A Route Forward: Easing Licensing Requirements Under the New STA License Exception

This post was written by Joelle E.K. Laszlo.

The Export Control Reform Initiative currently underway will transform the cumbersome U.S. export controls regime into a streamlined system featuring a single control list, a single licensing agency, a single information technology system, and a single primary enforcement coordination agency. Until that dream becomes a reality, the Administration’s serial short- and medium-term changes will have to suffice.

The latest is the Strategic Trade Authorization (“STA”) license exception. Effective immediately, License Exception STA allows for the export, reexport, and in-country transfer of specified goods to “low risk” countries. Specifically, under 15 C.F.R. § 740.20(c)(1), licenses will not be required for exports to any of 36 countries of certain sensitive technologies that are subject to control for any of six reasons (national security, chemical or biological weapons, nuclear nonproliferation, regional stability, crime control and/or significant items). The sensitive technologies eligible for License Exception STA include submersible vehicles, radar systems, source code, and high tech cameras.

Under 15 C.F.R. § 740.20(c)(2), a second group of eight destinations is eligible for export, reexport, and transfer (in-country) of a shorter list of less-sensitive technologies. Specifically, under this part of the STA license exception, technologies controlled only for national security reasons are eligible for export to Albania, Hong Kong, India, Israel, Malta, Singapore, South Africa, and Taiwan.

The STA license exception applies only to goods for which the Export Administration Regulations (“EAR”) already impose the obligation to receive a license before export, reexport, or transfer (in-country). The license exception is not available for items controlled for other reasons like encryption, short supply, surreptitious listening, missile technology, chemical weapons, and human rights reasons. A user of the STA license exception is required to furnish its consignee with the Export Control Classification Number (“ECCN”) of any items shipped under the exception, maintain written records of shipments, and notify the consignee that the shipment is made pursuant to the license exception. Exporters of software source code must follow separate conditions for STA license exception use that include explicitly notifying the end user, in writing, of the restrictions on further release of the software.

The STA license exception is only a first and a small step in the long reformation process to come, and it may not be among the best. Even if the license exception applies to a given shipment, compliance with its conditions will not be easy – exporters using the exception must keep thorough records, train employees, and possibly modify business practices. Those able to manage the conditions of License Exception STA, however, will also reap its substantial benefits.

Research and drafting assistance for this post was provided by Reed Smith Summer Associate Julya Vekstein.

 

Regulatory Round Up 6.24.11

 

A busy week in Europe: Do Not Track, Children's Internet Privacy, Data Breach Notification and Transfers of Passenger Record Data

This post was written by Cynthia O'Donoghue.

Hasn’t it been a busy week in Europe? The regulators seem to be falling over one another in a race to the top of privacy regulation. Targeted are web browsers and ‘do-not-track’ mechanisms, children’s internet privacy, banks, and the U.S.’s request for passenger data.

The European Commissioner Neelie Kroes came close to threatening the advertising industry when speaking at a recent workshop in Brussels. The EU is picking up the baton from the U.S. Federal Trade Commission in calling for a ‘Do Not Track’ standard to be in place by June of 2012. To web browsers that run do-not-track, and to businesses that honour it, Commissioner Kroes says, “But this is not enough. Citizens need to be sure what exactly companies commit to if they say they honour do not track. … If I don't see a speedy and satisfactory development, I will not hesitate to employ all available means to ensure our citizens' right to privacy.”


A Supreme Court Win For Free Speech About Medical Options

This post was written by Paul Bond and Joe Metro.

States regulate doctors in issuing prescriptions. The States keep databases that show which doctors prescribe what medicines, for what purposes, and when. That information is valuable to anyone who would seek to locate doctors with certain prescription-writing habits. For example, a database user might seek out doctors to suggest that those doctors try a different drug or combination of drugs as a more effective treatment. Some doctors objected to being contacted with such suggestions, especially by commercial drug manufacturers. As a consequence, several States passed laws banning the purchase and use of prescription-writing records for purposes of commercial outreach to health care professionals. Vermont's law was challenged by, among others, IMS Health, a major provider of information services to the health care industry. The United States Court of Appeals for the Second Circuit, at IMS Health's urging, struck down Vermont's law as imposing an unconstitutional impairment on commercial free speech. Today, in a 6-3 decision, the United States Supreme Court agreed, adopting a position that Reed Smith helped advance.

Justice Kennedy, writing for the majority in Sorrell v. IMS Health, stated that: "Speech in aid of pharmaceutical marketing...is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard." The Court noted that Vermont's law would allow academics to use prescriber-identified information to promote generic drug use. However, the same law would block the makers of brand-name drugs from reaching out to doctors in a comparable, high-touch informational campaign. Thus, "the law on its face burdens disfavored speech by disfavored speakers." Lacking a compelling reason for this viewpoint-based discrimination, Vermont's law could not stand.

