Responding to Cyber Risks and Defending Against Cyberattacks is a 24/7 Proposition in Today’s Corporate Environment. If Your Company is Under Attack, You Need to Engage Experienced Litigation Counsel Immediately.

Is your company at risk for a cyberattack? Are you prepared to defend against hackers and other intruders seeking access to your company’s and clients’ data? While these were questions that allowed for a certain amount of uncertainty a decade ago, in today’s world companies need to be resolutely prepared. If you do not take legal action immediately, proprietary data could be lost forever, and your company could be at risk for lawsuits from its customers, shareholders, and employees.

But, even with the most extensive and up-to-date security controls, companies are still subject to vulnerabilities. Hackers around the world are working endlessly to find new ways in, and they are succeeding. According to data from Juniper, total losses from cyberattacks exceeded $2 trillion in 2019; and, according to CPO Magazine, global spending on cybersecurity is estimated to climb to more than $10 billion annually over the next decade.

Corporate Crisis Management Consultants for Cybersecurity Breaches

If your company has suffered a cybersecurity breach, or if your company is under the constant threat of cyberattacks, we can help. We are a team of former federal agents and highly-experienced data security consultants who specialize in helping U.S. companies mitigate risk and avoid catastrophic losses. We work with companies across the country to help them implement effective cybersecurity protocols, and we help companies of all sizes and in all industries respond to cyberattacks targeting corporate, consumer, and government data.

Cyber threats can take many forms. They can target many different types of data, and they can come in many different shapes and sizes. At Corporate Investigation Consulting, our expertise extends to helping companies successfully defend against, respond to, and overcome threats including:

• Private Hackers – Whether working independently or for hire, private hackers can wreak havoc for companies by targeting their sensitive and proprietary data. We help our clients uncover intrusions, identify intruders, and respond quickly to mitigate any potential losses.
• Foreign Intrusions – Foreign intruders seeking to disrupt U.S. markets or gain access to data with national security implications have become an increasing concern in recent years. We have the technological tools and capabilities required to track foreign intrusions around the world.
• Corporate Espionage – Corporate spies seeking access to research and development (R&D) data and other proprietary information can compromise millions of dollars’ worth of investment in the blink of an eye. We help our clients uncover cases of corporate espionage and gather the evidence they need in order to pursue appropriate legal remedies.
• Third–Party Vendor Cybersecurity Risks – When outside interests gain access to your company’s data through third-party vendors, these vendors may ultimately hold legal responsibility, but the consequences for your company can still be substantial. We help our clients assess third-party vendors’ vulnerabilities and execute timely responses to mitigate corporate crises.
• Malware and Ransomware – Malware, ransomware, and other viruses can infect companies’ entire information technology (IT) infrastructures. If your company’s data (or third-party data in your company’s custody and control) is at risk, we can help you control this risk and implement the necessary cybersecurity protocols to prevent similar attacks in the future.

This is How We Help Companies Targeted in Cyberattacks

When engaged to advise companies targeted in cyberattacks, we offer comprehensive cybersecurity consulting services focused on both responding to the immediate threat and preventing similar attacks in the future. This includes assisting with matters such as:

1. Responding to Breaches of Corporate Cybersecurity

First and foremost, we will determine what is necessary to respond to the breach itself. Among the various questions we will seek to answer, the single most important question is: Do the intruders still have access? If they do, then immediate action is required, and our corporate crisis management team will do what is necessary to bring an end to the attack.

There are various other aspects to responding to a corporate data security breach as well. Once the threat has been neutralized, we will work diligently to answer questions such as: Who were the intruders? Why did they target your company specifically? How did they get in, and does the risk remain? Whether your company’s, your employees’, or your customers’ data has been compromised, you need to have a comprehensive understanding of the attack in order to move forward.

2. Assessing Data and Financial Loss Due to Cyberattacks

Once the risk is contained, we will shift our focus to assessing your company’s losses—current and future. This will begin with gaining a comprehensive understanding of the data that were compromised. Utilizing state-of-the-art forensic investigative tools and tactics, we can determine where the intruders went, how deep they went, and what they took when they left.

When assessing the impact of a cyberattack, it is necessary to look beyond the compromised information itself. If the hackers stole proprietary information about products in your company’s pipeline, the information itself could be worth millions, but the market impact of competing against your company’s own R&D could be far greater. Are the intruders capable of using this information themselves, or will they most likely try to sell it to a third party? How usable is the information in its current form for experts outside of your company’s walls? In order to fully assess your company’s financial risk, these are the types of questions you need to ask and answer.

