Demonstrating trade secret misappropriation in a civil case often turns on the IP owner’s ability to show that it has a protectable trade secret. Yet in the criminal context, the US Government has taken the position that it can establish attempted trade secret theft irrespective of such a showing. In a criminal prosecution of theft, the Government must generally prove beyond a reasonable doubt each element of the offense — including the specific object of the alleged theft. Recent prosecutions involving allegations of trade secret theft and attempted trade secret theft highlight an important deviation from this principle and draw a line between two provisions of the Economic Espionage Act, 18 U.S.C. § 1831 and 18 U.S.C. § 1832.

In United States v. O’Rourke,1 it was undisputed that the defendant took information that he was not legally entitled to from his employer.2 The defendant argued that § 1832 permits prosecution for attempt violations only if a defendant tries and fails to misappropriate actual trade secrets.3 Relying on United States v. Hsu,4 the legislative history of the EEA, and the analogous case law addressing convictions for distributors of sham drugs, O’Rourke held that the Government can pursue attempt charges under § 1832 if the defendant believed the information to be a trade secret, even if the information taken did not constitute a trade secret under the Act.5 The court reasoned that individuals seeking to harm a company and benefit a competitor should not receive a “get out of jail free” card due to their mistaken belief as to the proprietary nature of the misappropriated material.6

Similar issues are arising in United States v. Levandowski,7 as the Government pursues criminal charges of attempted trade secret theft against a former engineer accused of stealing trade secrets related to self-driving cars. In response to a bill of particulars filed by the defendant on November 6, 2019, US District Judge William Alsup has ordered both parties to file a brief outlining their positions as to the level of specificity required by the prosecution when it pursues trade secret theft charges. The prosecution has argued that they have met this threshold by proving that the defendant reasonably believed the information was a trade secret to support the attempt charges.

O’Rourke established that criminal penalties can be imposed for the attempted theft of trade secrets, even if the information does not qualify as a trade secret per 18 U.S.C. § 1839. Levandowski may provide more clarity on level of specificity required by the Government in order to pursue charges of attempted trade secret theft.

If you have any questions about these updates, please contact the authors or the Baker McKenzie attorney with whom you work.


1 United States v. O’Rourke, No. 17-cr-00495, 2019 U.S. Dist. LEXIS 174962 (N.D. Ill. Oct. 9, 2019).
2 Id. at *11.
3 Id. at *8.
4 United States v. Hsu, 155 F.3d 189, 198 (3d Cir. 1998).
5 United States v. O’Rourke, No. 17-cr-00495, 2019 U.S. Dist. LEXIS 174962, *10-11 (N.D. Ill. Oct. 9, 2019).
6 Id. at *11.
7 5:19-cr-00377 (N.D. Cal.).

The post Criminal Liability for Attempted Trade Secret Theft May Not Require Trade Secrets in the US appeared first on Global Compliance News.


Support for California Consumer Privacy Act (CCPA) standards in HITRUST CSF to help businesses better identify and remediate gaps in CCPA-specific security and privacy controls

FRISCO, Texas – November 21, 2019 – HITRUST, a leading data protection standards development and certification organization, has incorporated the CCPA standard into HITRUST CSF version 9.3, providing businesses with a strong basis for measuring CCPA compliance as part of their existing assessment and certification processes. Organizations can assess against the CCPA to conclude quickly if they meet the new requirements identified in the law or if there are any gaps that must be remediated.

Given the number of consumers and size of the California economy, the CCPA will have a significant impact on the market as almost every for-profit business in the United States will have to comply with the ruling to “implement and maintain reasonable security procedures and practices” to protect consumer data.  The law is serving as a model and has created an expectation among consumers that they can have access to their data, ask for it to be deleted or corrected, and limit its uses.

Businesses that are required to comply with the law due to go into effect on January 1, 2020, can perform a CCPA assessment by including the CCPA as a regulatory factor in the MyCSF® assessment tool.

The HITRUST CSF includes comprehensive privacy controls as well as mappings to both the CCPA and the GDPR. The CCPA is just different enough from the GDPR to create confusion in terms of compliance. HITRUST has helped businesses manage GDPR compliance and will help organizations doing business in California to minimize the impact of new regulatory requirements.

“The CCPA requires American organizations to look at data in a new way, as we are not used to data subjects having the type of rights granted them under the CCPA,” explains Anne Kimbol, Chief Privacy Officer, HITRUST. “By including leading privacy standards and principles, including the European Union’s General Data Protection Regulation (GDPR) and the CCPA mappings into the HITRUST CSF, we help our customers identify and mitigate gaps and risks in their existing programs that help them meet not just the growing compliance requirements but also customer expectations.”

Even though many companies have tried to get their heads around GDPR, there are differences between the GDPR and the CCPA which leaves much confusion in the market about what the CCPA compliance means. HITRUST continues to be committed to helping organizations translate privacy laws into actions, first with the GDPR and now with the CCPA. HITRUST has looked holistically at information risk management, working beyond what organizations are required to do, and bringing to light what they should be doing by addressing both security and privacy controls across their internal infrastructure as well as throughout their third-party supply chain. Organizations already utilizing HITRUST to identify and implement their applicable privacy controls will need to devote fewer resources to adjusting their programs to meet the CCPA requirements.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but also the amendments made during the recent California Legislative Session. HITRUST will continue to enhance the CCPA language in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law.

For example, performing a HITRUST CSF Assessment can help your organization gain insight into what action items need to be prioritized to meet regulatory compliance requirements. Giving prescriptive control requirement statements and granular illustrative procedures to simplify and streamline an organization’s journey to information risk management and compliance.

HITRUST encourages organizations with a CCPA requirement to participate in the HITRUST webinar on CCPA Compliance on December 3, sign up at

To download the HITRUST CSF go to

The post HITRUST CSF® Brings Clarity to Security Requirements as Countdown to California’s New Privacy Protection Act Looms appeared first on HITRUST.


