If you’ve ever let your kids sign into your Netflix or HBO Go account, or given your marketing department access to your Twitter feed, you may be committing a federal crime, depending on how the Ninth Circuit rules on a case argued before it just last month.
The case, United States v. Nosal, is the latest chapter in a series of cases in which federal prosecutors have used a thirty-year-old anti-hacking statute to turn seemingly routine business disputes into federal felony cases. The statute, known as the Computer Fraud and Abuse Act (CFAA), contains broad prohibitions on accessing a computer system “without authorization” or in a way that “exceeds authorized access.” Though intended to prevent malicious hacking and espionage, those prohibitions have repeatedly been applied to disgruntled former employees who logged back into company databases to access proprietary information after their termination and when their authorization to access those files had been revoked.
However, the Nosal case goes a step further, and a ruling in favor of the United States threatens to criminalize password sharing of all kinds. Nosal was an executive at the recruiting firm Korn Ferry International (KFI). After he left the firm, he obtained the help of several former colleagues to obtain protected KFI data to start a competing business. Although several of the charges against Nosal were thrown out in an earlier case, he was still prosecuted for accessing KFI files using his former assistant’s login information, which she had given him willingly.
According to prosecutors, Nosal’s former assistant was not authorized to give him access to KFI’s systems under the company’s computer usage policy, and so his use of that password was “without authorization” by the proper authorities. Upholding that argument could have a broad reach because so many password-protected services have prohibitions against password sharing in their user agreements, including Netflix, LinkedIn, Facebook, and HBO Go, to name a few. For that reason, a ruling that the CFAA prohibits password sharing when not authorized by these agreements could turn us all into criminals.
Following argument, this case is difficult to handicap. Although Judge McKeown seemed particularly concerned with the fact that Nosal clearly had engaged in wrongful conduct when he knew his authorization had been revoked, Chief Judge Thomas and Judge Reinhardt clearly recognized the scope of the issue at stake, and all three panel members were concerned by the government’s apparent lack of a limiting principle.
A ruling can be expected in the next few months. Until then, all we can do is hold our breath, and hope that the court ensures that the next time we share an account with the others in our household, we won’t end up living an episode ofOrange is the New Black instead of just watching it.
Beating their chests and breathing fire to rouse the polity, the Department of Justice recently came out with an announcement as earth shattering as the sun rising. The DOJ proclaimed it has adopted new policies to prioritize the prosecution of individuals for white-collar crime.
Deputy Attorney General, Sally Q. Yates, was quoted in the New York Times: “It’s only fair that the people who are responsible for committing those crimes be held accountable. The public needs to have confidence that there is one system of justice and it applies equally regardless of whether that crime occurs on a street corner or in a boardroom.”
What’s the hoped-for public response? Probably something like this: “And the crowd goes wild. Finally, after years of corporate executives sporting Teflon and sliding past investigators, the government is going to put its fist down and make the wrongly rich execs pay for their nefarious acts of fraud, insider trading, embezzling, racketeering, and tax evasion! “
But things look a little different in the actual world of white-collar criminal investigations and defense. In fact, prosecutors from the Southern District of New York and across the country are zealously prosecuting employees accused of white-collar offenses, and their companies are never shy about providing the backup data regulators request.. What’s more, convicted offenders are often subject to penalties far exceeding their crimes, as U.S. District Judge Jed Rakoff noted in the 2012 sentencing of Rajat Gupta.
The fact of the matter is that the DOJ doesn’t need to announce a new policy to go after individuals for white-collar crimes. The reality on the ground is we deal with employees being investigated and indicted all the time.
So why did Washington make the announcement? It sounds more like a PR stunt than anything else. Perhaps the Administration is gearing up for the next election cycle, which includes some obvious key elections. The DOJ wants to have a strong response to public outcries for accountability at the opportune time of impending regime change. In prior election cycles, administrations have taken some sort of hard stance on crime and punishment, whether it is increasing sentencing guidelines or messaging prosecutors about white-collar plea agreements.
From our viewpoint, it’s a little hard to take the DOJ’s new policy announcement at face value. We don’t see any recent motivation (outside PR). However, it’s also true that the wheels of Justice move slowly and this may just be a reflection from public dissatisfaction after the 2008 economic crisis, which saw corporations, but few Wall Street execs, held accountable. Regardless, we see the DOJ’s announcement much ado about nothing.