The dissent, authored by Justice Breyer, called for a more relaxed standard of review to be applied to the challenged State regulations. The dissent argues that the speech in question is commercial; that limits are routinely put on marketing speech especially in connection with health and safety; and moreover, that the States should be afforded great leeway in deciding for what purposes these State-created databases of prescription information are sold and used.

Reed Smith participated in this case to further explain to the Court the public health benefits arising from targeted commercial use of prescription-writing data. Reed Smith's team drafted and filed an amicus brief supporting IMS Health's position. Reed Smith submitted that brief to the Court on behalf of two former United States Secretaries of Health and Human Services (Dr. Louis W. Sullivan and Governor Tommy Thompson) as well as the Healthcare Leadership Council. The decision of the Court today is fully consistent with the positions advanced by these public health experts. Of note, the Court specifically cited to and endorsed the public health benefits of a free flow of information about treatment options. As the Court found: "A consumer’s concern for the free flow of commercial speech often may be far keener than his concern for urgent political dialogue. That reality has great relevance in the fields of medicine and public health, where information can save lives."

Is the PCI Security Standards Council Preparing for Cloudy Weather?

As Companies Approach the January 1, 2012 PCI DSS 2.0 Compliance Deadline, a New Information Supplement Provides Guidance on the Scoping, Controls Necessary and Testing Procedures for Virtual Environments.

This post was written by Paul Bond, Chris Cwalina, Dan Herbst and Amy Mushahwar.

On Tuesday, June 14, the PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI-DSS), released a comprehensive set of guidelines for PCI compliance in virtual card holder data environments. The Council's 39-page guidance document (available at https://www.pcisecuritystandards.org/security_standards/documents.php) describes in detail how each of the 12 PCI security control objectives within logical environments should be applied in a virtual setting. The document – which was over two years in the making – provides clearer guidance regarding how organizations can deploy virtualized environments in a secure fashion.

As background, before virtualization technologies, the standard computing model was one computer to one operating system with that computer’s associated applications and resources. Virtualization technologies enable IT teams to combine or divide computing resources to unify many computing systems into one operating environment or to partition one server into several virtual machines. Virtualization technologies undergird important applications over a wide range of areas, such as virtual test environments, server consolidation, multiple operating system support, system migration, and cloud computing. Given the variety of virtualization flavors and applications, the Council in its guidance recognized there is “no one-size-fits-all method or solution to configure virtualized environments[.]”


Firm Attorney Amy Mushahwar Interviewed by Nymity

Please click here to read Nymity's interview with firm attorney Amy Mushahwar. Most business executives, legislators, government officials and regulators agree that information fluidity is critical to innovation and economic growth. The same group would also agree that without trust, commerce on the Internet would come to a standstill. Trust is built through protection, proper management and privacy of information.

Amy Mushahwar has followed the privacy and protection journey on the Hill for many years. She shares her observations of who is on point for what in 2011 in the Administration, Congress and the various agencies. She also provides us with insight into what might be on the privacy, security and information management agendas of those who are in charge.

Amy is a data privacy, security and management attorney at the law offices of Reed Smith and a former data security technical consultant. Amy assists firm clients with crafting public policy advocacy strategies and building enterprise‐wide regulatory compliance programs from the ground up.

UK Bribery Act - The SFO fires a warning shot over jurisdiction

This post was written by Simon Hart and Rosanne Kay.

The Director of the Serious Fraud Office (“SFO”) has recently articulated a robust interpretation of the SFO’s jurisdiction under the UK’s Bribery Act 2010, which comes into force on 1 July 2011. In doing so, the Director has challenged the understanding of many companies and their advisors. Whilst the debate may be seen by many as an academic debate for lawyers, the implications could have a significant impact on whether or not particular operations of a global company fall within the reach of the SFO.

The Director made it very clear that, in his view, if a global company had a UK subsidiary, but there was bribery in another part of the global company, the SFO would have jurisdiction under the Bribery Act. This interpretation is in contrast to statements made in the Guidance issued by the Ministry of Justice in March 2011 which indicated that such foreign companies would not themselves be regarded as “carrying on business in the UK” simply by virtue of having a UK subsidiary or a listing on an exchange. (“Carrying on business” is the test for determining whether an entity can be fixed with criminal liability under the corporate offence in the Act.)

Mr Alderman made it plain that the SFO would be adopting a very wide interpretation of the phrase “carrying on business in the UK”. Mr Alderman has said “What I have said to corporates is that it would be very dangerous for them to use a highly technical interpretation of the law to persuade themselves that they are not within the Bribery Act and that it is permissible for them to carry on using bribery. I have said that they could have a very unpleasant shock…”

Mr Alderman went on to explain “Our view is that if a foreign group has a subsidiary in the UK and in another country and that bribery occurs in that other country then that bribery is within the remit of the SFO.”