To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

  • A group of Washington, D.C. area Democrats in the House are hoping to block any funding meant for the relocation of the Bureau of Land Management’s headquarters. E&E News reported the lawmakers sent a letter to House Interior, Environment and Related Agencies Appropriations Subcommittee Chairwoman Betty McCollum (D-Minn.), saying BLM’s planned move to Colorado “is designed to harm public lands and limit congressional oversight” by scattering senior leadership across the West. The lawmakers in question also worry the new location will give certain oil and gas companies easier access to agency leadership.
  • The four-week continuing resolution has cleared the House. The CR would keep the government open through Dec. 20. It includes a 3.1% pay raise for military members. But it’s silent on a pay raise for civilian federal employees. The CR also includes additional funding for the upcoming census and extends some health care programs. The CR passed with a 231-192 House vote. The Senate must pass the CR before sending it to the president’s desk for his signature. (Federal News Network)
  • A bipartisan bill would give the General Services Administration the ability to negotiate fixed-price contracts for future government leases. If passed, it would allow GSA to buy a property from a private owner, once its lease expires. Supporters said it could save GSA billions of dollars and eliminate wasteful agency leases. Sens. James Lankford (R-Okla.) and Gary Peters (D-Mich.) introduced the bill in the Senate while Reps. Mark Meadows (R-N.C.) and Greg Pence (R-Ind.) introduced the bill in the House. (Sen. James Lankford)
  • GSA is working on tools to streamline the Federal Risk Authorization and Management Program, or FedRAMP. The agency has partnered with the National Institute of Standards and Technology, to develop a common machine-readable language called the Open Security Controls Assessment Language, or OSCAL, to expedite the agency risk and compliance process that vendors go through for FedRAMP certification. GSA is also looking to revamp, to include short videos that help answer technical questions for vendors. (Federal News Network)
  • Three new policy memos are expected to kick start a series of sweeping changes to the suitability, credentialing and security clearance process. The president is expected to first sign a presidential national security memo to start the reforms. It will direct the Office of the Director of National Intelligence and the Office of Personnel Management to start these reforms. A second document will go out to agencies. It will instruct them to begin implementing continuous vetting capabilities. And a third memo will serve as a core federal vetting doctrine. (Federal News Network)
  • Agencies received new cybersecurity marching orders for fiscal 2020. OMB told agencies they must report any cyber incident that has been under investigation for 72 hours without a successful determination of the event’s root cause or nature to the Department of Homeland Security. In the fiscal 2020 Federal Information Security Management Act (FISMA) guidance, OMB laid out this new timeline as part of the Federal Incident Notification Guidelines. This is one of the few changes from the 2019 FISMA guidance. OMB said by reporting real or potential cyber incidents, DHS can use these details and other data to produce a Cyber Incident Scoring System score to estimate the risk of an incident. (White House)
  • The Government Accountability Office set a new record for cost saving . The watchdog agency estimated it saved the federal government more than $200 billion in fiscal 2019. For every dollar invested in its budget GAO said it identified $338 in savings. That’s more than double its five-year average return on investment of $171 for every dollar invested in the agency. GAO identified the most cost savings through its audits of Defense Department weapons systems and the IRS’ efforts to prevent identity theft. (Government Accountability Office)
  • A Senate bill to address a $12-billion maintenance backlog at the National Park Service cleared its first legislative hurdle. The Restore Our Parks Act cleared the Senate Energy and Natural Resources Committee. The bill would set up a restoration fund from money the government receives from offshore energy development. That revenue would begin to fund deferred maintenance projects across the country. Sens. Rob Portman (R-Ohio), Lamar Alexander (R-Tenn.),  Mark Warner (D-Va.) and Angus King (I-Maine) sponsored the bill. (Sen. Mark Warner)
  • A bipartisan cadre of senators are calling on President Donald Trump to designate a senior coordinator dedicated to developing and deploying 5G technologies. The leaders of the Senate Intelligence, Homeland Security and Governmental Affairs, Foreign Relations and Armed Services Committees said in a letter to Trump’s national security adviser that it is urgent to develop a national strategy for 5G. The letter also stressed the dangers of allowing China to continue to lead in the growth of 5G technology. (Sen. Mark Warner)
  • The Defense Innovation Unit is teaming up with civilian organizations like NASA and FEMA to find ways to automate the analysis of satellite images after a natural disaster. DIU is hosting an artificial intelligence prize challenge where industry, academia and individuals can submit code to identify buildings damaged in hurricanes, fires or earthquakes. Using AI to find those buildings on satellite images is much faster than doing it by eye, and can get first responder resources into needed areas faster. (Federal News Network)
  • The Senate’s getting closer to filling some key vacancies at the Defense Department. The Senate Armed Services Committee voted Tuesday to confirm Lisa Hershman as DoD’s chief management officer — the third-highest ranking position in the department. That job has been vacant since John Gibson resigned a year ago. The committee also approved Robert Sander to be the Navy’s general counsel. That job hasn’t had a Senate-confirmed appointee since the beginning of the Trump administration. Senators also advanced the nomination of Dana Deasy as the Pentagon’s chief information officer. Deasy has been the CIO since 2017, before Congress made the job subject to Senate confirmation. All three nominations now head to the full Senate. (Senate Armed Services Committee)
  • Add the Air Force to the list of government organizations reminding its employees CBD products are not OK because they may cause a positive drug test. The Air Force Judge Advocate General Office said those products may have unregulated levels of THC in them, which is still illegal on a federal level. (Air Force)
  • The Social Security Administration aims to bring down what it calls a skyrocketing fraud problem. It launched an online form for people to report telephone scams. The callers demand money or gift cards to avoid arrest. Recipients are told there’s some legal problem with their Social Security number. Officials will analyze data from the online forms, seeking trends and investigative leads, and, they hope , to disrupt the callers. SSA the calls are the number one fraud the public reports to it and the Federal Trade Commission. (Social Security Administration)


When it comes to its annual cybersecurity exam, the Department of Veterans Affairs has a less than stellar history.

