Cyberattackers’ Attempts to Exploit World Health Organization More Than Double

On March 23, Reuters reported that during March, cyberattackers attempted to hack into the World Health Organization (WHO), which has been playing a leading role in informing people about the coronavirus pandemic.  According to Reuters, cybersecurity expert Alexander Urbelis noticed around March 13 that a group of hackers that he had been following “activated a malicious site mimicking the WHO’s internal email system.”

The WHO’s Chief Information Security Officer, Flavio Aggio, told Reuters that the hackers’ identity was unclear and their effort unsuccessful.  He also stated that “[t]here has been a big increase in targeting of the WHO and other cybersecurity incidents.  There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

In addition to cyberattackers’ likely interest in personal identifying information, Costin Raiu, head of global research and analysis at Kaspersky Labs, identified strategic intelligence as another motive for the WHO attacks.  In his words, “At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Note: Chief Information Security Officer (CISO) teams should pass on this information promptly to all of their enterprise’s employees, whether working in corporate offices or from home.  In particular, they need to remind employees (including senior executives) that they should never respond to any unsolicited emails or texts that purport to come from the WHO or other government agencies offering information about the coronavirus, and should report any such emails received through their enterprise’s email system through the appropriate enterprise channels.

In addition, CISO teams should remind employees that if they are interested in obtaining coronavirus-related information from government agency websites, they should use only their personal computers to access trusted search engines and verify that the sites in which they are interested are legitimate official sites.  All public- and private-sector employees need to recognize that there are cyberattackers who have no compunctions about exploiting the public’s fear and confusion about the coronavirus, as the WHO itself put it in a recent public advisory, “to steal money or sensitive information.”

TRACE Issues 2019 Global Enforcement Report

On March 19, the anti-bribery business association and training provider TRACE issued its 2019 Global Enforcement Report.  The Report characterized 2019 as “a relatively slow year for enforcement actions in transnational bribery cases.”

The Report’s principal findings included the following:

  • The numbers of enforcement actions in cases involving bribery of foreign officials decreased for both the United States (19 percent, from 21 to 17) and non-U.S. jurisdictions (45 percent, from 11 to 6) (pp. 3, 8).
  • The United States had by far the highest number of investigations concerning bribery of foreign officials (121), followed by the United Kingdom (46), Germany (27), Switzerland (20), and France (16) (p. 6). As of the end of 2019, Brazil was conducting the most investigations concerning alleged bribery of domestic officials by foreign companies (32), followed by India (17) and China (14) (p. 13).
  • Companies in the extractive industries had the highest number of U.S. investigations concerning bribery of domestic and foreign officials (24, constituting approximately 19 percent of all U.S. investigations), followed by financial services (20, constituting 16 percent) and manufacturers/service providers (15, constituting 12 percent) (p. 20).
  • Companies in the extractive industries had the highest number of non-U.S. investigations concerning bribery of foreign and domestic officials (95, of which 49 were investigations involving foreign officials and 46 investigations involving domestic officials). Engineering/construction companies had a total of 83 non-U.S. investigations, and aerospace/defense/security companies a total of 72 non-U.S. investigations (p. 18).
  • Among countries of bribe recipients in investigations concerning bribery by U.S.-headquartered companies, China has the highest number (27), followed by Brazil (19) and India (11) (p. 16).
  • Since 1977, China has also had the highest prevalence of alleged bribery by foreign companies. Chinese officials were the alleged recipients of bribes in more than 110 different enforcement events (p. 15).

Note: The Report correctly states that “the resulting enforcement levels were not out of line with historical trends of anti-bribery enforcement” (p. 3).  That means, among other things, that while multinational cooperation in foreign-bribery investigations and enforcement actions continued through 2019, since 1977 the United States has continued to outpace other countries in the number of enforcement actions concerning bribery of foreign officials (279), with the United Kingdom and the Netherlands a distant second and third (42 and 14, respectively) (p. 7).

At this point in the coronavirus pandemic, it is highly likely that many countries, including the United States, will be forced to slow the pace and productivity of their anti-corruption enforcement programs through the remainder of 2020.  Whether participants in ongoing foreign-bribery schemes will be similarly constricted in their maintenance of those schemes remains to be seen.

Hong Kong Court Rejects Legal and Constitutional Challenges to Securities and Futures Commission Investigative Powers

On February 14, in To Man Choy Jacky v. Securities and Futures Commission, the Hong Kong Court of First Instance (Court) rejected a set of legal and constitutional challenges to the authority of the Hong Kong Securities and Futures Commission (SFC) to obtain and execute search warrants, to seize various digital devices pursuant to those warrants, and to require individuals to provide to the SFC the passwords to their email accounts or digital devices.