Ultimately, the much-debated jurisdictional provisions of the Act will be determined neither by the SFO nor those that the Act purports to cover, but by the English Courts. However, it is clear that the SFO will be looking to promote an anti-corruption agenda by highlighting the risks of engaging in corrupt activities anywhere in the world if the business has any connection with the UK.

To reinforce the message, Mr Alderman has emphasised that surprise arrests of overseas nationals at UK borders could be a possibility if they have engaged in bribery: “You can’t be sure that you won’t be stopped at the airport. We are not going to say, “if you turn up, you will be arrested”. It may or may not happen”.

Mr Alderman has also signalled that the SFO will be interested in prosecuting cases against foreign corporations where there has been bribery that has disadvantaged ethical UK companies. He has suggested that in such a case, there would be a strong UK public interest in bringing that foreign company before the UK courts. Mr Alderman has said that he is keen to test the new law against foreign companies despite the challenges in investigating, prosecuting and punishing a foreign company.

Despite Mr Alderman’s strong words, it remains to be seen whether the SFO will have the resources or the will to investigate and prosecute foreign corporates. Nevertheless, these recent statements highlight the fact that companies can only draw limited comfort from the commentary on jurisdiction in the Ministry of Justice Guidance.

UK Banks Need to Get it Right on Data Protection

This post was written by Cynthia O'Donoghue.

The Information Commissioner’s Office (ICO) told attendees of the British Bankers’ Association conference today that they need to get it right on data protection.

Banks were reminded that data protection is not only about keeping data secure, it is about ensuring individuals remain in control of data the banks hold about them.

Two years ago the ICO was inundated with complaints about the banks’ failures to provide information about unfair bank charges, and the ICO does not want a repeat.

In light of the recent ruling about the mis-selling of payment protection insurance, the ICO will expect banks to provide customers with timely and full responses to information requests.

The ICO also announced that it has identified the financial sector as a priority area in its draft Information Rights Strategy.

Elected officials beware: Your vote does not equal free speech

This post was written by Chris Rissetto and Bob Helland.

Across the country, federal, state and local governments have enacted - and strengthened - conflict of interest restrictions on how their elected officials vote as a way to prevent those officials from voting in their own self-interest. To those who argue that such a restriction on voting violates an official's First Amendment right to free speech, the Supreme Court has unanimously said no. In the case of Nevada Commission on Ethics v. Carrigan, 563 U.S. ___(2011), the Court has decided that the First Amendment rights of a city council member from Sparks, Nevada were not violated when he was censured by the state Commission on Ethics for a vote on a project connected to his campaign manager. This decision continues the trend at the local, state and federal levels to hold government more accountable and serves as a warning for those who serve in government as well as those seeking to do business with it.

Michael Carrigan, a member of the Sparks City Council, was found by the Nevada Commission on Ethics to have violated Nevada's Ethics in Government Law -- which broadly defines conflicts of interest -- when he voted to approve an application for a hotel/casino project in Sparks that his friend and long-time campaign manager worked for as a paid consultant. The Nevada Supreme Court decided that his First Amendment rights had been violated.

When it comes to the First Amendment, a vote by an elected official is not the same as a vote by a private citizen. In reversing the decision by the Nevada Supreme Court, the Court took care to distinguish the fact that the elected official was acting in his official capacity, in this case by voting. This is not protected speech when it comes to the First Amendment, wrote Justice Scalia, speaking for the majority: "A legislator's vote is the commitment of his apportioned share of the legislature's power to the passage or defeat of a particular proposal. The legislative power thus committed is not personal to the legislator but belongs to the people; the legislator has no personal right to it" (slip opinion at Page 8). Justice Scalia also strongly rejected the argument that a vote represents some form of symbolic speech that merits protection under the First Amendment, questioning how a legislator would indicate, or whether he would even wish to indicate, the symbolic meaning behind his vote.

What's next? The Court's decision upholding Nevada's Ethics in Government Law as constitutional supports the many conflict of interest restrictions on elected officials that are in place across the country. However, an opening may remain to challenge part of Nevada's law: that which bans activity affected by an elected official's "commitment in a private capacity to the interests of others," Nev. Rev. Stat. Section 281A.420. Justice Kennedy, in his concurring opinion, noted that this might be too broad a category and could encompass an elected official's relationship with supporters, many of whom might reasonably expect the official to vote a certain way on a matter. Kennedy writes that "the possibility that Carrigan was censured because he was thought to be beholden to a person who helped him win an election raises constitutional concerns of the first magnitude" (slip opinion at Page 4). This question was not brought up before the Court, however, and was therefore not considered in its decision. But governments should consider Justice Kennedy's opinion as a warning when writing and enforcing their conflict of interest restrictions. Defining a conflict of interest as broadly as Nevada does may raise future constitutional concerns.

