
Akrivis Scores Major Victory in Massive Sanctions Penalty Case

I’m proud of my firm and my team’s big win that came out yesterday in a major, widely watched sanctions case at the U.S. Court of Appeals for the District of Columbia Circuit. Read our last alert to see why this win is important not just for our client but for the trade community.

Client Alert

The U.S. Court of Appeals for the District of Columbia Circuit ruled today in favor of our client Epsilon Electronics, Inc., in a case against the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the primary U.S. government body administering trade restrictions against sanctioned countries such as Iran and Cuba. This case is already the subject of exceptional interest and significance for the trade compliance community. The ruling is particularly timely in the aftermath of the agreement over Iran’s nuclear program that resulted in the 2015 Joint Comprehensive Plan of Action (JCPOA), which led to partial but not complete sanctions relief for Iran.

Today’s victory was a direct result of the zealous efforts of Akrivis Partner Teresa N. Taylor, who spearheaded the litigation strategy for Epsilon on this case and very successfully argued in favor of Epsilon in litigation and at oral argument on November 9, 2016. Ms. Taylor worked very closely with Farhad R. Alavi, Akrivis Managing Partner, on the technical interpretation of the complex web of U.S. sanctions and the commercial aspects surrounding the international transactions at issue.

It should be emphasized that the U.S. Court of Appeals for the DC Circuit is arguably the nation’s second most influential court and commonly referred to as the “mini Supreme Court,” both because it sends more cases to the U.S. Supreme Court than any other federal appellate circuit, and as many recent Supreme Court appointments have come from this court’s bench.

Factual Context

Epsilon Electronics is a small business in southern California in the automotive after-market business. In July 2014, OFAC imposed a massive $4,073,000 penalty on Epsilon, alleging that a series of shipments by the company to Asra International Corporation, LLC in Dubai, United Arab Emirates (UAE) were in fact destined for end-use in Iran, which would signify a breach of U.S. sanctions. $1.25 million of this penalty stemmed from five shipments in 2012 to Asra International, for which OFAC imposed the maximum $250,000 statutory penalty at the time per shipment, even though some of these shipments were only several hundred dollars in value and even though Asra International had a retail store in Dubai that was selling Epsilon’s products. This penalty was imposed despite Epsilon’s cooperation with OFAC during its investigation and despite its being a modestly sized family enterprise of limited sophistication.

This case turned on the Administrative Procedure Act (APA), U.S. sanctions on Iran, and U.S. constitutional claims. It is exceptionally challenging to bring APA cases before federal courts after a final agency action. Courts have relied on prior cases, which establish that federal agencies such as OFAC, the Bureau of Industry and Security (BIS), or the Environmental Protection Agency (EPA) are subject matter experts in their respective domains and that judges should give such agencies a high degree of deference and not second-guess their rulings on subject-specific matters. This premise holds that courts should only overturn federal agency actions when they are “arbitrary and capricious.” Akrivis argued this point on Epsilon’s behalf, among many other claims.

The U.S. Court of Appeals for the District of Columbia Circuit today remanded the case to the district court, with instructions to remand the matter to OFAC for further consideration of the five alleged 2012 violations, and calculation of the total monetary penalty imposed for all liability findings. The Court’s order also remanded OFAC’s determination that Epsilon’s five shipments to Asra International in 2012 violated the regulations. OFAC’s determination that Epsilon had reason to know that the 2012 shipments were specifically intended for reexport to Iran was not supported by substantial evidence and was therefore arbitrary and capricious, as OFAC did not explain in the Administrative Record why e-mails between Epsilon and Asra regarding Asra’s stores in Dubai were not credible evidence.

What this means for Compliance

Beyond the many benefits accruing to Epsilon, today’s opinion is a standard bearer for the trade compliance community as it establishes several key precedents. First, because OFAC is rarely challenged and because OFAC’s holdings are not fully available to the public, it offers a crucial, rare window into the inner workings of U.S. sanctions policy. Second, the case also demonstrates that agency enforcement actions can be subject to greater judicial review, which could lead to enhanced transparency in the dialogue between alleged violators and the government in the penalty phase at the administrative level. Third, it establishes that the government does not need to prove that goods or services actually reached the sanctioned destination, but it must clearly establish reason to know that such exports were intended specifically for that destination.

