Eye on PCI-DSS Call Center Compliance

This post was written by John Hines and Amy Mushahwar.

Are you recording credit card magnetic stripe data, CAV2, CVC2, CID, CVV2 or PIN data?

Many businesses record telephone calls for a number of purposes, including regulatory compliance and customer service monitoring. For those companies that also take credit card payment information over the phone, please be advised that the PCI Security Standards Council has issued a clarification regarding call center recordings that has generated a number of calls to our offices. It is excerpted below.

[i]t is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.

Please see the full PCI Security Standards Council clarification.

Regulatory Roundup 4.29.11

After reading this article, I will no longer complain while my family gets ready to go out. Unlike the DoD, which spends approximately $31 Billion/year, I’m pretty sure I can't fund a constant state of preparedness.

Howard Sklar does some thinking out loud about the risk/reward for implementing a private sector bribery compliance program under the UK Bribery Act.

Line of the Day (OK, I know the post is a couple of weeks old) goes to Clif Burns at exportlawblog.com: Irish-American musicians can’t go to the Cuban festival because there will be Irish people there (emphasis in original). Thanks OFAC.

Electric car buying … batteries no longer included?

Presenting a new segment I'm calling: It's OK to Laugh.


New French law gives more publicity to CNIL sanctions

This post was written by Daniel Kadar.

A new French law, published on March 30, 2011, allows, among other things, the French Data Protection Authority, the CNIL, to give more publicity to sanctions it imposes.

Prior to this reform, the French data protection authority could only publicize its rulings on its website and on “Légifrance”, the French official website for law. Publication in other media was only possible when a data processor had been sanctioned for having acted in bad faith.

From now on, the CNIL is allowed to order the publication of pronounced sanctions in newspapers and other media, whether or not the data processor involved has acted in bad faith.

This reform took place only two weeks after the CNIL issued a €100,000 fine against GOOGLE in the GOOGLE STREET VIEW case.

At that time, given the absence of bad faith on GOOGLE’s part, the CNIL could only publish the sentence on its website and on “Légifrance”.

We believe this change will significantly increase publicity about the CNIL’s sanctions, thereby dissuading wrongdoing.

Are additional restrictions on political spending by government contractors coming from the Obama Administration?

This post was written by Christopher L. Rissetto and Robert Helland.

The Internet has been ablaze over the past 24 hours with reports that the Obama Administration is considering requiring "all entities submitting offers for federal contracts to disclose certain political contributions and expenditures that they have made within two years prior to the submission of their offer". This was first disclosed by Hans A. von Spakovsky, a former Federal Election Commissioner and scholar with the Heritage Foundation. The Public Policy and Infrastructure and Government Contracts Groups offer this analysis of the Administration’s proposal, as it is known so far, and will monitor efforts to implement it as well.

The proposed order requires the following to be disclosed:

(a) All contributions or expenditures to or on behalf of federal candidates, parties or party committees made by the bidding entity, its directors or officers, or any affiliates or subsidiaries within its control; and
(b) Any contributions made to third party entities with the intention or reasonable expectation that parties would use those contributions to make independent expenditure or electioneering communications.

The Impact of these Rules on the Contracting Community Will be Significant. If implemented, these disclosure requirements would have a broad impact both in terms of what needs to be disclosed and who needs to disclose it. They would apply, for example, to any entity seeking to do business with the federal government. So those seeking to contract with the federal government would have to put a compliance system in place, as part of putting together their bid, in order to keep track of the contributions and expenditures made. Also, the proposed disclosure requirements would reach far into the bidding entity, to include affiliates or subsidiaries under its control. For an entity with many subsidiaries, this would not only mean creating an effective compliance system but also enabling coordination within that system among many pieces and players, in order for disclosure to be effective. Finally, they would apply not only to political contributions to candidates and political parties but also to contributions made to a third party that spends money for advertisements advocating the election or defeat of a candidate for federal office. So, for example, if an officer of a bidding entity also belongs to an organization that runs ads calling for the defeat of a candidate, then he or she must disclose dues and any other payments made to that organization, in the context of the bidding entity seeking the federal contract. That goes beyond any requirement in place today and in real terms means that those entities which run these advertisements could see the disclosure of those behind them.

