The Federal Trade Commission has announced the annual adjustment to notification thresholds that determine whether proposed transactions may trigger a filing obligation under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended. The revised thresholds will apply to all transactions that will close on or after February 27, 2020.


Under the updated thresholds, the lowest “size of transaction” notification threshold for any non-exempt acquisitions of voting securities, assets, or non-corporate interests will increase from USD 90 million to USD 94 million. For transactions valued above USD 94 million but below USD 376 million, an HSR filing may be triggered only if the below described “size of person” test is satisfied. Non-exempt transactions valued above USD 376 million will trigger an HSR filing obligation irrespective of the size of the parties involved.

The HSR Act “size of person” threshold, when applicable, generally will be satisfied if one party to the transaction has annual net sales or total assets of USD 188 million or more and the other party has USD 18.8 million or more in annual net sales or total assets. In each case, the operative “party” is the ultimate parent entity of the party to the potentially notifiable transaction.

The HSR Act filing amounts remain the same, but the relevant transaction values triggering the higher fee amounts have correspondingly increased.

  • USD 45,000 for transactions valued above USD 94 million but less than USD 188 million
  • USD 125,000 for transactions valued at USD 188 million or more but less than USD 940.1 million, and
  • USD 280,000 for transactions valued at USD 940.1 million or more.

Compliance with the HSR Act is imperative. The FTC previously announced the annual increase of the maximum civil penalty available for HSR Act violations from USD 42,530 to USD 43,280 per day. This new maximum penalty may be imposed for any enforcement action taken on or after 14 January 2020 even if the underlying violation preceded that date.

The Federal Register notice announcing the new HSR Act notification and filing-fee thresholds can be found here. The Federal Register notice on the increase to the maximum civil penalty is available here.

The post US: Federal Trade Commission Adjusts Hart-Scott-Rodino Premerger Notification and Filing-fee Thresholds appeared first on Global Compliance News.


At the recent roundtable discussion, “SEC Regulatory and Enforcement Trends: How to Prepare for the SEC in 2020,” held at the Baker McKenzie Chicago office, our North America Financial Regulation & Enforcement team talked about what to expect from the Staff in 2020.

Drawing from their collective SEC regulatory and enforcement expertise and experience, the team focused on recent SEC releases, proposals and guidance concerning various topics, including:

  • conflicts of interest
  • proposed advertising and solicitation rules
  • Regulation Best Interest and cybersecurity
  • how best to prepare for expected SEC regulatory, examination and enforcement initiatives in the current environment
  • various state securities standards of care regulatory initiatives

The post US: SEC Regulatory and Enforcement Trends: How to Prepare for the SEC in 2020 appeared first on Global Compliance News.


On December 20, 2019, the Treasury and IRS released proposed regulations[1] implementing the Tax Cuts and Jobs Act’s changes to section 162(m)’s $1,000,000 limit on the deductibility of “covered employee” compensation.[2] In key part, the TCJA[3] eliminated the exception from section 162(m) for performance-based compensation and expanded the covered employees and publicly held corporations subject to section 162(m). The Proposed Regulations build on this initial expansion of the 162(m) limit, dramatically increasing the extent to which the compensation of current and former executives will be non-deductible and introducing significant complexity into the identification and tracking of an ever-expanding pool of covered employees. In this summary, we address some of the most significant changes that taxpayers should note:

  • The particularly broad interpretation of the “predecessors” whose covered employees become covered employees of a publicly held corporation and its impact in corporate transactions.
  • The expansive definition of the “publicly held corporations” subject to 162(m) and elimination of the IPO transition period for newly public companies.
  • The new application of the 162(m) deduction limit to compensation paid by partnerships.
  • The ability to modify certain arrangements in view of the new 162(m) rules without violating section 409A, which may require action by December 31, 2020.
  • Clarifications of the grandfathering rule, including the impact of clawbacks and vesting acceleration and the treatment of severance.

1. Expansion of Covered Employees has a Significant Impact in Corporate Transactions

The Proposed Regulations confirm the guidance in Notice 2018-68[4] that the covered employees of a publicly held corporation include:

  • Its Principal Executive Officer and Principal Financial Officer at any time during a tax year,
  • Its three other most highly compensated executive officers for the tax year, regardless of whether the officer’s compensation is subject to disclosure for the last completed fiscal year under SEC rules or whether the officer is employed at the end of the tax year, and
  • Anyone who was a covered employee of the corporation or a predecessor for any tax year beginning after December 31, 2016.

The above rules generally apply for tax years ending on or after September 10, 2018, except with respect to two items not addressed by Notice 2018-68, both of which are addressed in the Proposed Regulations in a manner unfavorable to taxpayers.

First, the Proposed Regulations state that a company with a fiscal year and tax year which do not align (e.g., in the case of a short tax year due to a corporate transaction) must determine its three most highly compensated officers for the tax year based on the SEC summary compensation table rules, even if the corporation is not preparing a summary compensation table for the tax year. This rule applies to tax years beginning on or after December 20, 2019, i.e., effective for the 2020 calendar year in the case of calendar year taxpayers.

