Jun

30

Jury Award for $60 Million Entered Against Transunion over SDN List Reports


Posted by at 4:49 pm on June 30, 2017
Category: OFACSDN List

https://www.instagram.com/p/BKeO97kg4MG/On June 20, a federal jury awarded a $60 million damage verdict against mammoth credit reporting agency Transunion arising from the company’s misuse of the Office of Foreign Assets Control’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) on credit reports. The plaintiffs in that case where individuals who were not on the SDN List but whom Transunion identified as such, resulting in adverse credit decisions for these individuals.

The class action lawsuit was based on a number of related violations of the federal Fair Credit Reporting Act and a similar California statute. Among the violations at issue were the provisions of section 1681(e) which requires credit bureaus to “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” The Third Circuit in Cortez v. Trans Union, 617 F.3d 688 (3d Cir. 2010), previously rejected Transunion’s efforts in that case to make the implausible argument that the SDN List information it supplied with respect to credit applicants was not part of their credit report.

In the current case, the complaint details the experience of one of the representative plaintiffs with Transunion’s OFAC reporting. That plaintiff, named Sergio L. Ramirez, had a car loan denied because his name was similar to two entries on the SDN List, namely, Sergio Humberto Ramirez Aguirre and Sergio Alberto Cedulo Ramirez Rivera. Not only were the names different, but also the birthdate for Plaintiff Ramirez, which Transunion had in its file on the plaintiff, was different from the birthdates listed in the entries for the two aforementioned SDNs.

OFAC has issued guidance about the use of the SDN List by credit bureaus:

The text on the report should explain that the individual’s information is similar to the information of an individual on OFAC’s SDN list. It should not state that the information matches or that the credit applicant is in fact the individual on the SDN list unless the credit bureau has already verified that the person is indeed the SDN.

Even assuming that Transunion followed this guidance, which is not clear, it seems hard to justify transmitting the information to the car dealership when Transunion had information that clearly indicated the credit applicant was not either of the SDNs. It seems to me that credit bureaus can easily protect themselves from outcomes like the $60 million verdict by transmitting SDN information with a disclaimer but doing so only in cases where the credit bureau does not itself have information, such as birthdates, places of birth, etc., sufficient to resolve the potential hit.

Permalink Comments Off on Jury Award for $60 Million Entered Against Transunion over SDN List Reports

Bookmark and Share


Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Jun

28

OFAC Fines AIG for Drafting Error in Global Insurance Policies


Posted by at 10:40 am on June 28, 2017
Category: Cuba SanctionsEconomic SanctionsIran SanctionsSudan

IG Employees via http://www.aig.com/about-us [Fair Use]On Monday, the Office of Foreign Assets Control (“OFAC”) announced that insurance giant AIG had agreed to pay $148,698 to settle charges that it had insured 555 shipments involving Sudan, Iran and Cuba. Although some of the apparent violations involved single shipment policies to the sanctioned destinations or paying claims under global policies on shipments to those destinations, others involved simply accepting premiums under global insurance policies that were later used to cover shipments on which no claims were made to sanctioned destinations.

In November of last year, OFAC provided guidance on how global insurance policies should deal with U.S. economic sanctions

The best and most reliable approach for insuring global risks without violating U.S. sanctions law is to insert in global insurance policies an explicit exclusion for risks that would violate U.S. sanctions law. For example, the following standard exclusion clause is often used in open marine cargo policies to avoid OFAC compliance problems: “whenever coverage provided by this policy would be in violation of any U.S. economic or trade sanctions, such coverage shall be null and void.” The legal effect of this exclusion is to prevent the extension of a prohibited service (insurance or risk assumption) to sanctioned countries, entities or individuals. It essentially shifts the risk of loss for the underlying transaction back to the insured – the person more likely to have direct control over the economic activity giving rise to the contact with a sanctioned country, entity or individual. [11-16-07]

This is a sensible and reasonable policy with respect to global insurance policies. So, you must be assuming, AIG must have left the language cited above out of its global policies and that led to the fines. But you would be wrong. OFAC said this about the AIG global policies:

While a majority of the policies were issued with exclusionary clauses, most were too narrow in their scope and application to be effective.