The Epsilon case is particularly important for U.S. businesses exporting to the Middle East, particularly the UAE because it reveals OFAC’s interpretations of key regulations, which will help companies chart out key compliance strategies. Further, the case’s importance extends far beyond the Middle East to companies doing business overseas, particularly regions with higher sanctions risks exposure, be they in the Persian Gulf region, Russia, Cuba, or elsewhere. This explains why this case has been the subject of numerous articles and presentations around the world.

The positive outcome in this case is a direct result of the hard work and diligence of Ms. Taylor, an experienced litigator and former federal law clerk. Prior to joining Akrivis, Ms. Taylor served in the office of the Chief Counsel at the U.S. Department of the Treasury and practiced at a leading global law firm. Ms. Taylor’s experience includes extensive work on federal litigation and investigatory matters involving U.S. trade laws. Ms. Taylor’s experience has helped Akrivis build a highly sophisticated federal white collar practice.

Mr. Alavi, also previously with leading global law firms, is a frequent commentator appearing in international media on U.S. sanctions and trade laws. He regularly advises U.S. and foreign companies on related complex compliance and cross-border commercial matters. More broadly, Akrivis’s team has long been established as a go-to firm for U.S. trade compliance, particularly the area of U.S. sanctions.

Akrivis Law Group, PLLC would also like to thank its team for their hard work, as well as Abu Dhabi-based attorney John P. McGowan, Jr., who submitted an amicus brief on behalf of his company JPM Legal Advisors Worldwide Ltd., and his counsel.

Citation: Epsilon Electronics, Inc. v. U.S. Department of the Treasury, Office of Foreign Assets Control, et al., No. 1:16-5118 slip op. (D.C. Cir. May 26, 2017)

The opinion can be read by clicking on this link on the Court’s website. A PDF version of this alert is available here.

The text of this post has been copied verbatim from Akrivis Law Group’s website.


The Impact of the Nuclear Agreements between Iran and the P5+1 Group and the Possible Suspension of Some U.S. Sanctions

The official announcement of the agreement between Iran and the members of the P5+1 group (the United States of America, the United Kingdom, France, Russia, China, and Germany) on April 2, 2015 (corresponding to 13 Farvardin 1394) regarding Iran’s nuclear file created a wave of hope and excitement.

The negotiating parties hope that this preliminary agreement will form the basis for issuing their Joint Comprehensive Plan of Action[1] on June 30, 2013 (corresponding to 9 Tir 1394). In fact, this agreement is a continuation of the interim agreement of November 24, 2013, which, beginning in January 2014, suspended a limited portion of the sanctions on Iran.

Following the joy and satisfaction arising from last week’s news of the agreement, a wave of uncertainty has arisen about the current and future status of U.S. sanctions on Iran. It will be explained in detail here that, while the lifting of some sanctions remains shrouded in ambiguity, no law has changed so far. Even if the final agreement is reached on June 30, 2015, most of the sanctions that cover day-to-day transactions of the United States and U.S. persons[2] with Iran will remain in effect.

The U.S. Sanctions Structure Has Not Disappeared

The parameters set out in the April 2 agreement between the P5+1 and Iran make it clear that the United States will not end its set of sanctions against Iran in the near future. First, it should be noted that despite last week’s announcement of the agreement, none of the sanctions laws has changed. Moreover, the terms of the agreement have not yet been finalized and will not be implemented until the Joint Comprehensive Plan of Action (JCPOA) is issued; even after that, most changes will proceed in stages, and the timetable for these changes has not yet been agreed.

In fact, as Iran fulfills the various stages set out in the Joint Comprehensive Plan of Action, certain predetermined sanctions will be suspended step by step; these are the sanctions imposed to deter Iran from its nuclear activities. The United States has stated explicitly that the U.S. sanctions laws and regulations arising from the allegations of Iran’s support for international terrorism and its human rights violations will not be among the sanctions eligible for lifting.

Based on the parameters announced in the Joint Comprehensive Plan of Action, the U.S. sanctions likely to be suspended concern Iran’s oil and gas, automotive, precious metals trading, and petrochemical sectors, among others.

Lifting many of these sanctions requires action by the U.S. Congress, although the President has limited authority to suspend them. The Office of Foreign Assets Control (OFAC), a part of the U.S. Department of the Treasury, separately and emphatically noted in a public statement on April 3 that the laws and regulations have not yet changed and the sanctions have not been lifted. Furthermore, to date there have been no negotiations over the unilateral sanctions that were implemented first and that currently prevent the establishment of commercial relations between Iran and the United States.