Second, the Proposed Regulations take what appears to be the broadest possible approach to the “predecessor” issue. Under this approach, a publicly held corporation’s covered employees will include the covered employees of any of the following “predecessor” entities, if such individuals perform services – whether as an employee or nonemployee – for the publicly held corporation:

| Transaction | Predecessor |
| --- | --- |
| Merger/Reorg. | A publicly held target corporation that is acquired or is the transferor in a corporate reorganization under section 368(a)(1). |
| Spin-off | A publicly held distributing corporation in a spin-off, to the extent that its covered employees commence services with the publicly held spun-off corporation within 12 months before or after the spin-off. (Such employees also remain covered employees of the distributing corporation.) |
| Stock-deal | A publicly held target that, in a stock acquisition, becomes a member of a publicly held affiliated group (under newly expanded affiliated group rules). |
| Asset deal | A publicly held target of which at least 80% of the operating assets are acquired over a period of 12 months, to the extent that its covered employees commence services with the publicly held acquirer within 12 months before or after the asset deal. |
| Private – Public Transition | An acquired privately held corporation, if it was previously public and the acquisition occurs before the 3-year anniversary of the due date for the acquired private corporation’s federal tax return for the last tax year for which it was public. |

The regulations also capture predecessors of predecessors, so the covered employees of any of the above predecessors of corporations that become part of a publicly held corporation’s affiliated group under section 162(m) are also covered employees of the publicly held corporation. The predecessor rule is proposed to apply to corporate transactions for which all events necessary for the transaction occur on or after the date of publication of the final rule in the Federal Register, or in the case of a private – public transition, to a private company that becomes public again on or after publication of the final rule. Until the final regulations are effective, taxpayers may rely on the definition of predecessor in the proposed rules or on a reasonable good faith interpretation of the term “predecessor.” However, the preamble states that it would not be a reasonable good faith interpretation to exclude as a predecessor a publicly held target corporation of which (i) the stock or assets are acquired in a transaction to which section 381(a) applies or (ii) at least 80% of the total voting power, and at least 80% of the total value of, the stock is acquired. Given the limited deference given to regulation preambles, and the fact that the Treasury could easily have interpreted a predecessor to include only an alter ego of the public company, taxpayers who acquire a public company before the effective date of the final regulations have a difficult decision as to how they reasonably interpret the statute before the final regulations become effective.

With these statutory interpretations, the Proposed Regulations introduce significant complexity to identifying and tracking the individuals who are permanently treated as covered employees. This is especially true in the context of corporate transactions, likely resulting in an ever-increasing amount of required diligence. Publicly held corporations that acquire predecessor corporations will have to maintain a full inventory of all individuals who were covered employees of each such predecessor (or of any predecessors to those predecessors) for any tax year after 2016. Given the complexities that arise and the fact that the Treasury has chosen the broadest possible approach to defining a predecessor, taxpayers and their trade organizations should consider commenting on this aspect of the Proposed Regulations in hopes of obtaining a more taxpayer favorable definition of the term predecessor, as well as a more lenient effective date.

2. Expansion of “Public” Companies subject to 162(m) and Elimination of IPO Transition Rule

The Proposed Regulations confirm that a “publicly held corporation” is a corporation (i) with any class of securities (including debt) that is required to be registered under Section 12 of the Exchange Act[5] or (ii) that is required to file reports under Section 15(d) of the Exchange Act (even if not listed on any exchange). However, the Proposed Regulations expand the application of 162(m) to public partnerships that are treated as corporations under section 7704, companies that own publicly held disregarded entities and S corporations that own publicly held QSubs. The rules also expand the existing rules on affiliated groups, including to capture privately-held companies with a publicly held subsidiary.

The Proposed Regulations also confirm that foreign private issuers that meet the requirements of a “publicly held corporation” will be subject to 162(m). However, recognizing that foreign private issuers are not generally required to disclose executive compensation under the SEC’s disclosure rules, the IRS requests comments on whether it should design a safe harbor for such issuers to determine their three most highly compensated executive officers.

In one piece of good news, the Proposed Regulations clarify that the determination of a publicly held corporation is made as of the last day of the corporation’s taxable year, which means that companies whose filing obligation or registration is suspended as of such date are not subject to 162(m).

However, in less good news, the Proposed Regulations provide that a company that becomes publicly held after December 20, 2019 will immediately become subject to the section 162(m) limit, eliminating prior transition relief that generally afforded such companies more than three years of exemption from the 162(m) limit.

3. Expansion of Remuneration subject to 162(m), including Amounts Paid by Partnerships

The TCJA and Notice 2018-68 punted on the question of the application of the deduction limit to compensation paid by a partnership to a publicly held corporate partner’s executives, commonly occurring in the so-called “UP-C” or “UPREIT” partnership structure. However, the Proposed Regulations address this issue head-on. The Proposed Regulations clarify that the publicly held corporation must take into account its distributive share of the partnership’s deduction for compensation expense paid to the publicly held corporation’s covered employee and aggregate that distributive share and the corporation’s otherwise allowable deduction for compensation paid directly to that employee in determining the amount allowable to the corporation as a deduction for compensation under section 162(m).