If the cyberattack targeted employee or customer data, then the analysis is different but no less important. Not only must your company assess the costs of remediation, but it must assess its litigation risk as well. We can examine all of the circumstances surrounding the breach to determine what information was accessed, and we can provide you with a detailed report of the affected employees or customers. We can also help you understand the implications for these individuals—and the resultant implications for your company as well.

3. Handling Data Breach Notifications and Other Compliance Issues

For cyberattacks that result in theft of credit information, health information, or other consumer data, companies will generally have obligations under federal breach notification laws. In these circumstances, breach notification compliance is imperative, as non-compliance can lead to federal enforcement action and also increase companies’ exposure to liability in civil litigation. Our consultants have extensive experience in this area, and we can assist in all aspects of breach notification compliance, from communicating with federal authorities to crafting appropriate notification language and managing the notification process.

Additionally, public companies that suffer losses due to cyberattacks may have disclosure obligations, and failure to make the requisite public filings could lead to costly enforcement action by the U.S. Securities and Exchange Commission (SEC). Our consultants are experienced in this area as well, and we can assist you in making informed decisions about if, when, and how to report losses from cyberattacks.

4. Addressing Cybersecurity Vulnerabilities

Concurrently with assessing and mitigating the risks arising out of the attack, our consulting team will also assist your company’s IT department in addressing any and all outstanding cybersecurity vulnerabilities. This begins with a comprehensive data security threat assessment, and it culminates with assisting in the implementation of our data security recommendations. While the attackers may have targeted a particular vulnerability, this does not necessarily mean that other vulnerabilities do not exist. In order to adequately protect all sensitive and proprietary data, your company’s security protocols need to be fully comprehensive. We can ensure that they are.

5. Monitoring for Additional Threats and Losses

Due to the ongoing risk of cyberattacks, companies must continuously monitor the effectiveness of their cybersecurity measures. As threats morph and new tactics are uncovered, companies must continue to update their cybersecurity protocols as well. We provide our clients with ongoing cyberattack monitoring services, and we provide recommendations for when upgrades and additional data security measures are necessary.

We also provide ongoing monitoring services to assess continued risks arising out of prior data security breaches. For example, if the intruders stole R&D data, we can monitor the marketplace for signs of the data being used. We provide the same services for cybersecurity incidents involving theft of software code, recipes, customer lists, business strategies, and other types of information with commercial value as well. Bad actors know that their activities are likely to be monitored in the immediate aftermath of a cyberattack, and they also know that most companies do not continue their monitoring efforts long-term. So, they wait. When they decide to act, your company needs to be prepared to act as well.

Contact Us to Learn More about Our Cyber Risk and Defense Services

We provide cyber risk and defense consulting services to companies nationwide, and the former federal agents on our corporate crisis management team bring decades of high-level experience to helping our clients make informed, strategic, and timely decisions in the wake of cyberattacks. If you would like to learn more about our cyber risk and defense practice, we encourage you to get in touch.

To discuss your company’s situation with one of our former federal agents in confidence, call 214-692-2171 or tell us how we can help online today. We are available 24/7.

When a Breach of Fiduciary Duty Threatens Your Company or Results in the Loss of a Business Opportunity, You Must Be Prepared to Take Swift Legal Action in Order to Protect Your Business.

In the corporate realm, risks lie in many different places. This includes risks that lie within your company’s own internal structure. Among these internal risks, perhaps no risk has the potential for a greater overall impact than the risk of a breach of fiduciary duty by an officer, director, or employee. If a breach of fiduciary duty is threatening your business’s operations or profitability, you may need to take legal action immediately in order to prevent unnecessary losses.

Corporate insiders owe fiduciary duties to their companies. These duties take two primary forms: (i) the duty of care, and (ii) the duty of loyalty. A breach of either duty can have significant immediate and long-term ramifications, and companies that fail to react appropriately can face substantial losses that could – and should – have been avoided.

Uncovering, Remedying, and Preventing Corporate Breaches of Fiduciary Duties

At Corporate Investigation Consulting, we help companies respond to breaches of fiduciary duties the right way. We do this by uncovering evidence of the breach through a forensic investigation, advising our clients with regard to appropriate courses of action once a breach has been uncovered, and assisting our clients with the implementation of policies and procedures designed to prevent future breaches. With a team comprised of former senior officials with the Federal Bureau of Investigation (FBI) and other federal agencies, we bring unique skills and insights to the table, and we offer unparalleled commitment and diligence when it comes to protecting our clients.

Has Your Company Experienced a Breach of Fiduciary Duty?

What Constitutes a Fiduciary Breach?

