for a new enforcement focus.  In March and April, for example, the Commission suspended trading in securities of two dozen issuers due to fraudulent Covid-related disclosures, including claims about potential Covid-19 treatments, the manufacture and sale of personal protective equipment and disaster-response capabilities.  Ultimately, more than 150 Covid-related investigations were opened, and we expect many of those to continue into 2021.  While SEC officials have said that the agency will not second-guess well-reasoned and well-documented accounting judgments and estimates, they will nonetheless seek to test that accounting controls are still functioning properly given the adverse effects and challenges imposed by the pandemic.

One apparent side effect of the pandemic has been a sharp increase in incoming leads received by the SEC.  From mid-March through the end of 2020, the SEC’s Market Intelligence Office reviewed approximately 16,000 tips, complaints and referrals — a 71% increase over the same period in 2019.  During that time, the SEC opened 640 new inquiries and investigations, a 7% increase over the same period in 2019.  By contrast, standalone enforcement actions launched in 2020 (excluding follow-on administrative proceedings and delinquent filing cases) numbered only 405, as compared with 526 in 2019 and 490 in 2018.  Case mix stayed largely the same, with securities offerings (32%), investment advisory and investment company issues (21%) and issuer reporting/accounting and auditing (15%) as the largest categories.  Insider trading accounted for 8% of cases brought, in line with historical experience.

The whistleblower program continues to be an important component of the enforcement portfolio, and, here again, the pandemic saw an uptick in activity.  In fiscal 2020, the Office of the Whistleblower received 6,212 reports, by far the largest number of tips received in a single year, and far exceeding the previous high of 5,282 in 2018.  The single largest category of reports involved corporate disclosures and financial statements, consistent with experience since the inception of the program in 2011.  A total of $175 million in whistleblower payments was awarded to 39 individuals in fiscal 2020.  October 2020 saw the largest whistleblower bounty ever — $114 million awarded to a single individual.  Whistleblower rules were amended in September 2020, bringing greater efficiency and signaling that this program is here to stay.

Notable case law and legislative developments in the past year focused on the SEC’s enforcement authority and ability to seek disgorgement remedies.  In Liu v. SEC, the Supreme Court affirmed SEC authority to obtain disgorgement from securities law violators in civil actions, but also (1) raised doubts about the viability of the SEC’s practice in some cases of causing disgorgement funds to be paid to the U.S. Treasury rather than distributed to injured investors; (2) expressed reservations about the SEC’s practice of seeking disgorgement on a joint-and-several liability basis; and (3) found that disgorgement cannot exceed the wrongdoer’s net gains.  Liu thus extended the Court’s skepticism about the Commission’s disgorgement powers, building on its earlier decision in Kokesh v. SEC, which held that disgorgement must be considered a penalty for statute-of-limitations purposes and therefore subject to a five-year limitations period.

Congress reacted to Liu and Kokesh by amending the Securities Exchange Act of 1934 in January 2021, as part of the National Defense Authorization Act.  These amendments authorize the SEC to obtain “disgorgement . . . of any unjust enrichment by the person who received such unjust enrichment” in federal court actions, thus confirming by statute the SEC’s previously implied authority to pursue this remedy.  The amendments also set a 10-year limitations period for disgorgement in cases of fraud, including for violations of Section 10(b) of the Exchange Act, while maintaining a five-year period for non-scienter based claims.  The amendments separately establish a 10-year period for equitable remedies such as injunctions, bars, suspensions, or cease-and-desist orders.  While Congress has now reversed Kokesh, at least in part, the amendments do not directly address whether and to what extent the SEC’s disgorgement remedy remains subject to the various equitable limitations raised in Liu.  As a result, while these amendments have expanded SEC authority in certain respects, the precise boundaries of the disgorgement remedy will continue to be tested in future cases.