VA’s inspector general still considers cybersecurity — despite efforts from an array of prior chief information officers — as a material weakness, according to the most recent Federal Information Security Management Act (FISMA) audit.

This is a common challenge for agencies across government, and VA was one of 18 organizations to earn this distinction in 2018.

Even so, VA holds a unique distinction among other agencies, the Government Accountability Office said.

“When it comes to looking at the length of time that it has consistently reported a material weakness in the security controls over its financial systems for financial reporting purposes, it’s been going on 17 years in a row,” Greg Wilshusen, director of IT and cybersecurity at GAO, told the House Veterans Affairs Technology Modernization Subcommittee at a hearing Thursday on VA cybersecurity challenges. “Few agencies meet that longevity of that particular weakness.”

VA’s inspector general made 28 recommendations to improve IT security controls in its most recent FISMA audit. Most recommendations are repeats from the previous years, said Nick Dahl, deputy assistant inspector general for audits and evaluations.

Lawmakers see these patterns as particularly alarming, especially as cyber attacks have become more prevalent at major private sector health systems.

This all comes as the department juggles several IT modernization initiatives, and members of the House Veterans Affairs Technology Modernization Subcommittee said they feared VA’s cybersecurity posture was taking a backseat to those higher-profile projects.

“My concern is that assessing risk and developing mitigation strategies does not have enough attention,” Rep. Susie Lee (D-Nev.), the subcommittee chairman, said. “Many OIG and GAO reports on security incidents cite management failures or lack of internal oversight as the reason behind the incidents. Too often strong leadership on risk management and information security becomes an afterthought or a paperwork exercise done once a year for the FISMA audit.”

Still, the members, VA’s Office of Inspector General and the Government Accountability Office said there is some slow progress in the right direction.

For one thing, VA has reported fewer cyber incidents in recent years.

And VA has, the OIG said, made progress in staying on top of cyber-related policies. For example, the department updated its enterprise cybersecurity and privacy strategy this year to align with industry and National Institute of Standards and Technology best practices.

Paul Cunningham, VA’s chief information security officer, came to the agency in January after several years at the Energy Department and Immigration and Customs Enforcement.

He said he noticed several cybersecurity challenges that largely stemmed from VA’s legacy systems. But he did recall some bright spots with VA’s cybersecurity posture.

“We had an incredibly talented pool of people, especially in regards to how we monitor the network traffic and our ability to respond,” Cunningham said. “I also saw a very strong relationship with DHS, which is a very positive thing.”

He said VA’s centralized approach to cybersecurity was a welcome change, citing a newly established, departmentwide Office of Quality, Process and Risk as example.

“They established a risk officer, which is an incredible feat because a lot of organizations have difficulty in getting [one] set up and staffed,” Cunningham said. “It’s a great ally for cybersecurity as a whole to be able to have somebody who is an equal pairing and has [an] unbiased feeding to the CIO and the secretary information regarding cybersecurity risk.”

Cunningham noted some “siloing” in VA’s IT organization but said the department’s technical operations employees had a strong working relationship with its cybersecurity employees. That kind of relationship, he said, doesn’t exist at all agencies.

“It sounds like you’re making some progress, especially at the management level at VA,” Lee said.

In addition, VA said it achieved a major milestone in its ongoing efforts to implement the continuous diagnostics and mitigation program two weeks ago.

The department implemented the tools needed for hardware asset discovery, Cunningham said in his written testimony. The project was four-year effort in partnership with DHS and will give VA visibility to the assets connected to the network, he said.

VA is also in the middle of a 30-month “request for service” effort with DHS, an initiative that Cunningham said will allow the department to improve its identity and access management tools, better manage users on its network and grant special access to select systems.


The Division of Investment Management recently issued guidance on the obligation of investment advisers to disclose financial conflicts of interest in the form of Frequently Asked Questions Regarding Disclosure of Certain Financial Conflicts Related to Investment Adviser Compensation (the “Guidance”).  The Guidance substantiates (and to some degree legitimizes) the positions previously articulated in the course of SEC examinations and enforcement actions, and indicates that the SEC staff will continue to expand its focus beyond 12b-1 fees and revenue sharing to evaluate how investment advisers manage conflicts of interest associated with the receipt of compensation from investments the advisers recommend to their clients.

Although the Guidance does not alter or amend applicable law, nor does it have legal force or effect, this is the first time the staff of the Division of Investment Management is affirmatively addressing disclosure obligations that have been at the heart of SEC examinations and enforcement actions preceding and resulting from the SEC Mutual Fund Share Class Selection Disclosure Initiative (“SCSD”).  Accordingly, advisers should use this as an opportunity to review and enhance their disclosure about financial conflicts of interest.  In addition to the specific disclosure components discussed below, advisers should consider the following broad concepts from the Guidance:

