In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court – the Court of Justice of the European Union (“CJEU”) ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available for US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCC”) (a form of international data transfer agreement made available for use by the European Commission).
On May 18, 2020, the Financial Crimes Enforcement Network (FinCEN), as part of its COVID-19-related response, issued a Notice Related to the Coronavirus Disease 2019 (COVID-19) reminding financial institutions of certain Bank Secrecy Act (BSA) obligations and pertinent information regarding reporting COVID-19-related criminal and suspicious activity (the Notice). Contemporaneously, FinCEN issued an Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19) (the Advisory).
In light of the Notice and Advisory, firms should (a) continue to comply with their BSA obligations; (b) include COVID-19 detail only when that detail relates to the reported suspicious activity; (c) review policies and procedures to notify and to provide COVID-19 information to government agencies, including verification of the requesting agency; (d) review the Advisory red flags related to medical scams; and (e) consider revising policies and procedures as appropriate.
COVID-19-related frauds are a special emphasis for law enforcement and regulatory agencies, so failing to detect and report those issues could be viewed as a significant flaw in a firm’s anti-money laundering (AML) program.
The U.S. Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation issued a joint advisory (the Advisory) on April 15, 2020, discussing the threat to the international community posed by cyberattacks linked to the Democratic People’s Republic of Korea (North Korea), in particular highlighting concerns for the financial services sector. North Korea has been subjected to comprehensive international sanctions implemented to pressure its government to denuclearize. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has implemented additional unilateral sanctions in response to other North Korean activities, including cyberattacks, human rights violations and money laundering. In addition to broad prohibitions on trade with North Korea, U.S. sanctions bar domestic financial institutions from conducting or facilitating any significant transaction in connection with trade with North Korea or on behalf of any person whose property has been blocked under executive orders imposing sanctions on North Korea. Foreign financial institutions risk secondary sanctions for engaging in the same. (more…)
On January 31, 2020, the Department of Defense released its latest version of the Cybersecurity Maturity Model Certification (“CMMC”) for defense contractors. Under the CMMC plan, DOD contractors will be required to obtain a cybersecurity rating from Level 1 through Level 5. Self-certification will not be permitted. Given the significant investment of industry resources the CMMC may require, the DOD eased some concerns by announcing that it would roll out the CMMC program out in stages. A new Defense federal Acquisition Regulation Supplement (“DFARS”) clause is expected in the spring of 2020, and CMMC requirements are anticipated to be included in certain limited Requests for Information released starting June 2020. Ultimately, all DOD contracts will include a minimum cybersecurity requirement by 2026. (more…)
On January 13, 2020, the U.S. Department of the Treasury (Treasury) issued final and interim regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which expands the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to review foreign investments and mitigate any potential national security concerns. While the final regulations largely track the proposed regulations issued on September 17, 2019, Treasury has made refinements and added several clarifying examples. See Sidley’s previous Update on the proposed regulations.
Following the structure of the proposed regulations, the final regulations were issued in two parts: one part covers investments in real estate, available here, while the other covers certain other investments in U.S. businesses, available here. Treasury simultaneously released a number of frequently asked questions on the proposed regulations, available here, and a fact sheet, available here.
The final CFIUS regulations will go into effect on February 13, 2020.
On June 20, 2019, the Federal Energy Regulatory Commission (“FERC”) approved a North American Electric Reliability Corp. (“NERC”) petition to adopt Reliability Standard CIP-008-6 to strengthen the reporting requirements for attempts to compromise the operation of the United States’ bulk electric system. The prior Critical Infrastructure Protection (“CIP”) Reliability Standards only required reporting where an incident compromised or disrupted one or more reliability tasks. The new standard applies to all registered entities subject to the CIP Reliability Standards.
On May 15, 2019, President Donald Trump signed an executive order (EO) declaring a “national emergency” related to certain threats against information and communications technology and services (ICTS) in the United States and authorizing the Department of Commerce to block transactions that involve ICTS with a “foreign adversary.” The EO provides for the possibility of a licensing regime that could allow transactions that would otherwise be blocked. The EO is available here.
The EO itself does not mention any particular countries or companies that would be subject to its prohibitions. However, the EO is widely reported to be aimed at China. Indeed, tensions between the United States and China have intensified over the past week, after negotiations between the two governments to resolve their trade dispute stalled.
On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”). Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) has published an advance notice of proposed rulemaking (ANPRM) initiating a 30-day public comment process regarding export controls for certain emerging technologies. The notice launches the implementation of a key provision of the Export Control Reform Act of 2018 (ECRA), part of the National Defense Authorization Act for fiscal year 2019 (NDAA). In the ECRA, Congress authorized BIS to establish controls on the export, reexport and transfer (in country) of “emerging and foundational technologies.” The ANPRM, including a list of the 14 proposed representative technology categories and subcategories subject to review, can be found here. Our prior updates on the NDAA and ECRA can be found here.
A string of Governmental announcements have increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector. Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities. The hackers, one of the reports notes, could have used such access to cause blackouts.