Part A: Crisis Management
Overall, “of the twenty-five largest financial institutions in the United States at the start of 2008, thirteen either failed (Lehman, Washington Mutual); received government assistance to avoid failure (Fannie, Freddie, AIG, Citi, Bank of America); merged or were acquired to avoid failure (Bear, Countrywide, Merrill Lynch, Wachovia); or transformed their business structure and raised private capital to avoid failure (Morgan Stanley, Goldman Sachs)”.129 The vast majority of this occurred through ad hoc government action that stretched the authority of institutions like the Fed beyond what was previously thought possible.130 As Former Federal Reserve Chairman Paul Volcker said at the Economic Club of New York in April 2008:
Simply stated, the bright new financial system—for all its talented participants, for all its rich rewards—has failed the test of the market place. To meet the challenge, the Federal Reserve judged it necessary to take actions that extend to the very edge of its lawful and implied powers, transcending certain long embedded central banking principles and practices. The extension of lending directly to non-banking financial institutions—while under the authority of nominally “temporary” emergency powers—will surely be interpreted as an implied promise of similar action in times of future turmoil. What appears to be in substance a direct transfer of mortgage and mortgage-backed securities of questionable pedigree from an investment bank to the Federal Reserve seems to test the time honored central bank mantra in time of crisis—“lend freely at high rates against good collateral”—to the point of no return.131
The Dodd-Frank Act made changes to the Federal Reserve’s emergency authority by prohibiting its use for insolvent firms, requiring the Fed to develop emergency lending procedures and assign lendable value to its collateral, and imposing consultation and reporting requirements designed to improve accountability.132 In addition, the Fed’s capacity to invoke emergency authority was modified under Dodd-Frank to be subject to the approval of the Secretary of the Treasury.133
Did the government assistance programs during the crisis create or exacerbate a problem of moral hazard in the financial industry? If the crisis was, as Bernanke suggests, a “classic financial panic,” is reform enough to prevent a future crisis?
Will a government backstop (e.g., the role of the Fed as the Lender of Last Resort) always be necessary? What are the potential pitfalls of the changes Dodd-Frank made to the emergency authority of the Fed?
Former Treasury Secretary Larry Summers says that “[a] competent lender of last resort—in Bagehot’s sense of one who lends freely at a penalty rate against good collateral—actually turns a profit, as the IMF did in its response to the financial crises of the 1990s.”134 Do the Treasury and the Fed’s actions during the crisis qualify for this standard?
What could have been done differently? Should Lehman have been “allowed to fail,” as the popular narrative goes, where Bear and AIG were not?
What is meant by “systemically significant”? Is it determined simply by the risk to the system if the institution fails? Or are there positive contributions to the global financial system by the existence and scale of the SIFIs?
Part B: Long-term financial market reform
Former FDIC Chair Sheila Bair argues that under Dodd-Frank, taxpayer bailouts are “completely prohibited,” and that the problem of Too Big to Fail has been abolished. Meanwhile, U.S. Senator Elizabeth Warren argues that the problem of Too Big to Fail has only gotten worse, pointing to the evidence that today, the four biggest banks are 30% larger than they were five years ago. U.S. Senator Sherrod Brown also thinks that “too big to fail is alive and well,” not because of the size of the institutions but because the biggest banks have yet to submit credible living wills to the FDIC.135
What does “too big to fail” (TBTF) mean? What should be the primary concern—size of institutions or possibility of taxpayer-funded bailouts? Can the two be separated? Has the TBTF problem been solved? Will it be solved once banks submit living wills that are deemed sufficient by the Fed and the FDIC?
The reform effort has created some tension between efforts to coordinate regulatory reform at the international level (that is, a focus on cross-border regulation) and efforts to maintain the safety and soundness of domestic financial systems. While Dodd-Frank exhorts U.S. regulators to coordinate with their foreign counterparts, it also includes enhanced powers for them to oversee and terminate operations of foreign financial institutions in the United States.136 Under this authority, the Federal Reserve is in the process of finalizing a rule that will require a foreign banking organization with $50 billion or more in U.S. assets to place virtually all of its U.S. subsidiaries in a U.S. intermediate holding company (IHC). The IHC will be subject to U.S. Basel III, capital planning, Dodd-Frank stress testing, liquidity, and risk management requirements.137 Some have called this a new form of “financial protectionism” that will force foreign banks to “ring-fence” their capital or assets within a jurisdiction and lead to a “Balkanization” of banking activity, as financial institutions will shift away from international activity.138
How should regulators think about balancing the need to mitigate the vulnerabilities created by a highly interconnected global financial system with the desire to preserve the benefits of interconnectedness, such as the ability to share risks across a variety of jurisdictions?
The end of the financial crisis has not been accompanied by an end of alleged wrongdoing at some of the world’s largest financial institutions. Perhaps most notably, the LIBOR scandal (and associated rate-rigging scandals) revealed that traders continued to manipulate global interest rates even after 2008.139 New York Fed President Bill Dudley said in a speech that enhancements to the current regulatory regime “may not solve another important problem evident within some large financial institutions—the apparent lack of respect for law, regulation and the public trust.”140
What issues within the financial industry has the post-crisis reform effort not addressed? The difficulty of imposing regulatory convergence across national boundaries? Is compensation a problem? What can be done about it? What about the Balkanized structure of regulatory authority in the US?