What Has Not Been Affected

The U.S. sanctions that cover day-to-day transactions of Iranian-American individuals and entities will, in all likelihood, remain in force for the foreseeable future. Many of the principles set out in the Iranian Transactions and Sanctions Regulations (ITSR), 31 CFR 560, were not addressed in the nuclear negotiations, so these restrictions will remain in effect.

Among these, the following are noteworthy:

  • Authorized exports to Iran (direct or indirect) will remain limited to certain medical devices, medicines, foodstuffs, agricultural commodities, and information technology hardware and software.
  • Imports of many goods from Iran will remain prohibited.
  • The sale of much real property and many other assets in Iran by U.S. persons will still require a license from the Office of Foreign Assets Control (OFAC).
  • Investment in Iran, such as purchasing property or participating in commercial activities, will still require an OFAC license, even if the capital was in Iran from the outset and was not transferred there from abroad.
  • Holding accounts at Iranian banks remains prohibited for U.S. persons, and closing such accounts requires a license.
  • U.S. banks will continue to scrutinize funds that may have been sent from Iran, even if those funds are sent from third countries such as Hong Kong, Turkey, or the United Arab Emirates.

It should be recalled that the ITSR prohibitions cover U.S. persons[3], which includes U.S. citizens and permanent residents (green card holders) regardless of their current place of residence. Persons physically present in the United States, entities organized under the laws of the United States, and any entity abroad owned or controlled by them are covered by this provision, and the U.S. nationality of such individuals overrides any other foreign nationality they may hold.

Enforcement of the Sanctions Laws Will Continue

Regardless of the fact that most of the current Iran sanctions regulatory structure will remain in force, the Office of Foreign Assets Control (OFAC) has explicitly stated that it will continue to enforce the sanctions laws. In an official statement on April 3, 2015, OFAC stated that:

                   until today and until the date on which implementation of the Joint Comprehensive Plan of Action begins, all sanctions in force, other than those suspended under the JPOA, will be strictly enforced by the United States.

Past violations will be scrutinized carefully, and it goes without saying that the current laws will be enforced. For this reason, the recent agreement should in no way be regarded as a license to violate the sanctions laws. Even if the laws change or the United States unilaterally lifts sanctions beyond what has been agreed, particular attention must still be paid to compliance with the sanctions laws.

The atmosphere of satisfaction following the Lausanne agreement and Iran’s prospects for rejoining the international community is certainly understandable; nonetheless, understanding reality is very important, especially after U.S. officials announced that the sanctions will not disappear all at once.

Even the smallest violations of the sanctions laws can create a criminal record and carry heavy financial consequences and loss of time, and in the case of commercial transactions they can cause reputational harm. The doors have not yet opened, so it is very important to be aware of the applicable laws and to act in accordance with them.

[1] (JCPOA)

[2] “U.S. person” refers to the definition of U.S. person in 31 CFR § 560.314 (2014)

[3] United States Person

New Sudan General License for Communications

OFAC this week issued a new general license expanding the range of information technology (IT) related goods and services U.S. persons can now export to Sudan. The amended general license, which went into effect on February 18, is incorporated into the Sudanese Sanctions Regulations, 31 CFR Part 538, and opens many windows for U.S. persons, as well as opportunities for people in Sudan to be better engaged with the outside world.

Notably, the new general license expands on a 2010 general license allowing U.S. persons to export certain types of personal communication software and services to Sudan, primarily those related to free, publicly available applications that were “EAR99,” i.e., not subject to U.S. export controls for potential dual use. As OFAC itself states, the new general license follows the Iran General License D-1 model, whose precursor, General License D, was issued in May 2013 to allow Iranians to have more access to information and communication tools. General Licenses D and D-1 authorize U.S. persons to export a host of computing hardware, software and services to Iran.

Here are some basic features of the new Sudan General License:

1. Software. The general license has been expanded to include certain fee-based software as well (formerly only some free applications and services were allowed), so long as they are “widely available to the public” and related to personal communications. Interestingly, these have also been made available to the Government of Sudan. Certain non-U.S., non-EAR-controlled software can also be exported to Sudan by U.S. persons if necessary to enable certain types of personal communications.

2. Hardware. A host of technologies are now exportable to Sudan under certain circumstances. These include certain internet communications technologies and tools, as well as items such as computers, modems, personal digital assistants, hard drives, and mobile phones.

