| | The Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, Customs, NISPOM, EAR, FACR/OFAC, FTR/AES, HTSUS, and ITAR), plus news and events. Subscribe here for free subscription. Contact us for advertising inquiries and rates.
EX/IM ITEMS FROM TODAY’S FEDERAL REGISTER
| | 1 . President Signs Executive Order to Strengthen the Cybersecurity of Federal Networks and Critical Infrastructure
82 FR 22391-22397: Executive Order 13800 of May 11, 2017; Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
By the authority vested in me as President by the Constitution and the laws of the United States of America, and to protect American innovation and values, it is hereby ordered as follows:
Section 1. Cybersecurity of Federal Networks.
(a) Policy. The executive branch operates its information technology (IT) on behalf of the American people. Its IT and data should be secured responsibly using all United States Government capabilities. The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises. In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise.
(i) Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents. Information sharing facilitates and supports all of these activities.
(ii) The executive branch has for too long accepted antiquated and difficult- to-defend IT.
(iii) Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.
(iv) Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.
(v) Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.
(c) Risk Management.
(i) Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data. They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code.
(ii) Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk. Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order. The risk management report shall:
(A) document the risk mitigation and acceptance choices made by each agency head as of the date of this order, including:
(1) the strategic, operational, and budgetary considerations that in- formed those choices; and
(2) any accepted risk, including from unmitigated vulnerabilities; and (B) describe the agency’s action plan to implement the Framework.
(iii) The Secretary of Homeland Security and the Director of OMB, consistent with chapter 35, subchapter II of title 44, United States Code, shall jointly assess each agency’s risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).
(iv) The Director of OMB, in coordination with the Secretary of Homeland Security, with appropriate support from the Secretary of Commerce and the Administrator of General Services, and within 60 days of receipt of the agency risk management reports outlined in subsection (c)(ii) of this section, shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the following:
(A) the determination; and
(B) a plan to:
(1) adequately protect the executive branch enterprise, should the determination identify insufficiencies;
(2) address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;
(3) establish a regular process for reassessing and, if appropriate, re- issuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise;
(4) clarify, reconcile, and reissue, as necessary and to the extent per- mitted by law, all policies, standards, and guidelines issued by any agency in furtherance of chapter 35, subchapter II of title 44, United States Code, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and
(5) align these policies, standards, and guidelines with the Frame- work.
(v) The agency risk management reports described in subsection (c)(ii) of this section and the determination and plan described in subsections (c)(iii) and (iv) of this section may be classified in full or in part, as appropriate.
(vi) Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.
(A) Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.
(B) The Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding modernization of Federal IT. The report shall:
(1) be completed within 90 days of the date of this order; and
(2) describe the legal, policy, and budgetary considerations relevant to-as well as the technical feasibility and cost effectiveness, including timelines and milestones, of-transitioning all agencies, or a sub- set of agencies, to:
(aa) one or more consolidated network architectures; and
(bb) shared IT services, including email, cloud, and cybersecurity services.
(C) The report described in subsection (c)(vi)(B) of this section shall assess the effects of transitioning all agencies, or a subset of agencies, to shared IT services with respect to cybersecurity, including by making recommendations to ensure consistency with section 227 of the Homeland Security Act (6 U.S.C. 148) and compliance with policies and practices issued in accordance with section 3553 of title 44, United States Code. All agency heads shall supply such information concerning their current IT architectures and plans as is necessary to complete this report on time.
(vii) For any National Security System, as defined in section 3552(b)(6) of title 44, United States Code, the Secretary of Defense and the Director of National Intelligence, rather than the Secretary of Homeland Security and the Director of OMB, shall implement this order to the maximum extent feasible and appropriate. The Secretary of Defense and the Director of National Intelligence shall provide a report to the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism describing their implementation of subsection (c) of this section within 150 days of the date of this order. The report described in this subsection shall include a justification for any deviation from the requirements of subsection (c), and may be classified in full or in part, as appropriate.
Sec. 2. Cybersecurity of Critical Infrastructure.
(a) Policy. It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate.