For example, assume a publicly held Corporation T and a privately held Corporation S form a general partnership and, for 2021, a covered employee of Corporation T performs services for the partnership and receives $800,000 from the partnership for those services, $400,000 of which is allocated to Corporation T. Corporation T’s $400,000 share of the partnership’s deduction for the compensation expense is aggregated with Corporation T’s deduction for compensation paid directly to the covered employee by Corporation T, if any, in determining the amount allowable as a deduction to Corporation T for compensation paid to such covered employee for Corporation T’s taxable year 2021. Notably, the result is the same whether the covered employee performs services for the partnership as a common law employee, an independent contractor, or a partner, and whether the payment is a payment under section 707(a) or a guaranteed payment under section 707(c).

As this is a dramatic departure from the prior application of the 162(m) rules to compensation paid by partnerships, the Proposed Regulations provide transition relief for current compensation arrangements. Accordingly, the rule with respect to compensation paid by a partnership will apply to any deduction for compensation that is otherwise allowable for a taxable year ending on or after December 20, 2019 but will not apply to compensation paid pursuant to a written binding contract in effect on December 20, 2019 that is not materially modified after that date. Of course, this transition relief is subject to all the interpretive issues that have arisen with respect to the TCJA grandfather rule.

4. Coordination with Section 409A

The preamble to the Proposed Regulations indicates that the regulations under section 409A governing nonqualified deferred compensation arrangements will be modified in light of the changes to section 162(m). As a result, there may be planning opportunities that companies may wish to consider that would require action by December 31, 2020.

As background, a payment of compensation may be delayed past the originally designated payment date without violating section 409A to the extent the service recipient reasonably anticipates that, if the payment were made as scheduled, the service recipient’s deduction with respect to such payment would not be permitted due to the application of section 162(m).

Given that amounts that might previously have quickly become deductible under the former 162(m) (e.g., after termination of employment) now might never become so deductible (due to the new “once a covered employee, always a covered employee” rule), the preamble to the Proposed Regulations indicates that the section 409A regulations will be amended to permit companies to (i) delay scheduled payment of grandfathered amounts to qualify for deduction under section 162(m), without delaying payment of non-grandfathered amounts; and (ii) amend deferred compensation arrangements to eliminate provisions requiring the company to delay payments on account of the deduction limitation under section 162(m), provided the amendment is made by December 31, 2020. Further, the foregoing should not result in a violation of section 409A or a material modification that would negatively impact the grandfathered status of the compensation arrangement.

5. Confirmation and Clarification of Grandfathering Rules

Under the TCJA’s grandfathering rule, the new 162(m) rules do not apply to remuneration provided pursuant to a written binding contract in effect on November 2, 2017 which is not modified in any material respect after that date. To determine whether a written binding contract exists, taxpayers still need to apply the same ambiguous standard as to whether the corporation was obligated to pay the amounts under applicable law. However, in noteworthy clarifications, the Proposed Regulations confirm that:

  • The presence of a clawback provision will not prevent an arrangement from being grandfathered as a written binding contract provided that the corporation’s right to recoup the compensation is based on the occurrence of conditions that are objectively outside the corporation’s control (e.g., detrimental conduct on the part of an executive).
  • Acceleration of the vesting of equity awards or other unvested compensation is not considered a material modification that would cause the loss of any applicable grandfathering. (However, the regulations are silent on whether the extension of the term of an option is a material modification.)
  • In determining whether severance is grandfathered, each component of the severance formula must be analyzed separately to determine the amount of severance that is grandfathered. So if a severance payment is based on salary plus discretionary bonus, it is only the amount of the bonus that is required to be paid as of November 2, 2017 based on a prior exercise of discretion that could be grandfathered. Further, if severance includes a base salary-based payment, an increase in base salary that is more than a reasonable cost of living increase causes the loss of grandfathering for the entire severance amount.

Because the Proposed Regulations adopt the prior guidance in Notice 2018-68 on grandfathering and material modifications, these aspects of the regulations apply for tax years ending on or after September 10, 2018.

Closing Remarks

Given the unanticipated breadth of many aspects of the Proposed Regulations, taxpayers should consider whether to comment on areas of concern. Any such comments are due to the IRS by February 18, 2020.

[1] REG–122180–18.
[2] Section references are to sections of the Internal Revenue Code of 1986, as amended, unless otherwise stated.
[3] References to the TCJA mean the Tax Cuts and Jobs Act of 2017.
[4] Notice 2018-68, issued on August 21, 2018, provided initial IRS and Treasury guidance on the changes made to section 162(m) by the TCJA, including the grandfather rule.
[5] “Exchange Act” means the Securities Exchange Act of 1934, as amended.

The post US: Proposed Regulations Dramatically Expand Limit on Deductibility of Executive Compensation appeared first on Global Compliance News.


FRISCO, TEXAS, January 31 – The formation of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB) in partnership with the Department of Defense (DoD) is a landmark achievement and the next logical step in bringing the CMMC to reality with this release.

HITRUST has been actively involved with the DoD and in related industry efforts to finalize the CMMC standard and the associated CMMC Accreditation Body (AB). Leveraging our twelve years of experience as a leader in delivering the highest quality assurance reports, developing our framework, assurance program, academy, assessor network, assessment infrastructure and related programs, HITRUST has made and continues to make valuable contributions and share key insights with the DoD and the CMMC AB in order to help them determine how best to go about accrediting auditors, delivering training, and issuing certifications.