This case consolidated five separate applications for judicial review.  It stemmed from two ongoing SFC investigations concerning (1) a Hong Kong Exchange-listed company, Aeso Holdings Ltd (“Aeso”), and its 2017 listing and (2) bond placements by two other Hong Kong Exchange-listed companies, Skyfame Realty (Holdings) Ltd (“Skyfame”) and China Agri-Products Exchange Ltd (“China Agri”).

The Court itself deemed the background facts of the investigations to be “of some considerable complexity.”  In brief, the Aeso investigation involved a sustained dispute between two groups of Aeso shareholders and allegations of fraud and market manipulation.  The China Agri investigation stemmed from an SFC inspection of a firm that had placed private bonds for Skyfame, which led to concerns that the placing scheme and the related bond program might constitute securities fraud under the Hong Kong Securities Fraud Ordinance (Ordinance).

Because the Aeso Investigation and the Skyfame/China Agri Investigation involved common parties, the SFC conducted a joint operation based on warrants that magistrates issued in each investigation.   In the course of the joint operation, SFC representatives –

  • Found digital devices (including mobile phones, tablets and/or computers) belonging to applicants in the CFI case (Applicants);
  • Conducted keyword searches to check for relevant materials when no password was required to access certain devices, and when Applicants voluntarily unlocked the digital devices, “looked for relevant materials by using keyword searches or by scrolling through the contents to look for relevant materials”;
  • Based on the above-mentioned searches, were able “to identify materials contained in emails, contact lists and messaging applications that were relevant, or believed to be relevant, to the SFC’s investigations”;
  • Requested the Applicants to provide printouts of the relevant materials or login names/passwords to the email accounts or digital devices to enable the SFC to access the same, but Applicants either declined to do so outright “(in some instances by asserting legal professional privilege), or used various excuses not to provide the same;”
  • In one case in which an Applicant asserted legal professional privilege, “suggested that the relevant emails and attachments thereto could be printed out and kept under seal for the time being pending the resolution of the legal professional privilege claim,” but the Applicant rejected the claim;
  • Decided “to seize various digital devices belonging to the Applicants”; and
  • Issued notices under the Ordinance that required the Applicants “to provide the login names and/or passwords to various email accounts or digital devices.”

In its decision, the Court rejected the Applicants’ arguments that the decisions to seize and retain the Applicants’ digital devices and to issue the notices requiring provision of the login names and/or passwords were ultra vires, unlawful or unconstitutional.  With regard to seizure of such devices, the Court held that the SFC was “clearly and amply empower[ed]” to do so:

In order that the SFC can effectively discharge its investigative functions in relating to dealings or transactions in the securities and futures markets, it is obviously essential that the SFC has the power to seize and retain digital devices containing evidence of, or relating to, the relevant dealings or transactions.

With regard to retention of the devices, the Court held “that there can be no valid complaint about the continued retention of the digital devices if the decisions to seize them were lawful in the first place,” which the Court had previously found to be the case.

With regard to the notices, the Court took note of

the practical reality that information, documents and records are nowadays mostly kept in digital or electronic forms and stored in (inter alia) email accounts and digital devices which (i) would almost inevitably contain large amounts of personal or private, but irrelevant, materials, and (ii) are often also protected by specific login names/IDs and passwords.

It found that the Ordinance empowered the SFC “to require the Applicants to provide means of access to email accounts and digital devices which contain, or are likely to contain, information relevant to its investigations even though the email accounts and digital devices would likely also contain other personal or private materials which are not relevant to the SFC’s investigations.”  It also characterized the safeguards that the SFC offered to protect the Applicants’ privacy as “a practical and reasonable compromise of the conflicting interests of the SFC and the Applicants.”

With regard to the warrants themselves, the Court held that they satisfied the five requirements for such warrants under the Ordinance:

  • “(1) the magistrate’s satisfaction on information laid on oath by an employee of the SFC of the relevant matter was stated”;
  • “(2) the persons authorized to execute the warrant (namely, each and all employees of the SFC, amongst others) were specified”;
  • “(3) the premises authorized to be entered and searched were identified”;
  • “(4) the authorization given to the specified persons to search for, seize and remove any record or document which such persons had reasonable cause to believe might be required to be produced under Part VIII of the [Ordinance] was stated”; and
  • “(5) the validity period of the warrant was given.”

It also found that nothing in section 191(1) of the Ordinance “require[s] a warrant issued under that section to state the relevant offence or misconduct in respect of which the warrant was applied for and granted,” and that even if such a requirement could be found, the warrants in the present case specified the grounds on which records and documents might be required to be produced under the Ordinance.

