HITRUST Announces Availability of Shared Responsibility Matrix

FRISCO, Texas – March 4, 2020 – HITRUST, a leading data protection, standards development, and certification organization, announces the general availability of the HITRUST Shared Responsibility Program and Matrix™ Version 1.0. The Matrix is the first ever common model for communicating and assigning security and privacy responsibility between cloud service providers (CSPs) and their tenants or customers.

The Matrix is part of the HITRUST Shared Responsibility Program, which was established to address the growing misunderstandings, risks, and complexities when leveraging service providers. The Shared Responsibility Program clarifies the roles and responsibilities regarding ownership and operation of security controls while automating and streamlining the assurance process when privacy and security controls are shared or inherited. Organizations will benefit from streamlined communication processes as well as reduced inefficiencies and burdens of compliance when leveraging services from cloud providers.

The Shared Responsibility Program is led by Becky Swain, Director of Standards Development at HITRUST, and supported by a Working Group comprised of representatives of leading cloud service providers, including Armor, AWS, Google, Microsoft Azure and Salesforce, as well as enterprise cloud customers, cloud professional services firms, and solution providers. “With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organization’s information risk management and assurance process,” said Swain. “The next milestone will be HITRUST continuing to work with leading CSPs to ensure they provide the Matrix to their customers.”

“As PDHI collaborates with cloud service providers, we will leverage the HITRUST Shared Responsibility Matrix in understanding, documenting, and inheriting privacy and security control responsibility,” explains Lee Penn, the Chief Financial Officer and Chief Compliance Officer for PDHI and Shared Responsibility Working Group Member. “The Matrix simplifies providing evidence to our auditors and other interested parties that what we deliver, together with services we contract from Microsoft Azure cloud, meets the HITRUST guidelines and certification requirements—from end-to-end.”

HITRUST will continue to collaborate with leading CSPs as they provide the Matrix to their customers to further streamline security control ownership and responsibility. The Matrix offers many benefits, including:

  • A standard set of core principles and common language for all cloud service model types (e.g., SaaS, PaaS, IaaS, and Colo).
  • Helping organizations navigate an agreed-upon shared security and privacy responsibility in a way that is transparent, traceable, and accountable.
  • The ability to be tailored by CSPs in a completely customizable template to support their proprietary products and services.
  • Supporting an Assess Once, Inherit Many™

Businesses around the globe spent $107 billion in 2019 for cloud computing infrastructure services, fueled by 37% growth in Q4. With the proliferation of enterprise cloud computing, HITRUST continues its commitment to provide industry-leading risk management and vendor risk solutions for global organizations across all industries.

David Houlding, Director of Healthcare Experiences, Microsoft Azure: Healthcare Cloud and Shared Responsibility Working Group Member said, “The continued growth and strategic reliance on cloud computing, coupled with the ever-growing risk and compliance landscape, make communicating control responsibility and assurances more complex and intricate. The HITRUST Shared Responsibility Program addresses the need for a common language around security risks and responsibilities between the customer and cloud service provider, and to have confidence that nothing will fall through the cracks.”

“When control responsibility is shared, organizations must have these discussions with their cloud service providers to ensure everyone is on the same page,” says HITRUST Shared Responsibility Working Group Member Bob Smith, Senior Manager of Security Compliance at Salesforce. “The HITRUST Shared Responsibility Matrix will make those conversations much easier and serve as a guide to ensure every party knows what is required of them as well as that all reasonable steps are taken to protect information entrusted to their cloud service providers.”

IDC reported that 48% of organizations have applications in one public cloud that communicate regularly with applications in a different public cloud. The Matrix will help organizations more easily come to agreements with their CSPs as to which party is responsible for individual security and privacy controls, in turn ensuring that all applicable controls are properly addressed.

For more information on the HITRUST Shared Responsibility Program and how to access the HITRUST Shared Responsibility Matrix, visit the HITRUST Shared Responsibility Program webpage.

Join us on Tuesday, March 17th at 12 pm CT for the HITRUST Shared Responsibility Program Webinar; register here.

Originally published on HITRUST as “HITRUST Delivers on Commitment to Reduce Supply Chain Risk and Streamline Compliance Management in the Cloud”.


The Treasury Department (“Treasury”) and the Internal Revenue Service (“IRS”) issued the highly anticipated final regulations (the “Final Regulations”) implementing the base erosion and anti-avoidance tax (the “BEAT”) on December 2, 2019.  Treasury and the IRS simultaneously issued proposed regulations (the “Proposed Regulations” and with the Final Regulations, the “Regulations”). The Regulations resolve several areas of uncertainty in the statute in a taxpayer-favorable manner.

This column focuses on certain important changes Treasury and the IRS made to the proposed BEAT regulations introduced December 13, 2018 (the “2018 Proposed Regulations”), and provides some updates to our column on the 2018 Proposed Regulations. This column also notes some key requests that Treasury and the Service did not adopt. Among other items, we will cover:

  • Clarifications to the Aggregation Rules;
  • Treasury’s refusal to exempt certain “pass-through,” middleman, or global services payments;
  • Modifications to the rules with respect to tax free transactions;
  • The interaction between the BEAT, ECI, Subpart F and GILTI; and
  • The proposed election to forgo deductions.