While the CMMC program is being brought to market, HITRUST customers can rest easy knowing that for every component of the CMMC program contemplated by the DoD, HITRUST has a program or service to support those seeking CMMC. The HITRUST CSF already integrates with and contains mappings to the baseline standards upon which the CMMC framework is based (i.e., NIST SP 800-53, DFARS/NIST SP 800-171, and FedRAMP) enabling organizations to understand the controls requirements and identify any gaps.

As the DoD and CMMC AB move forward with developing and implementing the requirements of the CMMC, HITRUST will be at the forefront, continuing to participate as a subject matter expert and thought leader while helping simplify the road to CMMC for organizations of all sizes, across all industries. HITRUST is poised and pleased to continue to share knowledge, technology and working solutions for securing the defense industrial base from industrial property theft, data breaches and compromises to national security intelligence.

To learn more about how HITRUST integrates with CMMC visit https://hitrustalliance.net/cybersecurity-maturity-model-certification/.

To learn more about HITRUST Approach visit: https://hitrustalliance.net/the-hitrust-approach/

The post HITRUST Statement on Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) appeared first on HITRUST.


Ken Vander Wal Retiring; Jeremy Huval Named as New Chief Compliance Officer

FRISCO, TX, January 27, 2020 – HITRUST, a leading data protection standards development and certification organization, announced today that Jeremy Huval was promoted to Chief Compliance Officer, effective January 15, 2020. Huval served as Vice President of Compliance and Internal Audit for HITRUST since 2019 and will succeed Ken Vander Wal, who retired on January 1, 2020, after a successful ten-year career with the Company.

The promotion of Huval to the CCO role was a logical choice following the successful implementation of an enhanced quality monitoring and reporting initiative and successful launch of the Certified HITRUST Quality Professional (CHQP) course in 2019 that he and Vander Wal developed.

“It has been a privilege to work with a man of Ken’s intellect and insight in pursuit of the highest quality standards for organizations achieving the HITRUST CSF® Certification,” said Jeremy Huval. “Ken’s tremendous leadership advanced a comprehensive approach to reporting and assessing information risk, and compliance is more than just a framework, but a complete program tailored to an organization’s ecosystem. He leaves a strong legacy that I intend to build upon with continued innovation and a commitment to excellence for HITRUST.”

In September 2019, Vander Wal was voted by the Board to Chair the newly formed Quality Assurance Subcommittee, which provides additional governance and oversight of the HITRUST CSF Assurance Program. Vander Wal served as HITRUST’s Chief Compliance Officer since 2009. Under his leadership, the HITRUST CSF became recognized as an industry standard for the protection of healthcare data—the equivalent of the “Good Housekeeping Seal” of approval.

Vander Wal’s notable accomplishments include establishment of a formal review and approval process for creating authorized third-party assessors; enhancements to the HITRUST CSF Assurance program to ensure consistency, quality, and rely-ability™; collaboration with the AICPA to have the CSF framework recognized as acceptable criteria for SOC 2® + HITRUST CSF reports; and the launch of an interactive and highly successful customer hotline for users to anonymously report issues, concerns and suggestions to the CSF.

“My time at HITRUST has been an incredible journey, and I am humbled to know that my work has contributed to HITRUST’s mission of improving global security standards,” explained Vander Wal. “This is the perfect time to transition to the next generation knowing that the best is yet to come under Jeremy’s capable leadership. I look forward to continuing my involvement with HITRUST as Chair of the Board Quality Assurance Subcommittee and supporting the governance and oversight for our Assurance Program.”

“On behalf of HITRUST and the Board, I would like to express my appreciation to Ken for his invaluable leadership, drive, and focus, ensuring the integrity of our Assurance Program over the past ten years,” said Daniel Nutkis, CEO and Chairman of the Board. “Under Ken’s leadership, HITRUST has helped thousands of businesses transform their security protocols and processes while strengthening the Company’s standing as a global leader in a dynamic industry. Our company and leadership team has never been stronger, and we look forward to a seamless transition.”

Nutkis continued, “I am pleased to promote Jeremy to this new role and am confident that Jeremy’s keen understanding and knowledge of our business and commitment to delivering on the unique approach of the HITRUST Assurance Program will greatly contribute to the Company’s next level of success.”

Before his promotion, Huval served as the Vice President of Compliance and Internal Audit for HITRUST. His responsibilities included overseeing the integrity of the HITRUST CSF Assurance Program and leading an internal consulting and assurance function aimed at improving internal operations and controls within the organization. Huval has been an integral part of several initiatives since joining HITRUST that include automation of all reports issued and quality-check routines in Q&A processes; and implementation of new internal metrics to continuously monitor the quality and effectiveness of the CSF Assurance Program.

To learn more about the HITRUST CSF Assurance Program visit: https://hitrustalliance.net/csf-assurance/

To learn more about the Certified HITRUST Quality Professional (CHQP) Course visit: https://hitrustalliance.net/hitrust-academy/certified-hitrust-quality-professional-chqp-course/

The post HITRUST® Chief Compliance Officer Retires; Successor Named appeared first on HITRUST.


On 26 November 2019, the US Department of Commerce (Commerce) issued a highly anticipated proposed rule with proposed regulations (Proposed Regulations) to implement Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (Executive Order 13873).