Is culture something that can be changed? How would you change it? How would you deal with the problems of repeated ethical lapses such as the allegations of collusion in setting rates, the incidence of fraud, the number of regulatory breaches; the challenge of assuming effective risk management, compliance and controls?
What about the competition for talent and the culture within regulatory or supervisory institutions? Are concerns of regulatory capture in the financial industry the same, better, or worse than in other industries? What can or should change in this regard?
In a response to Judge Rakoff’s piece, one corporate lawyer wrote:
[U]nder present corporate and securities law, horrible management of a financial institution is not a civil wrong, much less a crime, so long as appropriate procedural steps were taken and there was adequate disclosure to investors of the risks associated with the practices and transactions in question. . . . Without a doubt, there were far too many sloppy and reckless business practices leading up to the 2008 meltdown. . . . There was also far too little oversight of the persons responsible for these practices by their ostensible superiors on boards of directors and in upper management. However, under our present system of corporate and securities laws, there is a fundamental difference between reckless practice and fraud. . . . ([M]ore) high-level executives have not been prosecuted because they have not committed crimes or civil wrongs as the law now stands.141
Judge Rakoff replied:
[M]anagement, that is, executives, have been the subject of numerous private and regulatory lawsuits in the wake of the financial crisis, in a great many of which they have accepted judgments against them, even if not admitting liability. To note just the most prominent example, in June 2009 the SEC (which has no power to bring criminal prosecutions) brought a civil action against Countrywide Financial Corporation’s three most senior executives—Angelo Mozilo, David Sambol, and Eric Sieracki—accusing them of falsely and intentionally misrepresenting the quality of Countrywide’s mortgage-backed securities over a period of several years. Four days before the case was scheduled to go to trial, the defendants settled, with Mr. Mozilo agreeing to pay $67.5 million. . . . Although, in accordance with the SEC’s policy at the time, the defendants were permitted to settle “without admitting or denying” the allegations of fraud, one is left to wonder why the Department of Justice did not bring a parallel criminal case.142
Is financial regulatory reform enough? Does this argue for a fundamental revision of U.S. corporate laws? Or would it be enough for, as Judge Rakoff suggests, the Department of Justice to undertake criminal prosecutions that parallel the SEC’s civil enforcement actions?
Before Class 1
Please read the assigned articles below and either (1) respond to one of the discussion questions from part A or (2) write about some aspect of crisis management that interests you and that you would like our discussion to cover (in particular, you might consider how to improve culture in order to respond to another future crisis). Send your response to this question to Professor Kaden (lewis.kaden@gmail.com) the day before Class 1 by 9:00 pm.
V. Reading list
Helpful Background Materials.
The following readings are especially helpful in explaining some of the technical concepts in this module:
James B. Stewart, “Eight Days: The battle to save the American financial system,” The New Yorker (September 21, 2009).
Alan Blinder, “After the Music Stopped: The Financial Crisis, the Response, and the Work Ahead” (2013).
Chapter 1: “What’s a nice economy like you doing in a place like this?”
Chapter 6: “The Panic of 2008”
Chapter 10: “It’s Broke, Let’s fix it: The need for Financial Reform”
Glossary of Financial Crisis Terms, Federal Reserve Bank of Boston (Revised April 2011).
Rose, C., & Sesia, A. (2009). What Happened at Citigroup? (Rev. July 20, 2009)
HBS No. 9-310-004. Boston, MA: Harvard Business School Publishing
Hon. Jed Rakoff, “Why Have No High-Level Executives Been Prosecuted?”
Ben Bernanke, “The Crisis as a Classic Financial Panic” (Speech of November 8, 2013)
Stanley Fischer, “Financial Sector Reform: How Far Are We?” (Speech of July 10, 2014)
Sheila Bair, “Dodd-Frank really did end taxpayer bailouts,” Washington Post (May 28, 2013)
Lawrence Summers, “Beware Moral Hazard Fundamentalists,” Financial Times (Sept. 23, 2007)
Cline and Gagnon, “Lehman Died, Bagehot Lives: Why did the Fed and Treasury Let a Major Wall Street Bank Fail?” PIIE Policy Brief, September 2013.
FCIC Conclusions, January 2011
FCIC Dissenting Statement, January 2011.
Simon Johnson and James Kwak, “Policy Advice and Actions during the Asian and Global Financial Crises” (Chapter 5 of Responding to Financial Crisis: Lessons from Asia Then, the United States and Europe Now, edited by Changyong Rhee and Adam S. Posen, published by the Peterson Institute for International Economics and the Asian Development Bank).
Timothy Geithner, “Stress Test: Reflections on Financial Crises”—pp. 176-186; 190-195; 202-206; 255-257
Daniel K. Tarullo, “Good Compliance, Not Mere Compliance” (Speech of October 20, 2014)
William C. Dudley, “Enhancing Financial Stability by Improving Culture in the Financial Services Industry” (Speech of October 20, 2014)
Financial Times, "Why Wells Fargo is a watershed moment for clawbacks" (2016) https://www.ft.com/content/33a8e0ae-856d-11e6-8897-2359a58ac7a5.