Originally published on Global Compliance News as “US: The Final Proposed Base Erosion and Anti-avoidance Tax Regulations: A Favorable Turn”.



The Federal Trade Commission has announced the annual adjustment to notification thresholds that determine whether proposed transactions may trigger a filing obligation under the Hart-Scott-Rodino Antitrust Improvements Act of 1976, as amended. The revised thresholds will apply to all transactions that will close on or after February 27, 2020.


Under the updated thresholds, the lowest “size of transaction” notification threshold for any non-exempt acquisitions of voting securities, assets, or non-corporate interests will increase from USD 90 million to USD 94 million. For transactions valued above USD 94 million but below USD 376 million, an HSR filing may be triggered only if the “size of person” test described below is satisfied. Non-exempt transactions valued above USD 376 million will trigger an HSR filing obligation irrespective of the size of the parties involved.

The HSR Act “size of person” threshold, when applicable, generally will be satisfied if one party to the transaction has annual net sales or total assets of USD 188 million or more and the other party has USD 18.8 million or more in annual net sales or total assets. In each case, the operative “party” is the ultimate parent entity of the party to the potentially notifiable transaction.

The HSR Act filing amounts remain the same, but the relevant transaction values triggering the higher fee amounts have correspondingly increased.

  • USD 45,000 for transactions valued above USD 94 million but less than USD 188 million
  • USD 125,000 for transactions valued at USD 188 million or more but less than USD 940.1 million, and
  • USD 280,000 for transactions valued at USD 940.1 million or more.

Compliance with the HSR Act is imperative. The FTC previously announced the annual increase of the maximum civil penalty available for HSR Act violations from USD 42,530 to USD 43,280 per day. This new maximum penalty may be imposed for any enforcement action taken on or after 14 January 2020 even if the underlying violation preceded that date.

The Federal Register notice announcing the new HSR Act notification and filing-fee thresholds can be found here. The Federal Register notice on the increase to the maximum civil penalty is available here.

Originally published on Global Compliance News as “US: Federal Trade Commission Adjusts Hart-Scott-Rodino Premerger Notification and Filing-fee Thresholds”.



At the recent roundtable discussion, “SEC Regulatory and Enforcement Trends: How to Prepare for the SEC in 2020,” held at the Baker McKenzie Chicago office, our North America Financial Regulation & Enforcement team talked about what to expect from the Staff in 2020.

Drawing from their collective SEC regulatory and enforcement expertise and experience, the team focused on recent SEC releases, proposals and guidance concerning various topics, including:

  • conflicts of interest
  • proposed advertising and solicitation rules
  • Regulation Best Interest and cybersecurity
  • how best to prepare for expected SEC regulatory, examination and enforcement initiatives in the current environment
  • various state securities standards of care regulatory initiatives

Originally published on Global Compliance News as “US: SEC Regulatory and Enforcement Trends: How to Prepare for the SEC in 2020”.


On December 20, 2019, the Treasury and IRS released proposed regulations[1] implementing the Tax Cuts and Jobs Act’s changes to section 162(m)’s $1,000,000 limit on the deductibility of “covered employee” compensation.[2] In key part, the TCJA[3] eliminated the exception from section 162(m) for performance-based compensation and expanded the covered employees and publicly held corporations subject to section 162(m). The Proposed Regulations build on this initial expansion of the 162(m) limit, dramatically increasing the extent to which the compensation of current and former executives will be non-deductible and introducing significant complexity into the identification and tracking of an ever-expanding pool of covered employees. In this summary, we address some of the most significant changes that taxpayers should note:

  • The particularly broad interpretation of the “predecessors” whose covered employees become covered employees of a publicly held corporation and its impact in corporate transactions.
  • The expansive definition of the “publicly held corporations” subject to 162(m) and elimination of the IPO transition period for newly public companies.
  • The new application of the 162(m) deduction limit to compensation paid by partnerships.
  • The ability to modify certain arrangements in view of the new 162(m) rules without violating section 409A, which may require action by December 31, 2020.
  • Clarifications of the grandfathering rule, including the impact of clawbacks and vesting acceleration and the treatment of severance.

1. Expansion of Covered Employees has a Significant Impact in Corporate Transactions

The Proposed Regulations confirm the guidance in Notice 2018-68[4] that the covered employees of a publicly held corporation include:

  • Its Principal Executive Officer and Principal Financial Officer at any time during a tax year,
  • Its three other most highly compensated executive officers for the tax year, regardless of whether the officer’s compensation is subject to disclosure for the last completed fiscal year under SEC rules or whether the officer is employed at the end of the tax year, and
  • Anyone who was a covered employee of the corporation or a predecessor for any tax year beginning after December 31, 2016.

The above rules generally apply for tax years ending on or after September 10, 2018, except with respect to two items not addressed by Notice 2018-68, both of which are addressed in the Proposed Regulations in a manner unfavorable to taxpayers.

First, the Proposed Regulations state that a company with a fiscal year and tax year which do not align (e.g., in the case of a short tax year due to a corporate transaction) must determine its three most highly compensated officers for the tax year based on the SEC summary compensation table rules, even if the corporation is not preparing a summary compensation table for the tax year. This rule applies to tax years beginning on or after December 20, 2019, i.e., effective for the 2020 calendar year in the case of calendar year taxpayers.