Executive Order 13873 gives the Secretary of Commerce (Secretary) sweeping, unprecedented authority to prevent or modify transactions involving information and communications technology and services (ICTS) originating in countries designated as “foreign adversaries” which pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to US national security or the safety of United States persons. All industries are potentially affected by the Proposed Regulations, whether directly or indirectly, which allow for case-by-case reviews of transactions at the Secretary’s discretion. Any transaction that is ongoing as of, or was initiated on or after, 15 May 2019, can be reviewed and there is no mechanism by which a company may seek to clear transactions in advance.

A summary of the background and the Proposed Regulations is provided below:

I. Covered Transactions

On May 15, 2019, President Trump issued Executive Order 13873, which grants the Secretary the authority to prohibit or condition certain transactions involving ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or directed by a foreign adversary. Our previous blog post regarding Executive Order 13873 can be read here.

Consistent with Executive Order 13873, the Proposed Regulations are sweeping in nature. Under the Proposed Regulations, the Secretary will consider the following five prongs in determining whether a transaction is covered by Executive Order 13873 and whether or not to permit the transaction:

  1. The transaction is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
  2. The transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
  3. The transaction was initiated, is pending, or will be completed after 15 May 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted (Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, constitute transactions that “will be completed” on or after 15 May 2019 even if a contract was entered into prior to 15 May 2019);
  4. The transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
  5. The transaction: (i) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; (ii) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (iii) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

In determining whether a transaction involves ICTS designed, developed, manufactured, or supplied, by persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” Commerce will consider a number of factors, including:

  • the laws and practices of the foreign adversary; and
  • equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.

The following are key defined terms in the Proposed Regulations:

  • Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of Executive Order 13873. The Proposed Regulations do not specify which parties are “foreign adversaries,” but state that this is a matter reserved for executive branch discretion.
  • ICTS means any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display. This is a broad definition, which would appear to cover virtually all hardware/commodities, software, technology, or services associated with the telecommunications and communications sectors.
  • Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service. Use of the term “transaction” in this part includes a class of transactions. “Dealing in, or use” is not further defined.

II. The Proposed Review Process & Penalties

The Proposed Regulations establish a regime for the Secretary to engage in a case-by-case, fact-specific analysis of certain transactions involving ICTS, with a goal of targeting transactions that must be prohibited or mitigated without inadvertently barring less risky transactions or precluding innovation or access to technology in the United States. There is no process to clear any transactions in advance. In fact, the Proposed Regulations state that no advisory opinion or declaratory ruling will be issued with respect to any particular transaction.

Further, the Secretary has declined to identify classes of transactions or technologies that are subject to prohibition or are excluded from prohibition. As mentioned above, the Secretary conducts the review on a case-by-case basis. The Secretary, however, has reserved the right to issue class exclusion or inclusion determinations and related guidance in the future.

1. Initiation of Review

The Secretary may commence a review of a transaction in one of three ways: (i) at the Secretary’s discretion; (ii) upon the written request of another Government department, agency, governmental body, or the Federal Acquisition Security Council; or (iii) based on information submitted to the Secretary by credible private parties.

The Proposed Regulations do not provide for any time bars for review, which means that any transaction conducted post-15 May 2019 could be reviewed. Parties will only find out that a review has been initiated when they receive a preliminary determination.

2. Commerce’s Review Procedure

Commerce’s proposed review framework and its timeline are as follows:

  • The Secretary provides a preliminary determination in the form of a written notice to the parties to a transaction that the aforementioned criteria have been met and the basis thereof.
  • Within 30 days after receipt of the notice, the party may submit an opposition to the preliminary determination and supporting information or information on proposed mitigation measures. The Secretary can, but is not required to, grant an extension of time.
  • Within 30 days of receipt of such information, the Secretary will then issue a final determination describing whether the transaction is prohibited, not prohibited, or an otherwise prohibited transaction is permitted pursuant to the adoption of mitigation measures (and a description of the mitigation measures adopted). A summary of the Secretary’s final determination will be made public on https://www.commerce.gov/issues/ict-supply-chain and in the Federal Register.

3. Penalties

Any determination to either prohibit a transaction or permit an otherwise prohibited transaction based on mitigation measures will also provide a clear statement of the penalties that parties will face if they fail to comply fully with either the prohibition or the mitigation measures.

  • Any person who violates any determination, regulation, prohibition, or other action issued under the Proposed Regulations or makes a false or misleading representation to Commerce may be liable for a civil penalty up to $302,584 per violation, adjusted for inflation, or an amount that is twice the value of the relevant transaction.
  • Any person who violates a material provision of a mitigation measure or a material condition imposed under the Proposed Regulations may be liable for a civil penalty up to $302,584 per violation, adjusted for inflation, or the value of the relevant transaction. Any penalty assessed because of such violation will be separate from any damages sought pursuant to a mitigation measure.

A determination to impose penalties under either of the above situations will be made by the Secretary with a written notice to the penalized party. Within 15 days of receipt of notice of a penalty, the penalized party may submit a petition for reconsideration to the Secretary, including a defense, justification, or explanation for the penalized conduct. The Proposed Regulations do not address whether an extension of time can be granted for the petition. The Secretary will review the petition and issue a final decision within 30 days of receipt of the petition. The actual amount of the penalty assessed for a violation shall be based on the nature of the violation.