Financial Times, “Wells Fargo sham-accounts scandal lifts lid on ‘ridiculous’ cross-selling” (2016) https://www.ft.com/content/32b989ac-870f-11e6-a75a-0c4dce033ade.
Wall Street Journal, “Lawmakers Take More Swings at Wells Fargo CEO John Stumpf” (2016) http://www.wsj.com/articles/lawmakers-take-more-swings-at-wells-fargo-ceo-john-stumpf-1475171906.
Bloomberg, “Stumpf’s Bad Day: A Summary of Lawmakers’ Withering Attacks” (2016) http://www.bloomberg.com/news/articles/2016-09-29/stumpf-s-bad-day-a-summary-of-lawmakers-most-bitter-attacks.
Optional resources
“Margin Call,” Lions Gate Films, Inc., 2011. Film
“The Big Short,” Paramount Pictures, 2015. Film
“The Giant Pool of Money,” Transcript, This American Life, NPR, (originally aired May 5, 2008). Audio: http://www.thisamericanlife.org/radio-archives/episode/355/the-giant-pool-of-money
Before Class 2
Based on the group assignments below, each group should please write a brief memo answering the assigned question. Please upload your group memo into the "assignments" folder on iSites by Tuesday at 9 pm.
There are three questions below. For each question, two groups will prepare a memo, one from the perspective of a federal agency (regulator) and one from the perspective of a financial institution (general counsel or CEO).
Group 1: Question 1 - federal agency
Group 2: Question 1 - financial institution
Group 3: Question 2 - federal agency
Group 4: Question 2 - financial institution
Group 5: Question 3 - federal agency
Group 6: Question 3 - financial institution
1. How do you assess or grade the key reforms adopted in Dodd-Frank and its implementation to date? Five years after Dodd-Frank's passage, what gaps or revisions must still be addressed?
2. How would you improve the culture of financial institutions? How would you bolster reputation and improve performance under conditions of severe financial stress?
3. How can financial institutions and regulators deal with the competition for talent? To the extent you think it important, how can we achieve greater international convergence of rules and standards? In your answer, please include your thoughts on compensation.
CYBER SECURITY
Prime Oil & Gas (“Prime”) is a multi-billion dollar, multinational public oil and gas company, headquartered in the U.S. and with customers primarily in the U.S. and Europe. Prime’s business includes oil and gas exploration, refining, export, and delivery to customers. Recently, Prime has been growing its natural gas business due to the shale-gas and fracking boom in the United States. However, the U.S. cannot absorb all of the natural gas supply because the U.S. infrastructure is primarily set up for oil and gasoline, not natural gas. Prime has been looking to other markets to profit off its accumulated supply of natural gas.
In contrast with the U.S., Europe’s energy infrastructure is designed largely for natural gas consumption. Russia, the second largest natural gas producer after the U.S., supplies much of Europe’s natural gas needs, and the Russian oil and gas companies transport the gas to Europe by pipeline. Russia charges high prices for the natural gas it sells to the Europeans, and given recent tensions between Russia and Europe over Ukraine, the Europeans are now more than ever looking for ways to become less dependent on Russia for their energy needs. The U.S. government would also like to see Europe become less dependent on Russia to fulfill its energy demands so that Europe can join the United States in taking a harder line against Russia, particularly by imposing sanctions against Russia.
U.S. energy companies have already been taking steps to enter the European natural gas market and compete with Russia. Technology exists to liquefy natural gas, which makes it possible to transport and thus export the liquefied natural gas (LNG) to Europe. The process requires a liquefaction facility that cools the gas to transform it into liquid, special double-hulled ships to keep the LNG sufficiently cool to stay in liquid form, and regasification facilities to return LNG to its gaseous state. U.S. LNG is cheaper than Russian LNG because natural gas is so plentiful in the U.S. Therefore, Russia is carefully watching the developments in the U.S. natural gas sector.
Prime sees a huge business opportunity in selling LNG to its European customers. Particularly now that the Transatlantic Trade and Investment Partnership, a free trade agreement between the European Union and the United States, is in negotiation, Prime is making plans to increase its business in Europe. Prime already has one liquefaction and another regasification facility and has started selling LNG in Europe. However, one of the challenges to this new line of business is that the liquefaction and regasification process is extremely expensive and dangerous. Prime has wanted to expand by building additional facilities in both the U.S. and Europe, but it has had significant trouble finding a location for these facilities because local communities and governments do not want these plants in their backyards. To address this issue, Prime put its research and development team to work to develop new technology that would enable them to convert natural gas into LNG and vice versa in a more cost-effective, safer and environmentally friendly way. Prime succeeded in making these highly innovative chemical and engineering advances, and although the technology is still a secret, the company is now ready to implement this technology in order to export natural gas to Europe as a major competitor. Prime will offer lower prices with a safer regasification process, a major blow to Russia’s energy business in Europe.
