On June 15, 2022, the District Court for the Southern District of New York dealt a blow to former Citigroup Inc. (Citi) trader Rohan Ramchandani in his malicious prosecution lawsuit against his former employer.[1] Magistrate Judge Stewart D. Aaron denied Ramchandani’s motion to compel Citi to produce attorney notes of DOJ meetings and other

Companies that operate in more than one jurisdiction that are either carrying out an internal investigation or are subject to a criminal or regulatory investigation by U.S. law enforcement agencies will almost certainly need to consider the legality of trans-Atlantic data transfers.  Under European law, in particular, companies falling short in compliance with data protection laws could face fines of up to the higher of €20 million or 4% of annual global turnover.

With the introduction, in 2018, of the General Data Protection Regulation (“GDPR”) which generally prohibits (with some exceptions) the transfer of EU-based personal data outside of the European Economic Area (“EEA”) and other legislation, the overhaul of the EU data protection framework often leaves companies under investigation by U.S. law enforcement with tough decisions to make between complying with their obligations – or their wish – to meet U.S. prosecutors’ demands and abiding by relevant data protection laws.  In particular, some EU-based companies have found themselves at the receiving end of U.S. prosecutors’ requests or subpoenas for documents, in circumstances where compliance with them could potentially risk hefty domestic fines for breaching data protection laws.  There may also be other considerations to be borne in mind, such as relevant bank secrecy laws and common law rights to privacy, where a failure to comply with the relevant law could result in criminal sanctions including imprisonment.

Developments in U.S. and U.K. law, however, have introduced a framework for the legal cross-border transfer of data via cooperation between international authorities.  In addition to ensuring compliance with the GDPR and other privacy obligations in conducting data transfers,  U.S.- and U.K.-based communication service providers (“CSPs”)[1] should familiarize themselves with the recently signed U.K.-U.S. Bilateral Data Access Agreement (the “Agreement”).  The Agreement facilitates the objectives of the U.S. Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) and the U.K. Crime (Overseas Production Orders) Act 2019 (the “COPOA”).  According to a communication by U.S. Attorney General William Barr to Congress earlier this year, the Agreement was scheduled to become effective on July 8, 2020, but there has been no official announcement from either the U.S. or U.K. governments on the status of the Agreement.  Indeed, earlier this month, the U.K. government anticipated that the Agreement would “come[] into use later this year[.]”  We discuss the implications of these developments and considerations for U.S.- and U.K.-based companies needing to transfer personal data[2] across the Atlantic to facilitate investigations.Continue Reading Data Transfer Considerations in Investigations

Institutions of Higher Education are increasingly finding themselves in the crosshairs of high-profile criminal enforcement efforts. Recent headlines have highlighted a number of investigations and prosecutions that have achieved literal celebrity status:

  • The indictments and convictions of wealthy parents of college applicants in the Varsity Blues investigation, who are alleged to have paid bribes in

Securities litigation and enforcement activity often surge in times of crisis. Indeed, bedrock federal securities regulations were borne out of an extended crisis: the stock market crash of 1929 and the decade-long Great Depression that followed.

COVID-19 has already set off a wave of securities litigation. These private lawsuits and putative class actions have been based on allegedly misleading statements in securities filings and public statements. But issues surrounding proof in the COVID-19 era, including demonstrating the “price impact” of alleged misrepresentations for purposes of reliance and loss causation, limit the viability of these claims.

As public companies anticipate the next wave of securities activity they should expect limitations on private lawsuits to prompt the Securities and Exchange Commission (SEC) to ramp up civil enforcement. The Department of Justice (DOJ) may even launch related criminal investigations in high-profile cases.

We discuss below recent COVID-19-related securities litigation and enforcement trends, special issues with reliance and loss causation, and best practices to avoid the expected onslaught of SEC enforcement and DOJ investigations.Continue Reading Securities Enforcement Activity in the COVID-19 Era: A Backstop to Private Securities Litigation