Many legal issues are likely to be raised by an Executive Order issued with this content. Among these issues are: (1) constitutional, third party, and other statutory rights that might be disturbed by compliance with the requirements of the Executive Order; (2) whether such an Executive Order exceeds the President's authority; and (3) potential third party liability that might be incurred through the implementation activities of covered entities (e.g., employment disputes).

This proposed executive order is clearly a response to the Supreme Court’s decision in Citizens United v. FEC, which reverses decades of statutory and case law that prohibited corporations from using their general treasuries to fund independent political advertising supporting or opposing candidates for local, state or federal office. And those on the right clearly consider it to be drafted in favor of organizations favoring the Democratic Party. von Spakovsky, for example, notes that “federal employee unions that negotiate contracts for their members worth many times the value of some government contracts are not affected by this order. Neither are the recipients of hundreds of millions of dollars of federal grants”. We would note that this is a proposal only and the final details of the Executive Order are still not in place.

California Senator Proposes State "Do-Not-Track" Bill

This post was written by Kathyleen A. O’Brien.

On April 6, 2011, California State Senator Alan Lowenthal (D-Long Beach) introduced a version of “do-not-track” legislation in the form of SB 761. An initial hearing will be held by the California Senate Judiciary Committee on April 26.

The bill largely follows the current “do-not-track” framework being proposed by U.S. Rep. Jackie Speier (D-CA) and others in Congress. Many, including Sen. Lowenthal, see the California bill as a way to spur action on the national level. Although privacy is largely viewed as a bipartisan issue, Lowenthal is hoping that because the Democrats control the California governorship and legislature, the process of passing a “do-not-track” bill will be quicker and smoother on the state level. Interestingly, the effort is attracting at least some bipartisan support with Judiciary Committee member Sen. Tom Harman (R-Huntington Beach) expressing interest in tackling the issue of online tracking. Ultimately, passage of the bill would, once again, put California out in front on online consumer protection issues much like its “do-not-call” and data breach laws have in the past.

The bill requires the Attorney General, in consultation with the California Office of Privacy Protection, to adopt regulations that would require companies doing business in California that collect, use, or store online data regarding consumers to provide those consumers with a way to opt out of such practices. Additionally, the bill would grant the Attorney General power to impose regulations that may, among other things, require companies to provide consumers with access to their personal data, and a clear and easy to understand data retention and security policy. As a nod to the business community, the Attorney General would have the power to create exemptions for commonly accepted business practices.

Any company that willfully fails to comply with the adopted regulations would be liable to consumers in a civil action with statutory damages, which would range from $100 to $1,000. The proposed bill could include punitive damages also, as determined by the court, as well as costs and reasonable attorney’s fees.

Research for this post was conducted by Legal Intern Noah Cherry.

Much-Anticipated McCain-Kerry Privacy Bill Introduced

After months of deliberations, Senators McCain and Kerry introduced a comprehensive privacy bill entitled, the Commercial Privacy Bill of Rights Act of 2011 (the Act). Released in a press conference held by McCain and Kerry yesterday, the bill establishes a baseline framework for the privacy, security and management of personal information.

We have provided a summary of the bill’s definitions and key provisions (which contemplates five FTC rulemakings), all of which might change once the bill is debated within the Senate. To learn more, please see our recent client alert.

UK Bribery Act - Guidance for Prosecutors published

This post was written by Matthew Stone.

On 30 March 2011, the Serious Fraud Office (SFO) and the Director of Public Prosecutions published their joint guidance for prosecutors (the Guidance) for offences under the UK's new Bribery Act, which comes into force on 1 July 2011. This coincides with the publication of the final guidance issued by the Department of Justice on the adequate procedures defence to the s. 7 corporate offence of failing to prevent bribery (see Bribery Act 2010 - Adequate Procedures Guidance).