Prime also plans to leverage its new technology by partnering with foreign gas companies. Prime has almost completed negotiations to form a joint venture with a gas company in Qatar and a gas company in Turkey. Qatar has a large natural gas supply and is close to Europe, and Turkey is the starting point for the recently completed Nabucco-West gas pipeline to Europe. Qatar already has one facility to liquefy natural gas for export, but Qatar now wants to partner with Prime to use Prime’s new technology for a second liquefaction facility in order to increase its exports. Like Prime, Qatar recognizes that there is high demand for natural gas in Europe, especially given Europe’s desire to diversify its energy source beyond Russia. Turkey wants to partner with Prime in order to build a regasification plant to increase the volume of natural gas exported to Europe through its pipeline. Turkey, too, recognizes that it would benefit from finding additional natural gas suppliers given worsening relations between Europe and Russia.
Prime had some strategic concerns about the joint venture, but has decided to move ahead with the deal. Prime was concerned that by increasing Qatar’s ability to export, it might be creating another natural gas competitor in Europe, which could hurt Prime’s natural gas exports to Europe. There had also been concerns that the transaction would raise issues with the Committee on Foreign Investment in the United States (CFIUS), the U.S. government agency which reviews the national security implications of foreign investments. The region has recently been volatile given the Arab uprising, fighting in the Middle East, and the conflict in Ukraine, so the transaction could have raised national security concerns. Moreover, the joint venture will give Turkey and Qatar information about Prime’s computer systems, possibly making the company vulnerable to hacking. The companies have not yet created the joint venture, nor has Prime shared its technology, but the deal is nearly sealed.
However, Prime is facing a major PR challenge. Groups like the Sierra Club have been increasingly vocal against energy companies like Prime that are expanding their fracking and natural gas production, raising concerns about the impact on the water supply and recent data indicating that the use of natural gas and the LNG production process increases carbon emissions. These issues have recently been picked up in the media and by government officials. This is not a good time for Prime to be facing heightened criticism given its priority on implementing its new LNG liquefaction and regasification technology.
To make matters worse, Prime’s website was recently hacked by Anonymous, a notorious group of hackers that frequently hack as a form of protest. The hackers did not inflict any permanent damage to the company, but they placed images of skulls and crossbones, explosions, and dying polar bears all over Prime’s website. It took the company twenty-four hours to remove the images. U.S. federal prosecutors managed to identify, arrest, and indict the particular hackers who engaged in the attack on Prime—a huge coup for the government given the difficulty in identifying these hackers. The convicted hackers face several years in jail. Prime is still facing significant PR backlash on environmental issues, and the company must decide how it wants to respond to the news of the hackers’ indictment.
However, Prime is also facing some more serious hacking troubles. Prime detected a breach in its servers where it stores sensitive information, including the designs for its new technology to convert natural gas for export more safely and cost efficiently. The company suspected that the hackers gained access to those designs, and it considered whether to report the breach to government authorities. Prime’s CEO made the decision to notify U.S. law enforcement and agreed to give the FBI and NSA full access to its computer systems so that the government could attempt to trace who these hackers were. The government discovered that a group of Russian government-sponsored hackers were responsible for infiltrating Prime’s computer systems and that they had taken information regarding Prime’s new technology. Prime has also realized that this attack happened one day after the U.S. imposed a new round of sanctions against Russia in response to Russia’s latest actions in Ukraine.
Prime is now concerned about what it can do to protect its very valuable LNG technology. Prime’s technology team has begun to find its designs for the LNG technology appearing on black market web sites based in the Isle of Man, Gibraltar, and Belarus. The company is seeking some way to block these sites and prevent the further spread of its confidential, valuable technology. Prime is frustrated that it has become a pawn in the U.S.-Russia geopolitical struggles, and it wants support from the U.S. government in protecting its intellectual property.
At the request of the U.S. government, Prime refrained from disclosing the hack and the theft to its shareholders for three weeks in order to facilitate the government’s efforts to identify the hackers by not tipping them off. However, Prime now faces an inquiry from the U.S. Securities and Exchange Commission (“SEC”) for not disclosing the breach sooner to shareholders. The company had made a general announcement one week before the hack that it was going to implement a new technology that made LNG production safer and less expensive. The SEC claims that shareholders have been hurt because they bought Prime stock at an artificially inflated price in the period between the hack and its disclosure. Prime wants to defend itself by arguing that the only reason it did not make the disclosure was that U.S. law enforcement officials asked it not to do so.
The Qatari and Turkish gas companies have now also learned of the breach at Prime and that this much coveted natural gas liquefaction and regasification technology is no longer proprietary. Both companies have started to delay the deal closing on the joint venture, offering public explanations that Prime knows are not the real reasons for their newfound hesitation. Prime has heard from unofficial sources that both Qatar and Turkey are now possibly in talks with Russia about a partnership—indicating that they may be leaning toward siding with Russia in the larger geo-political struggle. This is certainly very worrisome for Prime, which is beginning to think it may have taken too great a risk in moving forward with the joint venture, but it is also of major concern to the U.S. State Department.