  • Consider all direct and indirect compensation.  Although the Guidance focuses on disclosure of conflicts of interest associated with the receipt of 12b-1 fees and revenue sharing, advisers should not stop there.  The Guidance makes clear that “many of the same principles and disclosure obligations apply to other forms of compensation,” including service fees from clearing brokers, marketing support payments, compensation designed to defray the cost of educating and training sales personnel, and transaction fees.  Importantly, the staff refers to “compensation” broadly to include the reduction or avoidance of expenses that the investment adviser incurs or would otherwise incur.
  • Be thoughtful about all types of investments.  Much of the compensation referenced in the Guidance is related to the offering of mutual funds, but the staff does not limit the discussion to mutual funds, rather it refers to “investments” broadly.
  • More disclosure is just more disclosure.  Consistent with the principles set forth in the recent adoption of Form CRS and the SEC Standards of Conduct more generally, the staff makes clear that it expects Form ADV disclosure to be “concise, direct, appropriate to the level of financial sophistication of the adviser’s clients and written in plain English.  As a result, longer disclosures may not be better disclosures.”  This is a pretty clear warning that simply adding more disclosure will not address the staff’s concerns.  Rather, the focus should be on developing disclosure that is specific enough to explain whether and how the conflict could affect the advice a client receives.
  • Be proactive.  One of the criticisms of the SEC staff’s positions in the SCSD cases was that the SEC was evaluating disclosure with the benefit of hindsight, but that the staff of the Division of Investment Management had never precisely articulated principles that investment advisers should follow when seeking to satisfy their fiduciary obligation to disclose financial conflicts of interest under Section 206.  The staff is now providing affirmative guidance and it will be difficult to defend in examinations or enforcement investigations future disclosure that does not conform to the disclosure points referenced in the Guidance to the extent relevant to the adviser’s business practices.
  • Don’t Delay.  There will be a desire to wait until the next annual update of Form ADV (in March 2020 for most firms) to make any changes, but depending on the nature of the adviser’s existing disclosure, it may be worthwhile to file an interim update that incorporates the disclosure points set forth in the Guidance, as well as the recently adopted Interpretation of Standards of Conduct for Investment Advisers (the “Interpretation”).

Material Facts to be Disclosed

The Guidance provides examples of material facts that the Staff believes should be disclosed in connection with the receipt of 12b-1 fees and revenue sharing payments.  This list is not intended to be comprehensive, so advisers should consider whether they need to disclose different or additional facts depending on the firm’s particular circumstances.

  • Disclose the existence and effect of different incentives and resulting conflicts. 
    • The fact that different share classes are available and that different share classes of the same fund represent the same underlying investments.
    • How differences in sales charges, transaction fees and ongoing fees would affect a client’s investment returns over time.
    • The fact that the adviser has financial interests in the choice of share classes that conflict with the interests of its clients.
    • Any agreements to receive payments from a clearing broker for recommending particular share classes (e.g., NTF mutual fund share classes or 12b-1-fee-paying share classes).
  • Disclose the nature of the conflict. 
    • Whether the conflict arises from differences in the compensation the adviser and its affiliates receive, or results from financial incentives shared between the adviser and others (e.g., clearing brokers, custodians, fund investment advisers, or other service providers).  These financial incentives might include offsets, credits, waivers of fees and expenses.  In the case of revenue sharing arrangements, these incentives could also include the receipt of payments and expense offsets from a custodian for recommending that the adviser’s clients maintain assets at the custodian.
    • Whether there are any limitations on the availability of share classes to clients that result from decisions or relationships at the adviser or its service providers (e.g., where the clearing firm only makes certain share classes available, the fund or clearing firm has minimum investment requirements, or the adviser limits investment by type or class of clients, advice, or transactions).
    • Whether an adviser’s share class selection practices differ when making an initial recommendation to invest in a fund as compared to recommendations to convert to another share class, or buy additional shares of the fund. For example, the adviser could consider disclosing its practices for reviewing, in conjunction with its periodic account monitoring, whether to convert mutual fund investments in existing or acquired accounts to another share class.
  • Disclose how the adviser addresses the conflict. 
    • The circumstances under which the adviser recommends share classes with different fee structures and the factors that the adviser considers in making recommendations to clients (e.g., considerations associated with selecting between share classes that charge 12b-1 fees or transaction fees).
    • Whether the adviser has a practice of offsetting or rebating some or all of the additional costs to which a client is subject (such as 12b-1 fees and/or sales charges), the impact of such offsets or rebates, and whether that practice differs depending on the class of client, advice, or transaction (e.g., retirement accounts).

The Guidance also noted that in making disclosure determinations, an adviser needs to look both to “the specific disclosure requirements in Form ADV” as well as broader, general, disclosure obligations as a fiduciary.  The Guidance did not expound on this latter point, but it serves as a reminder to advisers that during any examination or enforcement investigation, the staff will review Form ADV disclosures in a non-formulaic fashion and disclosures should be drafted and reviewed accordingly.

“May”- Based Disclosure

The Guidance reiterates that disclosure that an adviser “may” have a conflict of interest resulting from the receipt of compensation is not sufficient if the conflict actually exists.  This was a central point of contention in evaluating the adequacy of disclosure in the SDSC Initiative and related mutual fund share class cases.  In this regard, the Guidance is consistent with the Interpretation, which warned that “may”-based disclosure could be appropriately used only in cases where the disclosure identifies a potential conflict that does not currently exist but might “reasonably present itself in the future.” According to the Interpretation, investment advisers should not use “may” to explain that a conflict exists only with respect to a subset of clients or services it provides, unless the “may”-based disclosure specifies the subset of clients or services where the conflict applies. In the SEC’s view, “may”-based disclosure that precedes a list of all possible or potential conflicts regardless of likelihood has the effect of “obfuscating” actual conflicts to a point that clients cannot provide informed consent.

Available Share Classes and Account Monitoring

When evaluating the presence of a conflict of interest advisers are required to consider the “available” share classes.  The Guidance clarifies that references to “available” share classes means all share classes offered by the fund for which the client is eligible (based on, for example, minimum investment amounts) at the time of a recommendation, “except to the extent the adviser or the adviser’s service provider imposes limitations on the availability of a share class to certain types of clients and the adviser provides full and fair disclosure and receives informed consent from the client with respect to those limitations.”  In doing so, the staff clarifies that advisers can limit the universe of funds they consider in making investment recommendations to those funds available on the clearing firm’s platform or to particular classes of shares that the adviser decides to offer to its clients – so long as those limitations are clearly disclosed in a manner that is specific enough to meet the standard for informed consent under the Interpretation.