(b) Support to Critical Infrastructure at Greatest Risk. The Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, the heads of appropriate sector-specific agencies, as defined in Presidential Policy Directive 21 of February 12, 2013 (Critical Infrastructure Security and Resilience) (sector-specific agencies), and all other appropriate agency heads, as identified by the Secretary of Homeland Security, shall:
(i) identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities);
(ii) engage section 9 entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities identified pursuant to subsection (b)(i) of this section might be employed to support cybersecurity risk management efforts and any obstacles to doing so;
(iii) provide a report to the President, which may be classified in full or in part, as appropriate, through the Assistant to the President for Homeland Security and Counterterrorism, within 180 days of the date of this order, that includes the following:
(A) the authorities and capabilities identified pursuant to subsection (b)(i) of this section;
(B) the results of the engagement and determination required pursuant to subsection (b)(ii) of this section; and
(C) findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities; and
(iv) provide an updated report to the President on an annual basis there- after.
(c) Supporting Transparency in the Marketplace. The Secretary of Home- land Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.
(d) Resilience Against Botnets and Other Automated, Distributed Threats. The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets). The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission, other interested agency heads, and appropriate stakeholders in carrying out this subsection. Within 240 days of the date of this order, the Secretary of Commerce and the Secretary of Homeland Security shall make publicly available a preliminary report on this effort. Within 1 year of the date of this order, the Secretaries shall submit a final version of this report to the President.
(e) Assessment of Electricity Disruption Incident Response Capabilities. The Secretary of Energy and the Secretary of Homeland Security, in consultation with the Director of National Intelligence, with State, local, tribal, and territorial governments, and with others as appropriate, shall jointly assess:
(i) the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as defined in Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination), against the United States electric subsector;
(ii) the readiness of the United States to manage the consequences of such an incident; and
(iii) any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.
The assessment shall be provided to the President, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of this order, and may be classified in full or in part, as appropriate.
(f) Department of Defense Warfighting Capabilities and Industrial Base. Within 90 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation, in coordination with the Director of National Intelligence, shall provide a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military plat- forms, systems, networks, and capabilities, and recommendations for miti- gating these risks. The report may be classified in full or in part, as appropriate.
Sec. 3. Cybersecurity for the Nation.
(a) Policy. To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft. Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.
(b) Deterrence and Protection. Within 90 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.
(c) International Cooperation. As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their inter- national cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation. Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for inter- national cooperation in cybersecurity.
(d) Workforce Development. In order to ensure that the United States maintains a long-term cybersecurity advantage:
(i) The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Secretary of Labor, the Secretary of Education, the Director of the Office of Personnel Management, and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security, shall:
(A) jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education; and
(B) within 120 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations regarding how to support the growth and sustainment of the Nation’s cybersecurity work- force in both the public and private sectors.
(ii) The Director of National Intelligence, in consultation with the heads of other agencies identified by the Director of National Intelligence, shall:
(A) review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness; and
(B) within 60 days of the date of this order, provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review carried out pursuant to subsection (d)(ii)(A) of this section.
(iii) The Secretary of Defense, in coordination with the Secretary of Commerce, the Secretary of Homeland Security, and the Director of National Intelligence, shall:
(A) assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national- security-related cyber capabilities; and
(B) within 150 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations on the assessment carried out pursuant to subsection (d)(iii)(A) of this section.
(iv) The reports described in this subsection may be classified in full or in part, as appropriate.
Sec. 4. Definitions.
For the purposes of this order:
(a) The term ”appropriate stakeholders” means any non-executive-branch
person or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and the Secretary of Homeland Security under section 2(d) of this order.
(b) The term ”information technology” (IT) has the meaning given to that term in section 11101(6) of title 40, United States Code, and further includes hardware and software systems of agencies that monitor and control physical equipment and processes.
(c) The term ”IT architecture” refers to the integration and implementation of IT within an agency.
(d) The term ”network architecture” refers to the elements of IT architecture that enable or facilitate communications between two or more IT assets.
Sec. 5. General Provisions.
(a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be construed to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence or law enforcement operations.
(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
THE WHITE HOUSE,
May 11, 2017.
* * * * * * * * * * * * * * * * * * * *
| | OTHER GOVERNMENT SOURCES
|2. Ex/Im Items Scheduled for Publication in Future Federal Register Editions |
* Foreign Assets Control Office; NOTICES; Blocking or Unblocking of Persons and Properties [Publication Date: 17 May 2017.]
* * * * * * * * * * * * * * * * * * * *
|3. Commerce/BIS: (No new postings.) |
* * * * * * * * * * * * * * * * * * * *
| | 4.