In her valedictory message, outgoing Enforcement Director Stephanie Avakian commented, “Every time there is a transition it seems we hear about shifting sands and predictions of a change in enforcement focus.  I’ve come to learn that is all noise.  Inside the Division, we keep our focus and hew to our mission.”  Still, every new administration brings its own areas of emphasis and own approach to deploying the Commission’s enforcement arsenal.  Many predict that President Biden’s nominee to head the SEC, Gary Gensler, will bring a more aggressive approach to enforcement if he is confirmed.  We think it too early to make that prediction.  Mr. Gensler is a highly experienced financial regulator, and we’re confident his deep experience has taught him that a superficially more “aggressive” approach does not necessarily yield a more effective or just enforcement program.

In particular in this regard, we hope three distinctive features of recent SEC enforcement practice will be preserved and extended by the incoming administration:

  • Acknowledging Valuable Corporate Cooperation. Over the past two years, the Commission made laudable efforts to demonstrate through its resolution of cases that good cooperators receive tangible benefits.  For example, in each of its two most recent annual reports, the Enforcement Division singled out settlements in which the Commission determined not to seek any civil money penalty against a company in recognition of exemplary cooperation.  We hope the new administration recognizes that such resolutions are not examples of “weak” enforcement, but rather are a savvy way of incentivizing future cooperation by convincing corporate decision-makers that they really will benefit.  A related tool, also embraced by the Commission of late, is explaining in detail why a specific company’s cooperation earned credit, thus providing guideposts for future cooperators.  In BMW, for example, the company provided the enforcement staff with access to evidence located offshore, making witnesses from abroad available for interviews and producing documents from outside the U.S., and was recognized in the settlement with the Commission for those exemplary efforts.
  • Careful Evaluation of Individual Responsibility. Holding individuals responsible for wrongdoing in corporate settings is likewise sure to continue, as it should. But we hope the new administration will strive to maintain an enforcement program that is not only tough but fair.  In the wake of the last financial crisis, amid widespread cries to hold individuals responsible, an aggressive SEC brought a range of cases:  many, of course, were appropriate and successful, but there also were a number of flimsy cases that resulted in defense verdicts at trial, mid-litigation dismissals by the Commission of its own complaint or slap-on-the-wrist settlements.  We trust that the lessons from the post-2008 era continue to resonate for the Commission, and that it will refrain from overreaching when charging individuals.
  • Efficiency in Investigations. Finally, we hope the enforcement staff will carry into the post-pandemic enforcement arena some of the efficiencies that have allowed them to function so effectively under Covid-related constraints.  These include early focusing of the issues under investigation and paring down witness lists.  These techniques have worked.  Even after Covid-related restrictions ease, the staff should remain open to streamlining investigations, thereby reducing the time and resources devoted to peripheral avenues of inquiry.

State Attorneys General

Just as we predicted four years ago, state attorneys general ramped up their enforcement efforts during the past administration, including in areas historically dominated by federal regulators.  With the Biden administration signaling different priorities, especially as to climate change, we expect state AGs will continue to flex their independent regulatory muscle, while perhaps looking to focus on different regulatory areas of less interest to the new federal administration.

Pending investigations and enforcement actions are of course likely to continue — and there remain many high-profile cases to watch in 2021.  In particular, the past year has featured bullish state AG efforts in the area of antitrust.  This past December, a coalition of 46 states filed a large antitrust suit against Facebook alleging the company engaged in anticompetitive acquisitions.  Likewise, Google faces a multitude of antitrust suits brought by various combinations of state AGs, including one brought in combination with DOJ.  Given the apparent bipartisan interest in these kinds of cases, we expect to see sustained focus on the technology sector by state AGs going forward.  By contrast, state AGs appear to be moving toward negotiated resolutions in many large cases against pharmaceutical manufacturers and distributors that were prompted by the opioid crisis.  With proposed settlements in the tens of billions of dollars, at least those cases aimed at major corporations could well start to wrap up this year.

Given expected enforcement priorities for the federal government, there are a few areas where states will likely work cooperatively with federal agencies, including on financial and consumer fraud.  Among other things, we anticipate that state AGs will work closely with the CFPB on a host of consumer protection issues including predatory lending and fraud allegations stemming from the ongoing pandemic.