And how were they “too narrow in their scope and application”? OFAC is not saying. Apparently, OFAC thinks it will be easier to fine other insurance companies later if it keeps secret the drafting errors in the global policies that made the exclusionary clauses in the AIG global policies “too narrow in their scope and application.” And what about those clauses other than most clauses that were too narrow?  Why was AIG being fined for shipments under policies where the exclusionary clauses were acceptable?

Worse yet, after staying mum on what was wrong with “most” of AIG’s exclusionary clauses beyond being “too narrow,” OFAC has the nerve to say this in its announcement:

This enforcement action highlights the important role that properly executed exclusionary clauses play in the global insurance industry’s efforts to comply with U.S. economic sanctions programs.

If “properly executed exclusionary clauses” are so gosh-darned important, then why on earth does OFAC refuse to give the insurance industry a single clue as to what exactly are  “properly executed exclusionary clauses” and what was wrong with “most” of the clauses in the AIG global policies? Did they leave out the word “void” from the recommended language? Did they just say “U.S. economic sanctions” instead of “U.S.economic or trade sanctions”?  How hard would it have been for the agency to say precisely and specifically what was wrong with AIG’s exclusionary clauses?  This just underscores the perception that OFAC is more interested in terrifying than regulating U.S. businesses.

Permalink Comments Off on OFAC Fines AIG for Drafting Error in Global Insurance Policies

Bookmark and Share


Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Jun

26

Vladimir Wants To See Your Source Code


Posted by at 4:08 pm on June 26, 2017
Category: BISEncryption

Vladimir Putin by Kremlin.ru [CC BY 3.0 (http://creativecommons.org/licenses/by/3.0)] via https://commons.wikimedia.org/wiki/File%3AVladimir_Putin_12019.jpg [cropped]According to this Reuters report, the Russians are demanding from U.S. companies the right to view source code of software that these companies wish to sell in Russia. The software at issue includes software with encryption capabilities, anti-virus software and firewalls. You don’t have to be a rocket (or computer) scientist to figure out why Vladimir and his spy master buddies want to look at such software. They are looking for vulnerabilities that would allow the Russians to continue to hack into U.S. networks and infrastructure. Surprisingly, Reuters suggests that some big names in U.S. software are actually complying.

That’s surprising because, as many readers probably know, handing over the source code of programs with encryption functionality to the Russian government requires a license from the Bureau of Industry and Security (“BIS”). Normally, I would expect BIS, at least for the moment, to grant such a license when hell freezes over or, as Vladimir himself might say, когда рак на горе свистнет (“when crawfish whistle in the mountains.”)

Here’s why a license is necessary. First, keep in mind that BIS controls the export of software with encryption functionality. This includes software that does not contain any encryption algorithms but calls those algorithms from an external source to perform the actual encryption. Although the language of the EAR is far from making it clear, BIS makes it quite clear here on its website:

Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.

Most programs, in fact, call encryption from the operating system. Some browsers, such as Firefox, incorporate their own encryption, and programs may utilize browser encryption when sending and retrieving date from the Internet. In any event, the vast majority of software has some encryption functionality either by using the operating system or native encryption in certain browsers.

Second, source code does not fall under EAR section 740.17(b)(1) and is not eligible for self-classification and export under License Exception ENC. Rather source code that is not publicly available falls under 740.17(b)(2)(i)(B). Items that fall within (b)(2), such as source code, can be exported thirty days after the filing of a classification report to “non-‘government end users’ located or headquartered in a country not listed in supplement no. 3.” See Section 740.17(b)(2)(i). As a result, license exception ENC does not authorize exports to government end-users outside Supplement 3 countries. As Russia is not a Supplement 3 country, a license is required to provide source code with encryption functionality to the government of Russia.