As can be seen, the general license is certainly not a blank check to deal in whatever types of IT goods, services, and technologies with Sudan. However, within the parameters set forth in the general license, this general license does open many doors for the exportation of a wide range of goods and services to Sudan, and may hopefully have a positive impact in empowering communications in and with that country.

Standard Chartered in Sanctions Trouble Again?

Reuters carried a story Sunday about the Office of the U.S. Attorney in the Southern District of New York (SDNY) investigating London-based Standard Chartered bank (known by many as “StanChart”) for potential violations of U.S. sanctions against Iran. According to the report, the investigation is tied to information obtained by U.S. authorities in their investigation of French-based BNP Paribas for sanctions violations, a case which ultimately settled for a hefty $8.9 billion.

But wait, wasn’t StanChart recently fined for sanctions matters? Yes – if you recall, in 2012, the bank, which does quite a bit of business in emerging markets, settled for $667 million for alleged violations of the U.S. sanctions regime against Iran, including allegations that the bank engaged in so-called “wire stripping,” whereby references to the Iranian connection of a payment were stripped from the actual bank wire.  Those fines were paid to a number of entities, including the New York Department of Financial Services, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the U.S. Department of Justice (DOJ).

Did StanChart not learn its lesson last time? Well, it looks like the potential violations happened a number of years ago but were not revealed at the time and have only now been uncovered. It remains to be seen what comes of this.

What to Make of this Development

This story really highlights two important issues. First, the U.S. has not lightened up on sanctions enforcement in light of the increased dialogue between it and Iran in the past year following the election of Iranian President Hassan Rouhani, and the November 2013 deal between Iran and the P5+1. While that agreement resulted in some sanctions being suspended, contrary to some belief, the Administration isn’t taking other violations lightly. This is a prime example. Iran sanctions are still very popular in the halls of government, and the government has made it clear that it will continue to enforce the existing laws. Notably, many have also emphasized that even if sanctions are lightened, meaning even if a deal is reached by November 24 over Iran’s nuclear file, they will not be lifted overnight. The common, conventional wisdom is that, assuming there is a deal, it will still take a few years.

Second, the key point (often mentioned on this blog) is that even if the Iran sanctions are lifted, we live in a world of compliance and a vigorous anti-money laundering (AML) culture. The U.S. and European Union (E.U.) are increasingly using sanctions as a tool of foreign policy, and whether it’s Iran, Russia, Syria, Cuba, or anywhere else, thorough compliance is now the name of the game. Even outside sanctioned jurisdictions, banks and other businesses cannot turn a blind eye to U.S. law and will have to implement best practices (if they have not already). Be they financial institutions, manufacturers or trading companies, compliance programs featuring education on the laws, updating of policies, transparency, know-your-customer provisions and contractual clauses will continue to be important, if not more vital.

Compliance Programs Are For Everybody

While StanChart is a huge bank of global proportions, any company doing business internationally should place careful emphasis on compliance. A good compliance program is one that is adapted to the needs of the company: what may work for a large UK bank may very likely not be appropriate for a small trading company in the U.S. focused on Latin America or East Asia. That does not, however, mean that such a company should not worry about compliance. Rather, such a business should adopt policies that better ensure its own compliance. The key is to be proactive, knowledgeable, and willing to institute good practices that will keep the business on the right side of the law and minimize risk.

OFAC Releases Much-Needed Guidance on Humanitarian Assistance

Moments ago, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released a two-page primer on its position on humanitarian assistance to sanctioned jurisdictions. Although this document is not binding in the sense that it is not a codification of law, it is a clarification of policy. Some key points highlighted are that:

(1) While the U.S. government supports humanitarian assistance, this is generally conditioned on assistance not being directed towards entities that are designated by OFAC or owned or controlled by such entities.

(2) In the case of regions that are under control of individuals who are blocked, the payment of certain fees such as taxes is not necessarily prohibited.

(3) Interestingly, OFAC has also clarified that in certain cases, humanitarian aid may unintentionally wind up in the hands of designated entities but that this is not a focus of its enforcement agenda. This of course, should not be seen as any type of tacit authorization to aid designated entities as that remains prohibited.