III. Request for Comment

Commerce invites comments on all aspects of the Proposed Regulations except for the determination of a “foreign adversary,” which is a matter reserved for executive branch discretion. Specifically, Commerce requests public comments on questions including:

  • Are there instances where the Secretary should consider categorical exclusions or exempt certain classes of persons whose use of ICTS can never violate Executive Order 13873?
  • Are there transactions involving types or classes of ICTS where the transaction could present an undue or unacceptable risk but that risk could be reliably and adequately mitigated? What form can such mitigation measures take?
  • If mitigation measures are adopted for a transaction, how should the Secretary ensure that parties consistently execute and comply with the agreed-upon mitigation measures? How best could the Secretary make sure the mitigation measures are not obsolete?
  • How should the definition of “transaction” (in particular, the terms “dealing in” and “use”) be interpreted?

If you wish to submit a comment to Commerce or have any questions, please contact any member of our Outbound Trade Compliance team. Comments must be submitted to Commerce on or before 27 December 2019. The authors acknowledge the assistance of Iris Zhang in the preparation of this client alert.

The post United States Commerce Proposes Rules re Securing the Information and Communications Technology and Services Supply Chain; Comments Due on or Before December 27 appeared first on Global Compliance News.


On December 2, 2019, the US Trade Representative (USTR) published a report concluding France’s Digital Services Tax (DST) “discriminates” against and is “unusually burdensome” for US companies, and published a Federal Register note setting out proposed tariffs as high as 100 percent on US$2.4 billion in French imports into the United States. USTR will conduct hearings in January on its proposed actions. In making his announcement, Ambassador Lighthizer also noted that “USTR is exploring whether to initiate similar investigations into the digital services taxes of Austria, Italy, and Turkey.”

In July 2019, USTR initiated its investigation of France’s DST under section 301(b)(1)(A) of the Trade Act of 1974 (the Trade Act) and concluded that the DST discriminates against US companies. The DST was signed into law by President Macron on July 24, 2019 and imposes a 3 percent levy on revenues that certain companies generate from providing certain digital services to, or aimed at, persons in France. In its report published December 2, USTR found:

“France’s [DST] discriminates against U.S. companies, is inconsistent with prevailing principles of international tax policy, and is unusually burdensome for affected US companies. Specifically, USTR’s investigation found that the French DST discriminates against US digital companies, such as Google, Apple, Facebook, and Amazon.”

USTR stated that the French DST is inconsistent with prevailing tax principles on account of its retroactivity to January 1, 2019, its application to revenue rather than income, its extraterritorial application (the DST applies to revenues unconnected to a physical presence in France) and its purpose of penalizing particular US technology companies (since smaller companies, which are more likely to be locally based, are exempt).

The United States has also criticized the impact of the French DST on international negotiations occurring at the Organisation for Economic Co-operation and Development (OECD). Those negotiations are aimed at developing a consensus approach to corporate income taxation affecting the digital economy. The United States has argued that France’s law undermines the OECD negotiations.

In the wake of these findings, USTR is authorized by Section 301 to take all appropriate and feasible action, including the imposition of duties on the goods and imposition of fees or restrictions on the services of France. As noted, USTR is issuing a Federal Register notice soliciting comments from the public on USTR’s proposed action, which includes additional duties of up to 100 percent on certain French products. The notice also seeks comment on the option of imposing fees or restrictions on French services. The list of French products subject to potential duties includes 63 tariff subheadings with an approximate trade value of US$2.4 billion. The value of any US action through either duties or fees may take into account the level of harm to the US economy resulting from the DST. A list of the products proposed by USTR for the additional duties may be found in the Federal Register Notice.

USTR requests comments with respect to any issue related to the action to be taken in this investigation. With respect to action in the form of additional duties, USTR invites comments regarding:

  • The specific products to be subject to increased duties, including whether products listed in the Annex should be retained or removed, or whether products not currently on the list should be added.
  • The level of the increase, if any, in the rate of duty.
  • The level of the burden or restriction on the US economy resulting from the DST.
  • The appropriate aggregate level of trade to be covered by additional duties.

In commenting on the inclusion or removal of particular products on the list of products subject to the proposed additional duties, USTR requests that commenters address specifically whether imposing increased duties on a particular product would be practicable or effective to obtain the elimination of France’s DST, and whether imposing additional duties on a particular product would cause disproportionate economic harm to US interests, including small- or medium-size businesses and consumers.

With respect to action in the form of fees or restrictions on services of France, USTR seeks comments on issues such as:

  • Which services would be covered by a fee or restriction.
  • If a fee is imposed, the rate (flat or percentage) of the fee, and the basis upon which any fee would be applied.
  • If a restriction is imposed, the form of such restriction.
  • Whether imposing fees or restrictions on services of France would be practicable or effective to obtain the elimination of France’s acts, policies, and practices.

USTR is inviting public comment on these issues and will be holding a hearing. We are assisting many clients in responding to these proposed tariffs.

If you would like to submit public comments and/or participate in a public hearing to be held on January 7, 2020, we would be pleased to assist.


The post USTR Proposes Tariffs on US$2.4 Billion in French Goods in Response to France’s Digital Services Tax appeared first on Global Compliance News.