A Canadian federal court recently released an opinion holding that meta tags, at least in some circumstances, are not entitled to copyright protection. Although the precedent is not binding in American courts, the well-reasoned opinion provides an excellent logical analysis on why meta tags may or may not be afforded copyright protection.
In Red Label Vacations Inc. v. 411 Travel Buys Limited, the plaintiff travel business implemented meta tags including its registered trademarks: “redtag.ca,” “redtag.ca vacations,” and “Shop. Compare. Payless!! Guaranteed.” The defendant is a competing travel business in the Canadian market. In 2009, Red Tag experienced a drop in sales and noticed that search engine results for its company were returning results for its competitor, 411 Travel Buys. Upon further inspection, Red Label found that 411 had apparently copied its metadata including content, ordering, and misspellings. Red Label informed 411 of the violation and 411, being Canadian, immediately removed the content. Nevertheless, Red Label brought suit for lost profits during the period it was active.
In analyzing the duplicated meta tags, the court concluded that the tags were substantially derived from a list of Google keywords which were incorporated into phrases describing travel. The court held that there was little evidence of any degree of skill, judgment, or creativity in creating the meta tags at issue in the case. The court noted that there may be circumstances in which meta tags are so creative and original so as to qualify for copyright protection, but they were not present here.
The court further found that there was not substantial copying when viewing the website as a whole. Defendant 411 copied 48 pages out of approximately 180,000 on Red Tag’s website. The court considered substantial similarity between the original work and the allegedly infringing work when viewed as a whole, and did not find that a substantial reproduction had occurred.
Even though 411 used Red Tag’s trademarks in its meta tags, the court held that no trademark violation had occurred because the meta tags were not visible to the site’s visitors, but were rather used by search engines. The court found that even if a patron had reached the 411 site by searching for Red Tag terms, once visitors arrived at the website they would have no doubt that they were at the site of 411. Notably, the Canadian court identified a substantial difference between its law and trademark law in the US. In the US, a court may find a trademark violation occurred where trademark use causes “initial interest confusion” where a patron searching for one company diverts their business to what the patron realizes is a different company offering a similar product or service. Regardless, the Canadian court indicated that it wouldn’t find a trademark violation even under the initial interest confusion test, because when search engines use meta tags they return a list of links that customers may choose from at will, rather than directing the viewer to a particular competitor.
Despite the Canadian court’s thoughtful and in-depth analysis, in the six years since the events of the case meta tags have increasingly become a relic of the past as search engines increasingly use their own algorithms to determine search results. However this is still a claim that many plaintiffs include when throwing in the kitchen sink in a trademark case, and it would not be surprising to see US courts cite to the reasoning of our neighbors to the north in future decisions.
The government has voluntarily dismissed its case against Jae Shik Kim, the South Korean businessman for whom Ifrah Law obtained a motion to suppress in federal court. In 2012, Mr. Kim was stopped by federal agents as he tried to board a plane to South Korea from LAX. The government seized his laptop and copied his hard drive based on suspicion that he had engaged in illegal activity years earlier. The government indicted Mr. Kim based on evidence it found on the laptop relating to past transactions.
Everyone who has been through a security checkpoint at an airport knows that the government has wide latitude to conduct certain warrantless searches at the border without any suspicion of illegal conduct. However, the U.S. District Court for the District of Columbia concurred with Ifrah Law’s argument that the government’s latitude is wide, but it is not unbounded. In order to conduct a non-routine search of electronics at the border–including copying a hard drive for the government to conduct a later search unbounded in time and scope—the government must have reasonable suspicion that the owner is presently engaged or will imminently engage in illegal activity. An ongoing investigation of suspected past criminal activity is not a sufficient basis on which to perform such a search. To use a border search for that purpose is an illegal attempt to circumvent the warrant requirements imposed by the Fourth Amendment to obtain evidence in an ongoing investigation, and any evidence obtained in that manner cannot be used to convict the defendant.
The government understood that when the court suppressed the evidence obtained from Mr. Kim’s laptop, it did not have a case on which it could obtain a conviction. Shortly after the court granted Ifrah Law’s motion to suppress, the government filed an interlocutory appeal of the court’s order. The government hoped that the Court of Appeals would reverse the order and allow the government to present evidence obtained from the laptop in order to secure a conviction.