Supreme Court's Bright Line Test Narrowly Limits Primary Securities Fraud Liability

This post was written by Amy J. Greer.

In Janus Capital Group, Inc. v. First Derivative Traders, 564 U.S. ___ (2011), the United States Supreme Court reversed a decision of the United States Court of Appeals for the Fourth Circuit, largely resolving a disagreement among the lower federal courts regarding the level of involvement required to expose defendants to primary liability for a securities fraud violation. The Court held that primary liability can attach to a material misstatement or omission only if the defendant had “ultimate authority” over its making or, perhaps, if it was publicly attributed to him. As a result, primary liability is no longer a risk for professionals who only prepare or contribute information to the public statement of another, absent explicit public attribution. Professionals who work on public filings and offering documents are breathing a heavy sigh of relief today.

 

Case for National Breach Notification Standard - Federal Action to Follow?

This post was written by Paul Bond, Amy Mushahwar and Fred Lah.

On June 9, 2011, Citigroup confirmed that its online banking platform Citi Account Online had suffered a data breach involving the names, credit card numbers, addresses, and email details of approximately 200,000 customers.  While Citi has already notified the Office of the Comptroller of the Currency in accordance with FDIC Guidance, financial institutions responding to a breach must also comply with the breach notification laws of the individual states.

Citi is just the latest victim in a recent string of hacking attacks, with major companies like Sony, Epsilon, Michael's Stores, Apple, and Google having suffered recent (and in some cases widely-publicized) breaches of their own. When a company suffers a data breach, it will often be faced with the complex task of complying with a multitude of different state laws providing divergent standards of breach notification. States often differ in how they define what type of personal information triggers notification, how long a company has to send notifications, and whether notifications must be sent to third parties (e.g., government agencies or consumer reporting agencies). Navigating the sea of 47 different state laws can be quite challenging for companies confronted with the task.


European Commission announces new initiatives to tackle corruption

This post was written by George Hoare.

On 6 June 2011, the European Commission (EC) outlined measures to tackle the problem of corruption within the European Union (EU). According to figures quoted in the press release, four out of five EU citizens regard corruption as a major problem in their Member State, with corruption estimated to cost the EU economy €120 billion per year.

The most significant of the new initiatives is the establishment of the EU Anti-Corruption Report (the Report). The Report will be issued by the EC every two years, starting in 2013, and is intended to give a clear picture of anti-corruption efforts and achievements within the EU, as well as pointing out failures and vulnerabilities across the 27 Member States. It is hoped that the Report will stimulate peer learning and exchange of best practices between Member States.

Further initiatives to tackle corruption are expected over the coming years. These include: proposals for modernising rules for confiscating criminal assets; an action plan for how to improve the gathering of crime statistics; and a strategy to improve criminal financial investigations in Member States. In parallel, the EU will put greater emphasis on anti-corruption considerations in its relevant policies. These initiatives are part of a wider agenda to protect Europe’s licit economy, as set out in the EU Internal Security in Action presented by the EC in November 2010.

According to Cecilia Malmström, European Commissioner for Home Affairs, implementation of anti-corruption legislation among Member States is “very uneven”. She considers that there is “not enough determination amongst politicians and decision-makers” to fight corruption and the Report is designed to generate the political will to tackle the problems associated with corruption.
 

More than a Pass-Through?: DCAA to Evaluate whether Contractors and Subcontractors "Add Value"

This post was written by Stephanie E. Giese.

Contractors for the U.S. Department of Defense, as well as the civilian agencies, should expect to start seeing the Defense Contract Audit Agency (“DCAA”) recommend disallowance of certain contract costs on grounds that a contractor or subcontractor fails to “add value” when it subcontracts out more than 70% of its work under a federal government contract. As a result of new DCAA guidance, such contractors and subcontractors may now be required to provide evidence of “adding value” to DCAA during forward pricing rate proposal audits, incurred cost audits, and audits of final vouchers.

