Insights

In a recently published Corporate Counsel article, “Conducting Investigations and Discovery in China: What Companies Need to Consider in Preparing for New Policies,” Crowell’s John E. Davis and the Zhong Lun Law Firm’s Gary Gao (Jun Gao) discuss the need for companies with operations and data in China to prepare for increased governmental scrutiny and civil actions, and provide tips for effectively responding to cross-border demands for data in such pressurized circumstances.

On February 18, President Trump issued an Executive Order titled “Ensuring Accountability for All Agencies” that directs independent agencies (as well as Cabinet Departments and their sub-agencies) to route all “proposed and final significant regulatory” and budgetary actions through the White House and the Office of Management and Budget. If implemented to its full extent, this action will significantly strengthen the authority of the White House by weakening the political autonomy of these independent agencies. As an assertion of the President’s inherent powers under Article II of the U.S. Constitution, it also stands to weaken congressional influence over these independent agencies, both through the appropriations and confirmation processes.

While not new, Congressional investigations have certainly been receiving increased press coverage in recent years, raising questions about their scope and potential risk for organizations and individuals. Congressional investigations have some similarities to other law enforcement and regulatory investigations, but are distinct in many respects. This alert will provide guidance about the unique nature of congressional investigations, and how to respond if you are the target of one.

After almost four years of negotiation, European Union negotiators on December 15 reached consensus on the final text of the new EU Data Protection Regulation. The new Regulation will replace the EU's now over 20-year-old Data Protection Directive (95/46/EC) and seek to harmonize privacy legislation among the 28 EU Member States.

On December 7, the European Parliament and the European Council reached a political agreement paving the way for the first European Union-wide legislation on cybersecurity. The new legislation, the Directive on Network and Information Security (known as the "NIS-Directive") was originally proposed by the European Commission in 2013 and aims at ensuring common standards of network and information security in the European Union.

On Tuesday December 1, new amendments to the Federal Rules of Civil Procedure went into effect. These amendments are designed to streamline discovery and notably: (i) introduce a new proportionality standard defining the scope of discovery (replacing the former relevance standard); (ii) require greater specificity when objecting to a discovery request; (iii) speed up litigation with shorter timelines; and (iv) establish sanctions for spoliation of electronically stored information.

In a press release published on its website October 22, the Swiss Data Protection and Information Commissioner (FDPIC) declared the U.S.-Swiss Safe Harbor to be "no longer sufficient" for data transfers to the U.S. In essence, the FDPIC agreed with the European Union (EU) Court of Justice's (ECJ) Safe Harbor decision of October 6, even though Switzerland is not part of the European Union or governed by its courts. Over 4,400 companies had relied on the U.S.-EU Safe Harbor and over 3,400 companies had relied on the U.S.-Swiss Safe Harbor. The U.S.-EU and U.S.-Swiss Safe Harbors were nearly identical but legally distinct vehicles for data transfers.

On October 6, 2015, the European Court of Justice (ECJ) invalidated the U.S.-EU Safe Harbor Framework (Safe Harbor), meaning it is no longer a valid mechanism for data transfers from the European Union (EU) to the U.S. Over 4,400 companies rely on Safe Harbor to lawfully and practically transfer data from the EU to the U.S. The ECJ based its opinion on U.S. national security practices, finding that Safe Harbor "thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision [finding Safe Harbor adequate] does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference." The effect of this ruling immediately terminates the Safe Harbor program that has been in place for the last 15 years.

On Tuesday, September 8, 2015, an overwhelming majority in the House passed S. 1359, the E-Warranty Act of 2015, which, if enacted, would revise the Magnuson-Moss Warranty Act to allow manufacturers to post consumer product warranties on their websites. The E-Warranty Act would also require the Federal Trade Commission to revise its implementing regulations (16 C.F.R. Part 700) accordingly.

On Monday, the Third Circuit issued its much-awaited decision in FTC v. Wyndham Worldwide et al. and held that the Federal Trade Commission (FTC) has statutory authority under Section 5 of the FTC Act to bring enforcement actions against defendants for allegedly "unfair" data security practices.

Since the economic downturn in 2008, the legal market has been in a constant state of change. Companies are demanding budget predictability, shared risk and reward, improved efficiency, more transparency, and a new way to define value, and law firms have rushed to respond. Firms cannot rely on the billable hour as they once did. This development has led to the rise of Pricing Departments whose job it is to manage value-based billing arrangements, profitability, and legal project management. Law firms and in-house counsel need to understand each type of alternative fee arrangement, its strengths and weaknesses, how to accurately scope and budget an engagement, and how to manage it once it has begun.