As we have noted before, state AG investigations can be challenging to navigate.  Often, states team up to create multistate groups investigating a given issue.  Yet the diverse and sometimes competing imperatives for each state can make it difficult to reach a global resolution.  And, unsurprisingly, the enforcement priorities for each state AG will be a function of the political environment in his or her state.

FCPA Enforcement

FCPA enforcement continued apace in 2020.  DOJ and SEC each resolved eight corporate FCPA investigations (four of which were joint resolutions involving the same companies).  The DOJ resolutions involved six DPAs (one of which also involved a subsidiary guilty plea) and two plea agreements, while the SEC resolutions were all by settled administrative proceedings.  Although the total number of resolutions was on the lower end for recent years, the financial penalties were not.  Indeed, by many metrics 2020 was a blockbuster year, with DOJ and SEC imposing a total of some $6.5 billion in fines, disgorgement and interest which, after offsets for amounts paid to foreign and other U.S. enforcement authorities, resulted in recovery of some $2.78 billion.  Resolutions included two of the largest ever: $3.9 billion with Airbus S.A. arising out of a bribery scheme to sell aircraft to governmental entities in China and other countries, as well as disclosure violations in connection with sales or export of defense articles and services to foreign armed forces under the Arms Export Control Act, and $2.9 billion with Goldman Sachs related to the 1MDB scandal.

While those numbers are certainly eye-catching, the real story is that the corporate FCPA resolutions in 2020 extended a number of long-term trends in corporate criminal enforcement generally, and FCPA enforcement in particular:

  • Broad Scope of FCPA Risk. FCPA resolutions in 2020 involved a wide range of industries — including healthcare, aerospace, financial services, energy, consumer products and industrials — and a similarly wide range of countries and regions, including Latin America, Europe, Africa and Asia.  FCPA risk exists for any company doing business in any country considered higher risk for corruption and where there is a significant intersection of business with foreign officials.
  • Fewer Monitors. None of the 2020 DOJ/SEC corporate resolutions involved a monitor, marking a change from recent years.  As discussed above, this is consistent with DOJ’s movement generally over the past few years away from monitorships and toward reliance on enhanced internal compliance programs.  In two of last year’s DPAs, DOJ noted that the settling company had remedied an inadequate FCPA compliance program by the time of the resolution and thus no monitor was required.
  • International Coordination/Cooperation. The Airbus case involved parallel anti-corruption resolutions with the National Financial Prosecutor in France and the Serious Fraud Office in the U.K., which collectively leveled penalties totaling more than $3 billion, with some $1.8 billion credited by DOJ.  Indeed, DOJ emphasized that the French and U.K. authorities had “significantly stronger” interests and jurisdictional connections in the matter, and that Airbus would be subject to oversight by French authorities — a factor that may have supported DOJ’s determination not to impose a monitor in the case.  The Goldman Sachs resolution likewise involved separate parallel resolutions with enforcement authorities in the U.K., Singapore, Hong Kong and Malaysia, as well as assistance from other foreign authorities, including Switzerland, France and Luxembourg.
  • Domestic Coordination/Cooperation. Increasingly, corporate FCPA enforcement involves cooperation and coordination among DOJ/SEC and other U.S. enforcement authorities.  The Goldman Sachs resolution, for example, included coordinated settlements with the Federal Reserve and New York State Department of Financial Services, each of which levied the financial penalties.  Vitol Inc.’s DPA represented the first coordinated anti-corruption resolution with the CFTC, thus making good on that agency’s March 2019 pledge to pursue cases involving foreign corruption that violates the Commodity Exchange Act.
  • Relevance of Other Regulatory Regimes. FCPA-related misconduct may trigger issues under other regulatory regimes or expose other conduct that raises such issues.  As noted, the Airbus resolution involved violations under the Arms Export Control Act and related regulations, which accounted for almost $300 million in penalties.  The CFTC’s resolution with Vitol likewise involved CEA charges and related penalties for market manipulation conduct not covered by the DOJ FCPA resolution.
  • Anti-Piling-On Policy. Extending an established trend, many of the 2020 corporate FCPA resolutions included credit for amounts paid to foreign and other U.S. enforcement authorities involved in parallel resolutions.  Among the rare exceptions to this trend was Beam Suntory, involving bribes paid to Indian governmental officials, where credit for a related SEC settlement in 2018 was denied due to the company’s significant delay in reaching a timely resolution and its failure to accept responsibility for several years.
  • DOJ Inability-to-Pay Policy. The Sargeant Marine resolution illustrates the impact of DOJ’s 2019 policy addressing cases where a company demonstrates an inability to pay.  There, DOJ discounted the fine level by 80% from the agreed-upon fine level, which itself included an initial 25% discount, because a larger fine “would substantially jeopardize the continued viability of the company.”
  • Continued Issuance of Declinations. In World Acceptance Corp. last year, DOJ issued yet another public declination, bringing to 14 the total number of formal declinations issued since DOJ implemented its FCPA Pilot Program.  Several other companies reported that previously disclosed DOJ and/or SEC FCPA inquiries were closed without issuance of a formal DOJ declination letter or SEC resolution.