Second, the Proposed Regulations take what appears to be the broadest possible approach to the “predecessor” issue. Under this approach, a publicly held corporation’s covered employees will include the covered employees of any of the following “predecessor” entities, if such individuals perform services – whether as an employee or nonemployee – for the publicly held corporation:

Transaction: Predecessor
  • Merger/Reorg.: A publicly held target corporation that is acquired or is the transferor in a corporate reorganization under section 368(a)(1).
  • Spin-off: A publicly held distributing corporation in a spin-off, to the extent that its covered employees commence services with the publicly held spun-off corporation within 12 months before or after the spin-off. (Such employees also remain covered employees of the distributing corporation.)
  • Stock deal: A publicly held target that, in a stock acquisition, becomes a member of a publicly held affiliated group (under newly expanded affiliated group rules).
  • Asset deal: A publicly held target of which at least 80% of the operating assets are acquired over a period of 12 months, to the extent that its covered employees commence services with the publicly held acquirer within 12 months before or after the asset deal.
  • Private – Public Transition: An acquired privately held corporation, if it was previously public and the acquisition occurs before the 3-year anniversary of the due date for the acquired private corporation’s federal tax return for the last tax year for which it was public.

The regulations also capture predecessors of predecessors, so any of the above predecessors of corporations that become part of a publicly held corporation’s affiliated group under section 162(m) are also covered employees of the publicly held corporation. The predecessor rule is proposed to apply to corporate transactions for which all events necessary for the transaction occur on or after the date of publication of the final rule in the federal register, or in the case of a private – public transition, to a private company that becomes public again on or after publication of the final rule. Until the final regulations are effective, taxpayers may rely on the definition of predecessor in the proposed rules or on a reasonable good faith interpretation of the term “predecessor.” However, the preamble states that it would not be a reasonable good faith interpretation to exclude as a predecessor a publicly held target corporation of which (i) the stock or assets are acquired in a transaction to which section 381(a) applies or (ii) at least 80% of the total voting power, and at least 80% of the total value of, the stock is acquired. Given the limited deference given to regulation preambles, and the fact that the Treasury could easily have interpreted a predecessor to include only an alter ego of the public company, taxpayers who acquire a public company before the effective date of the final regulations have a difficult decision as to how they reasonably interpret the statute before the final regulations become effective.

With these statutory interpretations, the Proposed Regulations introduce significant complexity to identifying and tracking the individuals who are permanently treated as covered employees. This is especially true in the context of corporate transactions, likely resulting in an ever-increasing amount of required diligence. Publicly held corporations that acquire predecessor corporations will have to maintain a full inventory of all individuals who were covered employees of each such predecessor (or of any predecessors to those predecessors) for any tax year after 2016. Given the complexities that arise and the fact that the Treasury has chosen the broadest possible approach to defining a predecessor, taxpayers and their trade organizations should consider commenting on this aspect of the Proposed Regulations in hopes of obtaining a more taxpayer favorable definition of the term predecessor, as well as a more lenient effective date.

2. Expansion of “Public” Companies subject to 162(m) and Elimination of IPO Transition Rule

The Proposed Regulations confirm that a “publicly held corporation” is a corporation (i) with any class of securities (including debt) that is required to be registered under Section 12 of the Exchange Act[5] or (ii) that is required to file reports under Section 15(d) of the Exchange Act (even if not listed on any exchange). However, the Proposed Regulations expand the application of 162(m) to public partnerships that are treated as corporations under section 7704, companies that own publicly held disregarded entities and S corporations that own publicly held QSubs. The rules also expand the existing rules on affiliated groups, including to capture privately-held companies with a publicly held subsidiary.

The Proposed Regulations also confirm that foreign private issuers that meet the requirements of a “publicly held corporation” will be subject to 162(m). However, recognizing that foreign private issuers are not generally required to disclose executive compensation under the SEC’s disclosure rules, the IRS requests comments on whether it should design a safe harbor for such issuers to determine their three most highly compensated executive officers.

In one piece of good news, the Proposed Regulations clarify that the determination of a publicly held corporation is made as of the last day of the corporation’s taxable year, which means that companies whose filing obligation or registration is suspended as of such date are not subject to 162(m).

However, in less good news, the Proposed Regulations provide that a company that becomes publicly held after December 20, 2019 will immediately become subject to the section 162(m) limit, eliminating prior transition relief that generally afforded such companies more than three years of exemption from the 162(m) limit.

3. Expansion of Remuneration subject to 162(m), including Amounts Paid by Partnerships

The TCJA and Notice 2018-68 punted on the question of the application of the deduction limit to compensation paid by a partnership to a publicly held corporate partner’s executives, commonly occurring in the so-called “UP-C” or “UPREIT” partnership structure. However, the Proposed Regulations address this issue head-on. The Proposed Regulations clarify that the publicly held corporation must take into account its distributive share of the partnership’s deduction for compensation expense paid to the publicly held corporation’s covered employee and aggregate that distributive share and the corporation’s otherwise allowable deduction for compensation paid directly to that employee in determining the amount allowable to the corporation as a deduction for compensation under section 162(m).

