In 2017, companies settled violations with the DOJ in unprecedented non-prosecution agreements that contained disavowals of any criminal liability. Who’s Who Legal’s sister publication GIR Just Anti-Corruption investigates why.
In July, the US Attorney’s Office for the Middle District of Pennsylvania announced non-prosecution agreements (NPAs) with four separate alcohol vendors all containing similar denials of criminal liability. The settlements resolved allegations that the companies “provided things of value” to officials at the Pennsylvania Liquor Control Board.
Then in December, Netcracker Security Corporation, a US software company, and the Justice Department (DOJ) signed an NPA to resolve allegations of poor data security. In the settlement, the company denied any criminal wrongdoing, but agreed to the statement of facts “in the interest of reaching a mutual agreement” and enhancing US national security.
The lack of admissions in the NPAs caught the attention of Gibson Dunn & Crutcher, which in a recent report described the deals as novel because “most NPAs and DPAs (deferred prosecution agreements) require a clear acknowledgement by the company that the statement of facts is ‘true and accurate,’ and that ‘the company bears responsibility.’”
Brandon Garrett, a professor at the University of Virginia School of Law who runs a website tracking DPAs and NPAs, said the company denials are unprecedented and troubling.
“Neither admit nor deny language undermines the goal of criminal accountability – that if a company committed crimes it must acknowledge having done so – and if the evidence is doubtful no prosecution should be brought,” Garrett wrote in an email. “The SEC [US Securities and Exchange Commission] has walked back its use of neither admit nor deny language in civil cases, and it would be troubling if DOJ went in that direction in most corporate criminal cases.”
Lawyers familiar with both NPA agreements, speaking on the condition of anonymity, said these NPAs included denials of criminal liability because of the lack of available evidence necessary to secure a conviction.
In July 2017, four alcohol vendors entered into NPAs with the US Attorney’s Office for the Middle District of Pennsylvania for conduct that appeared vague – they were accused of offering things of value to government officials but not of bribing the officials.
According to the agreements, material goods were exchanged and if these goods were “given in quid pro quo exchange for official decisions, [it] would constitute violations of federal law.” In the NPAs, the companies denied “criminal liability for the conduct”. In total the companies agreed to pay US$9 million in fines.
An attorney familiar with the case said that the Pennsylvanian US attorney’s office has been nervous about filling bribery charges because “the McDonnell case had a huge impact on them.” That may have opened the door for securing an NPA without an admission of guilt, the lawyer said.
In the McDonnell case, the Supreme Court struck down public corruption charges in 2016 against former Virginia governor Bob McDonnell after finding that prosecutors had overreached in their definition of what constitutes an “official act” by a government official. Under federal bribery law, a public official is prohibited from accepting something of value in exchange for an “official act”.
McDonnell, a Republican, was accused of accepting more than US$175,000 in gifts and loans from a wealthy businessman who sought favourable consideration from government agencies for his dietary supplement company, Star Scientific. The Supreme Court ruled that the “official acts” taken by McDonnell as a result of the gifts – such as setting up meetings, talking to other officials and organising events – did not rise to an official act as described by the statute.
Each of the four NPAs contain descriptions of goods that executives from the liquor companies gave to the director of marketing at the Pennsylvania Liquor Control Board – including gift cards, free meals and golfing trips – but don’t say what purpose these gifts were given for.
An attorney familiar with the case believed the NPAs were agreed because the US Attorney’s Office was worried it would be unable to prove these gifts were given in exchange for official acts. He said it would be “interesting to track the number of bribery convictions pre- and post- the Supreme Court ruling in McDonnell.” The US attorney’s office declined to comment.
According to a statement of facts accompanying Netcracker’s NPA, the company erred when it allegedly employed foreign coders who did not have proper US security clearances. These employees were storing sensitive information on Moscow-based servers, the NPA said. Under Russian law, any data transmitted through the country can be made available to Russian intelligence agencies to be searched.
That created a problem for Netcracker because it had two government subcontracts with the Defense Information Systems Agency (DISA), a US agency responsible for securing all defence-related communications around the globe. DISA thought under the terms of its contract with Netcracker, the company could only hire US citizens to work on its software. But Netcracker thought the company was allowed under the agreement to hire foreign personnel as long as they were not handling sensitive information.
Although Netcracker agreed to the statement of facts, the company “denies that it engaged in any criminal wrongdoing.” According to a press release from Netcracker: “The evidence did not support the government’s concerns” and the NPA “validates Netcracker’s long standing assertion of no wrongdoing and that Netcracker performed all its obligations under this contract”.
Netcracker was not required to pay a fine. Instead, it agreed to pay US$35 million if it failed to comply with the terms of the NPA, which included a requirement to upgrade its security protocols.
Gibson Dunn highlighted the Netcracker NPA as “an especially interesting example of how NPAs and DPAs may be tailored creatively to resolve government investigations into corporate conduct”. The Netcracker NPA “most strikingly” contains an “express disavowal of guilt”, which the law firm report described as “highly unusual”.
A source familiar with the Netcracker case said the NPA “took a very long time to negotiate”, adding that Netcracker “probably would have taken it to trial if the DOJ did not allow the denial of criminal wrongdoing because of how strong they believed their case was”.
One motivating factor for Netcracker to sign the NPA may have been the risk of “losing its government contracts in light of Kaspersky”, said a former government official who requested anonymity to talk about the case.
A few months earlier in September 2017, the US government banned the use of all Kaspersky products by all civilian agencies amid reports of the company’s close relationship with Russia’s main intelligence agency, the FSB. Kaspersky Lab is a Moscow-based cybersecurity and antivirus provider.
Kaspersky denies any connections to the Russian government, and Kaspersky CEO Eugene Kaspersky called the allegations “unfounded conspiracy theories” and “total BS”, according to a Bloomberg report.
Kaspersky has filed a motion in DC federal court to block the Department of Homeland Security directive banning the use of its products arguing that the ban did not provide “due process”.
Lawyers said there is another unusual part of Netcracker’s NPA that required the company to implement a stronger security programme – a feature that was highlighted by Gibson Dunn’s report.
“This is the first instance of a requirement under a non-prosecution agreement of a security plan that protects consumers,” the former government official said. “That is new.”
According to the NPA, Netcracker must beef up its security programme by implementing a new monitoring system to detect unauthorised access of US customer data, requiring additional background checks for its employees, and moving sensitive US information stored on foreign servers back to the US.
DOJ officials said they hope the new security plan implemented by Netcracker will serve as an industry model.
Acting Assistant Attorney General Boente said in a statement: “As threats to our critical infrastructure increase, especially from abroad, these protocols serve as a model for the kind of security that US critical infrastructure should expect from the firms they use to develop, install, and maintain technology in their networks.”