Commentators are predicting dramatically increased FCPA enforcement efforts under the new administration.  Cases and statistics over many years and administrations, however, suggest that FCPA enforcement has been a largely apolitical and constant feature of the U.S. enforcement landscape — as reflected, for example, in the joint issuance by DOJ and SEC last year of an updated version of the same FCPA Resource Guide first issued by the Obama administration in 2012.  We see no dramatic change on the horizon.

Anti-Money Laundering Developments

At the close of 2020, Congress enacted the Anti-Money Laundering Act as part of the National Defense Authorization Act.  AMLA represents the most comprehensive overhaul of federal anti-money laundering regulation since the PATRIOT Act in 2001.  Among its many provisions, AMLA:

  • codifies the current risk-based approach to AML-related due diligence by financial institutions, and authorizes Treasury to establish national AML priorities that financial institutions must incorporate into their compliance programs;
  • provides for congressional oversight of Bank Secrecy Act enforcement, requiring the Attorney General to submit annual reports to Congress on DPAs and NPAs resolving BSA investigations;
  • adopts new penalties for BSA-related violations, including (1) increased penalties for repeat offenders; (2) claw-back of bonuses for employees of a financial institution involved in a BSA violation; and (3) prohibiting individuals who commit an “egregious” violation from sitting on the board of a U.S. financial institution for 10 years;
  • brings certain virtual currency businesses within BSA regulation;
  • enhances federal subpoena power to obtain records of “any account” held by a foreign bank that maintains a U.S. correspondent bank account, “including records maintained outside of the United States” in connection with certain types of investigations, and empowers U.S. authorities to require U.S. correspondent banks to terminate account relationships with non-compliant foreign banks;
  • bolsters the BSA whistleblower program by providing for awards of up to 30% in cases where the government secures monetary sanctions of more than $1 million, and authorizing referrals to the Department of Labor of allegations of retaliation against whistleblowers; and
  • imposes new reporting requirements, in an effort to combat concealment of funds movement through “shell” and other small companies, on certain U.S. companies and foreign companies registered to do business in the U.S. to report (and update) beneficial ownership information to FinCEN, which will maintain a non-public database available to law-enforcement agencies and financial institutions.

As part of this same legislative package, the Kleptocracy Asset Recovery Rewards Act was passed to supplement FCPA enforcement by enhancing U.S. authorities’ ability to identify and recover U.S.-located assets linked to foreign corruption.  The Act creates a three-year whistleblower pilot program run by Treasury offering awards of up to $5 million to those who provide information leading to the restraint, seizure, forfeiture or repatriation of stolen assets held in accounts maintained with a U.S. financial institution or that come within the U.S. or within the possession or control of a U.S. person.  Congress established a $25 million-per-year budget for the program, with an option for Treasury to seek higher amounts, and Treasury must obtain DOJ approval before paying a reward in cases involving federal criminal jurisdiction.