For example, assume a publicly held Corporation T and a privately held Corporation S form a general partnership and, for 2021, a covered employee of Corporation T performs services for the partnership and receives $800,000 from the partnership for those services, $400,000 of which is allocated to Corporation T. Corporation T’s $400,000 share of the partnership’s deduction for the compensation expense is aggregated with Corporation T’s deduction for compensation paid directly to the covered employee by Corporation T, if any, in determining the amount allowable as a deduction to Corporation T for compensation paid to such covered employee for Corporation T’s taxable year 2021. Notably, the result is the same whether the covered employee performs services for the partnership as a common law employee, an independent contractor, or a partner, and whether the payment is a payment under section 707(a) or a guaranteed payment under section 707(c).

As this is a dramatic departure from the prior application of the 162(m) rules to compensation paid by partnerships, the Proposed Regulations provide transition relief for current compensation arrangements. Accordingly, the rule with respect to compensation paid by a partnership will apply to any deduction for compensation that is otherwise allowable for a taxable year ending on or after December 20, 2019 but will not apply to compensation paid pursuant to a written binding contract in effect on December 20, 2019 that is not materially modified after that date. Of course, this transition relief is subject to all the interpretive issues that have arisen with respect to the TCJA grandfather rule.

4. Coordination with Section 409A

The preamble to the Proposed Regulations indicates that the regulations under section 409A governing nonqualified deferred compensation arrangements will be modified in light of the changes to section 162(m). As a result, there may be planning opportunities that companies may wish to consider that would require action by December 31, 2020.

As background, a payment of compensation may be delayed past the originally designated payment date without violating section 409A to the extent the service recipient reasonably anticipates that, if the payment were made as scheduled, the service recipient’s deduction with respect to such payment would not be permitted due to the application of section 162(m).

Given that amounts that might previously have quickly become deductible under the former 162(m) (e.g., after termination of employment) now might never become so deductible (due to the new “once a covered employee, always a covered employee” rule), the preamble to the Proposed Regulations indicates that the section 409A regulations will be amended to permit companies to (i) delay scheduled payment of grandfathered amounts to qualify for deduction under section 162(m), without delaying payment of non-grandfathered amounts; and (ii) amend deferred compensation arrangements to eliminate provisions requiring the company to delay payments on account of the deduction limitation under section 162(m), provided the amendment is made by December 31, 2020. Further, the foregoing should not result in a violation of section 409A or a material modification that would negatively impact the grandfathered status of the compensation arrangement.

5. Confirmation and Clarification of Grandfathering Rules

Under the TCJA’s grandfathering rule, the new 162(m) rules do not apply to remuneration provided pursuant to a written binding contract in effect on November 2, 2017 which is not modified in any material respect after that date. To determine whether a written binding contract exists, taxpayers still need to apply the same ambiguous standard as to whether the corporation was obligated to pay the amounts under applicable law. However, in noteworthy clarifications, the Proposed Regulations confirm that:

  • The presence of a clawback provision will not prevent an arrangement from being grandfathered as a written binding contract provided that the corporation’s right to recoup the compensation is based on the occurrence of conditions that are objectively outside the corporation’s control (e.g., detrimental conduct on the part of an executive).
  • Acceleration of the vesting of equity awards or other unvested compensation is not considered a material modification that would cause the loss of any applicable grandfathering. (However, the regulations are silent on whether the extension of the term of an option is a material modification.)
  • In determining whether severance is grandfathered, each component of the severance formula must be analyzed separately to determine the amount of severance that is grandfathered. So if a severance payment is based on salary plus discretionary bonus, it is only the amount of the bonus that is required to be paid as of November 2, 2017 based on a prior exercise of discretion that could be grandfathered. Further, if severance includes a base salary-based payment, an increase in base salary that is more than a reasonable cost of living increase causes the loss of grandfathering for the entire severance amount.

Because the Proposed Regulations adopt the prior guidance in Notice 2018-68 on grandfathering and material modifications, these aspects of the regulations apply for tax years ending on or after September 10, 2018.

Closing Remarks

Given the unanticipated breadth of many aspects of the Proposed Regulations, taxpayers should consider whether to comment on areas of concern. Any such comments are due to the IRS by February 18, 2020.

[1] REG–122180–18.
[2] Section references are to sections of the Internal Revenue Code of 1986, as amended, unless otherwise stated.
[3] References to the TCJA mean the Tax Cuts and Jobs Act of 2017.
[4] Notice 2018-68, issued on August 21, 2018, provided initial IRS and Treasury guidance on the changes made to section 162(m) by the TCJA, including the grandfather rule.
[5] “Exchange Act” means the Securities Exchange Act of 1934, as amended.

Originally published on Global Compliance News as “US: Proposed Regulations Dramatically Expand Limit on Deductibility of Executive Compensation”.


FRISCO, TEXAS, January 31 – The formation of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB) in partnership with the Department of Defense (DoD) is a landmark achievement and the next logical step in bringing the CMMC to reality.

HITRUST has been actively involved with the DoD and in related industry efforts to finalize the CMMC standard and the associated CMMC Accreditation Body (AB). Leveraging our twelve years of experience as a leader in delivering the highest quality assurance reports, developing our framework, assurance program, academy, assessor network, assessment infrastructure and related programs, HITRUST has made and continues to make valuable contributions and share key insights with the DoD and the CMMC AB in order to help them determine how best to go about accrediting auditors, delivering training, and issuing certifications.