At the same time, Prime is also facing a lawsuit by the Federal Trade Commission (“FTC”) as a result of the Russian hack. In addition to Prime’s intellectual property, the hackers stole Prime’s customers’ personal data. Because Prime’s business includes heating oil and gas delivery to homeowners in the U.S. and Europe, Prime offered its customers a mobile device application that enables customers to remotely check their heating oil and gas supply and to order more. The Russian hackers were able to access customers’ names, addresses, and phone numbers through their mobile devices using Prime’s mobile application. If a Prime customer did not have the mobile application, his or her personal information was not taken. Nevertheless, the FTC has sued Prime for 1) deceiving the public by overstating the effectiveness of its cyber security, and 2) engaging in unfair business practices (i.e. investing inadequately in cyber security) that caused substantial injury to consumers that the consumers could not reasonably avoid themselves. Prime thinks it may be able to challenge the suit given that there is no indication yet that customers’ personal information has been shared by the hackers, no credit card information or social security numbers were stolen, and given that the information was removed from customers’ phones, arguably placing the burden of protecting personal information on the individual.
Just a few months ago, Prime’s future looked bright as it was about to break into the European market as a major competitor with its new technology. Now, despite its best efforts to implement cyber security, its intellectual property has been stolen as part of a larger geopolitical struggle, it faces lawsuits from several government agencies, and its public image has suffered an even larger blow. In considering how to address all these new problems and the prospects for its future ahead, Prime is contemplating pressing the U.S. government for increased cyber security support for U.S. companies, including subsidies for cyber security investments and legislative changes to enable U.S. companies to employ self-help measures to investigate and neutralize cyber-attacks.
Before Class 1
Please read the 3 background pieces and all the articles from the reading subsections to which you are assigned and respond to one of the discussion questions that follow. Send your response to this question to Professor Kaden (lewis.kaden@gmail.com) the day before Class 1 by 9:00 pm.
You may also choose to review the articles in the optional “recent controversies” section.
Reading Assignments – Class 1.
U.S. and China cybersecurity relations [Groups 1-2]
Privacy at stake: cyber theft of personal information [Groups 3-4]
Denial of service attacks (DOS): “hacktivism,” warfare, and financial motivations [Groups 5-6]
Readings - Class 1
Cybersecurity Background
David Clark, Thomas Berson, and Herbert S. Lin, At the Nexus of Cybersecurity and Public Policy, The National Academies Press.
Verizon, 2015 Data Breach Investigations Report, April 2015.
McAfee, The Economic Impact of Cybercrime and Cyber Espionage, Center for Strategic and International Studies, July 2013.
U.S. and China cybersecurity relations
The Wall Street Journal, What’s Next for the U.S. and China in Cybersecurity, July 5, 2016.
Economic Espionage and Trade Secret Theft: An Overview of the Legal Landscape and Policy Responses.
The Washington Post Editorial Board, The U.S. needs to tame the cyber-dragon, February 14, 2013
Edward Wong, U.S. Case Offers Glimpse Into China’s Hacker Army, The New York Times, May 22, 2014
Shane Harris, Exclusive: Inside the FBI’s Fight Against Chinese Cyber-Espionage, www.foreignpolicy.com, June 18, 2014
Adam Segal, Department of Justice Indicts Chinese Hackers: What Next, Council on Foreign Relations, May 19, 2014
Adam Segal, Chinese Cyber Espionage: We Know the Who, How, Why, and Why it Matters – We’re Missing the What to Do, Council on Foreign Relations, June 11, 2014
Nicole Perlroth, Russian Hackers Targeting Oil and Gas Companies, The New York Times, June 30, 2014
Jack Goldsmith, More Questions About the USG Basis for Complaints about China’s Cyber Exploitations, Lawfare, May 30, 2013
Michael Riley, How the U.S. Government Hacks the World, Bloomberg Businessweek, May 23, 2013
Kristine Kwok and Stephen Chen, Snowden effect changes US-China dynamic on cybersecurity, U.S. China Perception Monitor, June 17, 2014
Privacy at stake: cyber theft of personal information
Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, Bloomberg Businessweek, March 13, 2014
The White House, Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values, May 2014.
Mark Scott, Europe Urges U.S. to Handle Data Private With Care, The New York Times, November 27, 2013
David Jolly, European Union Takes Steps Toward Protecting Data, The New York Times, March 12, 2014
Denial of service attacks (DOS): “hacktivism,” warfare, and financial motivations
EconoTimes, New cryptocurrency ‘DDoSCoin’ incentivizes users for participating in DDoS attacks, August 15, 2016
Somini Sengupta, The Soul of the New Hacktivist, The New York Times, March 17, 2012
John Markoff, Before the Gunfire, Cyberattacks, The New York Times, August 13, 2008
Nicole Perlroth and Quentin Hardy, Bank Hacking Was the Work of Iranians, Officials Say, The New York Times, January 8, 2013
William J. Broad, John Markoff and David E. Sanger, Israeli Test on Worm Called Crucial in Iran Nuclear Delay, The New York Times, January 15, 2011
Nicole Perlroth and David E. Sanger, Nations Buying as Hackers Sell Flaws in Computer Code, The New York Times, July 13, 2013
Nicole Perlroth, Cybercriminals Zero In on a Lucrative New Target: Hedge Funds, The New York Times, June 19, 2014
Noah Hampson, Hacktivism: A New Breed of Protest in a Networked World, 35 B.C. Int'l & Comp. L. Rev. 511 (2012)
Recent Cybersecurity Controversies [Optional]
Nicole Perlroth, Sony Pictures Computers Down for a Second Day After Network Breach, The New York Times, November 25, 2014.