In clarifying this position, however, the staff also notes that eligibility for a particular share class is evaluated at the time of a recommendation – “including a recommendation to continue holding current investments.”  Accordingly, the Guidance suggests that advisers that have an ongoing relationship with their clients should reevaluate whether a particular share class continues to be appropriate for a client over time consistent with the adviser’s periodic account monitoring responsibility, and should consider whether to convert existing or new positions to a lower cost share class.  This would be the case regardless of whether the adviser made the initial recommendation with respect to the investments in the account.

We are Here to Help

We expect the SEC examination and enforcement staff will evaluate the adequacy of disclosure relating to financial conflicts of interest against this Guidance and the principles set forth the Interpretation.  Accordingly, advisers should revisit existing Form ADVs, as well as other client facing materials, to update the disclosure or consider whether to document why the incorporation of particular disclosure points may not be relevant in relation to the adviser’s business practices.  In addition, advisers may wish to update their policies and procedures around the selection of particular investments where there is a conflict of interest and to confirm that their disclosure matches actual business practices.


Baker McKenzie’s Financial Regulation and Enforcement Practice provides our clients with a full range of regulatory advice and enforcement counseling. This integrated approach helps clients navigate the challenges presented by developing new products and offering financial services in a rapidly changing regulatory environment, while simultaneously considering how to assess and minimize potential enforcement exposure. Enforcement investigations and regulatory examinations are similarly addressed, not only with considerable enforcement experience, but also by fully leveraging the enormous value added by regulatory expertise.


The post SEC Staff Publishes Guidance on Investment Adviser Disclosure of Financial Conflicts of Interest appeared first on Global Compliance News.


Comprehensive TPRM Methodology and enhancements to HITRUST Assessment XChange™ combine to overcome TPRM Challenges  

FRISCO, Texas – November 12, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a major release of its HITRUST Third-Party Risk Management (“TPRM”) Methodology that introduces numerous new components including an Inherent Risk Questionnaire, Rapid Assessment, and Trust Score.

Also announced today are enhancements to the HITRUST Assessment XChange (the “Xchange”) Manager platform to fully integrate the TPRM Methodology. This enables the XChange Manager platform to automate the TPRM process from the vendor qualification through the organization’s management of its vendors’ risks. Further, by bringing the methodology and technology platform together, HITRUST is simplifying the deployment and operationalization of the process organizations use to qualify a third party for a business relationship and provide a common approach that can be used across industries to drive efficient and effective third-party risk management.

“Representing an organization with over a hundred thousand business partners, the alignment of the HITRUST TPRM Methodology provides a significant step forward for any organization that wants to address the inconsistencies, inefficiencies, ineffectiveness, and high costs of their current approach to TPRM and third-party assurance”, Taylor Lehmann, vice president and CISO, Athena Health, “We need more ‘win-win’ opportunities for organizations and their third parties like this and this gets us a lot closer.”

Today there is no consistent way to determine what information security, privacy, and compliance risk assurances should be provided and maintained when an organization shares sensitive information with a third party, including vendors, suppliers, and business partners. This creates inconsistencies when organizations seek assurances from their third parties, which can be higher than warranted for risk or regulatory compliance requirements, or lower than warranted for exposing organizations themselves to more risk than intended.

Implementation of the HITRUST TPRM methodology solves this issue by incorporating greater oversight early in the vendor selection process in support of informed decision-making, determining an acceptable level of risk, and reducing the likelihood of vulnerabilities being interjected into an organization’s environment. This is done by determining how much information security and individual privacy risk a vendor poses and developing strategies to reduce the likelihood and impact of a potential breach before a breach occurs.

The new release of the HITRUST TPRM Qualification Methodology expands on HITRUST’s popular Risk Triage Methodology with a six-step qualification process that provides organizations a comprehensive approach to defining inherent risk factors: 1. Pre-Qualification, 2. Risk Triage, 3. Risk Assessment, 4. Risk Mitigation, 5. Risk Evaluation and 6. Qualification Decision. With this new qualification process HITRUST also introduces:

  • The Inherent Risk Questionnaire: A new questionnaire used to support risk triage by collecting information on a common set of inherent risk factors—independent of the security and privacy controls that may or may not be implemented by a vendor—to assess the inherent risk of an existing or proposed business relationship and determine an appropriate mechanism for the assurances it needs at a reasonable cost. The assurance recommendations also help organizations ensure the remaining residual risk (after controls are applied) does not exceed the organization’s risk tolerance. The Inherent Risk Questionnaire can be implemented and customized through the XChange.
  • The HITRUST CSF Rapid Assessment: A new “pre-qualifying” self-attested assessment to quickly vet the security posture of any vendor and that can be answered in a minimal amount of time by the vendor. The HITRUST CSF® Rapid Assessment (the “Rapid Assessment”) was designed to support a quick evaluation of an organization’s security posture by selecting specific ‘good security hygiene’ practices from the HITRUST CSF that are suitable for any organization regardless of size or industry. The requirements are based on HITRUST’s prior work on small business security and privacy programs and assessments, along with recommended security practices from NIST and the U.S. Small Business Administration (SBA). The Rapid Assessment is industry and framework agnostic, and the data can be leveraged to populate a readiness (previously named “Self-Assessment,” the next level in the assessment process) or Validated Assessment (for potential HITRUST CSF Certification) eliminating duplicate entries and reducing inefficiencies. The Rapid Assessment will be implemented through the HITRUST MyCSF® and the XChange.
  • The HITRUST Trust Score: A new measure that supports third-party assurance by comparing the results of a HITRUST CSF Readiness Assessment with the results of a HITRUST CSF Validated Assessment generated later in the qualification process. The Trust Score helps encourage accurate self-assessments and provides another useful data point in an organization’s evaluation of a vendor’s information protection program and the overall trustworthiness of a third party and confidence in the assurances provided. The HITRUST Trust Score will be implemented through the XChange.

“Organizations often struggle to leverage their existing technology because they lack an underlying risk management methodology to support it. HITRUST is changing the way organizations look at third-party risk by providing both of these elements in a standardized and automated approach that benefits the entire supply chain,” said Dr. Bryan Cline, Chief Research Officer, HITRUST.

