United Kingdom Information Commissioner’s Office Power to Fine Company Officers for Nuisance Calls and Messages Comes into Force December 17

On December 17, the Privacy and Electronic Communications (Amendment) Regulations (2018 Regulations), which the United Kingdom Secretary of State made on November 15, will come into force.  These regulations, which amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (2003 Regulations), authorize the Information Commissioner’s Office (ICO) to impose monetary penalties on officers of corporate bodies and Scottish partnerships, in addition to corporate bodies themselves, for nuisance calls and messages.

According to the explanatory note for the 2018 Regulations, under the 2003 Regulations

the Information Commissioner may impose a monetary penalty, under the Data Protection Act 1998 as applied to, and modified by, the 2003 Regulations, for a serious breach of regulations 19 to 24 of the 2003 Regulations. The effect of the amendments made by regulation 2 [of the 2018 Regulations] is to enable the Commissioner to impose such a penalty on an officer of a body corporate or Scottish partnership in addition to the body itself, where such a breach occurs as a result of action, or inaction, by that officer.

The 2018 Regulations revise Schedule 1 of the 2003 Regulations to state that if a monetary penalty notice has been served on a body,

the Commissioner may also serve a monetary penalty notice on an officer of the body if the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body—

(a) took place with the consent or connivance of the officer, or

(b) was attributable to any neglect on the part of the officer.

They also define the term “officer” to include (a) in relation to a body corporate, (i) “a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity”, and (ii) “where the affairs of the body are managed by its members, a member”; and (b) “in relation to a Scottish partnership, a partner or any person purporting to act as a partner.”  Finally, the 2018 Regulations authorize the ICO to impose a civil monetary penalty on an officer of up to £500,000 for a breach of the 2003 Regulations.

Note: The United Kingdom, like other countries, for some time has been trying to cope with the constant flood tide of nuisance calls and messages.  The Financial Conduct Authority recently stated that in the 12 months before September 2018, firms made 2.7 billion unsolicited calls, texts, and emails just for offers to help people make a claim.

The ICO has been making use of its existing nuisance-call authority to impose significant fines on corporate bodies.  It reportedly issued 26 fines totaling more than £3 million to firms, and continued to impose substantial fines in 2018.  For example:

  • August 2018: The ICO imposed a £100,000 fine on a firm that made 75,649 nuisance calls to people who were registered with the Telephone Preference Service (TPS). The TPS, like the “do-not-call” list in the United States, allows people in the United Kingdom to register if they do not want to receive unsolicited sales or marketing calls.
  • October 2018: The ICO imposed a £150,000 fine on a firm that made 63,724 calls over a two-month period from May to July 2017 to people registered with the TPS.
  • November 2018: The ICO imposed fines totaling £250,000 on two firms that made nearly 1.73 million direct marketing phone calls to people registered with the TPS.

These fines, however, have evidently proved insufficient to stem the tide of nuisance calls and messages to United Kingdom residents.  Moreover, media reports have highlighted the fact that nearly one-half of the £17.8 million of nuisance-call fines issued to companies since 2010 has gone unpaid, as company officers evade the fines “by withholding payment, liquidating their companies and starting business again under new names.”  With luck, the ICO may be able to reverse that trend and put paid to the most unscrupulous marketers whose business models are dependent on nuisance calls.

Public Prosecution Service of Canada Suddenly Stays Major Money Laundering Case Nearing Trial

On November 28, CBC reported that during the week of November 19, a major money laundering case that the Public Prosecution Service of Canada (PPSC) was scheduled to take to trial in January 2019 was stayed (i.e., discontinued) at PPSC’s request.  A press release by the Royal Canadian Mounted Police (RCMP) briefly stated that the charges “were stayed for several reasons that materialized during the course of the file; the nature of which will not be discussed in any detail given operational sensitivities.”

Criminal charges in the case had been laid in 2017 against three defendants: Silver International Investments Ltd., a Richmond, British Columbia-based money-transfer business; Caixuan Qin, the director of Silver; and a second individual, Jain Jun Zhu.  All three defendants were charged with five counts that included laundering proceeds of a crime, possession of property obtained by crime, and failing to ascertain the identity of a client.  Government documents alleged

that organized criminals used Silver as an illegal bank to wash drug money. According to the allegations, a network of “private lenders” in Richmond lent cash from Silver to VIP gamblers recruited from China. These high-rollers visited B.C. for gambling junkets, according to these allegations, and received hockey bags full of cash.