The new Guidance addresses a number of issues:

  • Two-stage test for prosecutors – As with other criminal offences, prosecutions for bribery under the new Act need to pass the two-stage test in the Code for Crown Prosecutors: i) the evidential stage and ii) the public interest stage.

If a prosecutor does not have sufficient evidence to make a conviction more likely than not, prosecutors should not go on to consider whether a prosecution is in the public interest, no matter how serious or sensitive the case is.

  • Public interest considerations – In determining whether a prosecution is in the public interest, prosecutors should take into account a number of factors set out in the Guidance which tend either in favour of or against prosecution. These factors differ depending on the offence in the Act in respect of which prosecution may be brought. They include, among other factors:

○  whether conviction is likely to result in a substantial sentence;
○  whether the suspect was in a position of authority or trust; and
○  whether there was an element of corruption of the victim in the way the offence was committed.

In respect of the Corporate Offence, the SFO's Guidance on Corporate Prosecutions will be considered. This Guidance sets out further factors likely to weigh in favour of prosecuting a company, which include:

○  whether the company has a history of similar conduct;
○  whether the conduct is part of the established business practices of the company;
○  whether the company has already been the subject of warnings or sanctions; and
○  whether the company's reporting was slow or concealed the full extent of the offending conduct.

Prosecutors are also entitled to consider whether conviction of company personnel for a minor offence under the Act would have a disproportionate effect on the company by leading to the company's debarment from public contracts.

  • “Financial or other advantage” – The general "active" and "passive" bribery offences and the offence of bribing a foreign public official all refer to a "financial or other advantage". This term is not defined in the Act. The Guidance states that the term "advantage" should be understood in its ordinary everyday meaning.
  • Strict Liability Corporate Offence of failing to prevent bribery – The Guidance makes clear that the Corporate Offence does not require prior prosecution of the associated person, although there needs to be sufficient evidence to prove bribery by the associated person to the normal criminal standard.

Corporates seeking to avail themselves of the adequate procedures defence will need to establish the defence on the balance of probabilities. The Guidance makes clear that a single instance of bribery does not necessarily mean that an organisation’s procedures are inadequate. The actions of an employee may be wilfully contrary to very robust corporate contractual requirements, instructions or guidance.

  • Hospitality – The Guidance makes clear that hospitality which is not excessive or disproportionate and which is made in good faith is unlikely to attract the attention of the prosecutors. The more lavish the hospitality or expenditure, the greater the inference that it is intended to encourage or reward improper performance of a function or activity. Lavishness is just one factor that may be taken into account in determining whether an offence has been committed.
  • Facilitation Payments – Unlike the US Foreign Corrupt Practices Act, the UK Bribery Act has no carve-out for facilitation or grease payments and this point is reiterated in the Guidance.

The Guidance stresses that all cases under the new Bribery Act should be considered on their own merits, but given the likely importance of precedents - particularly for prosecutions under the Corporate Offence - lawyers will be watching closely to see how prosecutors and the courts apply the new law in practice after 1 July 2011.

At the 11th hour, an agreement was reached on the US Fiscal Year 2011 budget. That was the "easy" part.

This post was written by Christopher L. Rissetto and Robert Helland.

Late Friday evening, with only minutes remaining before a partial shutdown of the federal government, the White House, Senate Democrats and House Republicans came to an agreement on the spending and policy decisions necessary to fund the federal government for the remaining six months of Fiscal Year 2011. In the end, $38.5 billion was cut from the discretionary side of the budget, i.e. spending for programs whose spending levels are not mandated by federal law, as Social Security and Medicare are. While more detail will be made available in the next days and weeks about where the budget knife will fall, we know that programs at the Departments of Labor, Education and Health and Human Services will be cut by $13 billion. $18 billion will come from cuts in programs considered to be "unnecessary" by the Department of Defense. The remainder will be spread across agencies ranging from State to Housing and Urban Development. In addition, some, but not all, of the policy riders sought by Republicans were included, such as restrictions on the District of Columbia spending its own funds to provide abortions, and the reauthorization of a school voucher program in the District.