While the CMMC program is being brought to market, HITRUST customers can rest easy knowing that for every component of the CMMC program contemplated by the DoD, HITRUST has a program or service to support those seeking CMMC. The HITRUST CSF already integrates with and contains mappings to the baseline standards upon which the CMMC framework is based (i.e., NIST SP 800-53, DFARS/NIST SP 800-171, and FedRAMP), enabling organizations to understand the control requirements and identify any gaps.

As the DoD and CMMC AB move forward with developing and implementing the requirements of the CMMC, HITRUST will be at the forefront, continuing to participate as a subject matter expert and thought leader while helping simplify the road to CMMC for organizations of all sizes, across all industries. HITRUST is poised and pleased to continue to share knowledge, technology and working solutions for securing the defense industrial base from industrial property theft, data breaches and compromises to national security intelligence.

To learn more about how HITRUST integrates with CMMC visit https://hitrustalliance.net/cybersecurity-maturity-model-certification/.

To learn more about HITRUST Approach visit: https://hitrustalliance.net/the-hitrust-approach/

Originally published on HITRUST as “HITRUST Statement on Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)”.


Ken Vander Wal Retiring; Jeremy Huval Named as New Chief Compliance Officer

FRISCO, TX, January 27, 2020 – HITRUST, a leading data protection standards development and certification organization, announced today that Jeremy Huval was promoted to Chief Compliance Officer, effective January 15, 2020. Huval served as Vice President of Compliance and Internal Audit for HITRUST since 2019 and will succeed Ken Vander Wal, who retired on January 1, 2020, after a successful ten-year career with the Company.

The promotion of Huval to the CCO role was a logical choice following the successful implementation of an enhanced quality monitoring and reporting initiative and successful launch of the Certified HITRUST Quality Professional (CHQP) course in 2019 that he and Vander Wal developed.

“It has been a privilege to work with a man of Ken’s intellect and insight in pursuit of the highest quality standards for organizations achieving the HITRUST CSF® Certification,” said Jeremy Huval. “Ken’s tremendous leadership advanced a comprehensive approach to reporting and assessing information risk, and compliance is more than just a framework, but a complete program tailored to an organization’s ecosystem. He leaves a strong legacy that I intend to build upon with continued innovation and a commitment to excellence for HITRUST.”

In September 2019, Vander Wal was voted by the Board to Chair the newly formed Quality Assurance Subcommittee, which provides additional governance and oversight of the HITRUST CSF Assurance Program. Vander Wal served as HITRUST’s Chief Compliance Officer since 2009. Under his leadership, the HITRUST CSF became recognized as an industry standard for the protection of healthcare data—the equivalent of the “Good Housekeeping Seal” of approval.

Vander Wal’s notable accomplishments include establishment of a formal review and approval process for creating authorized third-party assessors; enhancements to the HITRUST CSF Assurance program to ensure consistency, quality, and rely-ability™; collaboration with the AICPA to have the CSF framework recognized as acceptable criteria for SOC 2® + HITRUST CSF reports; and the launch of an interactive and highly successful customer hotline for users to anonymously report issues, concerns and suggestions to the CSF.

“My time at HITRUST has been an incredible journey, and I am humbled to know that my work has contributed to HITRUST’s mission of improving global security standards,” explained Vander Wal. “This is the perfect time to transition to the next generation knowing that the best is yet to come under Jeremy’s capable leadership. I look forward to continuing my involvement with HITRUST as Chair of the Board Quality Assurance Subcommittee and supporting the governance and oversight for our Assurance Program.”

“On behalf of HITRUST and the Board, I would like to express my appreciation to Ken for his invaluable leadership, drive, and focus, ensuring the integrity of our Assurance Program over the past ten years,” said Daniel Nutkis, CEO and Chairman of the Board. “Under Ken’s leadership, HITRUST has helped thousands of businesses transform their security protocols and processes while strengthening the Company’s standing as a global leader in a dynamic industry. Our company and leadership team has never been stronger, and we look forward to a seamless transition.”

Nutkis continued, “I am pleased to promote Jeremy to this new role and am confident that Jeremy’s keen understanding and knowledge of our business and commitment to delivering on the unique approach of the HITRUST Assurance Program will greatly contribute to the Company’s next level of success.”

Before his promotion, Huval served as the Vice President of Compliance and Internal Audit for HITRUST. His responsibilities included overseeing the integrity of the HITRUST CSF Assurance Program and leading an internal consulting and assurance function aimed at improving internal operations and controls within the organization. Huval has been an integral part of several initiatives since joining HITRUST that include automation of all reports issued and quality-check routines in Q&A processes; and implementation of new internal metrics to continuously monitor the quality and effectiveness of the CSF Assurance Program.

To learn more about the HITRUST CSF Assurance Program visit: https://hitrustalliance.net/csf-assurance/

To learn more about the Certified HITRUST Quality Professional (CHQP) Course visit: https://hitrustalliance.net/hitrust-academy/certified-hitrust-quality-professional-chqp-course/

The post HITRUST® Chief Compliance Officer Retires; Successor Named appeared first on HITRUST.