Brooke Barnes and Nicole Perlroth, Sony Pictures and F.B.I. Widen Hack Inquiry, The New York Times, December 3, 2014.
Press Statement by White House Secretary of State, John Kerry, Condemning Cyberattack by North Korea, December 19, 2014.
David Sanger and Martin Fackler, N.S.A. Breached North Korean Networks before Sony Attack, Officials Say, The New York Times, January 19, 2015.
David E. Sanger and Julie Davis, Hacking Linked to China Exposes Millions of U.S. Workers, The New York Times, June 4, 2015.
Discussion Questions
Should the hacks of protest organizations such as Anonymous be treated as part of free speech? In the case study, the Anonymous hack only harmed Prime’s public image; it did not result in the theft of any of Prime’s property. Should we treat “protest” hacking differently from other types of hacking?
Why would the U.S. government indict foreign nationals when it is unclear whether it will be able to prosecute them? Do you think this was wise on the U.S.’s part given the U.S.’s own cyber espionage? Is the U.S.’s public position on China’s or Russia’s cyber espionage valid? Why? In the case study example, should the U.S. government bring charges against the Russian hackers?
What options are available to Prime after a cybersecurity breach? What risks does the company face? What, if any, should be the limits of corporate civil liability for cybersecurity breaches where customer information is stolen, as in the Target case or customer funds are taken, as in the case of hedge fund hacking? How should policy makers allocate responsibility in this rapidly changing environment? Is there a significant role for regulation? For insurance? For diplomatic solutions through trade and investment treaties? Should these be pursued on a multi-lateral global basis, through regional negotiations or as bilateral agreements?
Compare EU and U.S. privacy law. What are the pros and cons of each approach?
What should a company do if it were to face a conflict in its ability to simultaneously abide by EU and US privacy law?
Should the private sector cooperate with the government on cybersecurity issues? To what extent? What are the advantages and disadvantages of a company disclosing to the government that it has suffered a cyber-attack? What should a company do if it gets conflicting messages from different parties of the U.S. government, like Prime in the case study? Should there be a formal protocol for private companies to report hacking to the U.S. government? What would the protocol require?
Should private companies take matters into their own hands to rebuff cyber-attacks? Should they launch counter-attacks? Should they attempt to identify the hackers, such as determining whether the hackers are private parties or government-sponsored? What are the risks of companies taking counter-measures in response to a cyber-attack? Should the law protect such countermeasures?
What should a private company do if it believes it was attacked by entities that are part of or affiliated with a foreign government as part of a geopolitical struggle? Does your view of a company’s obligation or options depend on whether you believe the hackers were driven by geo-political strategy, economic gain or other interests? Does a private company have any way to avoid becoming a victim in geopolitical conflicts or international criminal behavior?
To what extent is it possible to protect intellectual property in today’s rapidly changing technology landscape? How does this affect innovation?
How can the government effectively legislate in an area such as cybersecurity, which evolves almost daily? In the absence of formal legislation on cybersecurity, does the guidance that agencies like the DOJ produce suffice to guide companies in the face of cyber-attacks? Which agencies should get a say in formulating such ‘guidance’ for companies?
Should government regulators bring enforcement actions against companies that have lost customer personal information in a cyber-attack? Can a company use its compliance with the DOJ guidelines, for example, as an affirmative defense when it faces charges for data loss after a cyber-attack? On the other hand, can a company’s non-compliance with such guidelines be used against it in enforcement actions?
Should companies be required or incentivized to invest more in cybersecurity? Should certain companies receive a greater subsidy or incentive to increase cybersecurity protections because of the nature of their technologies or data and the likely motivations of those responsible for the breach?
Do individuals have responsibility for the personal information accessible on their mobile phones? Should Prime be liable in private lawsuits for stolen customer information where the information was stolen from customers’ phones and not directly from Prime’s servers?
Should there be a coordinated global response to cyber-attacks against private entities? What would the response entail?
Should the government use cyber as a tool for intelligence gathering or for other offensive purposes and also seek to protect its public and private entities from cyber attacks?
Before Class 2
Reflecting on the new readings and on the readings/discussion from class 1, each group should prepare a brief memo that prioritizes provisions for federal legislation on their assigned topic: IP theft, consumer privacy, and security (including denial of service attacks). Group assignments are the same as for class 1. Please send your memos directly to Professor Kaden (lewis.kaden@gmail.com) by 9:00 pm.
In addition, you may also consider: To what extent must Congress act to address cyber security challenges? In the absence of congressional action, to what extent may the President act unilaterally to address cyber security breaches or attacks? What can/should states and private businesses do?