FRISCO, Texas – Dec. 11, 2019 – HITRUST®, a leading data protection standards development and certification organization, announced a collaboration with Frist Cressey Ventures to form the Venture Capital Advisory Council (“VC Council”) and Venture Program, comprised of some of the most influential venture capital firms. As venture capital firms seek to reduce cyber risks and data breaches within their portfolio companies, they incorporate information risk management into their due diligence and investment decision making processes, recommending portfolio companies demonstrate the appropriate levels of information security and privacy, and regulatory compliance. Historically, many VC firms have given preference to HITRUST CSF® Certified organizations as HITRUST offers a common approach as well as practical and efficient solutions to identifying and mitigating the risks of potential cyber incidents, making their portfolio companies as competitive as possible within their markets. The new Venture Program expands and formalizes an approach to information risk management and compliance for portfolio companies.

2019 is shaping up to be a record year for venture capital investments with roughly $50 billion invested in the healthcare sector alone, according to data from CB Insights. 31 percent of these healthcare deals are in digital health companies. According to a Ponemon Institute study, many of these early stage companies have experienced a data breach in the last 12 months. Specifically, 76 percent of small- and medium-sized businesses have experienced a data breach in the past year. The data further suggests that these businesses lack appropriate security and privacy oversight, which translates to greater risk for their customers. This, coupled with looming deadlines for complying with privacy laws such as the CCPA in January 2020, intensifies the pressure on start-up and early stage companies to address regulatory compliance requirements.

The HITRUST Venture Program™, governed by the VC Council, was established to focus on the unique risk management challenges that early- to late-stage companies face when integrating security, privacy, and compliance into their organizations to reduce their risk profile and increase their market opportunities.  The Venture Program establishes a common recommended approach to information risk management and compliance that VC firms can expect of their portfolio companies. It leverages the HITRUST CSF® and CSF® Assurance Program, providing participating companies with access to a collection of tools and services to facilitate a cost-effective and efficient process to adopt strong information protection practices and obtain HITRUST CSF Certification.

A few of the leading venture capital funds are uniting with HITRUST and bringing their economic power to address these challenges. An early list of distinguished founding members of the VC Council includes Ascension Ventures, Bain Capital Ventures, Echo Health Ventures, Frist Cressey Ventures, Heritage Group, Maverick Ventures, New Enterprise Associates, 7Wire Ventures, and others, with combined assets under management of more than $30 billion including over 1000 companies within their portfolios. The VC Council is co-chaired by former U.S. Senate Majority Leader Bill Frist, Co-founder and Partner, Frist Cressey Ventures, and Chris Booker, Partner, Frist Cressey Ventures.

“Securing private data and personal information should be a top priority for every organization. While a data breach negatively impacts any organization, for a start-up or early-stage company trying to instill customer confidence, it can be catastrophic,” said Senator Frist. “Frist Cressey Ventures is strategically positioned to align entrepreneurs, venture firms, and HITRUST to promote best practices in data protection and compliance.”

HITRUST understands information risk management and compliance and the challenges of assembling and maintaining the many and varied programs. HITRUST’s integrated approach ensures that the comprehensive components are aligned and maintained to support an organization’s information risk management and compliance program.

“I applaud Senator Frist and Mr. Booker for the foresight and leadership demonstrated in recognizing a need as well as assembling such an influential group from the investment community to better enable and support early- to late-stage companies in addressing information risk management and compliance,” said Daniel Nutkis, Chief Executive Officer, HITRUST.

“Today, venture capital firms see how quickly data and privacy can be compromised. Our goal is for our portfolio companies to recognize the value of mitigating risk early on in their DNA with the adoption of the highest standards of security and privacy,” said Yumin Choi, Partner, Bain Capital Ventures. “By leveraging HITRUST’s expansive toolset and services, our portfolio companies have access to a comprehensive and efficient approach to mitigate and manage risk.”

The VC Council, made up of founding member funds, serves as the governing body of the Venture Program, providing valuable expertise and insight to early- to late-stage companies incorporating information risk management and data protection into their culture and offerings. Members of the VC Council oversee the program, serving as thought leaders in the space, and liaisons between their organization, portfolio companies, and HITRUST.

Any qualifying venture fund can participate in the program. To learn more about the Venture Capital Advisory Council and Venture Program, including requirements, download the datasheet at https://hitrustalliance.net/hitrust-venture-program/ or contact Jay Martin at Jay.Martin@HITRUSTalliance.net.

The post HITRUST® and Frist Cressey Ventures Launch Venture Council and Program to Build Security and Privacy into the “DNA” of Tech Startups appeared first on HITRUST.


Demonstrating trade secret misappropriation in a civil case often turns on the IP owner’s ability to show that it has a protectable trade secret. Yet in the criminal context, the US Government has taken the position that it can establish attempted trade secret theft irrespective of such a showing. In a criminal prosecution of theft, the Government must generally prove beyond a reasonable doubt each element of the offense — including the specific object of the alleged theft. Recent prosecutions involving allegations of trade secret theft and attempted trade secret theft highlight an important deviation from this principle and draw a line between two provisions of the Economic Espionage Act, 18 U.S.C. § 1831 and 18 U.S.C. § 1832.