Officials allege these loans allowed wealthy gamblers to get money in Canada, bypassing China’s tight-capital export controls, and pay back the loan through underground banks in China. The VIPs were able to buy betting chips with street-cash $20 bills, mostly at Richmond’s River Rock Casino, and later cash out with $100 bills more suitable for investment in B.C., an audit by B.C.’s gaming enforcement policy branch alleges.

The stay of the case is clearly a setback for Canadian law enforcement’s efforts against money laundering, particularly “Operation E-Pirate,” the investigation that the RCMP had been conducting since 2015 into money laundering in British Columbia.  There is no doubt that money laundering through casinos in British Columbia’s Lower Mainland (i.e., the area in and around Vancouver) has reached grave proportions over multiple years.  A 2018 report, which British Columbia Attorney General David Eby commissioned, stated that for many years, “certain Lower Mainland casinos unwittingly served as launderomats for the proceeds of organized crime.”

The stay does not appear to have imperiled Operation E-Pirate overall.  A statement by Federal Minister of Border Security and Organized Crime Reduction Bill Blair that “[w]e cannot comment further on an ongoing investigation” may indicate that E-Pirate will continue.  On the other hand, the RCMP reportedly stated that it “is reviewing the file to understand ‘its activities which contributed to this stay,’ to incorporate relevant lessons and prevent this from happening in the future.”  That statement clearly suggests that the PPSC found it necessary to drop the Silver/Qin/Zhu case because of critical flaws in investigative procedures.  If that proves to be the case, as the United Kingdom Serious Fraud Office found in 2012 when it found it necessary to drop a case fatally flawed by a seriously mishandled investigation, it may take some time to repair the damage to the PPSC’s and RCMP’s reputations.

The Marriott/Starwood Data Breach: Early Lessons To Be Learned

On November 30, Marriott International announced that it had learned from an internal investigation in September 2018 that “an unauthorized party” had obtained unauthorized access to the guest reservation database of Starwood Resorts, which Marriott had acquired in 2016.  That unauthorized party apparently obtained information on

up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

For compliance officers responsible for cybersecurity, the most troublesome fact that Marriott disclosed should not be the magnitude of this breach (though that is certainly breathtaking), but its statement that it “learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”  While Marriott reported that it is supporting law enforcement efforts, “working with leading security experts to improve,” and offering various information resources and support for persons who may be affected by the breach, cybersecurity experts quickly responded that Starwood should have detected the breach years earlier – not least because Starwood had suffered a different, smaller breach in 2015, not long after Marriott had announced the deal to acquire Starwood.

That response has a substantial measure of truth, but does not delve deeply enough.  In fact, even at this early stage of post-breach activity, there are several lessons that other companies can learn from Marriott’s situation.

First, there are at least three periods of time since the 2015 acquisition announcement at which Starwood, Marriott, or both companies should have discovered some indications of the 2014 breach:

  • Pre-Acquisition Due Diligence: Knowing that Starwood had suffered the 2015 breach, both Marriott and Starwood had ample opportunity, during the pre-acquisition phase, to review the state of Starwood’s cybersecurity measures and determine whether any significant instances of unauthorized access had taken place. It is no overstatement to say that cybersecurity is a critical component of pre-acquisition due diligence.
  • Post-Acquisition Due Diligence and Integration: If not done pre-acquisition, Marriott had ample opportunity, in the course of integrating Starwood and Marriott resources, to do a similar due diligence review and check for existing data breaches or other critical cyber vulnerabilities.
  • Post-Integration: Even in the post-integration phase, before Marriott’s and Starwood’s rewards programs merged in August 2018, Marriott had additional time to conduct proactive cybersecurity reviews relating to Starwood’s data resources.

