The Department of Justice has raised the bar on penalties for violations of federal immigration law.  On June 30, 2016, DOJ issued an interim final rule that goes into effect on August 1, 2016.  This rule, implemented as an inflation adjustment, increases the fines for employing unauthorized workers, for Form I-9 paperwork violations, and for

In April 2016, the Department of Justice (DOJ) announced its Foreign Corrupt Practices Act Enforcement Plan and Guidance, which includes a one-year pilot program to incentivize individuals and companies to voluntarily self-disclose Foreign Corrupt Practices Act-related (FCPA) misconduct, cooperate with DOJ investigations and remediate controls and compliance programs.  Under the guidance, the DOJ may

With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.
In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016), the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.
The Underlying Breach and Loss
In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens.  At the end of the work day, the employee left the two tokens in the computer and left the computer running.  Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system.  This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).
The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud.  The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss.  BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.
The Litigation and the District Court Decision
The Bank filed suit seeking damages for the insurer’s breach of contract.  The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”
The Eighth Circuit Decision

Recently, the Supreme Court handed down its much-anticipated opinion in Universal Health Services, Inc. v. United States ex rel. Escobar et al.—a case addressing the viability of the implied certification theory in FCA litigation.  Justice Thomas, writing on behalf of a unanimous Court, found that the implied certification theory can in fact serve as

The DOJ recently intervened in a lawsuit against Prime Healthcare Services, Inc., and its subsidiaries (“Prime”).  The lawsuit alleges that Prime submitted claims for medically unnecessary services and routinely pressured its staff to exaggerate Medicare beneficiaries’ illnesses in order to increase the number of inpatient admissions and billed for services as inpatient admissions that should

Employee benefit plan data stored online may include participants’ names and Social Security numbers, account information and protected health information (PHI), all of which are inviting targets for hackers. Highly publicized data breaches in recent years have called attention to the obligations of benefit plan administrators (typically the employers sponsoring the plans) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard PHI.
These data breaches are also causing benefit plan administrators and other fiduciaries under the Employee Retirement Income Security Act of 1974 (ERISA) to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401(k) and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.
The Cybersecurity ERISA Regulatory Gap
When ERISA was enacted, the predecessor to today’s Internet was in its formative years. Although online storage of benefit plan data has been the norm for some time, Congress has not amended ERISA to address cybersecurity. Moreover, the Department of Labor (DOL), which is charged with enforcing ERISA, has not formally addressed cybersecurity in the ERISA context.
In 2011, the ERISA Advisory Council, established to advise the Secretary of Labor, recommended that the DOL issue guidance on the obligation of plan fiduciaries to secure and keep private the personal identifiable information of plan participants and beneficiaries. In a recent release, the current council indicated that its goal is to offer the DOL draft materials that will help plan sponsors understand, evaluate and protect benefit plan data and assets from cybersecurity risks.

Last week, social media giant Facebook announced an expansion of its online advertising business to include serving ads to users who are not members of Facebook. Under a press posting titled “Bringing People Better Ads,” Facebook decried ads that are “annoying, distracting or misleading” and talked about its efforts to do better.  This move highlights again the sometimes contentious topic of Internet ads and ad-blocking technology. Internet advertising and the technological and social aspects of ad-blocking have important consequences for user privacy and data security, both for individuals and for enterprises.
In the press information posted on its news site, Facebook talked about some of the issues raised by “bad” advertising. Much of the discussion of ads and ad-blocking has focused on user inconvenience and consumer ethics. On the one hand, Internet advertising slows the retrieval of requested content, utilizes megabytes of expensive bandwidth, drains power-thirsty mobile batteries, and annoys users with unexpected sound and video. On the other hand, some ask whether it is right to block ads but still consume ad-supported content when, as Facebook noted, “apps rely on advertising to pay the bills.”
The ad-blocking debate also has an “us” versus “them” element, as Internet companies dependent on advertising revenue are pitted against those that profit from device sales. Indeed, the expansion of ad-blocking to some mobile platforms last year was seen by some as a competitive step by smartphone providers aimed at search and social network companies.