I have no way of knowing whether the U.S. companies that have let Vlad peek at their source code bothered with, or even knew of the requirement for, licenses.   And although not so long ago, BIS would probably have said “nyet” to any such license request, it is altogether possible that BIS is now saying “da” instead.   In any event, companies should think long and hard before spilling their source code for software with encryption functionality to the Russkis without getting a license from BIS first.

 

Permalink Comments Off on Vladimir Wants To See Your Source Code

Bookmark and Share


Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Jun

22

The Chewbacca Defense: Export Edition


Posted by at 5:26 pm on June 22, 2017
Category: Arms ExportCriminal PenaltiesDDTC

Human Cannonball by Laura LaRose [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/6shAzP [cropped and processed]The decision in United States v. Burden, decided back in November of 2016, is not breaking news, but as I’ve seen several commentaries on it recently, I thought I might weigh in.  The defendants in that case argued that they had not violated the Arms Export Control Act because — get this — ammunition magazines and grenade launcher mounts, according to the defendants, are not defense articles. The defendants argued that these items are not defense articles because they can also be used with airsoft guns.  Accordingly they claimed the magazine and mount are not defense articles as defined in section 120.4 of the International Traffic in Arms Regulations and no license was required for their export.   This is pretty much like arguing that cannons are not defense articles because you could use them in circuses to shoot people into trampoline nets.

For reasons that are not clear, this led the District Court to actually consider whether these items were defense articles or not as defined in section 120.4.  That section deals with commodity jurisdiction determinations and had no relevance to the case under consideration.  The question properly before the court was whether the grenade mounts and ammunition magazines are on the United States Munitions List (“USML”), not whether they are defense articles.

If the items are on the USML, they are by definition defense articles.   The very first sentence of the USML makes this crystal clear:

U.S. Munitions List. In this part, articles, services, and related technical data are designated as defense articles or defense services pursuant to sections 38 and 47(7) of the Arms Export Control Act.

This means that the only real question the court had to answer was whether the grenade mount and ammunition magazine were described in Category I(h) of the USML which covers “[c]omponents, parts, accessories and attachments” of firearms described in Category I, subparts (a) through (h). It doesn’t matter that these items can be used on airsoft or paintball guns any more than it matters that a cannon can be used in a circus act or a performance of the 1812 Overture. Certainly the magazine meets the definition of a component and the mount meets the definition of an attachment and that, pretty much, should have been the end of it.

Even so, the court decided that the items were defense articles not because they were on the USML but because an expert witness from DDTC said that they were defense articles. The expert in question was Robert Warren, formerly Division Chief of the Plans, Personnel, Programs, and Procedures Division of DDTC, an odd choice in comparison to, say, the division chief for the division that handles licensing for firearms.  In any event, the court noted that Warren testified that “a defense article as we termed it is anything that has a military significance or military application.”  And that, according to the court, settled the question as to whether the mount and the magazine were defense articles.

Of course, the idea that something is a defense article if it has a military application is the equally stupid mirror argument to the defendants’ nonsensical claim that something is not a defense article if it has a non-military use.  Under the standard articulated by Warren, a water canteen purchased at a camping store or a pair of camo pants purchased from a clothing store would be defense articles.

As noted above, there was no need for anyone to dive down this rabbit hole and figure whether the mount and the magazine were defense articles.  If they were described by Category I(h) as attachments and components of firearms then they were defense articles.  End of story.  No further proof as to whether they were defense articles was necessary.   And, given that the defendants did not appear to dispute that these items were components and attachments of firearms but only that they were defense articles, it is not unfair to accuse them of raising the fabled Chewbacca defense.