Second, the fact that Marriott apparently first discovered in September 2018 that unauthorized access to the Starwood database had begun in 2014 suggests that there were additional critical gaps in the cybersecurity programs of both companies.  In the September 2018 version of its publication “Best Practices for Victim Response and Reporting of Cyber Incidents,”  the U.S. Department of Justice’s Cybersecurity Unit identified a number of best practices which organizations should adopt before a cyber intrusion or attack occurs.  Two of those are:

  • “Identify Your ‘Crown Jewels’.” The “Best Practices” document states that “[b]efore formulating a cyber incident response plan, an organization should first determine which of its data, assets, and services warrants the greatest protection. Prioritizing the protection of an organization’s “crown jewels” and assessing how to manage the risk associated with protecting them are important first steps toward preventing the type of catastrophic harm that can result from a cyber incident.”  The apparent lack of ongoing or periodic internal cybersecurity reviews for breaches, however, is strongly suggestive that Starwood did not recognize or designate its customers’ personal data as “crown jewels,” let alone prioritize their protection.
  • “Educate Senior Management about the Threat.” The document also states that “an organization’s senior management, board of trustees, and any other governing body responsible for making resource decisions and setting priorities should be aware of how cyber threats can disrupt an organization, compromise its products, impair customer confidence and relations, and otherwise cause costly damage.”  The failure to discover this breach at any time before September 2018, unfortunately, suggests that between 2015 and 2018, Starwood and Marriott senior management either were not sufficiently educated about the risks of cyber attacks and the need to dedicate appropriate resources to cyber defense, or were informed but disregarded or downplayed the information.

Much remains to be learned about the pre-September 2018 state of Marriott’s and Starwood’s cybersecurity programs.  It is not too soon, however, for companies to use the known facts about this latest breach, and inferences therefrom, as a benchmark for the basic condition of their own cybersecurity programs, and as an opportunity to remind senior management about the potentially catastrophic consequences of failure to maintain robust cyber defenses.

How Low Can Jho Go?

On November 30, two actions in the U.S. District Court for the District of Columbia indicate that the U.S. Department of Justice has been actively pursuing a troubling dimension of the extensive efforts by Malaysian billionaire Jho Low to evade prosecution for his role in the 1MDB scandal.  Not content with allegedly conspiring to bribe Malaysian and Abu Dhabian government officials to obtain and retain business and conspiring to launder the proceeds of that conduct, and fleeing Malaysia for Hong Kong, Macau, and parts unknown, the filings indicate that Low sought to use laundered funds to support lobbying efforts in the United States to influence the Department’s investigations of him.

First, the U.S. Department of Justice announced the filing of a civil forfeiture action, seeking to recover more than $73 million in funds that the Department stated were connected with billions of dollars embezzled from 1MDB that Low and others allegedly conspired to launder.  The Department also alleged, consistent with the indictment returned against Low and another individual last month, that Low and others paid hundreds of millions of dollars in foreign-official bribes.  The forfeiture complaint alleged that Prakazrel (“Pras”) Michel, a noted rapper and record producer – with the assistance of George Higginbotham, a senior Justice Department congressional affairs specialist until August 2018 – opened multiple bank accounts at U.S. financial institutions in 2017 to receive tens of millions of dollars in funds from overseas accounts controlled by Low.

The purpose of those funds was “to pay individuals to lobby high-level U.S. government officials to influence, inter alia, an ongoing U.S. Department of Justice (DOJ) criminal investigation of JHO LOW and related civil forfeiture proceedings over numerous of JHO LOW’s assets.”  In opening these accounts, Michel and Higginbotham allegedly made false and misleading statements to U.S. financial institutions that housed the accounts in order to mislead these institutions about the source of the funds and to obscure Low’s involvement in these transactions.

Second, Higginbotham entered a plea of guilty to one count of conspiracy to make false statements to a bank, relating to his helping to facilitate the transfer of tens of millions of dollars for Low’s lobbying campaign.  Higginbotham admitted “that the foreign principal behind the lobbying campaign was alleged to be the primary architect of the 1MDB scheme,” and

that another purpose of the lobbying campaign was an attempt to persuade high-level U.S. government officials to have a separate foreign national, who was residing in the United States on a temporary visa at the time, removed from the United States and sent back to his country of origin.

Finally, he also admitted that in order to conceal Low’s identity he conspired to make false statements to U.S. financial institutions concerning the source and purpose of the funds, and that he worked “on various fake loan and consulting documents in order to deceive banks and other regulators about the true source and purpose of the money.”