Justice: Office of Attorney General Publishes “Department Charging and Sentencing Policy” Memorandum
MEMORANDUM FOR ALL FEDERAL PROSECUTORS
FROM: The Attorney General
SUBJECT: Department Charging and Sentencing Policy
DATE: May 10, 2017
This memorandum establishes charging and sentencing policy for the Department of Justice. Our responsibility is to fulfill our role in a way that accords with the law, advances public safety, and promotes respect for our legal system. It is of the utmost importance to enforce the law fairly and consistently. Charging and sentencing recommendations are crucial responsibilities for any federal prosecutor. The directives I am setting forth below are simple but important. They place great confidence in our prosecutors and supervisors to apply them in a thoughtful and disciplined manner, with the goal of achieving just and consistent results in federal cases.
First, it is a core principle that prosecutors should charge and pursue the most serious, readily provable offense. This policy affirms our responsibility to enforce the law, is moral and just, and produces consistency. This policy fully utilizes the tools Congress has given us. By definition, the most serious offenses are those that carry the most substantial guidelines sentence, including mandatory minimum sentences.
There will be circumstances in which good judgment would lead a prosecutor to conclude that a strict application of the above charging policy is not warranted. In that case, prosecutors should carefully consider whether an exception may be justified. Consistent with longstanding Department of Justice policy, any decision to vary from the policy must be approved by a United States Attorney or Assistant Attorney General, or a supervisor designated by the United States Attorney or Assistant Attorney General, and the reasons must be documented in the file.
Second, prosecutors must disclose to the sentencing court all facts that impact the sentencing guidelines or mandatory minimum sentences, and should in all cases seek a reasonable sentence under the factors in 18 U.S.C. § 3553. In most cases, recommending a sentence within the advisory guideline range will be appropriate. Recommendations for sentencing departures or variances require supervisory approval, and the reasoning must be documented in the file.
Any inconsistent previous policy of the Department of Justice relating to these matters is rescinded, effective today. [FN/1]
Each United States Attorney and Assistant Attorney General is responsible for ensuring that this policy is followed, and that any deviations from the core principle are justified by unusual facts.
I have directed the Deputy Attorney General to oversee implementation of this policy and to issue any clarification and guidance he deems appropriate for its just and consistent application.
Working with integrity and professionalism, attorneys who implement this policy will meet the high standards required of the Department of Justice for charging and sentencing.
[FN/1] Previous policies include: Department Policy on Charging Mandatory Minimum Sentences and Recidivist Enhancements in Certain Drug Cases (August 12, 2013), available here ; and Guidance Regarding § 851 Enhancements in Plea Negotiations (September 24, 2014), available here .
* * * * * * * * * * * * * * * * * * * *
| | 5. State/DDTC: (No new postings.)
* * * * * * * * * * * * * * * * * * * *
| | 6.
Australia DEC Experiences Technical Difficulties
Australia Defence Export Controls (DEC) is experiencing technical difficulties with our contact line (1800 66 10 66). Callers who contact Defence Export Controls outside our operating hours will not be able to leave a voice message and will instead be advised their call has been placed in a queue.
Until this issue has been resolved, please email if you need to contact Defence Export Controls outside the hours of 8.30am – 4.30pm Monday to Friday. Email enquiries can be directed to email@example.com.
* * * * * * * * * * * * * * * * * * * *
ST&R Trade Report: “Mexico Advances Plan to Hike Import Duties on U.S. Goods”
Mexico has asked the World Trade Organization to consider at the 22 May meeting of its Dispute Settlement Body a request to impose retaliatory sanctions against the U.S. in a long-running dispute over dolphin-safe tuna labeling. Mexico said it plans to increase import tariffs on goods from the U.S. but did not specify which products might be affected, information that will be provided “at the earliest possible date.”
In late April the WTO set $163.23 million as the amount of annual trade sanctions Mexico may impose against the U.S. for its failure to bring its dolphin-safe tuna labeling rules into compliance with its WTO obligations. However, the U.S. revised those rules in March 2016 and a separate WTO panel is currently examining the sufficiency of those changes. If the panel finds in favor of the U.S., Mexico would have to cease any retaliatory sanctions it may implement between now and then.
* * * * * * * * * * * * * * * * * * * *
| | 8.
L. Connell: “Data Privacy and Security – What is the Difference?”
* Author: Lauren Connell, Esq., Volkov Law Group, firstname.lastname@example.org.
