White Collar: Regulators Make the Shift from Carrots to Sticks
Publication | 01.10.24
“There is a global arms race for data and technology, including artificial intelligence, and that has been leading the U.S. government to look at cybersecurity and sanctions through the lens of national security,” says Jennie Wang VonCannon, a partner at Crowell & Moring. “Because of these high stakes, regulators are building more ‘sticks’ rather than ‘carrots’ into enforcement regimes—and making it clear that companies need to take these things very seriously. And more rigorous enforcement generally leads to waves of litigation.”
That shift can be seen in the Justice Department’s launch of its Civil Cyber-Fraud Initiative in October 2021. “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” DOJ Deputy Attorney General Lisa Monaco said at the time. “Well, that changes today.”
That move was followed by the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This called for companies in 16 critical infrastructure sectors to report ransomware attacks to the Department of Homeland Security within 72 hours. Then, in October 2022, Uber’s chief security officer was convicted on felony charges relating to the cover-up of data breaches. “That was a real shock, because it was the first time the government had prosecuted a company executive for their handling of a breach,” VonCannon says. Another shock came in October 2023, when the SEC sued the SolarWinds software company and its chief security executive for misleading investors about the company’s cybersecurity protocols.
In July 2023, the SEC released its own finalized cybersecurity reporting rules, which among other things require companies to report cyber breaches within four days. “That was important, because the SEC sets the bar for what publicly traded companies need to tell stakeholders,” says VonCannon. The SEC’s rules can be expected to lead to more litigation from the SEC, as well as shareholder class actions. In addition, she adds, “experience has shown that SEC enforcement actions are often followed by DOJ enforcement actions and, ultimately, more litigation.”
Here, being proactive can help companies. The SEC requires reporting on “material aspects” of a breach. “Historical securities case law says materiality is about the total mix of information available to investors,” says VonCannon. “So one strategy is to get more information out before a breach—the controls you have in place, encryption, backups, air-gapped systems that are off the network, and so forth. That way, if there’s a breach, you can take that information into account when determining materiality. Generally speaking, the more security protocols you have in place—and the more you tell investors about them—the better off you will be in terms of avoiding or defending against litigation.”
‘Sanctions are the new FCPA’
Meanwhile, the DOJ has put companies on notice that it is increasing its focus on sanctions violations, which often target the sharing of key technologies with other nations. The DOJ’s Monaco has said repeatedly that “sanctions are the new FCPA [Foreign Corrupt Practices Act],” and the DOJ is putting more resources into sanctions, export controls, and money laundering, as well as collaborating with the Treasury and Commerce departments on investigations. As a result, Monaco has said that sanctions were “once a technical area of concern for select businesses,” but “should now be at the top of every company’s risk compliance chart.”
Experience has shown that SEC enforcement actions are often followed by DOJ enforcement actions—and more litigation.
— Jennie Wang VonCannon
In this environment, “companies need to make sure they’re dotting their i’s and crossing their t’s with exports and payments,” says VonCannon. To do that, they can build on their FCPA experience. “Companies have become more sophisticated at FCPA compliance, so they don’t have to reinvent the wheel for sanctions. They can expand those compliance reviews to include sanctions, export controls, and money laundering.”
Ultimately, with both cyber incidents and sanctions, she says, “the government is battening down the hatches and increasing enforcement efforts—and companies need to be aware of that because that exponentially increases litigation risk.”