Photo Credit: Human Cannonball by Laura LaRose [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/6shAzP [cropped and processed]. Copyright 2009 Laura LaRose

Permalink Comments (1)

Bookmark and Share


Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Jun

20

Shedding Light on Gun Exports on the Dark Web


Posted by at 9:57 pm on June 20, 2017
Category: Arms ExportCriminal PenaltiesDDTC

Cobray M-11 Pistol via https://www.gunsamerica.com/UserImages/199/917418641/wm_md_10452136.jpg [Fair Use]
ABOVE: Cobray M-11 Pistol

Two geniuses in Georgia hit on what they must have imagined was the perfect crime: sell guns to foreigners anonymously on the dark web; get paid anonymously in Bitcoins; make a billion dollars; spend the rest of their lives watching extreme wrestling and tractor pulls on cable TV. Except, of course, what really happened means that their cable TV viewing options over the next few years are likely to be extremely limited.

Even if, as the dog in the famous cartoon tells the other dog, “on the Internet nobody knows you’re a dog” (or a gun smuggler), you can’t stay on the Internet forever. Not surprisingly, even though the two defendants tried to cloak themselves behind the dark web and supposedly anonymous cryptocurrency, they still had to leave their computers, buy the guns, take them to the post office and ship them to real people. And that, as they say, was all she wrote.

According to the indictment, the two defendants, Gerren Johnson and William Jackson, who used the pseudonyms CherryFlavor and CherryFlavor_2, first captured the attention of authorities when a 9mm pistol was “recovered” in the Netherlands from a buyer who said he bought the gun from dark web vendor named CherryFlavor. Shortly thereafter Australian customs recovered another pistol hidden in a karaoke machine (see, nothing ever good comes from karaoke), and the Australian buyer also identified his seller as CherryFlavor.

And here’s how the feds figured out who was hiding behind the CherryFlavor screen name: according to the indictment, Johnson bought an unusual gun, a Cobray Model M-11 Georgia Commemorative 9mm pistol from a dealer in Georgia. Two days later he posted the gun for sale on his dark web site. Now the feds had the link they needed: a non-virtual gun dealer making a real sale in the real world to a real person of a real gun that then shows up on CherryFlavor’s page. Game over.

The interesting thing is what Messrs. CherryFlavor are charged with in the indictment. The first count is operating an unregistered firearms business. The second and third counts are for exports of two guns in violation of the anti-smuggling statute, 18 U.S.C. 554, which forbids exports from the United States “contrary to any law or regulation of the United States.” Oddly, the law said to be violated was not the Arms Export Control Act but 18 U.S.C. § 922(e) which prohibits shipping a firearm without disclosing to the shipper that a firearm is being shipped.

So why aren’t the defendants charged with what appears to be a clear violation of the Arms Export Control Act? We know that prosecutors have argued, not very persuasively, that the knowledge requirement for violations of section 554 is just an intentional export without any requirement that the defendant knows the intentional export is in violation of law. But here, if the allegations of the indictment are true, the case that the defendants knew what they were doing is, as they say, a slam dunk. They sold guns to foreign customers using pseudonyms on the dark web in exchange for Bitcoins and sent the guns hidden in karaoke machines. Criminal intent does not get much clearer than that. My guess is that there is more going on here than Dumb and Dumber selling guns on the dark web. Charges like this suggest that the prosecutors have negotiated with the defendants in exchange for some broader cooperation. If that’s true, it will be interesting to see what happens next.

UPDATE:  Commenter “Name” makes a good point: because the case is in the 11th Circuit, the prosecution has to deal with a stricter intent requirement and has to show that the defendants knew that an export license was required.  See United States v. Macko, 994 F.2d 1526 (11th Cir. 1993).  The defendants’ concealment of the gun in a karaoke machine shows a knowledge of illegality but, perhaps, not necessarily a knowledge of a license requirement under the AECA.  It was for this reason, the commenter said, that the charge was under 18 U.S.C. § 554, which might not be subject to the stricter intent requirement.  Commenter “Name” used a VPN to conceal his/her identity and location, so I suspect this is a person who has some actual knowledge of why the government charged this case the way it did.

Permalink Comments (1)

Bookmark and Share


Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


« Previous posts | Next posts »