The terms “Data Privacy and Security” are being thrown around a lot lately. Just recently, England’s health services and medical facilities were shut-down and the target of a ransom note (demanding, of course, payment in bitcoin) to access blocked files. This is an extreme outcome, but the bad publicity and customer alienation from cyber-attacks are unfortunately familiar to many US companies, including Home Depot, Target, AshleyMadison.com, and Yahoo.
This problem is not going to go away. As our reliance on digital technology for every facet of business grows, the frequency with which cyber criminals attack, and succeed in those attacks, will only grow. Just like companies have developed robust procedures to keep their cash safe, businesses need to do the same for their data. This represents real risks with significant costs to companies. Compliance departments are best positioned to ensure that appropriate procedures and controls are in place.
Unfortunately, it is not as easy as hiring Brinks or Loomis to show up and put all your data in an armored, guarded vehicle for transport. Data security is multifaceted, an attack can come through a number of ways, and it is ongoing, as cyber criminals, like other types of criminals, are constantly evolving.
For a company, managing this area starts with first understanding the terms. Data privacy is what you promise your customers you do. If you promise that a picture is automatically erased and can never be viewed again, you had better make sure that your software actually does that. This is an area that the Federal Trade Commission has enforced in a number of actions against companies who promise privacy or security … but do not deliver.
In 2014, the FTC settled charges against Snapchat because Snapchat promised its users, among other things, that there was no way to view a picture after the allotted timer ran out. At the time, there were a number of third party apps that allowed picture recipients to download and save the photos for however long they wanted, sending videos resulted in storage for longer on the user’s phone, and, not to mention, the user could just take a screenshot. There were other areas the FTC cited, such as tracking location data despite promise not to, as well. Long story short, Snapchat’s promises misled consumers.
Snapchat did not receive a fine or admit fault, but did agree to an independent privacy monitor for the next 20 years – which is not free.
The FTC’s website contains a long list of data privacy enforcement actions that did not receive as much publicity as the Snapchat action, many of which resulted in fines in the millions of dollars. So, to comply with data privacy regulation, companies need to make sure that their products and information technology processes can actually deliver on what they promise.
is a different matter. To manage data security, companies need to look inward. Data security covers how well your information technology infrastructure is protected. This means robust security protocols – such as making sure access to your server room is controlled, that your users frequently change their passwords, that your users are trained on how to avoid facilitating a breach by not clicking on malware, and making sure that your data is protected and encrypted at all stages: creation, transmission, and storage.
Large companies will be able to manage this in-house, but small and medium-sized companies will likely need to turn to outside vendors to make sure their information is safe. Data security does not just “happen.” Ensuring the safety of your data is a deliberate process that must be thought out and implemented just like any other compliance policy – with training and support to ensure that the procedures are “operationalized.”
The impact of poor data security can be significant – terrible publicity, loss of consumer confidence, high costs of remedying the problem (such as by offering identify theft protection to those whose information was released), and notification of all those affected. Not to mention it sucks of valuable management time in responding to a crisis when it occurs.
The ransom attack on England’s health system is frightening because it shows the broad reach of cyber criminals and their willingness to do anything, even shut down hospitals, to accomplish their crime. Every CEO should take this occurrence as a stark warning and wake-up call – address data security before its too late.
Compliance professionals can do their part by including data privacy and security as a risk source for their organizations. Elevating this concern from the IT department to corporate-wide risk management personnel is the first step.
* * * * * * * * * * * * * * * * * * * *
| | 9.
Ropes & Gray LLP: “Managing Sanctions and Export Control Risks in the Health Care Industry”
Over the past 15 years, pharmaceutical manufacturers, medical device companies, and other participants in the health care industry have been regular targets of U.S. Foreign Corrupt Practices Act (“FCPA”) enforcement actions brought by the U.S. government. FCPA cases levied against health care companies have commanded significant attention, and many companies have responded by implementing robust anti-corruption compliance programs consisting of policies and procedures, employee training, risk-based due diligence, and proactive compliance testing and monitoring.
Recent settlements suggest that a new trend may be emerging: the U.S. government bringing enforcement actions against health care companies for violating economic sanctions and export control laws. Like the FCPA, U.S. economic sanctions and export control laws have broad extraterritorial application. Many health care companies are large organizations with expansive international operations and distributors and end users dispersed throughout the world. These attributes make health care industry participants likely to confront sanctions- and export control-related regulatory challenges, and natural targets for enforcement actions.