The compromise agreement took a lot of effort; however, the work on this agreement will seem slight in comparison to the decisions that need to be made 1) on the next federal budget, for Fiscal Year 2012; and 2) on the upcoming increase needed in the federal debt ceiling. A more grueling battle in both areas is expected, with cuts in both discretionary and mandatory spending to be under consideration. We will see more detail on the President's plan when the Obama Administration makes its own budget request of Congress this week, in response to a plan already put out by House Republicans that would cut $5 trillion over ten years.

Companies would be well advised at least to monitor the budget activities, and to lobby for needed clarifications and amendments. Significant budget policies, possibly including the structuring of the tax code and other key program directions, are certain to be debated and revised.


Proposed Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations

This post was written by Debra H. Dermody, Gavin Eastgate, and Michelle Mantine.

On March 31, 2011, the Federal Trade Commission (FTC) and Department of Justice (DOJ) issued a joint proposed Statement of Enforcement Policy to explain how the agencies intend to enforce U.S. antitrust laws with respect to Accountable Care Organizations (ACOs) - groups of health care providers that will be collaborating under the Patient Protection and Affordable Care Act. The proposed Statement is intended to ensure that health care providers have the guidance they need to form ACOs that comply with the federal antitrust laws. The proposed Statement explains: 1) which combinations of providers are affected; 2) when the FTC and DOJ will apply particular antitrust analyses to those ACOs; 3) an antitrust “safety zone” for certain ACOs; 4) the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS)-mandated antitrust review process for certain other ACOs; and 5) options for ACOs to gain additional antitrust clarity if they fall outside the “safety zone” but below the CMS-mandated antitrust threshold. As set forth in the proposed Statement, the FTC and DOJ will evaluate applicants that meet CMS eligibility criteria for the Shared Savings Program based on the ACO’s share of services in each participant’s Primary Service Area (PSA). CMS has further clarified the eligibility criteria through its proposed regulations.

The FTC and DOJ are accepting public comment from health care providers, payers, consumers, antitrust practitioners, and others on the proposed Statement of Enforcement Policy through May 31, 2011. If you have any questions regarding the proposed Statement or would like assistance in preparing public comments to submit to the agencies, please contact one of the authors.

The Protest is in the Mail: GAO and COFC Differences Regarding Treatment of Late Bid Proposals

This post was written by Leslie A. Monahan.

What happens when a bid proposal is sent via e-mail prior to the submission deadline but is not received by the proper party until after the submission deadline has passed? It turns out that the answer depends on whether the Government Accountability Office (“GAO”) or the Court of Federal Claims (“COFC”) is reviewing the matter.

A government contractor dealing with a late bid may still have its bid considered by the contracting officer, even if it was not received by the submission deadline, if it meets one of the three exceptions listed under FAR 52.215-4(c)(3)(ii)(A). The “Electronic Commerce” exception applies if the proposal was submitted electronically and “received at the initial point of entry to the Government infrastructure” by 5:00 pm the day prior to the submission deadline. The “Government Control” exception applies when there is “acceptable evidence” to establish that the offeror’s e-mail proposal “was received at the Government installation designated for receipt of offers and was under the Government's control prior to the time set for receipt of offers.” The “Only Proposal” exception applies if the late bid is the only proposal received.

When deciding bid protests over late submissions, GAO has consistently held that the “Government Control” exception does not apply to e-mail proposals. In Matter of: Sea Box, Inc. (PDF), a government contractor submitted its proposal by e-mail 11 minutes before the deadline. However, it took several minutes for the proposal to be transmitted from the original point of entry to the final electronic destination. When the e-mail finally reached the intended recipient, it was past the deadline. GAO reasoned that, since electronic delivery methods already had the “Electronic Commerce” exception, it would not read the “Government Control” exception broadly enough to include electronic transmittals and thereby provide two alternative means of determining whether late electronically transmitted proposals may be accepted.