In February 2011, DCAA published guidance regarding auditing compliance with FAR 52.215-23, Limitations on Pass-Through Charges. FAR 52.215-23 is a clause that applies to prime contractors and subcontractors at all tiers with cost reimbursement contracts that exceed the simplified acquisition threshold. For DoD contractors and subcontractors FAR 52.215-23 applies not only to cost reimbursement contracts, but also fixed-price contracts, except those for commercial items or those awarded with adequate price competition. For example, DCAA may disallow a contractor's indirect costs and fee on work performed by a subcontractor if the subcontractor is performing 70% of the total cost of the work under the contractor's prime contract. In this case, DCAA may disallow the prime contractor's indirect costs and fee related to the subcontract if the prime contractor is not successful in proving its subcontract management functions "add value" to the performance of its government contract. The same rule applies to a subcontractor who subcontracts 70% of the work under its subcontracts to lower-tier subcontractors. In other words, the federal government does not want to pay a government contractor for indirect costs and fee associated with managing a subcontractor (in addition to the subcontractor’s indirect costs and fee) if the subcontractor is actually doing most (more than 70%) of the work, unless such a contractor can show it “adds value”.

Determining whether a contractor complies with the FAR 52.215-23 clause is going to be very subjective based on the definition of “added value” in the clause. “Added value” means “that the Contractor performs subcontract management functions that the Contracting Officer determines are a benefit to the Government (e.g., processing orders of parts or services, maintaining inventory, reducing delivery lead times, managing multiple sources for contract requirements, coordinating deliveries, performing quality assurance functions).”

Contractors and subcontractors should look for this FAR 52.215-23 clause in their solicitations and contracts with the government and be prepared to comply with it. Compliance includes, but is not limited to, preparing evidence for DCAA to show that the contractor's subcontract management function "adds value", as well as flowing the same requirements down to suppliers.
 

UK's Serious Fraud Office survives - but for how long?

This post was written by Simon D. Hart.

After months of speculation, and rumoured turf wars within the UK government, it has today been confirmed that the UK’s Serious Fraud Office (“SFO”) will not be broken up and will remain independent of the new National Crime Agency (“NCA”). The SFO will retain both its investigative and prosecution powers in relation to major economic fraud and corruption. Crucially for the SFO, this means it retains control of investigations and prosecutions under the new Bribery Act 2010 which comes into force on 1 July.

There had been considerable speculation that the SFO would be broken up with its investigative powers being folded into the new NCA and its prosecution powers being passed to the existing Crown Prosecution Service. Richard Alderman, the director of the SFO, had been arguing strongly that the way to tackle serious fraud and advance the anti-corruption agenda was for there to continue to be a single, specialised unit which had both investigative and prosecution powers. He appears to have won that battle – but perhaps not the war. The sting in the tail of today’s announcement is that the government has left open the prospect of the future of the SFO being reviewed one year after the NCA becomes operational in 2013.

The recent uncertainty over the future of the SFO has given rise to the departures of a significant number of senior personnel from the organisation. Whilst today’s announcement means the SFO will survive in its current form for now, the fact that it may only be a stay of execution is unlikely to assist the SFO in recruiting the investigators and prosecutors it now needs to deal with complex and high value fraud and corruption.
 

Unanimous Supreme Court Appears to Hand Investors Big Wins, But Opinions Offer Defendants More Than Rulings Might First Reveal

This post was written by Amy J. Greer.

The Supreme Court issued two opinions this term that could dramatically alter the landscape of securities fraud litigation. In Matrixx Initiatives, Inc., et al. v. Siracusano, 563 U.S. ____ (2011), the Court unanimously held that a claim for securities fraud against a drug company may be stated if the company intentionally or with deliberate recklessness fails to disclose adverse drug reactions, regardless of whether those reactions are statistically significant. In another unanimous decision, Erica P. John Fund, Inc. v. Halliburton Co., 563 U.S. ____ (2011), the Court rejected the Fifth Circuit’s stringent requirement that plaintiffs relying on a fraud-on-the-market theory need also prove loss causation at the class-certification stage. While at first blush these decisions would appear to be clear victories for investor-plaintiffs, analysis reveals the more likely outcome of these new cases will be to make the initial pleading and class certification aspects of securities fraud litigation more critical than ever, encouraging the parties to engage experts and undertake extensive discovery even at those early stages of a lawsuit.
 

Problems With Passwords, Part I: What Tennessee Did and Did Not Address

This post was written by Paul Bond and Chris Cwalina.

The theft of services has always been illegal in Tennessee. However, consumers in Tennessee, like those across the country, routinely share their passwords to online subscription-based services like Netflix, Rhapsody, Pandora, and Hulu. The Tennessee General Assembly has addressed this issue by amending the State’s theft of services statute. The newly-revised statute makes it a criminal act to help anyone obtain a service to which he or she is not entitled, including “entertainment subscription service[s]”. The revision has been signed by the Governor, and is immediately effective. See a copy of the enacted law (attached) as well as Legislative commentary.

While the measure was widely reported as making it illegal to share passwords to online services, in fact the word “password” is not used in the revision. Tennessee’s measure is neutral as to the technology used. Whether access to the online entertainment service is based on passwords or tokens or biometric data, now or in the future, paying customers cannot legally share their path to access with non-subscriber friends and family.