This week, the government reversed course. The government not only dropped its appeal on the suppression issue, but moved to dismiss the indictment entirely, resulting in an event all too rare in the criminal justice system—a dismissal of all charges against the defendant. The government’s action implicitly acknowledges restrictions on its authority to conduct non-routine searches at the border when there is no suspicion of present criminal activity. It is a big win not only for our client, but for the ongoing effort to preserve our right to privacy.
In an ironic twist, the U.S. Justice Department unsealed a 47-count indictment this morning charging nine present and former officials of the Federation Internationale de Football Association (better known by its acronym, FIFA) and five sports marketing executives with fraud, racketeering, bribery and money laundering. The guilty pleas of four individuals and two entities relating to these same allegations were also unsealed.
The indictment alleges that officials of FIFA, which controls the media and marketing rights to international soccer tournaments worldwide, received bribes totaling more than $150 million in connection with the award of those rights. The defendants also include sports executives alleged to have paid those bribes, and the indictment also charges that intermediaries were used to launder the proceeds of those bribes. The lead charge in the indictment is an alleged violation of the federal Racketeering Influenced and Corrupt Organizations Act (RICO).
At the request of U.S. authorities, Swiss authorities arrested a number of individuals in Zurich this morning where FIFA executives had gathered for the organization’s annual meeting. The indictment was disclosed along with a Swiss investigation into mismanagement and money laundering associated with the award of the 2018 World Cup to Russia and the 2022 World Cup to Qatar. FIFA has stated that the award of those tournaments will not be reconsidered.
The great irony of the indictment is that this is about football – not “American football” but “real” football (what we Americans call “soccer”) – the most popular sport on the planet. From a sports perspective, Americans are still newcomers to the game, though the women’s national team has enjoyed perennial success, the men’s national team has climbed in world rankings, and individual American players are becoming more commonplace on teams in the English Premier League and elsewhere in Europe. It is surely ironic for the U.S. to police a sport that struggles for attention at home.
But on the other hand, it should be no surprise to see a U.S. indictment that seeks to address corruption in FIFA that has been the stuff of rumors for years. The FIFA indictment is another example of how the United States projects not only military power but legal power overseas, using its robust Justice Department and court system to impose on the world the legal standard enshrined in its criminal laws. Given that the case is being prosecuted in the Eastern District of New York – where now-Attorney General Loretta Lynch previously served as the United States Attorney – the case may also signal something about Attorney General Lynch’s approach to such multinational cases.
The Department of Justice presumably justifies this extraterritorial exercise because the defendants include several Americans and because FIFA includes component associations located in the United States; the alleged offenses therefore impact Americans as well as those overseas. To the extent this is true, that seems to be appropriate justification. But another question is how that exercise of power will be perceived outside of the United States. Is the United States helping to solve a problem that has dogged international soccer for years? Or is it meddling in matters that are largely outside of its borders and that should not concern it? As news of this morning’s arrests and the unsealing of the indictment spreads, the world’s reaction may answer those questions.
Last July, we reported on United States v. Davis, an Eleventh Circuit decision in favor of privacy rights. In that case, a three-judge panel held that cell phone users have a reasonable expectation of privacy in their cell phone location data. If the government wants to collect the data, it must first obtain a probable-cause warrant, as required by the Fourth Amendment.
The groundbreaking decision seemed a clear victory for privacy rights, but the victory proved to be ephemeral. Last year, the en banc court agreed to revisit the question and, weeks ago, declared that subscribers do not have a reasonable expectation of privacy in their cell tower location data. As a result, the government can collect such data from third-party service providers if it shows reasonable grounds to believe the information is relevant and material to an ongoing criminal investigation.
In February 2010, defendant Quartavius Davis was convicted on multiple counts for robbery and weapons offenses. Davis appealed on grounds that the trial court admitted cell tower location data that the prosecution had obtained from a cell phone service provider in violation of Davis’ constitutional rights. An Eleventh Circuit panel agreed with Davis. Speaking for the court, Judge Sentelle explained that Davis had a reasonable expectation of privacy in the aggregation of data points reflecting his movement in public and private places. The government’s collection of the data was a warrantless “search” in violation of the Fourth Amendment.