The case of humanitarian assistance is one that is causing increasing compliance challenges, particularly due to the dire situation in jurisdictions such as Syria and Iraq where parts of the territory are under the control of the Islamic State (IS). Furthermore, even in the case of fully sovereign jurisdictions such as Iran, the logistics chain of delivering aid has been made considerably more difficult by the reluctance of third-party actors (such as banks in the United States and third countries) to facilitate even authorized transactions. You may recall this article in Al-Monitor two weeks ago where I was interviewed on this same issue.

As such, those seeking to engage in charitable and humanitarian assistance in sanctioned countries or in areas where exposure to potential violations is high (such as in Iraq) should be particularly careful to (1) understand the scope of U.S. laws; (2) ensure compliance; and (3) educate third-party actors and vendors about the legality of their transactions. The latter is a significant part of what I do for many compliance clients.

GCC Nations Ascend to US FATCA

The last two months have seen the three Gulf Cooperation Council (GCC) countries of the United Arab Emirates (UAE), Qatar, and Kuwait bring into force agreements in principle on an Intergovernmental Agreement (IGA) with the United States Department of the Treasury regarding the US Foreign Account Tax Compliance Act (FATCA). This dovetails with a number of similar agreements the United States has entered into with other countries in its attempt to counter US taxpayers maintaining secret, unreported financial assets overseas.

What is FATCA?

Although the United States has maintained the Foreign Bank Account Report (commonly referred to as the “FBAR”) for many years, it is now requiring foreign financial institutions (“FFIs”) to report to the Department of the Treasury on accounts maintained on the FFIs’ books belonging to US taxpayers (or accounts in which such taxpayers have an interest). To motivate compliance with FATCA, Treasury has announced that it will impose significant withholding on non-complying FFIs’ banking activities in the United States. FFIs that do not comply with FATCA can face 30% withholding on US-sourced payments.

How is FATCA being Enforced by and through Non-US States?

The US Treasury has entered into agreements with a number of foreign countries such as Switzerland, Canada, Japan, Mexico, Spain and the United Kingdom. By executing an IGA with the United States, the foreign state agrees to require its financial institutions to report specified financial accounts involving (through whole or partial ownership) US taxpayers to the US Treasury.

How does this Impact GCC Financial Institutions? 

The United States’ agreement with Qatar took effect in April, and more recently those with Kuwait (May 1) and the UAE (May 23). The agreements between the United States and the UAE, Qatar and Kuwait are based on the “Model 1” IGA (notably, there are two types of Model IGAs). Model 1 provides for upward reporting from the FFI to the partner country (say, the UAE central government), which then reports the relevant financial information to the US Department of the Treasury’s Internal Revenue Service (IRS).

The large number of foreign nationals living in or otherwise having financial accounts in the Persian Gulf makes FATCA compliance a pressing need, particularly given that many of these people have U.S. citizenship or permanent residency status. GCC-based FFIs (which include investment funds) should take care to know the full scope of their responsibilities under FATCA, which can be very nuanced. Given the wide variety of banks in the region and the fact that many of them have subsidiaries overseas, understanding the breadth of their compliance obligations is critical. Although Qatar, Kuwait and the UAE have “agreed in substance” on the IGAs for FATCA, there are still unilateral requirements on the actual FFI. First and foremost, it should be registered with the Treasury Department and obtain what is called a Global Intermediary Identification Number (GIIN). This entails coordination with any affiliate, parent, subsidiary or otherwise related financial institution, as there are various subcategories of registration under FATCA. Furthermore, FFIs should naturally ensure compliance with the reporting requirements.

Overall, FATCA represents the United States’ attempt to crack down on tax non-compliance and on any benefits gained by hiding money offshore. Although the FBAR/FinCEN 114 form already exists, FATCA pushes the burden onto foreign financial institutions to help the US government identify US taxpayers who maintain certain foreign financial assets. Given the steep financial penalties for non-compliance imposed by the United States (not to mention potential penalties by their own countries), foreign financial institutions should ensure compliance and diligence in meeting the requirements placed on them under this very nascent law.

Developments in Dubai Medical Tourism

Just finished reading an article in Monday’s Gulf News discussing Dubai’s grandiose plans for attracting medical tourism. Indeed, the UAE is on its way to becoming a hub in many areas, such as logistics, banking, shipping, and even Islamic finance. Medical care must be high on the agenda.

Using its role as a transport hub and a highly desirable place to live, the Emirate has taken steps to realize its ambitious plans to be a health care hub. This is in line with the Dubai Health Strategy 2013-2025 that was rolled out recently. This will include three new hospitals and 40 clinics. With Expo 2020 coming its way, this is to be expected.