We expect AML enforcement to be an important priority going forward, aided by these new statutory tools.  U.S. financial institutions and other affected companies should carefully consider the new regulatory measures in connection with the periodic review of the effectiveness of their AML and related compliance programs.

Cybersecurity Developments

Over the past year, the regulatory environment governing cybersecurity has grown ever more complex, with the ongoing pandemic adding new dimensions to the cyber challenges facing companies across the country.  Our observation last year — noting that a patchwork of sometimes inconsistent federal and state data-privacy and cybersecurity requirements has made compliance enormously challenging — remains true and, unfortunately, those challenges may increase as 2021 unfolds.

Confronting cyber-hacking and ransomware attacks will likely be at the top of the federal government’s agenda, and even companies victimized by cybercrime face compliance and enforcement risks.  In October, Treasury’s Office of Foreign Assets Control explained that paying or facilitating the payment of ransom to cyber-hackers can in some circumstances expose companies to charges of sanctions law violations.  In an apparent effort to soften this harsh rule, OFAC also made clear that a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” would be a significant mitigating factor in the determination of enforcement outcomes.  Relatedly, in late January 2021, FBI Director Christopher Wray publicly encouraged companies to work with law enforcement to identify cybersecurity threats to better coordinate responses once a threat has manifested.

Also at the federal level, the FTC remained highly active in the data privacy space in 2020.  While it secured several high-profile settlements — including district court approval this past April of a $5 billion settlement with Facebook first announced in 2019 — the agency’s authority to pursue such settlements may be curtailed in 2021.  Just a few weeks ago, the Supreme Court heard argument in AMG Capital Management v. Federal Trade Commission, a case centered on the FTC’s authority to seek monetary relief under Section 13(b) of the Federal Trade Commission Act.  An adverse ruling could substantially limit the agency’s ability to seek monetary relief.  The FTC nonetheless remains motivated to further develop data-privacy law.  In December, for example, it issued orders under Section 6(b) to Amazon, Facebook, Twitter, YouTube and other social media and video-streaming companies seeking information on data collection, content algorithms, and targeted advertising.  These orders are likely a harbinger of enhanced focus on those topics, either through enforcement actions, rule-making or legislative proposals.

And, in the absence of comprehensive data-privacy legislation at the federal level, states have announced varying standards in this area.  California’s Consumer Privacy Act became effective in January 2020, with further requirements arriving when the California Privacy Rights and Enforcement Act goes into full effect on January 1, 2023.  Beyond imposing a variety of personal information protections, the CPRA created a new state agency, the California Privacy Protection Agency, to enforce California’s novel privacy regime.  New York, too, had a watershed year in cybersecurity regulation.  This past summer, DFS announced its first enforcement action under the agency’s cybersecurity rules, signaling that it will likely increase its cyber-enforcement efforts in the coming year.

The upshot for companies is that devoting the necessary resources to cybersecurity compliance in order to keep pace with the ever-evolving regulatory environment remains mission critical.


Even as a new administration is taking shape, the advice we’ve offered in past years remains fully relevant:  well-managed companies and attentive boards of directors would be wise to continue investing in the design, implementation, and periodic evaluation of a robust compliance program tailored to the company’s business activities and regulatory and legal risks, as those evolve over time.  As we recently affirmed, our experience teaches that effective compliance programs provide the surest foundation for preventing misconduct from arising in the first place or nipping potential legal and compliance issues in the bud before they blossom into a full-blown corporate crisis.  And should misconduct occur, an effective compliance program that enables early detection and timely remediation will best position a company to achieve a more favorable resolution at the close of any resulting investigation.

This post comes to us from Wachtell, Lipton, Rosen & Katz. It is based on the firm’s memorandum, “White-Collar and Regulatory Enforcement: What Mattered in 2020 and What to Expect in 2021,” dated February 2, 2021.