The Tennessee measure addresses only the tip of the iceberg when it comes to password sharing (hereafter, a term meant to include all sharing of methods of access online). A person stealing Netflix Instant access is no different from a cable thief, or a thief of physical goods. That much should be uncontroversial. The real, unanswered question is to what extent customers should be allowed to share passwords with third parties for purposes, not of theft, but of agency. More and more, consumers are entrusting third parties with the account numbers and passwords issued to them by their banks, credit card companies, retirement plans, and other holders of consumer accounts and lines of credit. This password-sharing may be for purposes of storing all passwords in one central location (like LastPass), or for purposes of having an agent retrieve financial information from multiple accounts to compile one snapshot for the consumer (like Mint.com or CashEdge), or even to have an agent arrange for automated bill payment. Consumers provide their account passwords to these third parties, who generally have not been vetted or approved by the companies issuing the password and holding the consumer account. The Tennessee statute does not address this circumstance. The next part of our Problems with Passwords series will deal with the privacy and competitive intelligence risks posed by the widespread (and growing) consumer practice of password sharing with third parties for purposes of agency.

Same Stuff, Different Way: New ITAR Rules on Transfers to Dual and Third-Country Nationals Move U.S. Companies into Oversight Role, but Don't Lighten the Compliance Load

This post was written by Joelle E.K. Laszlo.

A relaxation of export controls is not very relaxing when all it really does is shift the majority of the compliance burden from one party to another. But it appears that that will be the result of recent amendments to the International Traffic in Arms Regulations (“ITAR”) regarding transfers of unclassified technical data and defense articles to dual and third-country nationals employed by approved end-users. Under the new rules, U.S. companies will no longer have the responsibility to collect and submit to the State Department’s Directorate of Defense Trade Controls (“DDTC”) certain biographical information about the employees of their foreign business partners, in order to ensure there will be no diversion of unclassified defense articles or controlled technical data to unauthorized countries or entities. Instead, the bulk of anti-diversion tasks will fall to the foreign business partners. Since the U.S. companies in these arrangements will remain responsible for everyone’s ITAR compliance, however, their new role may be one of strenuous oversight of their business partners’ anti-diversion measures.

Under DDTC’s current policy, a U.S. company seeking authorization under the ITAR via a Technical Assistance Agreement or a Manufacturing License Agreement for the transfer of unclassified defense articles and/or technical data to a foreign business partner has typically been required to collect and provide the nationality and country of birth of each of the business partner’s dual- and third-country national employees who will have access to the transferred defense articles, and submit this information with the associated agreement application. (A dual national is a citizen or national of the country of his employer and of another country, neither of which is the United States. A third-country national is a citizen or national of neither the United States nor the country of his employer.) The collection of employee personal data is not required if every individual who will have access to the transferred articles is a national of a NATO or European Union member country, Australia, Japan, New Zealand, or Switzerland. In order to qualify under this exemption, however, the transfer to any national of one of the named countries must take place entirely within the physical territory of the country, or the United States, and the foreign business partner that employs the national must be a signatory to the agreement under which the transfer is made, or must have executed a Non Disclosure Agreement. As noted by commenters to the new rules, the personal data collection required for any proposed transfer of defense articles that doesn’t meet the precise specifications of the exemption imposes a significant administrative burden on U.S. companies, and potentially violates foreign data privacy, labor, and “human rights” laws.

The new rules add an exemption to the current policy that will permit transfers of unclassified defense articles and technical data to dual and third-country national employees of a foreign business partner (including any corporate or governmental entity or international organization, whether the partner is an end-user, consignee, or sub-licensee) without prior DDTC authorization (and the personal data collection pursuant thereto), provided four conditions are met:

  • First, any dual or third-country nationals who will have access to the transferred articles or technical data must be either (a) “permanently and directly employed” by the foreign business partner, or (b) “in a long term contractual relationship” with the business partner and meet certain other employment criteria detailed in the exemption;
  • Second, the transfer must take place entirely within the physical territory of the country where the business partner is located or operates;
  • Third, the transfer must be within the scope of an approved export license or other export authorization (or a license exemption); and
  • Fourth, the foreign business partner “must have effective procedures to prevent diversion” of the transferred articles.

This fourth condition is the one that shifts the compliance burden, and there are two ways that it may be met. First, the foreign business partner will be considered to have “effective procedures to prevent diversion” if it has a security clearance for its employees issued by the government of the country in which it operates. Alternatively, a business partner lacking such a clearance must (a) have in place an active “technology security/clearance plan” that includes a process to screen employees for “substantive contacts” with restricted countries and (b) maintain a Non Disclosure Agreement with any employee to whom the defense article is to be transferred. The business partner must keep records of its screening activities for five years, and provide details of its plan and records to DDTC upon request “for civil and criminal law enforcement purposes.”