To reach that decision, the panel leaned heavily on a 2012 Supreme Court case called United States v. Jones. In Jones, the Court announced that the government must have a probable-cause warrant before it can place a GPS tracking device on a suspect’s car and monitor his travel on public streets. The Court so held based on a trespass (or physical intrusion) theory. Absent probable cause, the government could not commandeer the suspect’s bumper for purposes of tracking his movement, even if each isolated movement was observable in public. Several Justices went further, suggesting that the same result should obtain even without a trespass. They hinted that location data might be protected because individuals have a reasonable expectation of privacy in the sequence of their movements over time. It was this persuasive but nonbinding privacy theory that guided the Eleventh Circuit’s panel decision.
On rehearing, the en banc court rejected the panel’s approach. The court noted that Davis could prevail only if he showed that a Fourth Amendment “search” occurred and that the search was unreasonable. He could show neither. To demonstrate a search, Davis had to establish a subjective expectation and objective expectation of privacy in his cell tower location data. But this case involved the collection of non-content cell tower data from a third-party provider who collected the information for legitimate business purposes: the records were not Davis’ to withhold. According to the court, Davis had no subjective expectation of privacy in the data because cell phone subscribers know (i) that when making a call, they must transmit their signal to a cell tower within range, (ii) that in doing so, they are disclosing to the provider their general location within a cell tower’s range, and (iii) that the provider keeps records of cell-tower usage. But even if Davis could claim a subjective expectation of privacy, he could not show an objective expectation. In the court’s view, Supreme Court precedent made clear that customers do not have a reasonable expectation of privacy in non-content data voluntarily transmitted to third-party providers. Because there was no “search,” there could be no violation of Davis’ constitutional rights.
The en banc court explained further that Jones did nothing to undermine the third-party doctrine. For one, Jones involved a government trespass on private property. But the records in Davis were not obtained by means of a government trespass or even a search, so Jones did not control. Additionally, Jones involved location data that was first collected by the government in furtherance of a criminal investigation. By contrast, Davis involved location data that was first compiled by a service provider in the ordinary course of business. Simply put, “[t]he judicial system does not engage in monitoring or a search when it compels the production of preexisting documents from a witness.”
Photo: “LAX-International-checkin” by TimBray at en.wikipedia.
Developments in law are sluggish compared to the rapid rate of technological advancement, and courts must constantly apply old legal principles to technologies which were not contemplated at the time the laws were enacted. Recently, technology has been at the forefront of privacy rights debates, in light of revelations that the government has access to online communications, personal data storage and extensive monitoring via technology. The Fourth Amendment of the United States Constitution establishes a privacy right by prohibiting unreasonable search and seizure, but the extent to which that applies to technology is largely untested. Last week, a federal judge upheld this fundamental right as she ruled that our client’s rights had indeed been violated by an unreasonable search and seizure of a laptop computer conducted by the government.
U.S. District Court Judge Amy Berman Jackson granted a motion which we filed on behalf of our client, South Korean businessman Jae Shik Kim, to suppress evidence seized from his laptop as he departed the country from Los Angeles International Airport in October 2012. The decision severely cripples the government’s case alleging that Kim conspired to sell aircraft technology illegally to Iran, in United States of America vs. Jae Shik Kim, Karham Eng. Corp. (Crim. Action No. 13-0100 in the U.S. District Court for the District of Columbia).
The seizure of Mr. Kim’s laptop presents a unique challenge in an undeveloped area of law. The government claimed that because Mr. Kim’s laptop was seized at the border, it was free to search the computer without having any suspicion that he was presently engaged in criminal activity, the same way the government is free to search a piece of luggage or a cargo container. Yet anyone who owns a laptop, smartphone, tablet, or any other personal mobile device, knows that the breadth and depth of private information stored within these gadgets are intimately tied to our identities and should be entitled to a heightened level of privacy.
Judge Jackson, who understood this aspect of modern mobile devices, wisely rejected the government’s argument that a computer is simply a ‘container’ and that the government has an ‘unfettered right’ to search. In her memorandum opinion and order, she wrote, “…given the vast storage capacity of even the most basic laptops, and the capacity of computers to retain metadata and even deleted material, one cannot treat an electronic storage device like a handbag simply because you can put things in it and then carry it onto a plane.”
In her decision, Judge Jackson also repeatedly referred to “reasonableness” as the “touchstone for a warrantless search.” She keenly balanced the government’s imperative to protect our borders with individuals’ privacy rights. Judge Jackson found that the nature of the search — including that the government conducted the search as Kim departed the country (and not as he entered) to gather evidence in a pre-existing investigation, and that it made a copy of the entire contents of Kim’s laptop for an “unlimited duration and an examination of unlimited scope” — amounted to an invasion of privacy and an unreasonable search and seizure.
