Cyber Security

Clarification is called for in the Regulations

As you know, I have written three different posts on cyber security as it relates to Government Contracting in the last few months, as this topic has moved quickly in response to breaches that were taking place. What is interesting is the comments coming in from industry asking for clarifications, and now the American Bar Association is making the same type of comments that clarification is needed. Generally, a rule/regulation will have a comment period before it becomes effective. In this case, the “interim” rule on cyber breaches, what was covered, and how to report (what was mandatory, discretionary, should do, etc.), was effective immediately. This immediacy may have resulted in clarifications to the rule as it goes into effect and the operational aspects of the regulation come into play. In this regard, shortcomings of regulations can be seen more clearly when the application of the rule takes effect in the field. I would expect this set of rules/regulations to have clarifications and will keep you posted.

International Cyber Breach Agreements
In September of this year, China and the US reached a cyber security/breach agreement. The UK and Germany followed shortly thereafter. Now, four of the five top economies of the world have reached agreements on not engaging in commercially motivated cyber espionage. It will be interesting to watch as this trend develops and to see the true teeth of the agreements if breached.

The Yates Memorandum and the Department of Justice

In September of this year, the Yates memorandum was issued by US Assistant Attorney General Sally Yates on Individual Accountability for Corporate Wrongdoing. Yates issued the memo to the Antitrust Division, the Environment and Natural Resources Division, the National Security Division, the Tax Division, the Director of the FBI, the Director of the Executive Office for the US and all US attorneys. The purpose of the memorandum is to have all the offices act in uniformity in holding individuals accountable for corporate misconduct, namely high-level corporate officials. What may make companies take a step back is the level of disclosure the Government may ask for before taking into account mitigation measures under the sentencing guidelines. The memo outlines six key steps, some of which are new, that all addressed agencies should take into account before any mitigation should be received by a company.

Tellingly, the memo speaks directly to the difficulty of holding high-level corporate officials accountable and to focusing on the conduct of the individuals during investigations. Here are some excerpts from the memo:

  • In large corporations, where responsibility can be diffuse and decisions are made at various levels, it can be difficult to determine if someone possessed the knowledge and criminal intent necessary to establish their guilt beyond a reasonable This is particularly true when determining the culpability of high-level executives, who may be insulated from the day-to-day activity in which the misconduct occurs. As a result, investigators often must reconstruct what happened based on a painstaking review of corporate documents, which can number in the millions, and which may be difficult to collect due to legal restrictions.
  • The measures described in this memo are steps that should be taken in any investigation of corporate Some of these measures are new, while others reflect best practices that are already employed by many federal prosecutors. Fundamentally, this memo is designed to ensure that all attorneys across the Department are consistent in our best efforts to hold to account the individuals responsible for illegal corporate conduct.
  • The guidance in this memo reflects six key steps to strengthen our pursuit of individual corporate wrongdoing, some of which reflect policy shifts and each of which is described in greater detail below:
    • (1) in order to qualify for any cooperation credit, corporations must provide to the Department all relevant facts relating to the individuals responsible for the misconduct;
    • (2) criminal and civil corporate investigations should focus on individuals from the inception of the investigation;
    • (3) criminal and civil attorneys handling corporate investigations should be in routine communication with one another;
    • (4) absent extraordinary circumstances or approved departmental policy, the Department will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation;
    • (5) Department attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases, and should memorialize any declinations as to individuals in such cases; and
    • (6) civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.