To register for the webinar on December 11th:

To access the TPRM Methodology White Paper:

To access Dr. Bryan Cline’s TPRM Blog visit:

To go to the HITRUST Assessment XChange® portal:

The post HITRUST® Releases New Tools to Improve Efficiency and Effectiveness of Third-Party Risk Management appeared first on HITRUST.


The European Union Commission (“Commission“) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to ensure the continued functioning of Privacy Shield, including time limits for re-certifications and encouraging US authorities to expand their substantive review of Privacy Shield compliance spot-checks.

By way of brief background, the EU General Data Protection Regulation (“GDPR“) restricts the transfer of personal data to third countries unless such countries provide an adequate level of protection for personal data or an exception/derogation applies. The Commission may determine that a third country ensures an adequate level of protection by its domestic law or international commitments on data protection. On July 12, 2016, the Commission adopted a decision finding Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the US.1 The Commission’s 2016 adequacy decision also requires an annual review of Privacy Shield to evaluate the functioning of the framework. Currently, over 5,000 companies participate in the Privacy Shield program.

A press statement from the Commission on the third annual review noted that, “the review focused on the lessons learnt from [Privacy Shield’s] practical implementation and day-to-day functionality.” Participating in the review were US government departments overseeing enforcement of Privacy Shield, including the US Department of Commerce (“Commerce“), the US Federal Trade Commission (“FTC“), and newly appointed Privacy Shield Ombudsperson, Keith Krach.

In concluding that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU, the Commission noted the following next step action items to ensure the continued functioning of Privacy Shield:

  • Re-certification. To increase the transparency and reliability of the Privacy Shield list for both businesses and individuals, grace periods for companies that have not completed their re-certifications should be limited to 30 days. If these companies have not completed their re-certification at the end of this period, Commerce should send them a warning letter.
  • Spot-checking. In April 2019, Commerce introduced a system for checking 30 companies per month for Privacy Shield violations. While the Commission encourages such compliance checks, the review found that Commerce’s spot-checks focused on formal requirements, such as unresponsive points of contact at companies participating in the program or inaccessibility to the companies’ privacy policy. As a next step, the Commission encourages Commerce to review more substantive obligations, including the Accountability for Onward Transfers Principles, which would require Privacy Shield companies to produce their data sharing agreements.
  • False claims. Commerce should expand its quarterly reviews for false Privacy Shield claims to include companies that have never applied for Privacy Shield.
  • Human Resource Data Guidance. In the coming months, the EU Data Protection Authorities, Commerce and the FTC should develop guidance on the definition and treatment of human resources data.
  • Authority sharing. The EU and US authorities should find ways to share meaningful information on ongoing investigations.

While the Commission’s report confirms that Privacy Shield continues to provide adequate protection for EU to US personal data transfers, an ongoing matter before the Court of Justice of the European Union raises questions regarding the validity of Privacy Shield.2 The Commission’s report does not address its position on this case, however, the Commission notes it will reassess Privacy Shield once the Court issues its judgement. For now, companies currently participating in the Privacy Shield or applying to the program should continue to evaluate and document their capabilities of meeting the Privacy Shield’s obligations.

1 Adequacy decisions made prior to the new EU General Data Protection Regulation remain in force unless a Commission decision decides otherwise.
2 C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilliam Schrems.


The post Third Annual Privacy Shield Review Confirms EU Commission’s Adequacy Decision appeared first on Global Compliance News.


Dealing with the compliance challenges presented by near daily new US sanctions and export controls requires a risk-based compliance program that addresses rapid change and mitigates increasing global enforcement risk, while still being practical and business friendly.

Executive Summary

Most GCs will be familiar, at least to some degree, with the increasing risks presented by the extraterritorial application of US sanctions and export controls. Frequently changes, in both scope of territories and parties caught and the types of restrictions, coupled with possible severe consequences (blacklisting, monetary penalties), mean that compliance programs must be nimble, addressing key risks while being practical and business friendly.

Key Risk Assessment Questions

What is my US nexus?

  • US corporate ownership or control of a non-US company can mean that US sanctions apply directly (in case of Cuba and Iran sanctions). Even if such sanctions do not apply directly, US ownership and control usually means operational involvement of US persons such that most companies consider policies that either recuse involvement of such US persons or set forth restrictive corporate policies on doing business with sanctioned territories.
  • A listing on a US stock exchange subjects a non-US company to SEC jurisdiction. While this does not prohibit sanctioned territory dealing by the non-US company per se, such business can implicate SEC reporting requirements and increased scrutiny.
  • Working with US financial institutions/USD also means increased US sanctions scrutiny as these financial institutions act as effective gatekeepers for the review of sanctions risks. Even non-US financial institutions seek to comply with US sanctions given, among other things, the risk of sanctions for processing or facilitating financial transactions with US sanctions targets.
  • Dealing in US-origin hardware, software, and technology (“Items”) can mean that US sanctions and export control jurisdiction attaches. Thus, non-US companies should assess the US nexus of their supply chain, prioritizing identification of those Items that are perhaps dual-use or subject to higher controls. Inadvertent reexport of Items subject to US law, not only to sanctioned territories and parties but also to countries subject to higher US export controls in general, can result in violations.

Where do I do business?

  • Business involving Crimea, Cuba, Iran, North Korea, Russia, Syria, and Venezuela should be the focus of US sanctions compliance efforts because these are the territories subject to the most sanctions. Recently, Turkey has been the subject of some limited US sanctions, providing a recent example of how sanctions can be used in rapid response to geo-political situations.
  • Dealing with some of these territories also presents risks under EU sanctions and not dealing with Cuba and Iran because of US sanctions presents risks under European countermeasures such as the so-called EU Blocking Regulation.
  • Even if there is no US nexus, business with these markets can present US secondary sanctions risks for dealing with certain sanctioned parties or sectors associated with these territories. Secondary sanctions range from becoming a Specially Designated National (“SDN”) (i.e., a “blacklisted” party effectively cut off from the US market) to menu-based sanctions (for example, inability to obtain visas for US travel or licenses for Items subject to US law).