On 26 November 2019, the US Department of Commerce (Commerce) issued a highly anticipated proposed rule with proposed regulations (Proposed Regulations) to implement Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (Executive Order 13873).

Executive Order 13873 gives the Secretary of Commerce (Secretary) sweeping, unprecedented authority to prevent or modify transactions involving information and communications technology and services (ICTS) originating in countries designated as “foreign adversaries” which pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to US national security or the safety of United States persons. All industries are potentially affected by the Proposed Regulations, whether directly or indirectly, which allow for case-by-case reviews of transactions at the Secretary’s discretion. Any transaction that is ongoing as of, or was initiated on or after, 15 May 2019, can be reviewed and there is no mechanism by which a company may seek to clear transactions in advance.

A summary of the background and the Proposed Regulations is provided below:

I. Covered Transactions

On May 15, 2019, President Trump issued Executive Order 13873, which grants the Secretary the authority to prohibit or condition certain transactions involving ICTS designed, developed, manufactured, or supplied by persons owned, controlled, or directed by a foreign adversary. Our previous blog post regarding Executive Order 13873 can be read here.

Consistent with Executive Order 13873, the Proposed Regulations are sweeping in nature. Under the Proposed Regulations, the Secretary will consider the following five prongs in determining whether a transaction is covered by Executive Order 13873 and whether or not to permit the transaction:

  1. The transaction is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States;
  2. The transaction involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service);
  3. The transaction was initiated, is pending, or will be completed after 15 May 2019, regardless of when any contract applicable to the transaction was entered into, dated, or signed or when any license, permit, or authorization applicable to such transaction was granted (Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, constitute transactions that “will be completed” on or after 15 May 2019 even if a contract was entered into prior to 15 May 2019);
  4. The transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
  5. The transaction: (i) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States; (ii) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy of the United States; or (iii) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

In determining whether a transaction involves ICTS designed, developed, manufactured, or supplied, by persons “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” Commerce will consider a number of factors, including:

  • the laws and practices of the foreign adversary; and
  • equity interest, access rights, seats on a board of directors or other governing body, contractual arrangements, voting rights, and control over design plans, operations, hiring decisions, or business plan development.

The following are key defined terms in the Proposed Regulations:

  • Foreign adversary means any foreign government or foreign non-government person determined by the Secretary to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons for the purposes of Executive Order 13873. The Proposed Regulations do not specify which parties are “foreign adversaries,” but state that this is a matter reserved for executive branch discretion.
  • ICTS means any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including through transmission, storage, or display. This is a broad definition, which would appear to cover virtually all hardware/commodities, software, technology, or services associated with the telecommunications and communications sectors.
  • Transaction means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service. Use of the term “transaction” in this part includes a class of transactions. “Dealing in, or use” is not further defined.

II. The Proposed Review Process & Penalties

The Proposed Regulations establish a regime for the Secretary to engage in a case-by-case, fact-specific analysis of certain transactions involving ICTS, with a goal of targeting transactions that must be prohibited or mitigated without inadvertently barring less risky transactions or precluding innovation or access to technology in the United States. There is no process to clear any transactions in advance. In fact, the Proposed Regulations state that no advisory opinion or declaratory ruling will be issued with respect to any particular transaction.

Further, the Secretary has declined to identify classes of transactions or technologies that are subject to prohibition or are excluded from prohibition. As mentioned above, the Secretary conducts the review on a case-by-case basis. The Secretary, however, has reserved the right to issue class exclusion or inclusion determinations and related guidance in the future.

1. Initiation of Review

The Secretary may commence a review of a transaction in one of three ways: (i) at the Secretary’s discretion; (ii) upon the written request of another Government department, agency, governmental body, or the Federal Acquisition Security Council; or (iii) based on information submitted to the Secretary by credible private parties.

The Proposed Regulations do not provide for any time bars for review, which means that any transaction conducted post-15 May 2019 could be reviewed. Parties will only find out that a review has been initiated when they receive a preliminary determination.

2. Commerce’s Review Procedure

Commerce’s proposed review framework and its timeline are as follows:

  • The Secretary provides a preliminary determination in the form of a written notice to the parties to a transaction that the aforementioned criteria have been met and the basis thereof.
  • Within 30 days after receipt of the notice, the party may submit an opposition to the preliminary determination and supporting information or information on proposed mitigation measures. The Secretary can, but is not required to, grant an extension of time.
  • Within 30 days of receipt of such information, the Secretary will then issue a final determination describing whether the transaction is prohibited, not prohibited, or an otherwise prohibited transaction is permitted pursuant to the adoption of mitigation measures (and a description of the mitigation measures adopted). A summary of the Secretary’s final determination will be made public on https://www.commerce.gov/issues/ict-supply-chain and in the Federal Register.

3. Penalties

Any determination to either prohibit a transaction or permit an otherwise prohibited transaction based on mitigation measures will also provide a clear statement of the penalties that parties will face if they fail to comply fully with either the prohibition or the mitigation measures.

  • Any person who violates any determination, regulation, prohibition, or other action issued under the Proposed Regulations or makes false or misleading representation to Commerce may be liable for a civil penalty up to $302,584 per violation, adjusted for inflation, or an amount that is twice the value of the relevant transaction.
  • Any person who violates a material provision of a mitigation measure or a material condition imposed under the Proposed Regulations may be liable for a civil penalty up to $302,584 per violation, adjusted for inflation, or the value of the relevant transaction. Any penalty assessed because of such violation will be separate from any damages sought pursuant to a mitigation measure.