One of the more interesting issues I noticed in the article was

What does this mean for health care companies seeking to get a piece of the action?

1. Due Diligence. Do you know who your partner will be? If you are not setting up in the free zones and do need a partner, substantial due diligence should be done, as a bad partner can open the door to various types of liability.

2. Territoriality. Companies seeking to make their first foray into the Persian Gulf region should take care to address territoriality in their contracts. Irrespective of whether you are entering into a joint venture, distributorship or franchise, territory is key. It’s best to make sure contracts spell out the territory covered; this is particularly important in a cash region where duplication and replication in other jurisdictions is quite common.

3. Intellectual Property Law. Particular attention must be paid to IP rights to make sure there is no misappropriation and that all requisite rights are licensed while control stays with the principal.

4. Human Resources Issues. It is critical to get people on the ground, and making sure you are able to have the visas processed and are fully aware of local labor law issues is absolutely imperative.

5. Compliance. Compliance is the name of the game these days and appears to be taking hold in the GCC as well. This covers due-diligence and know your customer (KYC) type requirements, compliance with the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy standards (which may become the gold standard, even abroad), and potentially applicable data privacy guidelines. There may also be trade-related matters to deal with, such as ensuring compliance with US sanctions on Iran and Syria, which are often in flux.

6. Confidentiality. Use Non-Disclosure Agreements (NDAs) where possible. This will help keep your plan under wraps and will help guard against somebody spilling the beans, as they say. The cities in the Gulf (Dubai being no exception) tend to be a bit small, and people can talk!

A good foray will be well-papered, meaning there should be robust, comprehensive contracts in place that protect the parties.  A solid entry is one that takes all the legal issues into perspective to deliver an optimal strategy that will move beyond any type of “gold rush” approach and into one that can create legal stability for the future.

Cybersecurity and Data Privacy Compliance: Looking Forward

The world of legal accountability in cyberspace and data privacy is continually evolving. The United Nations is on the horizon of applying international law to cyberspace based on the sovereign principle that countries are responsible for actions and harms that occur within their borders as a result of data breaches. Hackers today range from bored, unsophisticated teenagers to rogue governments, and their tactics are surprisingly effective: over ninety percent of hackers are successful. Iran has posed one of the biggest hacker threats, in suspected retaliation against banks and financial institutions in response to Stuxnet. The bulk of critical infrastructure (i.e., energy, telecommunications, transportation, financial services, food and water, public health) and private corporate networks nevertheless remain particularly vulnerable to internal and external cyber attacks and to breaches of Personally Identifiable Information (PII), proprietary information, intellectual property, business intelligence, and customer information. Universities and non-profit organizations are particularly vulnerable targets as well.

Most companies, including law firms, have no strategic plan in place to deal with attacks, insider threats, or data privacy breaches. Companies must have a framework for protection that goes beyond mere technological filters. Lawyers now have an additional duty to protect technologically against such attacks and breaches internally, and also to advise clients on strategic plans and compliance that effectively address cyber attacks and data protection, in an effort to mitigate potential liability and damage stemming from such attacks. Law firms have to be as well-informed as any other organization and must have a model in place to address attacks. Law firms are persistently targeted by insidious hackers. Financial institutions are now auditing law firms to see whether they have such protections in place to secure their clients’ data.

Default passwords for Supervisory Control and Data Acquisition (“SCADA”, used to collect real-time data) systems are easily available through forums such as Russian hacker chatter. Yet the most commonly used employee password remains “password.” Mobile devices remain big targets, and many employees charge these devices at work, thereby opening the door to another avenue of attack. Many computer networks are easily defeated by malware. Malware is available for sale on the internet and is easily purchased to carry out cyber attacks. Firewalls and similar protective software are too often easy to bypass, and therefore due diligence requires companies to go beyond technological protections. Many companies that have experienced attacks or data breaches remain completely unaware and unprepared. In fact, it is more probable that the only reason a company has not yet been attacked is a lack of intent or interest by hackers or insiders with access, not that the data is unavailable or the networks are inaccessible.

Unpatched programs pose a serious threat, but this is not merely a technical issue; it is really a business risk issue. Companies need to ask where their critical information is located. Most company Information Technology personnel and service companies cannot answer this question easily. A company’s critical information is usually scattered across the company, and identifying and locating that information is an ongoing process requiring continuous high-level conversations.