While the search of Mr. Kim was technically a border search, his laptop was not searched at the airport. Instead, it was transported 150 miles to San Diego and held until government agents were able to find and secure information they deemed valuable to their case. In fact, Mr. Kim was deemed so little of a threat to national security that he was permitted to board his flight. Judge Jackson noted that if the government’s asserted justification for the search were to stand, it “would mean that the border search doctrine has no borders.”
In this case, unfortunately, the government overstepped the boundaries established by Fourth Amendment of the Constitution, however the checks and balances imposed by the same foundational document proved to correct this error, and rightly so, as our laws continuously strive to adjust to the reality of rapidly evolving technology.
A recent decision of the U.S. Court of Appeals for the Fifth Circuit Court serves as a good reminder that criminal statutes say only what they say, and that it is up to the legislature to revise statutes to expand their scope if the legislature cares to do so.
The opinion, United States v. Kaluza, arose from the April 20, 2010, blowout of oil, natural gas and mud at the Macondo well, located on the Outer Continental Shelf in the waters of the Gulf of Mexico. The blowout resulted in explosions and fires on the Deepwater Horizon, a drilling rig chartered by the BP petroleum company, that led to the death of eleven men.
Robert Kaluza and Donald Vidrine were “well site leaders” – the highest ranking BP employees working on the rig. Kaluza and Vidrine were indicted in the Eastern District of Louisiana on 23 counts, including 11 counts of “seaman’s manslaughter” or “ship officer manslaughter” in violation of 18 U.S.C. § 1115. Section 1115 is titled “Misconduct or neglect of ship officers” and provides, in part, that:
Every captain, engineer, pilot, or other person employed on any steamboat or vessel, by whose misconduct, negligence, or inattention to his duties on such vessel the life of any person is destroyed, and every owner, charterer, inspector, or other public officer, through whose fraud, neglect, connivance, misconduct, or violation of law the life any person is destroyed, shall be fined under this title or imprisoned not more than ten years, or both.
On the one hand, unlike the common law definition of manslaughter and the companion statutory definition for general manslaughter found in Section 1112, Section 1115 only requires proof of negligence. On the other hand, the portion of the statute quoted above specifically states that it applies only to two groups of individuals: (1) every captain, engineer, pilot, or other person employed on any steamboat or vessel; and (2) every owner, charterer, inspector, or other public official. The second of these categories clearly did not apply to the two individual defendants, and the Fifth Circuit upheld the district court’s dismissal of the Section 1115 charges on the ground that neither of the defendants fit in the first.
Because neither of the defendants was a “captain, engineer [or] pilot” of a vessel, the issue was whether the men fell within the scope of “[e]very . . . other person employed on any . . . vessel.” In making this assessment, the Court of Appeals literally walked through this phrase word by word, indicating the dictionary definition for each one. Having done so, the Court rejected the government’s argument that the plain text of the statute was unambiguous, and encompassed every person employed on the Deepwater Horizon. The Court noted that such a conclusion would make the inclusion of “captain,” “engineer,” and “pilot” superfluous; instead, invoking the principle of ejusdem generis, the Court held that these terms limit the scope of the otherwise open-ended “every . . . other person.”
The Court emphasized that the limiting principle of ejusdem generis has particular force with respect to criminal statutes, so that unsuspecting persons are not ensnared by ambiguous statutory language. Finding that the common attribute of these specific positions was that all are involved in positions of authority responsible for the success of a vessel as a means of transportation on water. Because the defendants were responsible for drilling operations, and not the marine transportation functions of the Deepwater Horizon, they did not fall within this category, and therefore could not be held liable for seaman’s manslaughter.
The Kaluza case is a textbook example of how courts can and should carefully interpret ambiguous statutes so that they may be applied only to those persons and acts to which Congress intended them to apply. The case is certain to provide guidance to trial judges in the Fifth Circuit and elsewhere when similar circumstances arise in other cases.