While the provision equating the foreign business partner’s holding of a general security clearance with “effective procedures to prevent diversion” arguably should lessen the compliance burden for all parties, it also has distinctly limited applicability. Otherwise, the new rules impose a substantial burden on business partners to develop comprehensive plans for employee screening with virtually no guidance about what will make those plans “effective” to prevent diversion. Though the new rules put forward seven kinds of activities constituting “substantive contacts” for which dual and third-country national employees should be screened, the seventh is the very broad “acts otherwise indicating a risk of diversion.” Thus absent further guidance from DDTC, foreign business partners will have to devise their screening plans largely from scratch, and in light of the same data privacy, labor, and “human rights” laws that make compliance with the current policy difficult. Given that they will be held wholly responsible if something goes wrong, U.S. companies will not only want a say in the development of those screening plans, but will have to devise some means of monitoring to ensure that the plans are being followed, and that they are being “effective.” As a result, U.S. companies that wish to take advantage of the new exemption and still meet the obligations of anti-diversion compliance will also be required to shoulder some of the burdens of risk analysis and anti-diversion enforcement.

The new rules will take effect on August 15, 2011. In the meantime, we’ll be watching State closely in anticipation of further guidance.

Research assistance for this post was provided by former Reed Smith Intern Henry R. Barnes.


 

At Least One Big Fish Enters the Murky Regulatory Waters of Social Media

This post was written by Amy J. Greer.

While some have suggested that Morgan Stanley's announcement this week that it will permit its financial advisors to take some tentative first steps into the world of social media is nothing but a big yawn, given how fraught the social media world is with potential regulatory land mines, in context, these apparent "baby steps" start to look more like giant leaps.  For more information on Morgan Stanley's splash into Social Media click here.

 

Prepare Now and Protect Your Cookie Jar (or those cookies may crumble)!

This post was written by Cynthia O'Donoghue and Nick Tyler.

Now that the revised rules on cookies and consent are in force in the UK, there have been two developments that we want to bring to the attention of clients by way of an update of our earlier Client Alert:

  • In an 'open letter on the UK's implementation of Article 5(3) of the e-Privacy Directive on cookies' dated 24 May 2011 (the 'DCMS letter'), the UK Department for Culture, Media and Sport (DCMS), in consultation with the UK Information Commissioner's Office (ICO), clarified how the Amended Regulations should be interpreted and implemented, following legal issues raised by industry stakeholders.
  • The ICO issued further guidance on how it will enforce the new cookie regime on 25 May 2011.

While the ICO guidance was anticipated, the DCMS letter was not. In our latest Client Alert we provide a summary of the key aspects of both these developments.

The UK is one of only a few EU countries to have implemented the revised e-Privacy Directive, and we shall be keeping a close eye on developments over the coming months to see whether the UK 'recipe' for revised cookie rules is followed elsewhere.

FAPIIS Flap-is: Transparency Advocates Hate It Now, Contractors Likely to Hate It Later

This post was written by Lorraine M. Campos, Melissa E. Beras and Joelle E.K. Laszlo.

It has been called “a steaming pile,” posited as “the worst government website . . . ever seen,” and emblazoned with two giant red thumbs pointed downward. And those were the reviews of its proponents. Just a handful of weeks after much of its content became publicly available, the Federal Awardee Performance and Integrity Information System (“FAPIIS”) looks like a database only a mother could love. That is not to say, however, that FAPIIS can be ignored. As its content and its navigability improve, FAPIIS could become a formidable obstacle for contractors seeking to demonstrate their responsibility to do business with the Federal government. Contractors should become familiar with FAPIIS now, to be positioned, if necessary, to mount a good defense later.

As a quick recap, FAPIIS consolidates information from existing Federal databases, including the Excluded Parties List System, the Past Performance Information Retrieval System (“PPIRS”), and the Contractor Performance Assessment Reporting System (“CPARS”), and also accepts inputs from contracting officers and contractors (via the Central Contractor Registration database) on an ongoing basis. In the latter category, as of April 22, any contractor with more than $10 million in active contracts and grants that is bidding on a Federal contract over $500,000 is required to report any finding or admission of its fault in a criminal, civil, or administrative proceeding in the preceding five years. The contractor is further required to certify that the information provided is “current, accurate, and complete as of the date of the submission,” and to provide updates on a semi-annual basis. These details, along with Government-supplied data posted since April 15 about contractor terminations for default; suspension, debarment, and other penalties; non-responsibility determinations; defective pricing determinations; and contract-related criminal, civil, and administrative proceedings and their outcomes are now publicly available through FAPIIS.

