Fraud Section’s 2024 Year in Review Shows Enforcement Uptick
The Fraud Section of the U.S. Department of Justice’s Criminal Division published its Year in Review last month, which showed an uptick in white collar enforcement in foreign corruption, financial fraud, and health care fraud. The enforcement affected a range of industries including telecommunications, defense contracting, software services, aviation, consulting, and financial services. Below we highlight the enforcement trends and identify our key takeaways for 2025.
Foreign Corruption
DOJ resolved eight criminal corporate cases and entered into one declination pursuant to its Corporate Enforcement and Voluntary Self-Disclosure Policy (“CEP”). The schemes involved bribery of officials in Latin America, Africa, the Middle East, and South and East Asia, and over $1.1 billion in criminal fines and disgorgement. One of the matters included the first coordinated resolution with Ecuador and the third with South Africa. Four trials of individuals charged with FCPA violations were held during the year.
In late 2023, DOJ created the Criminal Division’s International Corporate Anti-Bribery (“ICAB”) initiative, aimed at growing the Department’s foreign law enforcement partnerships. Several prosecutors serve as regional ICAB representatives, and DOJ has stated that ICAB members helped bring several of this year’s global FCPA resolutions.
Securities, Commodities & Cryptocurrency Enforcement
DOJ’s Market Integrity and Major Frauds Unit resolved three corporate matters and one CEP declination involving over $200 million in criminal penalties. The unit also charged 75 individuals. The schemes involved alleged abuses of 10b5-1 trading plans, insider trading in the equities and commodities markets, the largest cryptocurrency nonfungible-token scheme, and the first cryptocurrency open-market manipulation case.
Federal Procurement & Program Fraud
DOJ’s Market Integrity and Major Frauds Unit also investigated and prosecuted fraud in federal procurement and programs. In 2024, DOJ reached two corporate resolutions with major defense contractors for defective and fraudulent pricing, diversion of federal program funding, and counterfeit electronic parts used by the U.S. military in sensitive defense applications.
Health Care Fraud
DOJ charged 147 individuals for alleged schemes involving more than $3.26 billion in false and fraudulent claims. The Health Care Fraud Unit currently has strike force teams in 26 cities across the nation. Data analytics continues to be a major investigation predicate: the unit’s Data Analytics Team completed 3,229 data requests and made 151 proactive investigative referrals. The schemes involved cardio-genetic testing, amniotic wound grafts, controlled substance wholesalers, addiction treatment facilities, misbranded medication, laboratory testing, durable medical equipment, and telemedicine.
According to DOJ, telemedicine fraud schemes have “exploded” over the last five years, and the Department has responded with seven nationwide enforcement actions. Pharmaceutical distributors also remain an area of focus, with ten executives, sales representatives, and brokers charged in October 2024 in four federal districts. DOJ also expanded its Sober Homes initiative to combat fraudulent addiction and rehabilitation schemes that targeted Native Americans in Arizona. The initiative has addressed over $1.2 billion in alleged false billings for fraudulent tests and treatments for drug and/or alcohol addiction. The Fraud Section has partnered with the U.S. Attorney’s Office for the District of Arizona in this initiative.
False Claims Act
Although not a criminal statute, the False Claims Act is another tool used to combat federal procurement, federal program, and health care fraud. 2024 was a record year for False Claims Act settlements, which exceeded $2.9 billion. The government and whistleblowers were party to 558 settlements and judgments, the second highest total after last year’s record of 566 recoveries, and whistleblowers filed 979 qui tam lawsuits, the highest number in a single year. Settlements and judgments since 1986 exceed $78 billion.
Takeaways
As we look back at the enforcement trends from 2024, there are several key takeaways to consider for the year ahead:
Data Analytics continues to be a mainstay tool for proactive detection and leads in foreign corruption, health care, and financial fraud enforcement. The Fraud Section’s data analytics team identifies outliers, trends, and patterns in federal health care benefit program billing, market activity against public filing disclosures, and even analyzes data compiled in public sources for foreign corruption matters.
Whistleblower and Voluntary Self-Disclosure Programs appear to be working. We previously wrote about each of these programs here and here. According to DOJ, the programs have resulted in 180 tips on new or existing investigations. Companies should implement a robust internal reporting system that allows employees to report potential misconduct comfortably and confidentially. Effectively responding to internal complaints can deter whistleblowers from bypassing the company’s reporting system and provides the company with a documented response to present to the DOJ if necessary.
Foreign Corruption enforcement will continue to expand its international footprint. 2024 resolutions included companies based in China, Germany, Brazil, Spain, Australia, Switzerland, and South Africa. Look to even more enforcement in 2025 with enhanced tools like the Foreign Extortion Prevention Act, the Criminal Division’s International Corporate Anti-Bribery initiative, and the Administration’s renewed focus on Latin America.
Health Care Fraud enforcement provides an average return on investment of $73.04 per $1 spent and over $3 billion in projected savings. Telemedicine, genetic testing, pharmaceutical distributors, and durable medical equipment will remain areas of enforcement focus.
Cryptocurrency remains in focus as the market continues to be fertile ground for market manipulation and for schemes that exploit decentralized finance and automated trading. Enforcement will likely continue to include domestic and international laundering of crypto-fraud proceeds.
A copy of the full Year in Review report may be found here.
Saint Paul, Minnesota Enacts “Wage Theft” Ordinance
The City of St. Paul, Minnesota’s Wage Theft Ordinance took effect on January 1, 2025. The Ordinance largely incorporates the State of Minnesota’s existing wage theft legislation. However, similar to the Minneapolis Wage Theft Prevention Ordinance, effective in 2020, the City of St. Paul’s new Ordinance imposes additional obligations on employers with employees working within the geographic boundaries of the City of St. Paul.
Employee Notice Information Required
Minnesota state law requires employers to provide detailed information, in writing, to Minnesota employees at the start of their employment and to provide written notice of related changes to employees during employment. As of January 1, 2025, pursuant to the Ordinance, the notice for covered St. Paul employees must contain the following additional information:
The date on which employment is to begin;
A notice of the City of St. Paul’s minimum wage rates and an employee’s entitlement to such rates;
If applicable to the employee, a statement that the sharing of gratuity is voluntary; and
The overtime policy applicable to the employee’s position, if any, including when overtime must be paid and at what rate[s].
Under the Ordinance, employers may provide the information in the notice by reference to an employee handbook, collective bargaining agreement, or similar document, provided the employee is directed to the specific sections in which such information is contained.
In addition to providing the notice to all new hires, employers must provide the notice to all current, covered employees starting January 1, 2025, if the employer has not already provided the information contained in the notice to the employee. Similar to the state notice, the St. Paul notice must be signed by the employee and any change must be provided to the employee in writing before the change takes effect. Per the Ordinance, however, employers must additionally retain a copy of the initial notice as well as any written changes and records of when the employee received the notice(s).
Employers must provide employees with the notice in the language previously used for communication, or in a different language if the employer is aware the employee prefers it, as long as the Department has published notices in that language.
New Notice Poster Requirements
Annually, employers are required to notify employees of their rights under the Ordinance. Employers are also required to post a notice of employees’ rights at the workplace/jobsite, in English and in any language spoken by employees at the workplace/jobsite. Where the notice cannot be placed at the workplace/jobsite, employers may satisfy their obligations under the Ordinance by providing physical or electronic copies to each employee or by posting the notice of rights on a web or app-based platform.
Additionally, employers must include a notice of employee rights in any handbook provided to employees.
Employers should assess their compliance obligations under the Ordinance and revise any existing handbooks and notices accordingly.
New Tariffs on U.S. Imports from Canada, Mexico, and China
UPDATE (as of Feb. 3, 2025, at 10:45 AM ET): President Trump announced on TruthSocial an agreement with President Claudia Sheinbaum of Mexico to “immediately pause the anticipated tariffs for a one-month period during which we will have negotiations.” No similar such agreement has been announced with regard to Canada or China.
On February 1, 2025, President Trump utilized emergency powers to impose 25% tariffs on U.S. imports of goods from Mexico and most goods from Canada, and 10% tariffs on U.S. imports of goods from China and energy resources from Canada, effective Tuesday, February 4th.1 These tariffs are in addition to any other duties, fees or charges applicable to the imported products. Specific U.S. Harmonized Tariff Schedule classifications impacted will be identified in a forthcoming Federal Register notice, but no product exemptions are identified in the February 1st actions. In retaliation for these new actions, also on February 1st, Canadian Prime Minister Justin Trudeau and Mexican President Claudia Sheinbaum announced plans to implement retaliatory trade measures against U.S. exports to those countries.
The February 1st Executive Orders imposed an array of tariffs:
25% tariffs on all goods from Mexico.2
25% tariffs on all goods from Canada, except for “energy resources” from Canada. “Energy resources” will be subject to a 10% tariff. For purposes of these tariffs, “energy resources” from Canada are defined as: “crude oil, natural gas, lease condensates, natural gas liquids, refined petroleum products, uranium, coal, biofuels, geothermal heat, the kinetic movement of flowing water and critical minerals, as defined by 30 U.S.C. 1606 (a)(3).”3
10% tariffs on all goods from China.4
The tariffs are effective Tuesday, February 4, 2025, with respect to all goods entered for consumption or withdrawn from warehouse for consumption, on or after 12:01 AM Eastern Time. There is a limited exception for goods on the water or in the air at the time the tariffs were imposed: goods that were loaded onto a vessel at the port of loading or in transit on the final mode of transport for entry into the United States before 12:01 AM Eastern Time on February 1, 2025, will not be subject to the additional duties if the importer certifies as much to U.S. Customs and Border Protection (CBP) in accordance with forthcoming procedures.
Goods subject to these additional tariffs are ineligible for duty-free treatment under de minimis provisions (19 U.S.C. 1321), consistent with proposed regulations from U.S. Customs and Border Protection exempting other items subject to special duties from de minimis benefits. In addition, no drawback shall be available with respect to the duties imposed by these Orders. Goods subject to these tariffs that are admitted to a Foreign Trade Zone must be admitted in Privileged Foreign Status, as defined in 19 CFR 146.41.
U.S. import tariffs will be implemented through a Federal Register notice to be issued by DHS modifying the Harmonized Tariff Schedule of the United States (HTSUS) as needed “in order to effectuate this order consistent with law[.]”5 The forthcoming notice may identify narrow products or import classifications exempt from the actions, but the Executive Orders do not signal any products or sectors outside of the scope – nor do the Orders direct any agency to establish an exclusion process through which companies could request to be exempt.
The White House Fact Sheet accompanying President Trump’s Executive Orders focuses on the role of China, Canada and Mexico in “the sustained influx of illegal aliens and illicit opioids and other drugs”6 into the United States. The tariffs will remain in place until the President determines that sufficient action has been taken to alleviate the crisis. The Secretary of Homeland Security, in coordination with the Secretary of State, the Attorney General, the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security, are tasked with monitoring the situation and informing the President when the governments of the subject countries have taken adequate steps to alleviate the public health crisis through cooperative enforcement actions.
The Executive Orders also reserve the ability of the President to “increase or expand in scope the duties imposed under [each] order” should the countries retaliate against the U.S. in response to this action through import duties on U.S. exports to those countries. Canada and Mexico are both poised to take countermeasures against the U.S. Prime Minister Trudeau announced that Canada would impose 25 percent tariffs on US $107 billion (C $155 billion) worth of U.S. goods, with a portion of those tariffs effective on February 4th, contemporaneous with the effective date of the U.S. tariffs, and the rest phasing in after a 21-day public comment period.7 The initial measures are expected to impact US $20 billion in exports of U.S. beer, wine and bourbon, fruits and fruit juices, vegetables, perfume, clothing, shoes, household appliances, furniture, sports equipment, lumber and plastics.8 A second wave on another US $85 billion of goods would include tariffs on cars and trucks, agricultural products, steel and aluminum and aerospace products.9 Non-tariff measures are also apparently being considered. President Sheinbaum also stated that Mexico would take retaliatory tariff and non-tariff measures.10 Although her statements did not include details, reporting suggests that Mexico’s government is considering “so-called carousel retaliation, which would periodically rotate the U.S. products subject to retaliatory tariffs.”11 China’s reaction was more muted. China’s Ministry of Commerce issued a statement that “the Chinese government would file a complaint with the World Trade Organization and take unspecified ‘corresponding countermeasures to firmly safeguard its own rights and interests.’”12
We expect a rapidly changing trade and tariff environment during the duration of the Trump Administration.
[1] Imposing Duties to Address the Flow of Illicit Drugs across Our Northern Border, Exec. Order (Feb. 1, 2025) (“Canada EO”), available at https://www.whitehouse.gov/presidential-actions/2025/02/imposing-duties-to-address-the-flow-of-illicit-drugs-across-our-national-border/; Imposing Duties to Address the Situation at Our Southern Border, Exec. Order (Feb. 1, 2025) (“Mexico EO”), available at https://www.whitehouse.gov/presidential-actions/2025/02/imposing-duties-to-address-the-situation-at-our-southern-border/; Imposing Duties to Address the Synthetic Opioid Supply Chain in the People’s Republic of China, Exec. Order (Feb. 1, 2025) (“China EO”), available at https://www.whitehouse.gov/presidential-actions/2025/02/imposing-duties-to-address-the-synthetic-opioid-supply-chain-in-the-peoples-republic-of-china/.
[2] See Mexico EO at Sec. 2(a).
[3] See Canada EO at Sec. 2(a)-(b).
[4] See China EO at Sec. 2(a).
[5] See Canada EO at Sec. 2(e); see also Mexico EO at Sec. 2(d); China EO at Sec. 2(d).
[6] The White House, Fact Sheet: President Donald J. Trump Imposes Tariffs on Imports from Canada, Mexico and China (Feb. 1, 2025), available at https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-imposes-tariffs-on-imports-from-canada-mexico-and-china/.
[7] Department of Finance Canada: Government of Canada announces next steps in its response plan to unjustified U.S. tariffs (Feb. 2, 2025), available at https://www.canada.ca/en/department-finance/news/2025/02/government-of-canada-announces-next-steps-in-its-response-plan-to-unjustified-us-tariffs.html.
[8] Department of Finance Canada: List of products from the United States subject to 25 per cent tariffs effective February 4, 2025 (Feb. 2, 2025), available at https://www.canada.ca/en/department-finance/news/2025/02/list-of-products-from-the-united-states-subject-to-25-per-cent-tariffs-effective-february-4-2025.html.
[9] Department of Finance Canada: Canada’s response to U.S. tariffs on Canadian goods (Feb. 2, 2025), available at https://www.canada.ca/en/department-finance/programs/international-trade-finance-policy/canadas-response-us-tariffs.html.
[10] President Claudia Sheinbaum Pardo (@Claudiashein), X (Feb. 1, 2025, 8:07 PM), available at https://x.com/claudiashein/status/1885857655094415528?s=46.
[11] Santiago Pérez, Vipal Monga and Anthony Harrup, Canada, Mexico Want America to Feel the Pain of Tariffs Too, The Wall Street Journal (Feb. 2, 2025), available at https://www.wsj.com/economy/trade/canada-mexico-want-america-to-feel-the-pain-of-tariffs-too-f8119ccd (subscription required).
[12] Zia Weise, China to Retaliate after Trump Fires First Salvo in Trade War, Politico (Feb. 2, 2025), available at https://www.politico.eu/article/china-vows-retaliation-after-donald-trump-likely-trade-war-tariffs-chinese-imports/ (quoting the statement of China’s Ministry of Commerce from the Ministry’s website, available at https://www.mofcom.gov.cn/xwfb/xwfyrth/art/2025/art_a4a4f6e20b034cc78d506731007f1c1f.html).
Legal Precedents Offer Novel Ways for Federal Employee Whistleblowers to Fight Retaliation
The system of anti-retaliation protections for federal employees who blow the whistle or speak out about their agency’s conduct is infamously weak. Under the Whistleblower Protection Act (WPA) and other laws, federal employees seeking relief for an adverse action taken against them for whistleblowing must rely on the Merit Systems Protection Board (MSPB). This quasi-judicial entity is plagued by delays and threatened by politicization.
However, several potentially effective but under-utilized legal precedents permit federal employees facing retaliation to obtain relief in federal court rather than relying solely on the WPA. These precedents were established by the U.S. Courts of Appeals for the District of Columbia and Fourth Circuits, and they offer novel ways to have cases heard in federal court or otherwise bolster retaliation complaints. Federal employees who use these methods stand a better chance of obtaining meaningful relief when they face retaliation for whistleblowing, for opposing discrimination, for protecting their privacy, or for engaging in outside speech protected by the First Amendment.
First Amendment Rights for Federal Employees
The landmark 1995 case Sanjour v. EPA upheld the First Amendment rights of federal employees to criticize the government in activities outside their employment. It created a precedent that gives federal employees a strong shield for First Amendment challenges to agency regulations that stifle whistleblowing in outside speaking or writing. The case permits federal employees at the GS-15 level or below (higher-level federal workers were not discussed in the decision, as the applicant for relief was at the GS-15 level) to seek pre-enforcement injunctive relief if a rule or regulation (which would include an Executive Order) has an improper chilling effect on an employee’s First Amendment protected outside speaking or writing.
William Sanjour was the branch chief of the Hazardous Waste Management Division within the EPA who challenged rules written by the Federal Office of Government Ethics that restricted EPA workers’ rights to speak to environmental community groups.
Because the EPA had warned Sanjour that his acceptance of a cost reimbursement for traveling to North Carolina to give a speech critical of EPA policies concerning waste incineration violated a regulation and could result in adverse action, Sanjour could challenge the “chilling effect” of the government’s rule on speech. The D.C. Circuit upheld the constitutional challenge to a regulation that had a chilling effect on First Amendment protected speech.
If he had waited until he was subjected to retaliation he would have been required to use the WPA to remedy the adverse action. But because Sanjour was challenging an unconstitutional chilling effect of a government regulation, he could obtain injunctive relief directly in federal court and avoid the long delays and other problems when pursuing a case before the presidentially appointed MSPB.
The key precedent established in Sanjour v. EPA, by the U.S. Court of Appeals for the District of Columbia Circuit, was that the Court could issue a nationwide injunction preventing the implementation of the regulation because of its chilling effect on the First Amendment right of employees to criticize the federal government. The court recognized that federal employee speech to the public on matters of “public concern” was protected under the First Amendment, and served a critical role in alerting the public to vital issues:
“The regulations challenged here throttle a great deal of speech in the name of curbing government employees’ improper enrichment from their public office. Upon careful review, however, we do not think that the government has carried its burden to demonstrate that the regulations advance that interest in a manner justifying the significant burden imposed on First Amendment rights.”
The precedent in Sanjour v. EPA means that federal employees who plan on making public statements (outside speaking or writing on matters of public concern) can seek a federal court injunction preventing future retaliation based on their First Amendment rights, if they have a reasonable basis to believe that their government employer would take adverse action against them if they made the public disclosures or violated the regulation. Significantly, First Amendment protected speech should cover criticisms of government policy. Policy disagreements alone may not even be covered under the WPA.
The Sanjour case covers outside speaking and writing, not workplace activities. It affirms a federal employee’s right to engage in conduct such as TV interviews, writing op-eds, and speaking before public interest groups, even if the speech engaged in is highly critical of the government or their government-employer. However, employees would have to give a disclaimer making sure that the public understood they were speaking in their private capacity, and the employee could not release confidential information.
Mixed Cases Combining Title VII Discrimination with Whistleblower Retaliation
Precedent established by two landmark federal employee whistleblower retaliation cases holds that federal employees may have their WPA retaliation case heard in federal court in instances where it is a “mixed case” that also involves discrimination or retaliation under Title VII of the Civil Rights Act. The scope of retaliation covered under Title VII is broader than the coverage under the WPA, and by combining both claims a federal employee can significantly increase both their procedural and substantive rights.
Specifically, when an employee is a member of a protected class (Title VII covers race, color, religion, sex, and national origin), it is often hard to distinguish whether retaliation originates from their membership in a protected class, from their filing of complaints of discrimination or retaliation under Title VII, or from their filing of complaints of retaliation covered by the WPA. There is often significant overlap in these types of cases.
While federal employees’ retaliation cases under the WPA are forced to remain with the MSPB, under the Civil Service Reform Act, discrimination cases (and cases of retaliation based on protected activities or whistleblowing covered under Title VII) may be removed to federal court if the MSPB does not issue a final ruling within 120 days.
Dr. Duane Bonds was a top researcher at the National Institutes of Health on sickle cell disease who blew the whistle on the unauthorized cloning of participants’ cells. Dr. Bonds faced retaliation for blowing the whistle, including sex discrimination, harassment in the workplace, and eventual termination.
In 2011, the United States Court of Appeals for the Fourth Circuit ruled in Bonds v. Leavitt that Dr. Bonds’ retaliation and discrimination complaint must be considered a “mixed case” and heard together. Under the Civil Service Reform Act, the court allowed Dr. Bonds to pursue her mixed discrimination and retaliation case before a federal court, and she was not required to continue to pursue her WPA case before the MSPB.
In its ruling in Bonds v. Leavitt, the Fourth Circuit cited an earlier D.C. Circuit ruling in Ikossi v. Department of Navy, which similarly allowed a female whistleblower to pursue a “mixed case” alleging both retaliation and discrimination in federal court. Kiki Ikossi was retaliated against after filing complaints to the Navy Research Lab HR Office for workplace gender discrimination in the early 2000s.
The Bonds and Ikossi decisions are controlling precedent in the Fourth Circuit and the District of Columbia Circuit, respectively. These precedents are therefore binding on federal courts in the District of Columbia and in the states of the Fourth Circuit (Maryland, Virginia, West Virginia, North Carolina, and South Carolina).
The precedents in Bonds v. Leavitt and Ikossi v. Department of Navy mean that federal employees who face discrimination in addition to retaliation may combine their complaints and pursue their case in federal court if the MSPB delays a ruling (which is the norm given its backlog of cases). However, the rules permitting a mixed case are complex, and they require employees to invoke that right when filing the initial complaint. By carefully following the timing and filing requirements mandated under both the WPA and Title VII, an employee can have his or her whistleblower case heard in federal court and avoid many of the problems associated with cases pending before the MSPB.
Privacy Act Rights for Federal Employees
Linda Tripp is most famous for her role in the impeachment of President Clinton. However, her retaliation case established a strong precedent protecting federal employees under the Privacy Act. Tripp successfully challenged the Department of Defense when it illegally released confidential information from her security clearance file.
The illegal release of the file was an act of retaliation for her role in the presidential impeachment proceedings. However, Tripp did not seek relief under the WPA. Instead, she was able to bring a Privacy Act complaint in federal court. The Privacy Act governs requests for information concerning oneself, and federal employees have the same rights under the law as persons outside the government. The Privacy Act prohibits federal agencies from collecting or maintaining information about an individual’s First Amendment activities, and it prohibits the improper disclosure of records, including any personal information a government employee or manager may provide to individuals outside of the federal government.
The Privacy Act requires the federal government to give requestors access to all government records about them that are not restricted from access under very specific exemptions. Once the requestor obtains the documents, he or she can request correction of any inaccurate information, or inclusion in the file of a statement explaining why the documents are not accurate. The Act requires agencies to keep a record of with whom they share information, and it prohibits improper leaks of information. Moreover, of particular interest to whistleblowers, the law prohibits the government from maintaining records of any person’s First Amendment protected activities.
The law provides all persons, including federal employees, the right to file a lawsuit in federal court to obtain access to their files and to seek damages for the actual harm caused by any leaks or other violations of the law. A court can also order an agency to correct inaccurate information in government files and can bar agencies from maintaining information in violation of the law. Persons who file successful Privacy Act complaints are entitled to attorney fees and costs related to their lawsuit.
Thus, the Privacy Act offers a whistleblower numerous potential avenues to obtain protection, information, and relief. For example, when the federal government leaked information covered under the Privacy Act to discredit Tripp, she successfully pursued a Privacy Act claim for damages and fees. She was able to attack the illegal retaliation caused by the leak of information through the Privacy Act and avoid the many limitations of the WPA.
Conclusion
For decades, attempts to reform the WPA and give federal employees the right to have whistleblower retaliation cases heard in federal courts have stalled. Over the years, however, legal challenges to retaliation that avoid the limits of the WPA have produced strong precedents allowing specific federal employees to pursue cases in federal court, as long as they strictly follow the technical procedures required under each specific law or constitutional provision.
Federal employee whistleblowers are essential to rooting out fraud, abuse, and misconduct throughout the government. Leveraging these strong legal precedents, which can supplement remedies offered under the WPA, can offer critical avenues to protect federal employees from retaliation and ensure they receive the proper relief when it occurs.
Useful Resources
Government Webpages:
Overview Of Federal Sector EEO Complaint Process
U.S. Office of Special Counsel
U.S. Merit Systems Protection Board
Privacy Act of 1974
Financial Abuse and the Need for Better Financial Services Regulation
In December 2024 the Parliamentary Joint Committee on Corporations and Financial Services (the Committee) published a Report following an inquiry into how well the existing financial services regulatory framework is protecting against financial abuse. The Report highlighted a range of regulatory gaps and considered how financial institutions could better mitigate the risk of financial abuse.
Privacy
Inquiry submissions revealed that existing privacy laws prevent financial institutions from appropriately identifying, responding to and reporting financial abuse. Institutions are currently required to obtain explicit consent from customers before recording any sensitive information in their accounts. This prevents financial institutions from proactively documenting or flagging actual or suspected financial abuse, thereby creating a barrier to the provision of appropriate support. The Committee therefore recommended that privacy legislation be revised to better allow financial institutions to respond to financial abuse cases.
Sector-Specific Reform
While it was recognised that financial institutions were making progress in the implementation of measures to identify and respond to financial abuse, the Committee highlighted the need for reform across all three sectors. The table below outlines some of the key recommendations for each sector.
Key Takeaways
The Committee’s Report has shed greater light on the urgent need to improve the existing regulatory framework to allow financial institutions to explicitly address the widespread risk of financial abuse arising in relation to financial services. To prepare for potential reform, financial institutions should consider the Committee’s recommendations and seek to proactively improve internal mechanisms designed to identify and respond to financial abuse.
*For information on ‘conduct of others’ clauses see our previous alert on general insurance policies.
Tamsyn Sharpe also contributed to this article.
Data Privacy Insights Part 2: The Most Common Types of Data Breaches Businesses Face
As part of Data Privacy Awareness Week, Ward and Smith is spotlighting the most common types of data breaches that businesses encounter.
In Part 1, we explored the industries most vulnerable to cyberattacks, highlighting the specific sectors frequently targeted by cybercriminals. In Part 2, we dive into the most common types of data breaches businesses face and offer actionable strategies to safeguard your organization. By understanding these threats, businesses can take the first step toward mitigating risks and protecting themselves from the costly and damaging consequences of cybersecurity incidents.
Human Error
Human error is at the core of many cybersecurity incidents. According to Infosec, 74% of breaches involve some sort of human element, making education and preventative measures critical.
Phishing Attacks
One of the most common manifestations of human error is phishing. Cybercriminals exploit trust and naivety through deceptive emails that mimic legitimate communications. These emails often trick employees into revealing sensitive information like login credentials or financial data. Businesses can reduce this risk by prioritizing comprehensive employee training to recognize and report phishing attempts.
Stolen Credentials
Closely linked to phishing is the issue of stolen credentials. Weak or reused passwords create openings for hackers to exploit. When an employee’s credentials are compromised, unauthorized access to company systems becomes a reality. Implementing strong password policies and multi-factor authentication (MFA) can significantly reduce this threat.
Ransomware
Ransomware represents an escalation of credential theft and phishing. These attacks encrypt vital business data and demand payment for its release, often causing operational paralysis. They frequently begin with malicious links or attachments. To combat this, businesses should invest in regular data backups and advanced endpoint protection tools.
Insider Threats
While external threats dominate headlines, insider threats—whether intentional or accidental—remain a critical concern. Employees can inadvertently leak data or intentionally sabotage systems. Mitigating this risk requires strong access controls, continuous monitoring, and fostering a culture of accountability.
Misconfigured Systems
Beyond human actions, misconfigured systems represent a technical vulnerability often stemming from human oversight. Improper security settings or cloud storage configurations can expose sensitive data to unauthorized users. Regular audits and vulnerability assessments are essential to identify and fix these issues.
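The passage above recommends regular audits of security settings and cloud storage configurations. As an added example, not code from the original article, the script below audits a list of object-storage bucket records for the misconfigurations that most often expose data (a public ACL, a policy statement that grants access to a wildcard principal without any scoping condition, encryption at rest turned off, access logging turned off) and places a deliberately weak bucket beside its corrected counterpart. The bucket records, the field names (acl, policy, encryption, logging) and the placeholder account id and VPC endpoint id are constructed assumptions modelled on the shape of AWS S3 bucket policies; they are not taken from any real account.

```python
"""Audit constructed object-storage bucket configurations for common exposures.

Added example: all bucket records here are constructed for illustration and the
field layout is an assumption modelled on AWS S3 bucket policies.
"""
from __future__ import annotations
from dataclasses import dataclass

# ACL values that grant read or write to anyone, or to any authenticated account
# of the provider (which is effectively anyone who can create an account).
PUBLIC_ACLS = frozenset({"public-read", "public-read-write", "authenticated-read"})


@dataclass(frozen=True)
class Finding:
    bucket: str
    severity: str  # "high", "medium" or "low"
    issue: str
    fix: str


def statement_grants_public(stmt: dict) -> bool:
    """True when an Allow statement names a wildcard principal and has no
    Condition block narrowing the callers. A Condition (for example a source
    VPC endpoint) turns a wildcard principal into a scoped grant."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return wildcard and not stmt.get("Condition")


def audit_bucket(cfg: dict) -> list[Finding]:
    """Return every finding for one bucket record; an empty list means clean."""
    name = cfg["name"]
    findings: list[Finding] = []
    if cfg.get("acl") in PUBLIC_ACLS:
        findings.append(Finding(name, "high",
                                f"ACL '{cfg['acl']}' exposes objects to anonymous or any-authenticated users",
                                "set the ACL to 'private' and turn on the provider's public-access block"))
    for stmt in cfg.get("policy", {}).get("Statement", []):
        if statement_grants_public(stmt):
            findings.append(Finding(name, "high",
                                    f"policy statement allows Principal '*' to {stmt.get('Action')}",
                                    "name specific principals or add a Condition that scopes the grant"))
    if not cfg.get("encryption", {}).get("enabled", False):
        findings.append(Finding(name, "medium", "default encryption at rest is off",
                                "enable default server-side encryption"))
    if not cfg.get("logging", {}).get("enabled", False):
        findings.append(Finding(name, "low", "access logging is off, so unauthorized reads leave no trail",
                                "enable access logging to a separate, restricted bucket"))
    return findings


def audit_all(buckets: list[dict]) -> dict[str, list[Finding]]:
    return {b["name"]: audit_bucket(b) for b in buckets}


def worst_severity(findings: list[Finding]) -> str | None:
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default=None)


# Constructed sample: the weak configuration and its corrected counterpart.
WEAK_BUCKET = {
    "name": "example-customer-exports",
    "acl": "public-read",
    "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
    ]},
    "encryption": {"enabled": False},
    "logging": {"enabled": False},
}
HARDENED_BUCKET = {
    "name": "example-customer-exports",
    "acl": "private",
    "policy": {"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:role/ExportReader"},  # placeholder account id
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
        # A wildcard principal scoped by a Condition is not a public grant.
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
    ]},
    "encryption": {"enabled": True, "algorithm": "AES256"},
    "logging": {"enabled": True, "target": "example-access-logs"},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        result = audit_bucket(bucket)
        print(f"{bucket['name']} (acl={bucket['acl']}): worst={worst_severity(result)}")
        for f in result:
            print(f"  [{f.severity}] {f.issue} -> {f.fix}")
```

The check that matters most is the one on policy statements: a wildcard principal on its own is not always a defect, so the audit only flags it when no Condition narrows the callers, which is the distinction a manual review most often gets wrong in either direction.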
Social Engineering
Building further on human vulnerabilities, social engineering attacks involve manipulation tactics such as impersonation of IT staff or executives. These tactics are designed to extract confidential information or gain unauthorized access to secure systems. Consistent training helps employees detect and resist these threats.
Physical Security Breaches
Cybersecurity measures are incomplete without addressing physical security. The theft or loss of devices like laptops, smartphones, or external drives can lead to unauthorized data access. Encrypting devices and enabling remote wipe capabilities can minimize the impact of such incidents.
Data Loss from Third-Party Vendors
Even with strong internal controls, businesses often depend on third-party vendors, which can introduce additional risks. Ensuring that vendors adhere to stringent data protection standards and conducting thorough due diligence are key steps to minimizing these v
How Businesses Can Protect Themselves
To combat these threats, businesses should adopt a proactive approach to data security:
Employee Training: Regular training sessions ensure employees can identify and respond to potential threats effectively.
Robust Policies: Develop and enforce data protection policies tailored to your organization’s needs.
Incident Response Plans: Have a comprehensive plan in place to respond to breaches swiftly and minimize damage.
Legal Guidance: Work with legal experts to ensure compliance with data privacy regulations and to create enforceable contracts with third-party vendors.
Data breaches can have devastating consequences, but with the right measures, your organization can stay ahead of these threats.
Report Concludes SEC’s Whistleblower Program is a Resounding Success and Essential to Investor Protection
Success of the SEC Whistleblower Program
Benjamin Schiffrin, Director of Securities Policy at Better Markets, published a report titled The SEC’s Whistleblower Program Is Key to Protecting the Economy and Main Street Americans’ Wallets, which concludes that the SEC whistleblower program “has benefited investors by allowing the SEC to pursue enforcement actions resulting in more than $6 billion in monetary sanctions” and identify misconduct that the SEC might not otherwise uncover.
The report identifies additional indications of the success of the SEC whistleblower program:
Whistleblower disclosures result in the return of funds to harmed investors.
In FY 2024, the SEC received approximately 24,980 whistleblower submissions, and whistleblowers have filed over 100,000 disclosures since the inception of the program.
Taxpayers benefit from this critical enforcement tool without having to pay awards from appropriated funds. The awards are paid from the monetary sanctions that the SEC recovers from fraudsters.
Whistleblower confidentiality is a cornerstone of the SEC whistleblower program. Permitting whistleblowers to report anonymously through counsel protects whistleblowers from retaliation and “protects the ensuing investigation by preventing a company from learning that the SEC knows about the misconduct and possibly destroying evidence.”
SEC Whistleblower Program Key to Investor Protection
The report finds that the SEC is already underfunded and lacks the resources necessary to monitor the increasingly complex capital markets and “protect investors from potential misconduct at 33,000 regulated entities, 8,300 reporting companies, and 56,000 private funds.” If Congress forces the SEC to downsize the Division of Enforcement, the SEC would need more help in holding fraudsters accountable and therefore whistleblowers will continue to play a vital role in assisting the government in identifying and prosecuting misconduct. The violations that whistleblowers report to the SEC primarily concern manipulation, offering fraud, corporate disclosures, and crypto fraud.
Suggestions to Improve the SEC Whistleblower Program
Better Markets makes two suggestions to improve the SEC whistleblower program:
Do a Better Job of Communicating with Whistleblowers: “Many whistleblowers receive confirmation that the SEC received their tip and then never hear from the agency again. This makes it difficult for whistleblowers to know how to proceed . . . Communicating with whistleblowers is especially important because it can take years for the SEC to receive a tip, investigate, bring an action, obtain sanctions, and issue an award.”
Provide More Information to Enable the SEC to Understand the Benefits of the Whistleblower Program: “[T]he whistleblower program would benefit from the public’s greater understanding of the assistance that whistleblowers provide . . . and the value to the public of the whistleblower having identified the relevant misconduct.”
FCC Responds to Cybersecurity Threats with CALEA Ruling
Earlier this month, in the waning days of Jessica Rosenworcel’s tenure as Chair of the Democrat-led FCC, the FCC released a Declaratory Ruling concluding that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access and interception of communications. Effectively, the FCC determined that CALEA can serve as a hook for additional rules addressing emergent cybersecurity issues.
The Commission also adopted a Notice of Proposed Rulemaking (NPRM) that would apply cybersecurity and supply chain risk management obligations to a broader set of providers.
Commissioners Carr and Simington dissented from the Declaratory Ruling and NPRM. While Chairman Carr frequently references cybersecurity threats, particularly those stemming from state-sponsored actors in the People’s Republic of China (PRC), it is unclear whether the new GOP-led FCC will allow the Declaratory Ruling and NPRM to stand or will pursue another course of action.
Background. Enacted in 1994, CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to ensure that law enforcement agencies retain the lawful surveillance capabilities they need with respect to telecommunications equipment, facilities, and services. Notably, under the “substantial replacement” provision of CALEA, the FCC has interpreted the term “telecommunications carrier” for purposes of CALEA to include facilities-based broadband Internet access service (BIAS) and interconnected VoIP providers.[1]
Declaratory Ruling. Previously, the FCC found that Section 105 of CALEA requires telecommunications carriers to avoid the risk that suppliers of untrusted equipment will illegally intercept or surveil a carrier’s switching premises without its knowledge.[2] In the Declaratory Ruling, the Commission imposed an affirmative duty on “telecommunications carriers” (again, including BIAS and iVoIP providers) to secure their networks, and clarified that telecommunications carriers’ responsibilities under CALEA extend to their equipment as well as network management practices.
The FCC concluded that carriers are obligated to prevent interception of communications or access to call-identifying information by any means other than pursuant to a lawful authorization with the affirmative intervention of an officer of the carrier acting in accordance with FCC rules. In adopting the Declaratory Ruling, the Commission puts carriers on notice that all incidents of unauthorized interception of communications and access to call-identifying information amount to a violation of the carrier’s obligations under CALEA.
Within this context, the FCC concluded that Congress has authorized the Commission to adopt rules requiring telecommunications carriers to take steps to secure their networks.
Notice of Proposed Rulemaking. In its NPRM, the FCC proposes to apply cybersecurity requirements to a broad set of service providers, including facilities-based fixed and mobile BIAS providers, cable systems, wireline video systems, wireline communications providers, satellite communications providers, commercial mobile radio providers, covered 911 and 988 service providers, and international section 214 authorization holders, among others (Covered Providers).
The Commission proposes that Covered Providers would be obligated to create and implement cybersecurity and supply chain risk management plans. The plans would identify the cyber risks the carrier faces, as well as how the carrier plans to mitigate such risks. Covered Providers would also need to describe their organization’s resources and processes to ensure confidentiality, integrity, and availability of its systems and services. The plans would require annual certification and be submitted in the Network Outage Reporting System (NORS).
[1] Telecommunications carrier includes:
A person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire;
A person or entity engaged in providing commercial mobile service . . . ;
A person or entity that the Commission has found is engaged in providing wire or electronic communication switching or transmission service such that the service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.
47 CFR § 1.20002(e).
[2] Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11436-37, para. 35 (2019).
CISA + FBI Issue Joint Advisory on Threat Actors Chaining Ivanti Vulnerabilities
On January 22, 2025, the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint advisory related to previous vulnerabilities in the Ivanti Cloud Service Appliance, including an administrative bypass, a SQL injection, and remote code execution vulnerabilities – previously listed as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190 and CVE-2024-9380.
The alert advises that “threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains… In one confirmed compromise, the actors moved laterally to two servers.”
According to CISA:
“CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.”
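The advisory quoted above tells defenders to hunt for malicious activity using its detection methods and indicators of compromise (IOCs) and to collect and analyze logs for signs of webshell activity. As an added example that is not part of the advisory or the original post, the script below parses web-server access log lines in the common combined format, matches each request against IOC sets (source networks, URI paths, user agents) and additionally flags a successful POST to an indicator path, which is the pattern a planted webshell being used would leave. The log lines and every IOC value are constructed placeholders (documentation IP ranges and PLACEHOLDER strings); a practitioner would substitute the advisory's published indicators before running it against real logs.

```python
"""Hunt constructed web access logs for indicators of compromise.

Added example: the log lines and IOC values below are constructed placeholders,
not indicators from the advisory. Replace them with the published IOCs.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PLACEHOLDER IOCs (constructed; 203.0.113.0/24 is the TEST-NET-3 documentation range).
IOC_NETWORKS = (ip_network("203.0.113.0/24"),)
IOC_PATHS = frozenset({"/PLACEHOLDER/webshell.php"})
IOC_USER_AGENTS = frozenset({"PLACEHOLDER-scanner/1.0"})


@dataclass(frozen=True)
class Hit:
    line_no: int
    ip: str
    method: str
    path: str
    status: int
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict | None:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ioc_reasons(rec: dict) -> tuple[str, ...]:
    """Every reason a parsed request matches the IOC sets; empty when it matches none."""
    reasons: list[str] = []
    try:
        if any(ip_address(rec["ip"]) in net for net in IOC_NETWORKS):
            reasons.append("ioc-ip")
    except ValueError:
        pass  # hostname instead of an address; skip the network check
    path = rec["path"].split("?", 1)[0]  # compare without the query string
    if path in IOC_PATHS:
        reasons.append("ioc-path")
        # A 2xx POST to a known webshell path means the shell accepted a command.
        if rec["method"] == "POST" and rec["status"].startswith("2"):
            reasons.append("webshell-post-succeeded")
    if rec["ua"] in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")
    return tuple(reasons)


def hunt(lines) -> tuple[list[Hit], int]:
    """Scan lines in order; return (hits, number of lines that failed to parse)."""
    hits: list[Hit] = []
    unparsed = 0
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        reasons = ioc_reasons(rec)
        if reasons:
            hits.append(Hit(n, rec["ip"], rec["method"], rec["path"], int(rec["status"]), reasons))
    return hits, unparsed


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per reason so the triage order is obvious at a glance."""
    counts: dict[str, int] = {}
    for h in hits:
        for r in h.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed sample log (198.51.100.0/24 is the TEST-NET-2 documentation range).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [22/Jan/2025:10:00:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jan/2025:10:00:09 +0000] "POST /PLACEHOLDER/webshell.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jan/2025:10:00:12 +0000] "GET /status HTTP/1.1" 404 0 "-" "PLACEHOLDER-scanner/1.0"',
    'this line is not in combined log format and is counted as unparsed',
]

if __name__ == "__main__":
    found, skipped = hunt(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.ip} {h.method} {h.path} -> {', '.join(h.reasons)}")
    print(f"summary={summarize(found)} unparsed={skipped}")
```

Reporting the unparsed count matters as much as the hits: a hunt that silently drops lines it cannot parse gives false assurance, and the advisory's point that stored credentials should be treated as compromised means a clean IOC sweep does not by itself close the incident.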
Privacy Tip #429 – Threat Actors Continue to Use QR Codes For Fraudulent Purposes
We have repeatedly warned our readers about malicious QR codes and their use by threat actors.
Threat actors are now using these codes to disguise packages as gifts. Upon opening the package, recipients find a note with instructions to scan a QR code to identify the sender. The code launches a website that asks for credentials to get more information about the “gift” and provides instructions for returns. The website could also ask for credit card or personal information.
It has become such a problem that the Federal Trade Commission (FTC) has issued a scam alert.
According to the FTC:
“If you scanned the QR code and entered your credentials, like your username and password, into a website, change your password right away. Create a strong password that is hard to guess, and turn on two-factor authentication.
If you’re concerned someone has your personal information, get your free credit report at AnnualCreditReport.com. Look for signs that someone is using your information, like accounts in your name you don’t recognize. (You can get a free credit report every week.)
Also review your credit card bills and bank account statements and look for transactions you didn’t make. And consider taking other steps to protect your identity, like freezing your credit or putting a fraud alert on your credit report.
If you think someone stole your identity, report it, and get a personal recovery plan at IdentityTheft.gov.”
Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident
In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
The Incident
In a December 30, 2024 letter, Treasury Officials notified lawmakers of a “major incident” in which Chinese state-sponsored hackers stole Treasury documents. The letter explained that on December 8, 2024, the Treasury Department was notified by BeyondTrust, a CSP responsible for providing remote technical support to Treasury Departmental Offices (“DO”), that a threat actor had gained unauthorized access to a key used by BeyondTrust to secure its cloud service. With the stolen key, the threat actor was able to bypass security protocols to remotely access specific Treasury DO workstations, potentially exposing unclassified documents maintained by the users of those systems.
Interestingly, BeyondTrust holds a security authorization under the Federal Risk and Authorization Management Program (“FedRAMP”). FedRAMP is a government program designed to ensure that CSPs meet rigorous security requirements for the handling of federal data and includes similarly rigorous continuous monitoring and reporting requirements. BeyondTrust’s authorization indicates that it met these requirements.
However, this breach illustrates a critical point: meeting government security requirements does not guarantee invincibility to security incidents. Cybersecurity threats are constantly evolving, and no system—no matter how secure it may seem at a particular moment—can be completely free from risk. Companies must be continuously vigilant and proactive, even organizations that have been cleared through rigorous government-imposed security standards like FedRAMP.
Key Takeaways for Organizations Relying on Third-Party CSPs
Government Security Standards Are Not a Guarantee Against Breaches: While government security certifications such as FedRAMP provide an important benchmark for evaluating third-party vendors, they should not be seen as a one-and-done solution. Security threats are dynamic and evolve rapidly, meaning that entities must remain vigilant and continuously evaluate and update their security protocols. This particular incident serves as an important reminder that security is a continual process, not a final checkbox.
Thorough Vetting of Third-Party Providers Is Essential: The Treasury Department incident is also a reminder of the importance of thorough, ongoing vetting of third-party CSPs. Simply confirming a CSP’s compliance with FedRAMP (or other security standards) should not be the end of the due diligence process. Entities must assess whether their third-party providers have robust security measures in place, including continuous monitoring, rapid incident response protocols, and regular updates to their security infrastructure. This is especially important when the service provider holds access to critical systems or sensitive data.
Collaboration and Transparency Are Critical in the Event of a Breach: BeyondTrust’s prompt notification to the Treasury Department highlights the importance of transparency and communication between service providers and their clients when an incident occurs. Quick and clear communication can help mitigate the damage from a breach and allow organizations to respond more effectively. It also underscores the importance of ensuring that third-party vendors have comprehensive and well-practiced incident response protocols in place.
Conclusion
The recent breach of the Treasury Department’s technical support systems, facilitated by a compromised security key from BeyondTrust, serves as an important reminder of the ever-present risks in the cybersecurity supply chain. While third-party CSPs, such as BeyondTrust, may meet rigorous government standards, meeting those standards reduces, but does not eliminate, risk.
Organizations must recognize that cybersecurity is not static, and the reliance on third-party providers necessitates thorough, ongoing risk assessments and proactive security measures. As cyber threats continue to evolve, so too must the strategies used to safeguard sensitive systems and data. Vetting CSPs should be a continuous process, and security should always be viewed as a shared responsibility between organizations and their third-party vendors.
Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern
On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.
We discussed the development of the new regulation in previous blogs (here and here), and the contours of the final rule are largely unchanged from the proposed rule. In this blog, we focus on some key clarifications and updates in the final rule. Then, we turn to what this final rule means for companies with operations in countries of concern and the questions every company with overseas IT infrastructure should be asking to know if these regulations might apply to them.
1. Updates in the Final Rule
There were no big surprises with the final rule, and it remains largely unchanged from the proposed rule. For the uninitiated, the rule prohibits or restricts a subset of covered transactions by U.S. persons involving covered data with covered persons.[1] The definitions of what is covered remain the same—even the bulk thresholds are the same as the proposed rule. However, below we highlight some of the key developments hidden among the minor clarifications and conforming edits.
1.1. Effective Date and Delayed Compliance Date. The rule sets an effective date of April 8, 2025 for every component of the rule except for specified compliance obligations. Those obligations, which include the due diligence and audit requirements from Subpart J and the reporting and recordkeeping requirements of Subpart K, do not require implementation until October 6, 2025. Those delayed compliance obligations do not encompass the security requirements required for restricted transactions and thus cybersecurity requirements established by CISA should be in place before engaging in any restricted transaction after April 8, 2025.
1.2. Expanded Government-Related Location Data List. The final rule substantially expands the Government-Related Location Data List from the 8 locations in the proposed rule to 736 locations in the final rule. These additional locations consist of commonly known Department of Defense sites and installations, such as bases, camps, posts, stations, yards, centers, or homeport facilities for any ship, ranges, and training areas in the United States and its territories. In its discussion of this list, DOJ acknowledges that it plans to provide this list in a format that would be easy for developers to access and implement (e.g., .csv, .json).
1.3. New definition of human ‘omic data. The final rule creates a new sub-definition of “human genomic data” for “human ‘omic data,” which includes human epigenomic data, human proteomic data, and human transcriptomic data. Those three data categories have a bulk threshold of data on more than 1,000 U.S. persons.[2] These new definitions will have an impact on clinical and predictive research, particularly research programs that implement AI.
2. Effects of the Regulation
As Assistant Attorney General Matthew Olsen said last year, this regulation is built like sanctions and export controls and is expected to have “real teeth.” Any U.S. company with operations in the identified countries of concern, particularly with overseas IT infrastructure, will need to have a conversation about whether this regulation will affect their business. Companies need to know and understand the following:
What data the company has or collects that might constitute sensitive personal data and/or Government-related data as defined in the regulations;
What business relationships and transactions allow access to the data;
Who internally has access to the data; and
What security measures are in place to protect that data.
Companies impacted by this regulation will also need to understand how it operates differently from other DOJ regulations and data privacy regulations. Here, DOJ has availed itself of IEEPA penalties, and this regulation operates more like sanctions and export controls. This means the regulation is very compliance-focused, as opposed to using case-by-case approaches like CFIUS or Team Telecom. While corporate compliance is a key component of DOJ strategy, as we have seen with the Civil Cyber Fraud Initiative, DOJ is not shying away from enforcement. Further, the FIRS has developed the skillset and prosecutorial experience for reviewing corporate compliance programs. All to say, companies should take the April 8 and October 6, 2025 deadlines seriously.
Finally, companies should understand how this regulation operates differently from other data-related regulations. Chiefly, this is not a privacy regulation; it is a national security regulation. For that reason, the focus is not on the collection of data, but rather on the subsequent sale and/or accessibility of that data. Also, the scope of what is covered data is more limited than what companies may come to expect with state privacy laws. Rather than capturing all personally identifiable information (PII), this regulation is concerned with sensitive information, that is, information that could be exploitable. However, because the data captured by the regulation is a national security concern, there is no consent exemption, meaning companies cannot have customers opt out of the regulation’s protection.
While the programmatic compliance requirements (i.e., due diligence, auditing, reporting and recordkeeping) are not required until Q4 of this year, the effective date, and beginning of potential enforcement, is right around the corner on April 8. Additionally, companies will still need to implement the CISA security requirements by April 8 if they intend to continue with restricted transactions. Still, companies should not delay in beginning to build out and implement their compliance programs.
FOOTNOTES
[1] For more details, see our Data, Deal, and Diplomacy, Part II blog.
[2] Human genomic data’s bulk threshold remains the same at more than 100 U.S. persons.