Since the 1990s and the rise of the Internet and social media, each one of us has become increasingly aware of the risks and dangers of unwanted posts and how fast a “discreet” image can go viral. The development and evolution of the Internet has brought with it a host of novel legal issues, from the worldwide threat of cyber bullying to disgruntled employee posts, a flippant press of a button can mean tremendous consequences and legal challenges for many involved parties. Combine the viral nature of an image with the fuel of raw emotions over a breakup with a spouse or former lover and it is a recipe for disaster!
In a case that is considered the first of its kind, a website operator was found criminally liable for identity theft and extortion by a California state jury last week. The defendant operator Kevin Bollaert owned the website YouGotPosted.com, which permitted jilted lovers to submit nude pictures of their exes in order to publicly humiliate them. The site would identify the victim by name and also include the victim’s phone number next to the photo. On a sister website set up by the same operator, ChangeMyReputation.com, the victims were asked to pay up to $350 in order to have the photo removed. Between December 2012 and September 2013, less than one year, the site put up over 10,000 posts.
“Revenge porn” sites like this one permit the online posting of nude and sexual photos of people, by its nature mostly women, whose exes post the images to try to humiliate them. Images can also be easily picked up by other websites, so even if a person succeeds in getting images removed from one site, it may be difficult or impossible to remove them completely from the Internet. So, of course this sounds like it would clearly be illegal? Not so. Perhaps surprisingly, most states do not make it a crime to post people’s photos or personal information online without their permission. Many revenge porn sites have popped up in recent years and have brought national attention, as states scramble to enact laws or amendments to existing laws to help the defenseless victims. With the quick rise of revenge porn, states have often used laws already in existence to prosecute those accused of committing revenge porn, such as laws against disseminating pornography or laws protecting privacy. Even so, many current laws regarding invasion of privacy, harassment or disorderly conduct were enacted long before revenge porn was contemplated or became a rising concern. Oftentimes, a loophole makes it difficult to prosecute because the victims don’t own the photographs in which they appear or have voluntarily disseminated the photo without the intention of it going viral. It is for this reason that in the past few years, sixteen states have enacted criminal revenge porn laws, and there is legislation pending in over twenty additional states.
The case against Bollaert was the first conviction following California’s revenge porn bill, signed into law in October 2013 by Governor Jerry Brown. The law amends the state’s disorderly conduct law and makes it a crime to post nude photos of another online without permission and with intent to publicly shame the subject. However, this law as first drafted did not include photos taken as “selfies” but only those taken by another party. To remedy this, the law was subsequently amended, which will take effect in July of this year. Unlike other revenge porn sites, though, YouGotPosted.com permitted users to share personally identifying information about the photo’s subject. Bollaert was therefore prosecuted for identify theft and extortion, not under the revenge porn law. Bollaert faces up to 20 years in state prison when he is sentenced on April 3.
So, is this case unique due to the egregious nature of the facts, or should website operators beware of government’s tightened grip on website content? I think the answer is both. The facts are egregious but far from uncommon and increasingly more frequent. As devious players contemplate use of the Internet in unprecedented ways, state laws are feverishly attempting to catch up to evolving technology. While many object to such laws based on First Amendment free speech rights, it seems that governments are in fact taking stricter control over website content, with new laws and amendments pending in almost half the states in order to close the loopholes currently existing on this issue. Even so, there is a lesson to be learned to prevent humiliation and the time and expense of litigation – for all of those who leave their smart phones next to their beds, think twice before undressing and snapping!
This article first appeared on FEE.org – you can access this version at http://fee.org/freeman/detail/bureaucracy-unlimited
Big Gov and Big Biz. Are they holding hands, shaking hands, or boxing? It depends on the day and the issue. But while Big Biz hardly seems like a sympathetic character, Big Gov always has the upper hand.
Remember Arthur Anderson? Perhaps not. It used to be the biggest accounting firm around. Then the Justice Department went after it with little proof but lots of gusto. The megalith firm fought the law, and the law won (temporarily). The Department of Justice obtained a criminal conviction against the firm that was the equivalent of a death sentence: the company lost its reputation and therefore lost its clients. By the time the Supreme Court overturned the conviction, it was a pyrrhic victory for the defunct firm.
Through Arthur Anderson, companies learned that no matter how big you are, the government is bigger. When the government comes after you, stand down and don’t fight.