A determination to impose penalties under either of the above situations will be made by the Secretary with a written notice to the penalized party. Within 15 days of receipt of notice of a penalty, the penalized party may submit a petition for reconsideration to the Secretary, including a defense, justification, or explanation for the penalized conduct. The Proposed Regulations do not address whether an extension of time can be granted for the petition. The Secretary will review the petition and issue a final decision within 30 days of receipt of the petition. The actual amount of the penalty assessed for a violation shall be based on the nature of the violation.

III. Request for Comment

Commerce invites comments on all aspects of the Proposed Regulations except for the determination of a “foreign adversary,” which is a matter reserved for executive branch discretion. Specifically, Commerce requests public comments on questions including:

  • Are there instances where the Secretary should consider categorical exclusions or exempt certain classes of persons whose use of ICTS can never violate Executive Order 13873?
  • Are there transactions involving types or classes of ICTS where the transaction could present an undue or unacceptable risk but that risk could be reliably and adequately mitigated? What form can such mitigation measures take?
  • If mitigation measures are adopted for a transaction, how should the Secretary ensure that parties consistently execute and comply with the agreed-upon mitigation measures? How best could Secretary make sure the mitigation measures are not obsolete?
  • How should the definition of “transaction” (in particular, the terms “dealing in” and “use”) be interpreted?

If you wish to submit a comment to Commerce or have any questions, please contact any member of our Outbound Trade Compliance team. Comments must be submitted to Commerce on or before 27 December 2019. The authors acknowledge the assistance of Iris Zhang in the preparation of this client alert.

The post United States Commerce Proposes Rules re Securing the Information and Communications Technology and Services Supply Chain; Comments Due on or Before December 27 appeared first on Global Compliance News.


On December 2, 2019, the US Trade Representative (USTR) published a report concluding France’s Digital Services Tax (DST) “discriminates” against and is “unusually burdensome” for US companies, and published a Federal Register notice setting out proposed tariffs as high as 100 percent on US$2.4 billion in French imports into the United States. USTR will conduct hearings in January on its proposed actions. In making his announcement, Ambassador Lighthizer also noted that “USTR is exploring whether to initiate similar investigations into the digital services taxes of Austria, Italy, and Turkey.”

USTR initiated its investigation of France’s Digital Services Tax (DST) in July 2019 under section 301(b)(1)(A) of the Trade Act of 1974 (the Trade Act) and concluded that it discriminates against US companies. The DST was signed into law by President Macron on July 24, 2019 and imposes a 3 percent levy on revenues that certain companies generate from providing certain digital services to, or aimed at, persons in France. In its report published December 2, USTR found:

“France’s [DST] discriminates against U.S. companies, is inconsistent with prevailing principles of international tax policy, and is unusually burdensome for affected US companies. Specifically, USTR’s investigation found that the French DST discriminates against US digital companies, such as Google, Apple, Facebook, and Amazon.”

USTR stated that the French DST is inconsistent with prevailing tax principles on account of its retroactivity to January 1, 2019, its application to revenue rather than income, its extraterritorial application (the DST applies to revenues unconnected to a physical presence in France) and its purpose of penalizing particular US technology companies (since smaller companies, that are more likely to be locally based, are exempt).

The United States has also criticized the impact of the French DST on international negotiations occurring at the Organisation for Economic Co-operation and Development (OECD). Those negotiations are aimed at developing a consensus approach to corporate income taxation affecting the digital economy. The United States has argued that France’s law undermines the OECD negotiations.

In the wake of these findings, USTR is authorized by Section 301 to take all appropriate and feasible action, including the imposition of duties on the goods and imposition of fees or restrictions on the services of France. As noted, USTR is issuing a Federal Register notice soliciting comments from the public on USTR’s proposed action, which includes additional duties of up to 100 percent on certain French products. The notice also seeks comment on the option of imposing fees or restrictions on French services. The list of French products subject to potential duties includes 63 tariff subheadings with an approximate trade value of US$2.4 billion. The value of any US action through either duties or fees may take into account the level of harm to the US economy resulting from the DST. A list of the products proposed by USTR for the additional duties may be found in the Federal Register Notice.

USTR requests comments with respect to any issue related to the action to be taken in this investigation. With respect to action in the form of additional duties, USTR invites comments regarding:

  • The specific products to be subject to increased duties, including whether products listed in the Annex should be retained or removed, or whether products not currently on the list should be added.
  • The level of the increase, if any, in the rate of duty.
  • The level of the burden or restriction on the US economy resulting from the DST.
  • The appropriate aggregate level of trade to be covered by additional duties.

In commenting on the inclusion or removal of particular products on the list of products subject to the proposed additional duties, USTR requests that commenters address specifically whether imposing increased duties on a particular product would be practicable or effective to obtain the elimination of France’s DST, and whether imposing additional duties on a particular product would cause disproportionate economic harm to US interests, including small- or medium-size businesses and consumers.