Note:  This decision is a significant victory for the SFC in several respects.  The Court not only affirmed the general constitutionality and legality of the SFC’s investigative powers, but also approved the SFC’s broad construction of the Ordinance’s language in the exercise of those powers.  In addition, the Court’s endorsement of the SFC’s authority to require provision of login names and passwords will undoubtedly encourage the SFC to do so in other investigations in which digital devices may contain relevant information.

United Kingdom Competition and Markets Authority Imposes £3.4 Million in Fines on Pharma Firms for Anticompetitive Conduct

On March 4, the United Kingdom Competition and Markets Authority (CMA) announced that, after an investigation into the supply of the antidepressant drug nortriptyline, it had imposed fines totaling £3.4 million on four pharmaceutical companies for two violations of United Kingdom competition law.

One of the violations involved market-sharing between King Pharmaceuticals Ltd and Auden Mckenzie (Pharma Division) Ltd.  According to the CMA, those two firms “shared out between them the supply of nortriptyline to a large pharmaceutical wholesaler.”  From September 2014 to May 2015, the two companies agreed that King would supply only 25mg tablets and Auden Mckenzie only 10mg tablets. The two firms also colluded to fix quantities and prices.

The CMA stated that both King and Auden Mckenzie admitted violating the competition law.  It imposed a £1,882,238 fine on Accord-UK Ltd, which took control of Auden Mckenzie’s nortriptyline business after the market-sharing ended, and a £75,573 fine on King.  Accord-UK and Auden Mckenzie also agreed to make a £1 million payment to the United Kingdom National Health Service (NHS) in connection with the case — only the second time that the CMA “has secured a payment to the NHS following one of its pharmaceutical investigations.”

The other violation involved King, Lexon (UK) Ltd, and Alissa Healthcare Research Ltd “illegally sharing commercially sensitive information, to try to keep nortriptyline prices up.”  The CMA said that between 2015 and 2017, when the cost of nortriptyline was falling, the three suppliers “exchanged information about prices, the volumes they were supplying, and Alissa’s plans to enter the market.”

The CMA fined Lexon, which did not admit to violating the competition law, a total of £1,220,383.  By contrast, it fined King and Alissa £75,573 and £174,912 respectively, because they both admitted in September 2019 to violating the competition law.

In addition to the corporate fines and payment to the NHS, the CMA “secured the disqualification” of Dr. Philip Hallwood, a director at King and the sole director of consultancy firm Praze.  It reported that “Praze conducted King’s corporate and commercial services during the illegal activity and took part in this alongside King.”  After both King and Praze admitted to their involvement in the violation, Dr. Hallwood “signed a legally binding undertaking which disqualifies him as director of both companies,” meaning that he cannot be involved in the management of any UK company for seven years.  As the CMA explained,

Under the Company Directors Disqualification Act, the CMA has the power to apply to the court to disqualify a director from holding company directorships or performing certain roles in relation to a company for a specified period, if a company which he or she is a director of has breached competition law. The Act also allows the CMA to accept a disqualification undertaking from a director instead of bringing proceedings, which has the same legal effect as a disqualification order.

The CMA pointedly concluded that it “is also considering the possible disqualification of other directors.”

Note: Antitrust and competition compliance officers at United Kingdom companies should inform senior executives of these CMA penalties, to remind them that price-fixing and bid-rigging are not the only types of core anticompetitive conduct that can attract the attention of enforcement authorities.  They should also include these cases in their competition-law training materials.

Dubai Police Make First Arrest in 6,000-Ton Rice Trading Fraud Scheme

In July 2019, Gulf News reported on an apparent multimillion-dollar fraud involving the disappearance of some 6,000 tons of rice that Indian exporters had shipped into Dubai.  According to Gulf News, the 6,000 tons of rice disappeared without a trace, as did the company in whose name the rice was ordered and its ostensible representatives, whose checks (at least some of which were postdated) for the rice purchases, the warehouse from which the rice disappeared, and airline tickets bounced due to insufficient funds.  At that time, the Dubai Public Prosecutor ordered police in the Jebel Ali district of Dubai to investigate possible fraud by six men and two companies, including a Dubai money exchange, in the case.

On March 6, Dubai authorities reportedly made their first arrest in the case.  The individual, a 52-year-old Indian national, was released on bail two days later.  It is not clear whether the conditions of that individual’s bail prohibit him from leaving Dubai while the investigation proceeds.

Note:  This initial report may be heartening to the 20 or more Indian rice exporters who were victimized by the fraud.  It nonetheless underscores the need for exporters in general to pay attention to indicia of trading fraud schemes, which have plagued the United Arab Emirates for some time. As the Indian Consulate in Dubai tweeted after the arrest, “Indian traders especially those in rice should take due precautions specially on terms and mode of payment [Ed. – postdated checks] to avoid such situations.”