With whom am I doing business?

  • Dealing with SDNs or other restricted parties can be prohibited or restricted where there is a US nexus, risk secondary sanctions even without US nexus, and create commercial/contractual risk.

Compliance Program Minimum Considerations

Much of the above risk can be mitigated by a compliance program which at least has robust controls to cover:

  1. Restricted Party Screening: a risk-based process to screen (usually involving automated and manual review) third parties, such as partners, distributors, purchasers, and customers.
  2. Review of Dealings Involving Sanctioned Territories: coupled with screening, a process to assess legality of such dealings, risk of secondary sanctions, and commercial/contractual risks, which can start with something as simple as a checklist for reviewing key issues.

First published in General Counsel Netherlands October 2019.


The post Navigating US Extraterritorial Sanctions and Export Control Risks with a Nimble Compliance Program appeared first on Global Compliance News.


Latest release of HITRUST CSF adds CCPA, SCIDSA, and NIST SP 800-171 authoritative sources as well as updates six others

FRISCO, Texas – October 28, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced the availability of version 9.3 of the HITRUST CSF information risk and compliance management framework, further delivering on its mission of One Framework, One Assessment, Globally™.

HITRUST CSF version 9.3 now incorporates and harmonizes 44 authoritative sources, most recently adding one new data privacy-related and two new security-related authoritative sources, as well as updating six existing sources as compared to the previous release.

As security and privacy requirements change in response to new and updated laws and regulations, or breaches and other cyber events, HITRUST is committed to maintaining and expanding the relevancy and applicability of the HITRUST CSF to meet the evolving regulatory and risk management landscape and associated control requirements. HITRUST CSF v9.3 updates include:

  • The California Consumer Privacy Act (CCPA) 1798 – requiring qualifying organizations to protect consumer data in specific ways as well as that consumers be able to opt-out sharing of their data;
  • The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – requiring qualifying organizations have a comprehensive information security program and the reporting of cybersecurity events;
  • NIST SP 800-171 R2 (DFARS) – providing guidance on protecting controlled unclassified information in nonfederal systems and organizations; and
  • Updating various authoritative sources to latest versions, specifically AICPA 2017, CIS CSC v7.1, ISO 27799:2016, CMS/ARS v3.1, IRS Publication 1075 2016, and NIST Cybersecurity Framework v1.1.

Further enhancements include:

  • Updates to the glossary to better clarify terms found in the HITRUST CSF,
  • Adjusted authoritative source mappings to more fully harmonize requirements across industries and sectors, and
  • Adjusted selected risk and regulatory factors to ensure that only controls appropriate to a given assessment are included, streamline the required questions.

HITRUST’s privacy team worked to ensure that the HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but the amendments made thereto during the recent California Legislative Session. Businesses of various sizes, industries, and privacy and security maturity levels must comply with the CCPA starting January 1, 2020.

There is still much confusion in the market about what CCPA compliance means, and HITRUST is committed to helping organizations meet the challenge. HITRUST will continue to enhance the CCPA work in the HITRUST CSF and, as appropriate, other elements of the HITRUST suite of information risk management and compliance tools by monitoring changes to the law by reviewing the draft rules released by the California Attorney General’s Office and the new ballot initiative proposed by Californians for Consumer Privacy and related legislation.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST CSF is a key component of the HITRUST Approach, which provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

HITRUST recognizes that many organizations prefer the reporting structure defined in the NIST Cybersecurity Framework. HITRUST has been actively supporting the development and implementation of the NIST Cybersecurity Framework since its initial release. In fact, a 2018 Government Accountability Office (GAO) Report to Congress recognized the alignment of the HITRUST CSF to the NIST Cybersecurity Framework, as the HITRUST CSF provides a reasonable and appropriate set of controls and assessment of those controls via the HITRUST CSF Assurance Program. In addition, organizations can subsequently receive a certification of its implementation of the NIST Cybersecurity Framework by HITRUST.

HITRUST developed the Healthcare Sector Cybersecurity Framework Implementation Guide, available from the US-CERT Cybersecurity Framework Website at The Sector Guide helps healthcare organizations integrate all aspects of the NIST Cybersecurity Framework into their cybersecurity program leveraging HITRUST’s approach to control framework-based risk analysis. Building on this model, HITRUST has committed to developing and maintaining additional guidance documents to support more streamlined implementation of the NIST Framework for many industry sectors. The next guide is expected in early 2020.

For those interested in commenting on the latest draft guidance on how HITRUST CSF controls map to the NIST Cybersecurity Framework version 1.1 Core Subcategories as an Informative Reference, see the NIST Cybersecurity Framework Informative Reference Catalog Website at

Looking forward to the next major release of the HITRUST CSF v10, which has a targeted release date of Q4 2020, HITRUST is preparing to evolve the framework to be even more complete, efficient, and intuitive.

“HITRUST understands the challenges of managing information risk and compliance – no matter what industry you are in,” said Sarah Phillips, Senior Manager of Standards for HITRUST. “We help organizations address these challenges by providing the depth and breadth of controls needed, while eliminating redundancies and the need for organizations to interpret and harmonize a multitude of global frameworks, standards and regulations.”

To download the HITRUST CSF go to:

To learn more about the HITRUST CSF v9.3 and HITRUST Shared Responsibility Program register for the webinar:

The post HITRUST® Releases Version 9.3 of the HITRUST CSF® Incorporating New Privacy and Security Standards appeared first on HITRUST.