Penalties for violations of economic sanctions and export control laws can be severe. In addition to civil fines and criminal penalties, running afoul of these laws can result in non-monetary consequences such as loss of export privileges, the imposition of compliance monitorships, U.S. Securities and Exchange Commission reporting obligations, and reputational harm. Recent settlements illustrate these consequences are not merely hypothetical.
This article discusses sanctions- and export control-related risks affecting the health care industry, as well as steps that companies may take to mitigate their exposure.
I. RISK AREAS & PROACTIVE MITIGATION STEPS
(A) Indirect Exports to Restricted Countries
Many U.S.-based health care companies with international operations are aware of the restrictions and licensing requirements associated with exporting products to sanctioned countries. To deal with this risk, these companies have designed compliance programs to prevent direct sales to countries subject to comprehensive sanctions or wide-ranging export controls. It is therefore unsurprising that many enforcement actions targeting health care companies have involved indirect exports to entities in restricted countries.
During the last decade, a number of U.S.-based pharmaceutical and medical device companies have been subject to enforcement actions for selling products to embargoed countries through foreign affiliates or third parties. The most notable of these enforcement actions involved U.S. and foreign affiliates of Alcon, which entered into coordinated settlements with the Office of Foreign Assets Control (“OFAC”) and the Bureau of Industry and Security (“BIS”) in July 2016 to resolve alleged violations of sanctions and export control laws. OFAC and BIS alleged that an Alcon subsidiary in Switzerland purchased U.S.-origin products from an Alcon U.S. affiliate and subsequently reexported those items to Iran and Syria. The Alcon entities ultimately agreed to pay a fine of over $9.4 million to resolve their potential liability.
More recently, in February 2017, United Medical Instruments, Inc. (“UMI”), a U.S.-based supplier of ultrasound equipment, agreed to pay over $500,000 to OFAC in order to resolve alleged violations of the Iranian sanctions. [FN/1] As in the Alcon case, OFAC alleged that UMI exported products to Iranian end users via intermediaries in third countries. Other companies also have entered into settlement agreements with OFAC, BIS, and the Department of Justice based on similar fact patterns.
These settlements underscore the importance of robust due diligence, ongoing monitoring, and periodic auditing of supply chain activities. For example, before exporting products, a company should identify the ultimate destination and end user of the products, as well as any intermediate parties-such as distributors and sales agents-involved in the transaction. Companies should exercise heightened diligence if a party to any transaction is located in a known gateway to sanctioned countries (e.g., China, the United Arab Emirates, Turkey) or do not have well-established reputations. Companies exporting products to third-party distributors and sales agents may seek contractual protections, such as covenants, to comply with applicable sanctions and export control laws and to refrain from doing business with embargoed countries or parties targeted by list-based sanctions. Finally, companies should perform ongoing monitoring and periodic audits of their compliance with applicable sanctions and export control laws. Depending on a company’s risk profile and the availability of resources, monitoring and auditing activities may be performed either in person or remotely.
(B) Violations of Licenses and Exemptions
Another potential avenue of liability for health care companies is the provision of products or services that exceed export authorizations. OFAC has issued general licenses-and BIS maintains license exceptions-that authorize transactions that otherwise would be prohibited by U.S. sanctions or export control laws. These general licenses and license exceptions, which vary in scope and are updated periodically, usually contain limitations. For example, OFAC’s general license that allows for the exportation and reexportation of certain medicine and medical devices to Iran does not cover exports or reexports to military, intelligence, or law enforcement purchasers (e.g., military hospitals), or to parties included on the Specially Designated Nationals List. These carve-outs to licenses can create compliance challenges, particularly for companies with limited compliance resources.
OFAC and BIS also grant specific licenses authorizing transactions that are not within the scope of existing general licenses and license exceptions. Specific licenses typically are limited by activity, end user, and duration. Companies that intentionally or inadvertently violate the terms of a specific license-for example, by engaging in activities outside the scope of the license or making sales that are within scope but occur after the license has expired-risk incurring liability.
Companies can take several steps to mitigate the risk of non-compliance with applicable licenses and license exceptions. First, companies may designate one or more employees as the primary point(s) of contact for trade compliance matters, including license-related inquiries, to promote accountability and consistency in approach to interpreting the licenses. Assessing the scope of applicable licenses and exceptions can be technical-ideally, such determinations should be made by appropriately qualified personnel. Second, companies may train employees to confirm that a contemplated transaction is permissible pursuant to a license (or exception codified in the Export Administration Regulations) with a designated trade compliance contact before moving forward with the transaction. Finally, companies with extensive international operations may establish a central repository for housing export licenses and authorizations. In addition to expediting access to export authorizations by relevant personnel, creation of a centralized repository may facilitate ongoing monitoring of compliance with license conditions.