Do you care that Big Gov picks on Big Biz? While Big Gov is busy starting wars of attrition with Big Biz, it is building out its bureaucratic infrastructure — all while sharpening a strategy that means it can’t lose. And that’s everyone’s concern. Companies regularly acquiesce to government demands and pave the way for what I’ll call enforcement creep — de facto lawmaking whereby government agencies use the threat of costly litigation, the threat of multiple agency investigations, or the threat of Arthur Anderson’s sad fate to gain settlements with defendants, even when the companies haven’t committed any significant wrongs.
These settlements often exceed the scope of existing laws and regulations, more accurately reflecting what the agencies want, not necessarily what the law requires. Agencies thus further their policy initiatives — including those not defined by statute or by implementing regulations — on an ad hoc basis, outside the purview of traditional lawmaking.
Here are two examples of how enforcement creep plays out.
In May 2014, the Consumer Financial Protection Bureau announced a $96.6 million settlement against student loan servicer Sallie Mae (now Navient Solutions). The agreement was to settle allegations that the company failed to reduce interest rates on loans to military members as required under the Servicemembers Civil Relief Act (SCRA). In the settlement agreement, Sallie Mae didn’t admit to any wrongdoing (a typical agreement term) but nonetheless agreed to pay fines and restitution. It also agreed to institute new measures to ensure compliance with the SCRA.
Here’s the kicker: the new measures require that Sallie Mae not only comply with current law, but go several steps further. That is, current law puts the burden on service members to seek loan reduction relief, but the consent order shifts the burden to Sallie Mae. It requires that the company presume loan reduction requests based upon service member actions (such as a request from the service member for another form of relief). It also requires the company to undertake other measures proactively to seek service member rate reductions (such as creating an online intake form and training designated customer service representatives to advise on SCRA protections).
It probably seemed to government regulators that the loan servicer, instead of the service member, was in a better position to bear the burden of looking after SCRA rights. And so they shifted that burden through an investigation and settlement with a major loan servicer — as opposed to going through the more public rulemaking process and requesting that Congress revise the law.
Here’s another example. In September 2014, Costco settled charges with the Environmental Protection Agency. The government authorities alleged the company violated the Clean Air Act by failing to repair refrigerant leaks and failing to keep adequate records of the servicing of its refrigeration equipment. The consent decree, in which Costco admitted no liability, requires that the company cut its leak rate to almost half the legal maximum over the next three years. (The decree requires Costco to achieve corporate-wide average leak rates of 19.1 percent; the regulations, 40 C.F.R. § 82.156 and EPA guidance, provide a legal leak rate maximum for commercial refrigeration equipment of 35 percent.)
The agreement requires the company to retrofit, replace, and install systems in a manner that similarly appears to surpass legal standards. Comparing the EPA guidance with the consent decree, the decree looks like a big leap from current regulatory requirements. The settlement agreement terms sound a lot more like policy objectives, in keeping with the EPA’s GreenChill initiative, than legal standards.
Give us your lunch money
It’s okay to encourage companies voluntarily to adopt more rigorous environmental standards than the law requires, but when a company’s decision not to comply can result in steep sanctions, the decision is no longer voluntary. So when the government looks for excuses to impose extralegal preferences, it starts to sound less like cheerleading and more like bullying. Think of it this way: it is still legal to encrypt your smartphone, but would you feel free to do so if you knew that the police were investigating everyone pursuing that form of privacy?
Where companies don’t do anything wrong, or where the wrongs committed pale in comparison to the punishment exacted, why do they settle with the feds? It has a lot to do with cost-benefit analysis. Rational parties will assess whether it makes financial sense to defend their positions in protracted litigation or to settle and move on. Since legal defense can be very costly, accepting a reasonable penalty that frees time and economic resources may seem like the best option. It’s similar to the pressure on someone charged with a serious crime, even when they are innocent, to plea bargain rather than face the expense of a long legal defense and the real possibility of a wrongful conviction. Plus, these companies don’t want to face significant bad press or a conviction that could effectively shutter operations. So Big Biz stands down; Big Gov expands its legal reach by applying an extralegal strategy of legislation by threat.
The companies entering into settlement agreements will obviously have to adopt the terms of those agreements or be in breach. But they are not the only ones looking carefully at applying settlement terms. Other companies with similar business practices will recognize a world of limited choices: adopt the government’s policy objectives or prepare for your time in the ring. New de facto law is made outside the courts, outside Congress, and entirely outside the public sphere. The extent to which Big Biz could once serve as a check on Big Gov fades into history, as enforcement creep becomes the new reality.