Data retention is a key issue for corporations. The usual cost to remediate a data breach is roughly $200 per file. Customer lists containing 10,000 or more persons can therefore be very expensive. Adherence to data retention policies, by destroying information and records once they are no longer needed, is good policy. Regular risk assessments in different business lines are also good policy, given that business lines hold different types of valuable data and therefore present different targets; different targets equate to different methods of targeting by internal and external threats. Good data hygiene requires that data security policies and procedures be kept up to date and regularly checked by a third party. This should be an ongoing process. All corporate stakeholders must be involved in order to have a full business view of the risks, as opposed to a merely technical view. Effective data security and compliance therefore requires that corporations work across business lines and together with high-level management and the C-suite, and with the finance, legal, and IT departments. It is also prudent for corporations to involve the Board, set up a high-level Risk Committee, and develop an external audit system with major assessments to identify threats and the most valuable corporate information. Corporations need more than just one or two solutions; they require a series of interventions at every possible level to effectuate due diligence and compliance.

Soon due diligence will not be optional; in the foreseeable future it will involve liability for attacks and tighter regulation beyond mere voluntary frameworks. Privacy laws are complex and directly related to cyber security. PII, such as credit card information, health care information, and corporate secrets, is put at risk by phishing emails. Insidious tweets or false social media postings can cause immediate harm to a corporation’s bottom line and net worth. A filibuster of cyber legislation does not mean that corporations can ignore or escape due diligence responsibility or liability concerning data protection. Data protection concerns public safety on every level, and the complexity of the legal issues is only mounting.

More legislation and regulations are surely looming in the near future. The potential initial investigative steps following a data breach can be difficult and daunting tasks for a corporation, such as responding to a Foreign Intelligence Surveillance Act (“FISA”) subpoena, determining whether any protected personal and private information has in fact been shared, and determining whether the corporation has therefore triggered mandated notification requirements. Over time, litigation will end up shaping corporate guidance governing data breaches beyond the current voluntary suggestions. It is therefore imperative that corporations begin now to learn how to put a monetary value on the various potential breaches of differing information and how to conclude what constitutes a material breach requiring notification. Corporations often have no way of predicting how or when information might be exploited following a breach. These exercises are vital for corporations doing international business, particularly in Europe, given the European Union’s intent to tighten requirements governing data protection within two years and that will affect aid.

Data protection is a never-ending process. Corporations can no longer be static or concerned solely with defense should a breach occur; corporations must be proactive. Hackers have been successfully hacking for many years. Corporations that are unaware of who is operating on their network place their money at risk and stand to lose huge amounts of money daily should a breach happen. All corporations and all states in the United States suffer theft of data despite data privacy laws. How corporations share data about these breaches, and how they overcome information-sharing hurdles, such as how to address breaches involving national security and secret information that cannot be conveyed to other members of the board or company, is imperative to mitigation. Cyber space is now a global network that has become a global problem. No country or corporation, no matter how big or small, is exempt from these risks, the loss of data, or the resulting damage.

Lessons from last week’s US-Saudi Business Opportunities Forum

I was in Los Angeles last week, in large part to attend the annual US-Saudi Business Opportunities Forum. This yearly event brings together a wide range of top-tier speakers along with business people and government officials from around the world (mainly the USA and Saudi Arabia) for 3 days of panels, discussions, and networking meals. If I had to underscore a single theme, it was that there is a lot more to the Kingdom of Saudi Arabia (KSA) than most in the US probably know.

Ambassador James Smith, the US’ chief diplomat in KSA, delivered a very interesting speech outlining the many different facets (and geography) of the Kingdom. Why is this relevant? Beyond giving us non-Saudis in the audience a better understanding of the country, it highlights the fact that KSA has a very unique economy. Beyond being the largest market in the Gulf Cooperation Council (GCC), I was interested to see that KSA has a significant industrial base and an impressive number of qualified nationals who can help the country move into the new millennium.

Key areas of interest appeared to be energy and oil & gas (no surprise there), but also health care. I was impressed to see that the country is planning over 100 hospitals in the next few years and will have a shortage of about 80,000 physicians by some measures. How they will make up for this, I do not know. As one Saudi legal professional at the conference told me, the country also has only about 2,000 lawyers. This leaves the door wide open not only to skilled experts (more broadly) but also to individuals with the bandwidth and capacity to help get big projects running.