In United States v. O’Rourke,1 it was undisputed that the defendant took information that he was not legally entitled to from his employer.2 The defendant argued that § 1832 permits prosecution for attempt violations only if a defendant tries and fails to misappropriate actual trade secrets.3 Relying on United States v. Hsu,4 the legislative history of the EEA, and the analogous case law addressing convictions for distributors of sham drugs, O’Rourke held that the Government can pursue attempt charges under § 1832 if the defendant believed the information to be a trade secret, even if the information taken did not constitute a trade secret under the Act.5 The court reasoned that individuals seeking to harm a company and benefit a competitor should not receive a “get out of jail free” card due to their mistaken belief as to the proprietary nature of the misappropriated material.6

Similar issues are arising in United States v. Levandowski,7 as the Government pursues criminal charges of attempted trade secret theft against a former engineer accused of stealing trade secrets related to self-driving cars. In response to a bill of particulars filed by the defendant on November 6, 2019, US District Judge William Alsup has ordered both parties to file a brief outlining their positions as to the level of specificity required by the prosecution when it pursues trade secret theft charges. The prosecution has argued that they have met this threshold by proving that the defendant reasonably believed the information was a trade secret to support the attempt charges.

O’Rourke established that criminal penalties can be imposed for the attempted theft of trade secrets, even if the information does not qualify as a trade secret per 18 U.S.C. § 1839. Levandowski may provide more clarity on the level of specificity required by the Government in order to pursue charges of attempted trade secret theft.

If you have any questions about these updates, please contact the authors or the Baker McKenzie attorney with whom you work.


1 United States v. O’Rourke, No. 17-cr-00495, 2019 U.S. Dist. LEXIS 174962 (N.D. Ill. Oct. 9, 2019).
2 Id. at *11.
3 Id. at *8.
4 United States v. Hsu, 155 F.3d 189, 198 (3d Cir. 1998).
5 United States v. O’Rourke, No. 17-cr-00495, 2019 U.S. Dist. LEXIS 174962, *10-11 (N.D. Ill. Oct. 9, 2019).
6 Id. at *11.
7 5:19-cr-00377 (N.D. Cal.).

The post Criminal Liability for Attempted Trade Secret Theft May Not Require Trade Secrets in the US appeared first on Global Compliance News.


Support for California Consumer Privacy Act (CCPA) standards in HITRUST CSF to help businesses better identify and remediate gaps in CCPA-specific security and privacy controls

FRISCO, Texas – November 21, 2019 – HITRUST, a leading data protection standards development and certification organization, has incorporated the CCPA standard into HITRUST CSF version 9.3, providing businesses with a strong basis for measuring CCPA compliance as part of their existing assessment and certification processes. Organizations can assess against the CCPA to conclude quickly if they meet the new requirements identified in the law or if there are any gaps that must be remediated.

Given the number of consumers and size of the California economy, the CCPA will have a significant impact on the market as almost every for-profit business in the United States will have to comply with the ruling to “implement and maintain reasonable security procedures and practices” to protect consumer data.  The law is serving as a model and has created an expectation among consumers that they can have access to their data, ask for it to be deleted or corrected, and limit its uses.

Businesses that are required to comply with the law due to go into effect on January 1, 2020, can perform a CCPA assessment by including the CCPA as a regulatory factor in the MyCSF® assessment tool.

The HITRUST CSF includes comprehensive privacy controls as well as mappings to both the CCPA and the GDPR. The CCPA is just different enough from the GDPR to create confusion in terms of compliance. HITRUST has helped businesses manage GDPR compliance and will help organizations doing business in California to minimize the impact of new regulatory requirements.

“The CCPA requires American organizations to look at data in a new way, as we are not used to data subjects having the type of rights granted them under the CCPA,” explains Anne Kimbol, Chief Privacy Officer, HITRUST. “By including leading privacy standards and principles, including the European Union’s General Data Protection Regulation (GDPR) and the CCPA mappings into the HITRUST CSF, we help our customers identify and mitigate gaps and risks in their existing programs that help them meet not just the growing compliance requirements but also customer expectations.”

Even though many companies have tried to get their heads around GDPR, there are differences between the GDPR and the CCPA which leave much confusion in the market about what CCPA compliance means. HITRUST continues to be committed to helping organizations translate privacy laws into actions, first with the GDPR and now with the CCPA. HITRUST has looked holistically at information risk management, working beyond what organizations are required to do, and bringing to light what they should be doing by addressing both security and privacy controls across their internal infrastructure as well as throughout their third-party supply chain. Organizations already utilizing HITRUST to identify and implement their applicable privacy controls will need to devote fewer resources to adjusting their programs to meet the CCPA requirements.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but also the amendments made during the recent California Legislative Session. HITRUST will continue to enhance the CCPA language in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law.

For example, performing a HITRUST CSF Assessment can help your organization gain insight into what action items need to be prioritized to meet regulatory compliance requirements, giving prescriptive control requirement statements and granular illustrative procedures to simplify and streamline an organization’s journey to information risk management and compliance.

HITRUST encourages organizations with a CCPA requirement to participate in the HITRUST webinar on CCPA Compliance on December 3; sign up at https://go.hitrustalliance.net/privacyandccpawebinar2019

To download the HITRUST CSF go to https://hitrustalliance.net/hitrust-csf/

The post HITRUST CSF® Brings Clarity to Security Requirements as Countdown to California’s New Privacy Protection Act Looms appeared first on HITRUST.