Aside from the memo, everyone should also please read the following short articles relating to the recent U.S.-China cyber agreement and consider the following questions: Why did Washington and Beijing make this deal? What did each government achieve? Did China agree to change its behavior in any meaningful way? Given news reports of China’s continued IP theft after the deal, can we expect any change in China's behavior?
Required
Goldsmith, Jack. “What Explains the U.S.-China Cyber ‘Agreement’?” Lawfare, September 26, 2015.
Nye, Joseph. "The World Needs New Norms on Cyberwarfare," Washington Post, October 1, 2015.
Ellen Nakashima. "China Still Trying to Hack U.S. Firms Despite Xi's Vow to Refrain, Analysts Say," Washington Post, October 19, 2015.
Mandiant Report, Executive Summary (pp. 2-6).
Optional
Significant Cyber Events Since 2006, Center for Strategic & International Studies
Sanger, David. “Cyberthreat Posed by China and Iran Confounds White House,” New York Times, September 15, 2015.
Perlroth, Nicole. “Online Attacks on Infrastructure Are Increasing at a Worrying Pace,” New York Times, October 14, 2015.
Readings - Class 2
How do we and should we respond to cybersecurity breaches? How should the private sector cooperate with the government?
Preet Bharara, Asleep at the Laptop, The New York Times, June 3, 2012
William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Editors, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of CYBERATTACK CAPABILITIES, National Research Council of the National Academies, pp. 202-213
Ian Urbina, Hacker Tactic: Holding Data Hostage, Hackers Find New Ways to Breach Computer Security, The New York Times, June 21, 2014
Paul A. Ferrillo, Weil, Gotshal & Manges LLP, Cybersecurity, Cyber Governance, And Cyber Insurance: What Every Public Company Director Needs to Know, The Metropolitan Corporate Counsel, June 16, 2014
Nicole Perlroth and Elizabeth A. Harris, Cyberattack Insurance a Challenge for Business, The New York Times, June 8, 2014
Haynes and Boone, A Desk Guide to Data Protection and Breach Response
Paul Rosenzweig, The Most Important Cybersecurity Case You’ve Never Heard Of, Lawfare, May 29, 2013
Brent Kendall, Ruling Rejects Hotelier Wyndham’s Claim That Agency Lacks Power Over Cybersecurity Practices, The Wall Street Journal, April 7, 2014
Sidley Austin LLP, SEC Launches Cybersecurity Examination Initiative – Promoting Cyber Preparedness, April 24, 2014
Sidley Austin LLP, White House Releases NIST Cybersecurity Framework, February 13, 2014
King & Spalding, Five Things Every In-House Counsel Should Understand About The NIST Cybersecurity Framework, February 25, 2014
Optional: The Report of the Commission on the Theft of American Intellectual Property, The IP Commission Report, The National Bureau of Asian Research, May 2013
Reuters, U.S. senators push ahead with cybersecurity legislation, Thomson Reuters, June 17, 2014
Melissa E. Hathaway, Change the Conversation, Change the Venue and Change Our Future, Centre for International Governance Innovation, May 13, 2013.
Executive and Legislative developments in U.S. Cybersecurity
The White House, Securing Cyberspace – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts, January 13, 2015
The Department of Justice, Sharing Cyber threat information under 18 USC §2072(a)(3), May 9, 2014.
The Department of Justice and the Federal Trade Commission, Antitrust Policy Statement of Sharing Cybersecurity Information, April 10, 2014.
The Department of Justice, Cybersecurity Unit, Best Practices for Victim Response and Reporting of Cyber Incidents, April 15, 2015.
MULTIJURISDICTIONAL LAW ENFORCEMENT:
PUBLIC-PRIVATE REGULATORY REGIMES
Japan Tobacco International (JTI) Case
A. International Cigarette Smuggling
In the late 1990s, many countries were being flooded with smuggled cigarettes, especially popular American brands such as Camel and Marlboro.143 Because American cigarettes were often subject to high taxes and import duties, smugglers began buying these cigarettes in countries where they were not heavily taxed, such as Ukraine and Panama, and smuggling them into higher-tax countries like Colombia, Spain, and Italy.144 Smuggled brand name cigarettes could be sold at a much cheaper price than their legally imported counterparts, while still earning substantial profits and leading to increased market share over other brands and local competitors.145 Targeted countries were concerned for several reasons. First, cigarette smuggling cost governments billions of dollars in lost tax revenue.146 Second, countries believed that tobacco smuggling was linked to organized terrorism, organized crime, and drug money laundering.147
B. Europe and Colombia Go to Court
To combat the problem of cigarette smuggling, the targeted countries went to court. Colombia, various European countries and the European Community (EC) brought multiple civil suits in U.S. federal court against large tobacco companies like Philip Morris, R.J. Reynolds, British American Tobacco, and Japan Tobacco International.148 Led by a Florida lawyer, Kevin Malone, who had made a career of representing plaintiffs in air-crash class action litigation,149 Colombia and the European Community, on behalf of itself, brought nearly identical suits in the Eastern District of New York in 2000.150 The plaintiffs claimed that the tobacco companies had violated the federal Racketeer Influenced and Corrupt Organizations Act (RICO) and were also liable under various state common law causes of action.151 The plaintiffs alleged that the tobacco companies intentionally over-supplied certain markets knowing that the cigarettes would be smuggled into Colombia and Europe,152 actively conspired with smugglers and assisted them in their smuggling activities,153 and knew their smuggling activity was tied to organized crime and drug money laundering.154 For their part, the tobacco companies insisted they were equally victims of cigarette smuggling. They argued that many of the supposedly brand name cigarettes were, in fact, cheap counterfeits that threatened to undercut their sales and valuable brand names.155 The district court, however, never ruled on the substance of these smuggling allegations. In July 2001, the court dismissed the European Community’s initial complaint on technical standing grounds. It found that the European Community’s alleged injury (a reduced budget resulting from member states’ inability to collect tax revenue) did not flow from the defendant’s alleged violations of RICO law, at least for the purposes of standing.156 The European Community wasted no time in returning to court, bringing a second suit a few weeks later.