This leads me to my next point – the legal landscape. Not surprisingly, this is often overlooked. It’s amazing how many people still do not know the difference between a branch and a subsidiary, or the type of rights they need to guarantee in a joint venture or franchise agreement. Often simply wanting to get a deal done quickly, businessmen commonly overlook these legal implications, even though they can be significant. Making sure you have the right local partner, do not run afoul of US laws, and have recourse locally (and arguably in the US) are just among the most basic of concerns one should consider addressing before entering any foreign market, but especially one like that of the KSA. Just another reason why contracts should not only be used but should also be solid.

Data Privacy, Cyber Security, and GCC Countries

President Obama’s recent Executive Order No. 13636, issued February 12, 2013, places data privacy and cyber security as lead initiatives for critical infrastructure sectors, such as financial services, health services, and energy. Data privacy and cyber security are hot topics globally. In the U.S., data privacy and cyber security regulations are challenging and vast. The EU has stringent privacy laws as well. Today, nearly every industry sector is touched by data privacy regulations, threats, and demands, and is therefore also liable for breaches or other non-compliance when things go awry.

Many companies fail to routinely audit their compliance situation or Information Technology operations. Many do not have a breach or notification plan in place. Further, high-level executives and boards often fail to review cyber security, privacy, and risk management as part of good corporate governance operations or policies. Because financial services and energy are two prime critical infrastructure sectors that attackers target, Gulf Cooperation Council (GCC) countries and the companies operating in the region are particularly vulnerable. A Gulf Business Machine (GBM) survey of regional IT professionals revealed that 35 percent of all cyber crime and breaches resulted from an organization’s own internal employees. Social media was noted as a primary source of attack. Other attacks come from external hackers. In 2012, hackers linked to the government of Iran attacked data and disabled 30,000 computers at Aramco, thereby causing millions in damages.

In the U.S., civil and criminal liability is on the rise as class actions have mounted for breaches involving Personally Identifiable Information (PII). State and federal investigations and prosecutions for noncompliance are on the rise in nearly every industry, including financial services, health services, manufacturing, and energy. Energy companies and financial institutions are particularly vulnerable to cyber attacks, and the targets may vary from customer information to company secrets. Energy companies are routinely targeted by insiders, foreign governments, organized crime, or competitors seeking corporate secrets and intelligence, control over critical industrial control systems, or other data or intellectual property. The most widely known attack against U.S. oil and gas companies was by China through use of its Night Dragon. Night Dragon was launched to steal confidential information from major U.S. energy companies, at least one of which said it was not aware of any successful attacks.

Because the energy and financial sectors are prime targets for data and cyber attacks, a strong compliance program and breach plan are crucial to prevention, mitigation of losses, and protection of a company’s reputation. Billions of dollars a year are routinely lost by companies simply in stolen intellectual property. Mitigating exposure to liability as a result of data security breaches can save millions per year in lost assets or reputation, intellectual property, customer information, fines, or other damages. The risks are even more dire for energy companies, where an attack could result in an oil spill or other environmental damage, prolonged power outages, and loss of life.

Threats and attacks from outside hackers are usually what come to mind when one thinks of data and cyber protection. What most are not aware of, however, is that the bulk of threats actually come from inside a company: disgruntled employees, poorly trained employees, poor compliance controls, poor oversight of employees with access to sensitive information, and employees who are interested in selling competitive corporate intelligence for whatever reason. The actual number of breaches and other cyber crimes by insiders is much higher than the GBM survey indicates, and most incidents are unreported, confidential, or undiscovered.

Information technology personnel cannot shoulder the risks alone, and they are not equipped to conduct assessments and analysis the way regulatory attorneys are. Even the best IT personnel and management need legal guidance and assistance in investigating breaches and attacks. Legal representation at every level of compliance activities and investigation is the best insurance for successful mitigation and management of risks. It is imperative that outside counsel be involved in routine audits and assessments of compliance review and development, in training, and in the development of a solid breach plan. Cyber and privacy insurance rarely covers liability or damages for breaches in all scenarios. Compliance will always remain cheaper than the losses a company may suffer in stolen property or loss of reputation.

Teresa N. Taylor is Of Counsel at Akrivis Law Group, PLLC in Washington and is an Adjunct Faculty member at Georgetown University Law Center. Her professional biography is available here.