With respect to action in the form of fees or restrictions on services of France, USTR seeks comments on issues such as:

  • Which services would be covered by a fee or restriction.
  • If a fee is imposed, the rate (flat or percentage) of the fee, and the basis upon which any fee would be applied.
  • If a restriction is imposed, the form of such restriction.
  • Whether imposing fees or restrictions on services of France would be practicable or effective to obtain the elimination of France’s acts, policies, and practices.

USTR is inviting public comment on these issues and will be holding a hearing. We are assisting many clients in responding to these proposed tariffs.

If you would like to submit public comments and/or participate in a public hearing to be held on January 7, 2020, we would be pleased to assist.


The post USTR Proposes Tariffs on US$2.4 Billion in French Goods in Response to France’s Digital Services Tax appeared first on Global Compliance News.


FRISCO, Texas – Dec. 11, 2019 – HITRUST®, a leading data protection standards development and certification organization, announced a collaboration with Frist Cressey Ventures to form the Venture Capital Advisory Council (“VC Council”) and Venture Program, comprised of some of the most influential venture capital firms. As venture capital firms seek to reduce cyber risks and data breaches within their portfolio companies, they incorporate information risk management into their due diligence and investment decision making processes, recommending portfolio companies demonstrate the appropriate levels of information security and privacy, and regulatory compliance. Historically, many VC firms have given preference to HITRUST CSF® Certified organizations as HITRUST offers a common approach as well as practical and efficient solutions to identifying and mitigating the risks of potential cyber incidents, making their portfolio companies as competitive as possible within their markets. The new Venture Program expands and formalizes an approach to information risk management and compliance for portfolio companies.

2019 is shaping up to be a record year for venture capital investments, with roughly $50 billion invested in the healthcare sector alone, according to data from CB Insights. 31 percent of these healthcare deals are in digital health companies. According to a Ponemon Institute study, many of these early stage companies have experienced a data breach in the last 12 months. Specifically, 76 percent of small- and medium-sized businesses have experienced a data breach in the past year. The data further suggests that these businesses lack appropriate security and privacy oversight, which translates to greater risk for their customers. This, coupled with looming deadlines for complying with privacy laws such as the CCPA in January 2020, intensifies the pressure on start-up and early stage companies to address regulatory compliance requirements.

The HITRUST Venture Program™, governed by the VC Council, was established to focus on the unique risk management challenges that early- to late-stage companies face when integrating security, privacy, and compliance into their organizations to reduce their risk profile and increase their market opportunities. The Venture Program establishes a common recommended approach to information risk management and compliance that VC firms can expect of their portfolio companies. It leverages the HITRUST CSF® and CSF® Assurance Program, providing participating companies with access to a collection of tools and services to facilitate a cost-effective and efficient process to adopt strong information protection practices and obtain HITRUST CSF Certification.

A few of the leading venture capital funds are uniting with HITRUST and bringing their economic power to address these challenges. An early list of distinguished founding members of the VC Council includes Ascension Ventures, Bain Capital Ventures, Echo Health Ventures, Frist Cressey Ventures, Heritage Group, Maverick Ventures, New Enterprise Associates, 7Wire Ventures, and others, with combined assets under management of more than $30 billion including over 1000 companies within their portfolios. The VC Council is co-chaired by former U.S. Senate Majority Leader Bill Frist, Co-founder and Partner, Frist Cressey Ventures, and Chris Booker, Partner, Frist Cressey Ventures.

“Securing private data and personal information should be a top priority for every organization. While a data breach negatively impacts any organization, for a start-up or early-stage company trying to instill customer confidence, it can be catastrophic,” said Senator Frist. “Frist Cressey Ventures is strategically positioned to align entrepreneurs, venture firms, and HITRUST to promote best practices in data protection and compliance.”

HITRUST understands information risk management and compliance and the challenges of assembling and maintaining the many and varied programs. HITRUST’s integrated approach ensures that the comprehensive components are aligned and maintained to support an organization’s information risk management and compliance program.

“I applaud Senator Frist and Mr. Booker for the foresight and leadership demonstrated in recognizing a need as well as assembling such an influential group from the investment community to better enable and support early- to late-stage companies in addressing information risk management and compliance,” said Daniel Nutkis, Chief Executive Officer, HITRUST.

“Today, venture capital firms see how quickly data and privacy can be compromised. Our goal is for our portfolio companies to recognize the value of mitigating risk early on in their DNA with the adoption of the highest standards of security and privacy,” said Yumin Choi, Partner, Bain Capital Ventures. “By leveraging HITRUST’s expansive toolset and services, our portfolio companies have access to a comprehensive and efficient approach to mitigate and manage risk.”

The VC Council, made up of founding member funds, serves as the governing body of the Venture Program, providing valuable expertise and insight to early- to late-stage companies incorporating information risk management and data protection into their culture and offerings. Members of the VC Council oversee the program, serving as thought leaders in the space, and liaisons between their organization, portfolio companies, and HITRUST.

Any qualifying venture fund can participate in the program. To learn more about the Venture Capital Advisory Council and Venture Program, including requirements, download the datasheet at https://hitrustalliance.net/hitrust-venture-program/ or contact Jay Martin at Jay.Martin@HITRUSTalliance.net.

The post HITRUST® and Frist Cressey Ventures Launch Venture Council and Program to Build Security and Privacy into the “DNA” of Tech Startups appeared first on HITRUST.