(C) Failure to Identify Clinical Trial-Related Risks
Clinical trials present a host of complex-yet frequently overlooked-export compliance considerations. Many items used in the conduct of clinical trials may be subject to export control restrictions-for example, electronic devices (e.g., laptops, tablets, and cell phones) with encryption technology used for data collection, biological agents, and laboratory equipment. Further complicating compliance efforts, a single clinical trial may have trial sites in multiple foreign countries, each with its own export and import control regimes and requirements. Finally, the prospect of increased sales-which frequently drives violations of sanctions and export control laws by health care companies-is more attenuated in the clinical trial setting. As a result, clinical trial-related activities may receive less scrutiny from compliance and audit personnel.
Many clinical trial sponsors choose to outsource, to varying degrees, export and import compliance-related tasks to third parties, such as technology suppliers or contract research organizations. Depending on the circumstances, delegation of export compliance activities, such as obtaining licenses, may not relieve the sponsor of responsibility for ensuring compliance with applicable laws. For this reason, an important step in mitigating clinical trial-related export and import compliance risks is the careful selection and vetting of prospective third party services providers. Companies involved with clinical trials also may seek contractual protections and/or indemnification provisions from third parties. In addition, sponsors and vendors alike may consider consulting with vetted, in-country resources in unfamiliar jurisdictions (e.g., local counsel, customs brokers), to ensure compliance with local laws.
(D) Historical Liability for Acquisition Targets
Pharmaceutical and medical device companies frequently acquire other health care companies. A company that purchases a health care target with known (or unknown) liability for economic sanctions or export control violations may assume the target’s liabilities, depending upon the relevant facts and transaction structure. For example, Ellman International, Inc. (“Ellman”), a U.S.-based manufacturer of devices used in surgical and aesthetic procedures, was purchased by a private equity group in 2008. Unbeknownst to its purchasers, Ellman had violated the Iranian sanctions by (1) indirectly exporting products to Iran through a distributor in Dubai, and (2) engaging the services of an Iranian physician. Upon discovering these potential violations, Ellman’s new owners self-reported the Iran transactions to OFAC. In January 2013, Ellman agreed to pay $191,700 to resolve its liability stemming from its pre-acquisition conduct.
Appropriately, many prospective purchasers of health care companies seek to mitigate historical liability risk through pre-acquisition due diligence and negotiation of trade-related representations in purchase agreements. Pre-acquisition due diligence and contractual protections are important-but not necessarily sufficient-risk mitigation steps for transactions involving higher risk targets. In many cases, the representatives of targets who participate in the due diligence process are unfamiliar with the target’s trade compliance controls or lack sufficient insight into the target’s supply chain to respond effectively to sanctions- and export-related inquiries. And, as discussed above, violations frequently arise in the context of indirect exports, which are unlikely to be reflected in the sales and financial information provided in response to written diligence requests. Finally, while many prospective targets will represent that they are not aware of any historical violations of sanctions or export control laws, such representations are only as reliable as the strength of the targets’ existing compliance controls. For example, historical sanctions violations would be difficult to identify if a target lacks formal restricted party screening procedures.
Where comprehensive, pre-signing sanctions and export control diligence is impracticable-or a prospective target presents an enhanced risk profile-purchasers should consider conducting supplemental diligence after signing, to identify and address any ongoing violations. In addition, where existing controls are insufficient, purchasers should require the newly acquired target to promptly implement appropriate compliance enhancements. Enforcement actions show that U.S. regulators are willing to give meaningful credit to purchasers that remediate the underdeveloped compliance programs of acquired companies. For example, in the Ellman case, OFAC treated the purchaser’s’ prompt disclosure and remedial efforts as mitigating factors when calculating the applicable penalty.
U.S. regulators are carefully scrutinizing companies’ compliance with sanctions regulations and export control laws, violations of which may result in significant penalties and disproportionate reputational costs. U.S. sanctions and export control laws impose strict liability for civil violations, and regulators commonly allege multiple violations per transaction. Due to their size and geographic footprint, health care companies are potentially attractive enforcement targets for regulators.