However, the Court of Federal Claims recently reached an explicitly different result than GAO. In Watterson Construction Company v. United States (PDF), a bidder’s proposal arrived four minutes late in the Contracting Officer’s e-mail inbox due to an unexplained "mail storm" at the Army Corps of Engineers e-mail server. When notified that its bid was deemed “ineligible for award” because it was late, the bidder filed a protest. Unlike the GAO, the COFC held that the “Government Control” exception applies to electronic deliveries. So, if a contractor previously thought it was out of luck under GAO precedent, it may still be able to save its proposal at the COFC.


'The Four Pillars of Wisdom'? EU Commissioner's speech signals key areas for reform of EU privacy rights

This post was written by Cynthia O'Donoghue and Nick Tyler.

In a recent speech, Viviane Reding, the EU Commissioner with responsibility for European Union data protection policy, identified ‘four pillars’ upon which the privacy rights of EU citizens “need to be built” so that individuals have more control over their personal data in today’s online world.

Reforming EU data protection is Commissioner Reding’s “top legislative priority” and the new proposals are expected this summer.

The ‘four pillars’ are:

  • The right to be forgotten,
  • Transparency,
  • Privacy by default, and
  • Protection regardless of geographic location.

Regulatory Round Up 3.31.11

Now THAT's "Real Time" Enforcement

This post was written by Amy J. Greer.

At the recent SEC Speaks conference, the recounting of a particular SEC Enforcement action caught my attention and I thought it particularly worthy of note, since most of us who practice in this area believe – with pretty good reason and a whole lot of evidence – that the SEC’s Enforcement Division moves like, well, that tortoise. Usually getting to a finish line, of sorts, but it takes a while. Often a really long while . . . with a lot of meandering.

So, needless to say, Daniel M. Hawke, who heads the Division’s Market Abuse Unit and leads the Philadelphia Regional Office, proudly recounted the much more “hare”-like freezing of $1.1 million in assets of two Spain-based traders, accused of insider trading in connection with PotashCorp’s announcement that it had received and rejected an unsolicited offer from BHP Billiton plc, within 72 hours of that announcement. That’s right: on August 17, 2010, PotashCorp publicly announced the spurned offer, and on August 20, 2010, the SEC’s Enforcement Division obtained a signed order freezing the traders’ assets in the Northern District of Illinois.

And, actually, it’s even better than that. Let’s recount the geography here. The traders are both in Madrid, Spain, trading options through US-based Interactive Brokers, LLC accounts, and all of the trading at issue took place on the Chicago Board of Options Exchange. Potash Corp. is based in Saskatchewan, Canada, and its stock is traded on the New York and Toronto stock exchanges and its options are traded on the CBOE. BHP is based in Melbourne, Australia. SEC staff on the case were located in Chicago, New York, and Philadelphia.

Real time enforcement – that is, taking action shortly after the conduct actually occurred – has been a matter of discussion for a long time at the SEC. Of course, in these types of circumstances, when money is at risk of being moved out of the country and out of the SEC’s ready reach, the timing is even more imperative. But given all of the moving parts here, especially the geographic issues, gathering sufficient evidence to get the freeze order within just 72 hours of the announcement, and within about a week of the trading (all of which occurred between August 12 and 16), just goes to show how quickly the agency can move in the right cases.

FTC and Google - Proposed Settlement Over "Buzz"

This post was written by Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

Google, Inc. agreed to a proposed consent order over charges that it used deceptive tactics and violated its privacy promises to consumers when it launched its social network, Google Buzz. The FTC alleged in its Complaint that Google's information practices violated Section 5 of the FTC Act.

As background, in February 2010, Google launched Buzz, a social networking service within Gmail, its web-based email product. Google used the information of Gmail users, including first and last name and email contacts, to populate the social network. Gmail users were, in many instances, automatically set up with “followers” (people that followed the user or people that the user followed). According to the FTC's Complaint, even if a user did not enroll in Buzz, the user's information was shared in a number of ways (e.g., a user who did not enroll in Buzz could still be followed by other Gmail users who enrolled in Buzz). The FTC also alleges that the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the FTC alleges that certain personal information of Gmail users was shared without consumers' permission through Buzz (e.g., some information was searchable on the Internet and could be indexed by Internet search engines).