The recency of the information available through FAPIIS is responsible for some of the criticism about its usefulness, and this should only improve with time. But at a recent open colloquium about FAPIIS, certain other downsides to the database emerged, without similarly clear solutions. For example, currently when past performance information is posted by a Government official to a contractor’s record in CPARS, the contractor is notified and receives thirty days to review and comment on the information before it is transferred to PPIRS. (A contractor that wishes to comment on a past performance review after the thirty-day period must do so through PPIRS.) The contractor’s comments are ultimately to be posted in FAPIIS along with the Government’s review, though it appears uncertainties remain about how much space (in characters) a contractor will have for its defense, how easily contractor comments may be located in FAPIIS, and even how quickly and thoroughly a contractor must comment in order to preserve the ability to protest the loss of a contract because of its negative reviews in FAPIIS. What is clear, however, is that FAPIIS imposes a duty on every contractor to pay close attention to its past performance reviews, and to have a plan for commenting on those that may be detrimental to future contracting opportunities.

What that duty is exactly and the advisable dimensions of a response plan will probably take shape as FAPIIS does. In the interest of providing greater structure to the database, the Office of Management and Budget will soon publish a final rule setting forth standardized past performance evaluation factors and procedures for their reporting. Governmentwide training for contracting officers in the entry and use of FAPIIS data is also reportedly in the works. And for now, anyone who conducts a search in FAPIIS is presented with a pop-up window meant to remind contracting officers that “use of the information in [FAPIIS] should not result in de facto debarment.” … On further thought, one can only hope that the FAPIIS training comes sooner rather than later.
 

Decision Do-Over? Future Uncertain for Virginia Decision Expanding Reach of Citizens United

This post was written by Lorraine M. Campos, Christopher L. Rissetto, and Melissa E. Beras.

Just as the 2012 political races are heating up and taking shape, Judge James Cacheris of the District Court for the Eastern District of Virginia expanded the reach of Citizens United v. FEC, 130 U.S. 876 (2010), by rendering unconstitutional limits on corporate contributions to federal candidates. In the opinion, filed May 26, 2011, Judge Cacheris dismissed one of seven charges filed against Virginia businessmen William P. Danielczyk, Jr. and Eugene R. Biagi (together “Defendants”).

Mr. Danielczyk, Chairman of Galen Capital Group, LLC, and Galen Capital Corporation (together “Galen”) and Mr. Biagi, an executive at Galen, are accused of illegally soliciting and reimbursing contributions to Hillary Clinton’s 2006 Senate Campaign and 2008 Presidential Campaign. Specifically, federal prosecutors contend that Mr. Danielczyk and Mr. Biagi subverted federal campaign contribution limits by soliciting employees of their financial firm to make campaign donations to two fund-raisers hosted by Mr. Danielczyk and then reimbursing the employees with company money. According to the Wall Street Journal, Mr. Danielczyk and approximately a dozen of his employees and their spouses, some of whom were Republicans, allegedly gave about $100,000 to Mrs. Clinton’s 2008 Presidential Campaign alone.

Federal prosecutors argued the Defendants’ actions violated, among other laws, section 441b(a) of the Federal Election Campaign Act (FECA), which bans direct corporate contributions to campaigns for federal office. Alternatively, Defendants maintained that under Citizens United, such a ban violated the First Amendment and thus the count should be dismissed.  In Citizens United, the Supreme Court found another provision of the FECA, the independent expenditure ban, was unconstitutional as the Court held there was no distinction between an individual and a corporation with respect to political speech and thus the First Amendment did not allow political speech restrictions based on a speaker’s corporate identity.

Ruling that the logic employed in Citizens United was “inescapable” in the case before it, the Danielczyk court reasoned if an individual can make direct contributions within FECA’s limits, a corporation cannot be banned from doing the same.

Nevertheless, the trajectory of the Danielczyk decision seems uncertain. The Danielczyk court acknowledged that the U.S. District Court for the District of Minnesota disagreed with this outcome in Minnesota Citizens Concerned for Life, Inc. v. Swanson, 741 F. Supp. 2d 1115 (D. Minn. 2010), where that court found the Citizens United holding was limited to corporate independent expenditures and was not a repudiation of the limitation on direct contributions to candidates. The case has already been criticized for ignoring another Supreme Court decision, Federal Election Commission v. Beaumont, 539 U.S. 146 (2003), which upheld the ban on direct corporate contributions to federal candidates and was not specifically overturned in Citizens United. Furthermore, on Tuesday, May 31, 2011, Judge Cacheris ordered prosecutors and defense lawyers to submit additional briefs by Wednesday, June 1, 2011 on whether he should reconsider his ruling. A hearing is scheduled for Friday, June 3, 2011.