Because investigations of violations of sanctions and export control laws tend to span multiple years, it is likely too early to assess whether we are at the early stages of an industry sweep (similar to previous FCPA-focused sweeps of the health care industry). As an upfront investment in compliance could stave off a future, high-profile settlement, health care companies may benefit from assessing their existing controls and addressing any potential deficiencies.
[FN/1] UMI had entered into a settlement agreement with BIS in 2013 related to the same or similar conduct. OFAC agreed to accept payment of only $15,400 if UMI satisfied the terms of the BIS settlement, including (1) satisfactory completion of a two-year probation period, and (2) prompt implementation of an export compliance program.
* * * * * * * * * * * * * * * * * * * *
| | 10.
S. Kovarovics, G. Kreijen & J. VanKerckhoven: “Voluntary Disclosures: Whether, When and To Whom – US and EU Perspectives – Part III: To Whom to Disclose”
* Authors: Susan Kovarovics, Esq., Brian Cave LLP, email@example.com; Gerard Kreijen, Esq., Loyens & Loeff (Amsterdam), firstname.lastname@example.org; and Jochen Vankerckhoven, Esq., Loyens & Loeff (Brussels), email@example.com.
[Editor’s Note: This is the third part in a series of World Trade Controls Blog items on Voluntary Disclosures. Part I was included in the Daily Bugle of Friday, 31 March 2017, item #14. Part II was included in the Daily Bugle of Thursday, 27 April 2017, item #12.]
Deciding to whom to submit a voluntary disclosure is also important. US as well as EU businesses should realize that in some cases more than one set of laws and regulations may apply.
For instance, if items are controlled under EU export controls and subject to EU trade sanctions, there may be disclosures warranted to EU member state entities. In addition, if the items involved are also controlled under the EAR and were sent to Iran in violation of the Iranian Transactions and Sanctions Regulations, both the BIS and OFAC would also have jurisdiction over the matter. As a result, it may be in your best interest to submit a voluntary disclosure to both of those US agencies, as well. Depending on the circumstances of the transaction (for instance, if US persons are involved) this may also apply to EU companies. Furthermore, if violations persisted over a period of time involving military items that transitioned from the ITAR to the EAR, it may be appropriate to submit a voluntary disclosure to both DDTC and BIS, since each may have jurisdiction over a portion of the transactions at issue.
If there is the possibility that a matter may involve intentional violations, such that the government may consider there to be potential criminal liability, the US Department of Justice (“DOJ”) issued guidance last year indicating that it expects to receive voluntary disclosures directly, rather than simply learning of voluntary disclosures submitted to OFAC, BIS or DDTC. You should consider carefully which agencies should receive a voluntary disclosure, as this decision may have an impact on which agencies ultimately deem your entity to warrant mitigation credit for having voluntarily submitted a disclosure to the government.
If you think that there may be a breach of EU trade controls and that a voluntary disclosure in the Netherlands is required the authority to turn to is Team POSS (precursors, strategic goods and sanction regulations). Team POSS, which is part of Dutch Customs and, as such, of the Dutch internal revenue service, is the responsible supervisor with respect to both economic sanctions and export controls. In addition to its more general controlling and auditing tasks Team POSS deals with voluntary disclosures. Once you have made the disclosure, you may expect a call or a letter from Team POSS to arrange for an on-site visit from one or two of its team members, who will be conducting an audit. In the course of the audit, Team POSS will usually want to interview responsible staff, ask detailed questions about the suspected breach and have access to the company files and the internal compliance program. If Team POSS suspects intentional violations (entailing criminal liability) or deems that a penalty should be applied, it will write a formal police report which it will submit to the Public Prosecution Service. Subject to the fulfilment of the conditions as set out in our first post on voluntary disclosure Team POSS has discretion to desist from such a move and offer a settlement or issue a formal warning.
In the Netherlands, the breach of economic sanctions and export control regulations constitutes an economic offence for the ultimate enforcement of which the Public Prosecution Service is generally competent. In theory, therefore, you may also submit your voluntary disclosure to the public prosecutor’s office irrespective of whether there is potential criminal liability. Practice in the Netherlands, however, shows that a voluntary disclosure to the public prosecution is rather exceptional.
As mentioned in our earlier posts, also in Belgium there is no official voluntary disclosure mechanism and there are thus no strict procedures foreseen. The competent enforcement authority is Belgian Customs which ultimately decides on further enforcement actions and penalties or which can propose a settlement in case of a voluntary disclosure.