Mining companies, like most owners and operators of the nation's critical infrastructure, are becoming increasingly vulnerable to cyber-attacks as they streamline operations by automating more equipment and running facilities and assets from hundreds of miles away with the aid of sophisticated technology. Necessary reliance on industrial automation and control systems to monitor and control physical processes and proprietary data and other sensitive information and networks puts companies at risk. As recent incidents demonstrate, threat actors, including nation states and so-called political "hacktivists," are becoming increasingly sophisticated. What's more, disgruntled or careless employees or business partners are better able to disrupt a company's systems and networks. Rising concerns about these evolving risks and threats have prompted the Executive Branch and various government entities to consider legislation, develop voluntary standards, encourage cyber information sharing, and issue guidance on cybersecurity best practices and mitigation tools. These standards and guidance, including cybersecurity guidance issued by the Securities and Exchange Commission's Division of Corporation Finance in 2011, often trigger disclosure obligations and may result in litigation. 

On January 13, 2015, President Obama announced several legislative proposals to increase cyber threat information sharing, to create a consistent national data breach notification law, and to modernize cybercrime enforcement. Additional Executive Action is also expected over the next few months. Immediate reactions to the proposed legislation have been mixed, but if all three proposals are enacted, a significant change to existing U.S. privacy and cybersecurity law is expected.

On October 2, 2014, the FDA released a set of guidelines designed to improve the cybersecurity of medical devices and to combat increasing vulnerability to cyber-attacks. Compliance with the guidelines, although not mandatory, is strongly recommended to protect not only patients, but also manufacturers, facilities, and providers. In drafting the guidelines, the FDA was careful to consider the particular sensitivities involved in the regulation of instruments designed for health care. Overly strict regulations may run the risk of inhibiting a device's functional capabilities – a distinct concern in the case of devices intended for emergency response. Conversely, if regulations are not strict enough, there is an increased risk of potential cyber incidents that could result in patient harm such as illness, injury, or even death.

On September 30, 2014, California Governor Jerry Brown signed into law Assembly Bill 1710, which contains a new set of personal information protections that affect all businesses that "own, license, or maintain personal information about Californians." In what may become a precedent for other jurisdictions, the law includes the nation's first mandatory state requirement for breached entities to offer breach mitigation services – including credit monitoring – to all affected individuals. Further, the law includes new restrictions on the sale of social security numbers (SSNs). These amendments to the existing California Civil Code Sections 1798.81.5, 1798.82, and 1798.85 will take effect on January 1, 2015.

As companies and individuals move away from storing information on their own computers into the cloud, concerns about the privacy of personal data in the hands of third party providers are steadily increasing. Recently, the U.S. District Court for the Southern District of New York held that an internet service provider (ISP) can be compelled to produce personal information located outside of the U.S. for purposes of a criminal investigation. If adopted by other courts, this decision would broaden the power of law enforcement agencies to obtain information stored on third-party servers, both domestically and abroad. It also raises significant questions about the constitutional limits on the U.S. government's ability to collect information from ISPs.

With the increased importance of e-discovery in litigation and investigations, many federal district courts and government agencies have enacted specific rules, forms, or other guidance addressing the discovery of electronically stored information (ESI) and governing the conduct of practitioners as it relates to ESI. To help you keep informed of these rules, regulations, and guidelines as you litigate, Crowell & Moring's E-Discovery and Information Management group has compiled a collection of websites for rules, forms, and guidelines -- from both federal courts and government agencies -- by jurisdiction and/or agency. 

A recent court ruling illustrates the significant value of Federal Rule of Evidence 502 for preserving privilege in a cost-effective and expedient manner. In Chevron v. Weinberg Group, Misc. Action No. 11-409 (D.D.C.), Magistrate Judge John Facciola entered a Rule 502(d) order that allows the defendant to knowingly produce purportedly privileged materials without waiving any privileges applicable to those materials. In entering the order, the court expressed dismay that the defendant had "just now discovered Rule 502(d), the use of which may have prevented the protracted litigation and discovery battles that have plagued this case for the past two years."

The U.S. District Court for the District of New Mexico recently upheld a Magistrate Judge's recommendation for sanctions against the government for failing to preserve electronically stored information (ESI) in a False Claims Act case, ordering the government to produce certain privileged materials and to pay costs associated with the motion for sanctions.

While spoliation sanctions are increasingly common in civil litigation, it is rare for such conduct to be charged as criminal obstruction of justice. But in an indictment unveiled last week, the Department of Justice did just that. In a trade secrets theft case, DOJ charged the defendant, Kolon Industries, Inc., with obstruction of justice, in addition to conspiracy and trade-secret-theft counts, as a result of conduct undertaken in a private civil case.