On 3 October 2019, the United Kingdom and the United States signed a first-of-its-kind Bilateral Data Access Agreement (the “Agreement”), which is expected to reduce the time it takes UK and US law enforcement agencies to access electronic evidence held by technology companies located in each other’s territory. A link to the Agreement can be found below.1

The issue of ready access to electronic data stored abroad has become increasingly acute in recent years. This has particularly been the case for UK law enforcement agencies, since the evidence needed to further their investigations and support subsequent prosecutions is often stored by technology companies headquartered in the US.

Under pre-existing arrangements between the UK, the US and other jurisdictions, law enforcement agencies are able to request information held by a company abroad through Mutual Legal Assistance Treaties (“MLAT”). Under these MLAT processes, law enforcement agencies submit information requests to the government of the country in which the data-holding company is based. The government in turn reviews the request, obtains and serves an order as needed locally, collects the data and ultimately returns it to the requesting country’s law enforcement agency. This is a multi-stage process that can take months or even years to obtain the relevant data from abroad.

The Agreement will expedite the process, by allowing law enforcement agencies to ask a domestic court to issue a production order for electronic data (such as emails, texts and instant messages) to be issued directly against a communication service provider (“CSP”) located in the other country. As a result, following authorization from the court in their home country, law enforcement agencies will be able to serve that order for production of electronic data directly on a CSP in the other country, without that request having to be routed through the MLAT processes. The CSPs which are required to comply with production orders issued pursuant to the Agreement include email providers, mobile phone networks, social media companies and cloud storage services. Prosecutors hope that this process will mean that relevant evidential data can be obtained abroad in a matter of days or weeks, rather than months or years.

However, it is important to note that the Agreement will not:

  • allow law enforcement agencies to access data to which they would not otherwise have had a right to access under existing domestic legislation and Constitutional protections. Accordingly the standard of proof and the jurisdictional requirements for the issuance of an order or warrant to access data remain unchanged;
  • apply to circumstances in which the data subject is a resident of the country from which the evidence is requested (i.e., UK authorities may not request data related to US residents, and vice versa); and
  • require CSPs to provide law enforcement agencies with a means of decrypting data (e.g., from encrypted messaging apps).

The Agreement was facilitated by complementing pieces of legislation recently passed in the UK and the US: the Crime (Overseas Production Orders) Act 2019 in the UK,2 and the Clarifying Lawful Overseas Use of Data Act (CLOUD) Act enacted in 2018 in the US.3 Both Acts anticipate that agreements of this type would be entered into with countries with equivalent levels of due process, privacy and the rule of law; the UK-US Agreement is the first. More agreements of this type are anticipated. In September, 2019 the US and EU released a joint statement that they had commenced negotiating a data access agreement,4 and in October 2019, a similar announcement was made by the US and Australia.5

In the US, the CLOUD Act also had an important secondary objective of clarifying that the 1986 Stored Communications Act (“SCA”)6 does require disclosure of data subject to a search warrant that is stored abroad by companies subject to US jurisdiction. That question had caused some controversy after a 2016 Second Circuit decision in Microsoft v. United States7 held that the SCA did not require Microsoft to disclose information in its custody and control that it had stored on a server in Ireland.

The Microsoft case was on appeal to the US Supreme Court at the point that the CLOUD Act was passed and was therefore determined to be mooted.

What does the Agreement mean for you?

If you are a CSP, the Agreement, and any subsequent agreements entered into pursuant to the Crime (Overseas Production Orders) Act and the CLOUD Act, will allow foreign law enforcement agencies to serve upon you orders requiring the production of electronic data directly to the enforcement agency. The relative ease of their issuance, and the reduced timeframe, is likely to increase the volume of such international requests and accordingly increase the burden on CSPs in receiving, coordinating, and responding to them.

From a prosecutorial perspective, once in force, UK law enforcement agencies, including the Serious Fraud Office (“SFO”), should find that they have much quicker access to data stored by CSPs in the US, as will their US counterparts to data stored by CSPs in the UK. This should, for example, speed up SFO investigations, which are often hampered by the lengthy MLAT process, reduce the amount of SFO investigations that have on occasion been abandoned due to an inability to access data and evidence overseas, and potentially speed up the process of eliminating suspects from enquiries.

Since many of the major global CSPs are located in the US (rather than the UK), the effects of the Agreement in facilitating investigations are likely to be more pronounced for UK enforcement agencies than they will be for their US counterparts, who already have more immediate access to data held by domestic CSPs. However, since the US currently receives many more MLAT requests than it issues, the Agreement, and others like it, should diminish the burden on US law enforcement and its diplomatic apparatus currently handling them.

More broadly, the Agreement is another manifestation of global law enforcement cooperation. Evidence and information are more freely flowing across borders as seen by the ever increasing number of multijurisdictional prosecutions and investigations. This trend can only increase as governments continue to develop mechanisms to share information in global criminal matters.

Finally, of course, the Agreement will not impact the MLAT arrangements currently in place with other jurisdictions and those processes will still need to be followed with those counties until such time as similar data access agreements can be negotiated.

What should you do?

In anticipation of the Agreement’s ratification, CSPs in the US and the UK should familiarise themselves with the new regime and implement the necessary processes and procedures to respond to electronic data production orders from foreign agencies, within the relatively short timeframes anticipated.

Other companies and individuals, potentially subject to investigation in either the US or the UK, should be aware that law enforcement agencies in each country will have more ready and speedy access to electronic data abroad believed to be relevant to their enquiries. This may in turn impact those agencies’ expectations when assessing a company’s own cooperation and voluntary document production.

1 See
2 For more information on the Crime (Overseas Production Orders) Act 2019, please read our publication from June.
3 For more information on the CLOUD Act, see the US Department of Justice’s recent White Paper and FAQs at:
4 See
5 See
6 18 U.S.C. Chapter 121 §§ 2701–2712
7 829 F.3d 197 (2d Cir. 2016)

The post UK and US sign Data Access Agreement to Expedite Digital Evidence-Sharing in Criminal Investigations appeared first on Global Compliance News.