To circumvent the standing issue, this time the European Community was joined by various European Community member states, who could assert an injury sufficient to support standing under RICO.157 This suit was again joined to the Colombian suit.
In February 2002, the district court dismissed the combined European and Colombian lawsuits on standing grounds, this time finding that the U.S. federal courts lack the power to adjudicate alleged violations of foreign tax law, or what is known as the “revenue rule.”158 As the district court explained, “[t]he revenue rule provides that courts of one sovereign will not enforce final tax judgments or unadjudicated tax claims of other sovereigns”159 unless the rule is either abrogated by treaty160 or “the plaintiff can show adequate manifestation of executive and legislative will sufficient to allay the foreign relations and separation of powers concerns underlying the revenue rule.”161 Applying the rule to the claims, the district court found that the rule barred the action:
The present actions involve RICO claims for injury in the form of lost customs duties, lost value added taxes, and lost excise taxes, and also for injury in the form of additional contributions by Member States to the European Community to compensate for tax revenue that the European Community otherwise would have collected. Predicated on smuggling, the claims all clearly implicate the revenue rule in that they would necessarily cause this court to pass on foreign tax laws.
Plaintiffs also bring various RICO claims predicated on harms derivative of smuggling. The injuries include, inter alia, loss of funds spent to combat cigarette smuggling, and coordinate damage to the security and integrity of Plaintiffs’ relevant institutions and markets. Additionally, Plaintiffs seek equitable and injunctive relief designed to impede smuggling, improve future defenses against smuggling, and recoup monies lost to smuggling. All of these claims also trigger the revenue rule under the [Second Circuit’s] Attorney General of Canada ruling. Here, as there, “we would have to examine whether, when and to what extent the smuggling existed, which would require a determination that tax laws were applicable to defendants.”162
Frustrated in their efforts to combat cigarette smuggling, the European and Colombian plaintiffs spent the next several years appealing the decision with little success.163 In January 2004, the Second Circuit affirmed the district court’s dismissal.164 However, in May 2005 the Supreme Court granted certiorari and remanded for further consideration in light of its intervening decision in Pasquantino v. United States.165 Pasquantino held that the revenue rule, while prohibiting civil suits to enforce the tax laws of another country, still permitted the United States to criminally prosecute individuals or companies who violated foreign tax laws.166 On remand, the Second Circuit re-affirmed the district court’s original ruling that the lawsuits were barred by the revenue rule.167 For their part, the tobacco companies fought back by bringing various claims in the Court of Justice of the European Communities, seeking annulment of the European Commission’s authorization of the U.S. lawsuits on the grounds it was illegal. However, these claims were ultimately rejected by the Court of Justice.168
C. The Problem
The refusal of the courts to resolve the substantive legal issues surrounding cigarette smuggling did not end the matter. Governments in Colombia and Europe still faced cigarette smuggling and lost tax revenue. The tobacco companies faced an uncertain legal environment in key markets. They were also worried that increased media attention and political pressure abroad would grab the attention of the United States Department of Justice, which was able to criminally prosecute companies that knowingly assisted in the violation of foreign tax laws under Pasquantino.169 In addition, both sides continued to be hurt by the increasing prevalence of counterfeit cigarettes. On top of these problems, the relationship between the parties had soured. Both sides had shown a willingness to fight expensive, protracted legal battles, and neither side was willing to give up. Bilateral negotiations were also unlikely, given the number of countries involved and, on the European side, the various supra-national organizations, including the European Commission, the European Anti-Fraud Office (OLAF), the European Parliament, and its Trade and Justice Committees.
Faced with limited legal options, the parties found a novel solution. The readings that follow present this solution, focusing on one tobacco company, Japan Tobacco International (JTI). JTI is the international division of Japan Tobacco, the largest tobacco company in Japan170 and one of the four largest tobacco companies in the world.171 JTI owns the rights to popular R.J. Reynolds brands sold outside the United States, such as Winston, Camel, and Benson & Hedges.172
* * * * *
D. Other Public-Private Regulatory Regime Contexts
The preceding discussion presents one context in which a public-private regulatory regime can, and did, arise. However, due to the nature of the issues and parties involved, no two regimes will be the same. This section introduces several other types of public-private regulatory regimes, which are discussed in greater detail in the following readings.