In practice, however, it is recommended to present your disclosure first to the “competent” licensing export control or sanction authority in Belgium. This will generally be the regional authorities in charge of export, import or transit licenses for dual-use and military items – click here for an overview of the competent export control and sanction authorities in Belgium. They will assess the suspected breach, how you have dealt with it and what measures you have taken to prevent further breaches in the future. On that basis, they will present your disclosure file to Customs along with their advice on what they consider to be mitigating circumstances and which usually includes recommendations of measures that can be taken to prevent future breaches.
In sum, there are several key considerations related to voluntary disclosures. It’s not enough to simply decide whether or not to disclose. One must also consider carefully when to disclose and to whom.
* * * * * * * * * * * * * * * * * * * *
|EDITOR’S NOTES |
* Tucker Carlson (Tucker Swanson McNear Carlson, born May 16, 1969, is an American political commentator.)
– “It is nice to be around people who think differently than you. They challenge your ideas and keep you from being complacent.”
* Homer (Homerus, born circa 750, BC, is the name ascribed by the ancient Greeks to the author of The Iliad and The Odyssey, two epic poems which are the central works of ancient Greek literature.)
– “I loathe like Hell’s Gates the man who thinks one thing and says another.”
* * * * * * * * * * * * * * * * * * * *
| | 12 . Are Your Copies of Regulations Up to Date? (Source: Editor)
The official versions of the following regulations are published annually in the U.S. Code of Federal Regulations (C.F.R.), but are updated as amended in the Federal Register. Changes to applicable regulations are listed below.
– Last Amendment: 15 Jan 2016: 81 FR 2657-2723: Machineguns, Destructive Devices and Certain Other Firearms; Background Checks for Responsible Persons of a Trust or Legal Entity With Respect To Making or Transferring a Firearm
– Last Amendment: 27 Jan 2017: 82 FR 8589-8590: Delay of Effective Date for Importations of Certain Vehicles and Engines Subject to Federal Antipollution Emission Standards [New effective date: 21 March 2017.]; and 82 FR 8590: Delay of Effective Date for Toxic Substance Control Act Chemical Substance Import Certification Process Revisions [New effective date: 21 March 2017.] – Last Amendment: 18 Apr 2017: 82 FR 18217-18220: Revision to an Entry on the Entity List
– Last Amendment: 10 Feb 2017: 82 FR 10434-10440: Inflation Adjustment of Civil Monetary Penalties.
– Last Amendment: 19 Apr 2017: 82 FR 18383-18393: Foreign Trade Regulations: Clarification on Filing Requirements – HTS codes that are not valid for AES are available here
– The latest edition (19 Apr 2017) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and footnotes containing case annotations, practice tips, and Census/AES guidance. Subscribers receive revised copies every time the FTR is amended. The BAFTR is available by annual subscription from the Full Circle Compliance website. BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR.
– HTS codes for AES are available here . – HTS codes that are not valid for AES are available here
– Latest Amendment: 11 Jan 2017: 82 FR 3168-3170: 2017 Civil Monetary Penalties Inflationary Adjustment – The only available fully updated copy (latest edition 8 Mar 2017) of the ITAR with all amendments is contained in Bartlett’s Annotated ITAR (“BITAR”), by James E. Bartlett III. The BITAR contains all ITAR amendments to date, plus a large Index, over 750 footnotes containing case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text. Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment. The BITAR is available by annual subscription from the Full Circle Compliance website . BAFTR subscribers receive a 25% discount on subscriptions to the BITAR, please contact us to receive your discount code.
* * * * * * * * * * * * * * * * * * * *
| | 13 . Weekly Highlights of the Daily Bugle Top Stories (Source: Editor) Review last week’s top Ex/Im stories in “Weekly Highlights of the Daily Bugle Top Stories” published here .
* * * * * * * * * * * * * * * * * * * *
|* The Ex/Im Daily Update is a publication of FCC Advisory B.V., edited by James E. Bartlett III and Alexander Bosch, and emailed every business day to approximately 8,000 subscribers to inform readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOJ/ATF, DoD/DSS, DoD/DTSA, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations. Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items. |
* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission. Any further use of contributors’ material, however, must comply with applicable copyright laws.
* CAVEAT: The contents cannot be relied upon as legal or expert advice. Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources. If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.
* SUBSCRIPTIONS: Subscriptions are free. Subscribe by completing the request form on the Full Circle Compliance website.
* TO UNSUBSCRIBE: Use the Safe Unsubscribe link below.
Copyright © 2017. All Rights Reserved.