Note: Although the Wall Street Journal first disclosed the existence and general dimensions of these lobbying efforts in March 2018, these filings indicate more specifically the extent to which those efforts were intertwined with Low’s broader array of alleged federal crimes.  The Justice Department has sought to dispel potential concern that those efforts had any effect on the Department or its investigations.  In the forfeiture complaint, the Department stated categorically that “HIGGINBOTHAM, who was employed at DOJ in a non-lawyer position, was not involved in any way in the DOJ’s investigation of JHO LOW and failed to influence any aspect of DOJ’s investigation of 1MDB and JHO LOW.”  Still, many current and former Justice Department officials and employees must be dismayed, even angered, that any Justice Department employee would consider it appropriate to assist a known target of civil and criminal investigations by the Department in attempting to use political influence to interfere with the pursuit of those investigations.

As for Michel, the Department to date has not announced any civil or criminal charges against him personally pertaining to 1MDB or Low.  Nonetheless, Higginbotham’s plea and the forfeiture complaint – which includes allegations such as “MICHEL knew that JHO LOW was toxic to U.S. banks and that U.S. banks did not want to deal with him or accept JHO LOW’s funds” – provide reasons to believe that Michel, like Low, at the least may be losing his equanimity.

Hong Kong Court of Final Appeal Upholds Application of Securities Fraud Ordinance to Insider Dealing in Shares Listed Outside Hong Kong

On October 31, in Lee v. Securities and Futures Commission, the Hong Kong Special Administrative Region Court of Final Appeal decided that Section 300 of the Securities and Futures Ordinance (SFO), which broadly applies to securities fraud, applies to insider dealing in shares that were not listed on the Hong Kong Stock Exchange but were listed on the Taiwan Stock Exchange, provided that substantial activities constituting the crime occurred within Hong Kong.

Section 300 of the SFO states that a person

shall not, directly or indirectly, in a transaction involving securities, futures contracts or leveraged foreign exchange trading—

(a) employ any device, scheme or artifice with intent to defraud or deceive; or

(b) engage in any act, practice or course of business which is fraudulent or deceptive, or would operate as a fraud or deception.

In 2006, four persons engaged in an insider dealing scheme involving shares of Hsinchu International Bank, whose shares were listed on the Taiwan Stock Exchange and were being acquired by Standard Chartered Bank. “Betty”, a solicitor in an international law firm, “Eric,” a solicitor in another international law firm, and “Patsy” and “Stella,” two sisters of Eric, pooled more than HK$6.3 million to buy Hsinchu shares, before the tender offer was made public, through a Hong Kong-based securities firm account that Patsy had opened for the purpose of trading in shares listed in Taiwan. (All names used are the English names that the Court used in its judgments.)  Once the tender offer was made public, Patsy accepted the tender on their Hsinchu shares, making an aggregate profit of nearly HK$2.7 million.  In a civil proceeding by the Hong Kong Securities and Futures Commission (SFC), a judge found that Betty, Eric, and Patsy had contravened section 300 by engaging in their scheme and that Stella had been involved in the others’ contravention of section 300.

In his judgment, Justice Robert Tang found that the term “transaction” in section 300 “has a wide meaning” and covers the defendants’ scheme.  Although subsection 291(5) of the SFO, which specifically prohibits insider dealing, uses definitions of “listed securities” and “listed corporation” that make that subsection inapplicable to shares listed on the Taiwan Exchange, Justice Tang wrote, the term “securities” in section 300

is defined in wide terms and . . . is not confined to shares listed in Hong Kong. It can cover shares not listed in a recognized stock exchange.  I think it would be in keeping with the purpose of the SFO and Hong Kong’s position as an international financial center, that provided “substantial activities constituting the crime” occurred within Hong Kong, s[ection] 300 should cover the insider dealing in shares listed in Taiwan. I have no doubt that substantial activities constituting the complaint under s[ection] 300 occurred in Hong Kong. (Footnotes omitted)

Note: While one law firm has opined that the outcome in Lee was “widely anticipated,” the breadth of the Court’s construction of section 300 is certainly greater than the SFC could have expected.  In the light of the holdings on the breadth of key terms in section 300, and on the reach of section 300 beyond shares listed in Hong Kong even to “shares not listed in a recognized stock exchange,” it will not be surprising if the SFC makes increasing use of that section to pursue a broad array of insider dealing cases.  As the Court did not list or describe the types of activities that could constitute “substantial activities . . . occurr[ing] in Hong Kong,” the SFC will need to proceed cautiously in developing insider-dealing cases involving shares listed outside Hong Kong.