The concept of fiduciary breach is commonly misconstrued. For example, many people assume that a fiduciary preach implies an element of intent—a nefarious attempt to profit privately at the company’s expense. While this is certainly one type of fiduciary breach, these breaches can take various other forms as well. As a result, when investigating the loss of a corporate opportunity or any other apparent result of internal wrongdoing, it is first necessary to understand all of the various types of misconduct that must be scrutinized during the company’s internal investigation.

As we mentioned above, broadly speaking, fiduciary breaches come in two forms:

• Breach of the Duty of Care – The duty of care obligates corporate insiders (i.e. executives, board members, and certain other employees) to make thoughtful and informed decisions with regard to matters of corporate importance by actively participating in the decision-making process.
• Breach of the Duty of Loyalty – The duty of loyalty requires corporate insiders to always act in the corporation’s best interests, and to never put their own personal interests ahead of the company’s or its shareholders’ when it comes to pursuing (or choosing not to pursue) corporate opportunities.

As you can see, neither the duty of care nor the duty of loyalty expressly incorporates an element of intent. When assessing potential fiduciary breaches, and when taking remedial action in response to a fiduciary breach, it is imperative to keep this factor in mind. While intentional breaches absolutely require a particular type of response, companies must be prepared to respond appropriately to all types of fiduciary breaches. Not only could responding appropriately be crucial to protecting corporate opportunities and limiting the company’s litigation exposure with respect to its day-to-day operations, but it could be crucial to mitigating the company’s risk of federal enforcement action, shareholder derivative litigation, and other similar types of threats as well.

How Can Your Company Uncover (and Prevent) Fiduciary Breaches?

In order to uncover breaches of the duty of care and the duty of loyalty, companies must be prepared to act at the first sign of a potential breach. At Corporate Investigation Consulting, our former federal agents specialize in conducting covert, comprehensive, and productive investigations diligently and cost-effectively. If your company is facing a loss or threat as the result of an apparent breach, our former federal agents can get to work immediately, and we can quickly gather the intelligence you need in order to begin making informed decisions in your company’s and shareholders’ best interests.

In matters involving breaches (or potential breaches) of executives’, board members’, and internal personnel’s fiduciary duties, our services include:

1. Investigation

With our corporate crisis management team lead by retired Supervisory Special Agents with the FBI, we excel in conducting effective internal investigations to uncover evidence of fiduciary breaches. This includes evidence of both unintentional breaches of the duty of care and malicious and self-interested breaches of the duty of loyalty. We can conduct our investigation covertly to ensure that those who are under investigation remain unaware, and we can deliver actionable intelligence so that your company’s leadership (who were not involved in the breach) can make strategic and informed decisions.

2. Threat Assessment

Once we uncover the breach, we can assess its potential consequences. The consequences of a fiduciary breach can vary greatly depending on the specific nature of the issue at hand, and quickly gaining a clear picture of the risks your company is facing is crucial to executing an appropriate response. Our former federal agents will examine all potential threats, and we will provide your company’s leadership with a comprehensive threat assessment that is tailored to the specifics of the breach and your company’s commercial operations.

3. Response Evaluation

Armed with a clear understanding of the breach and threats it presents, we can then consult with your company’s leadership and legal counsel with regard to possible responses. While the company’s response must be carefully measured, it must also be executed quickly. The former FBI agents on our corporate crisis management team have extensive experience dealing with corporate white-collar matters, and we can leverage this experience to help you make the right decision at the right time.

4. Response Execution

When responding to a breach of fiduciary duty, the response must be flawless in its execution. We take a systematic approach to helping our clients respond to corporate crises, and we rely on strategies that have been proven over decades of relevant experience. From taking appropriate disciplinary action to documenting the entire effort in order to show regulators and shareholders that your company’s response was both adequate and legally-compliant, we can ensure that your company’s response serves to protect it rather than enhancing its exposure in subsequent litigation.

5. Risk Mitigation

When responding to a breach of fiduciary duty, it is important not to limit your company’s response to the breach itself. Your company must undertake adequate measures to prevent future fiduciary breaches as well. In addition to consulting with our clients with regard to corporate crisis management, we also help our clients develop and implement effective risk mitigation programs designed to avoid future crises through training, security controls, and other means of proactive protection.

External Breaches of Fiduciary Duties: Attorneys, Accountants, and Other Agents

Fiduciary breaches can also arise externally. Possible fiduciary breaches involving attorneys, accountants, and other agents require a different approach, as less information may be available through the company’s internal information technology (IT) and recordkeeping systems. At Corporate Investigation Consulting, we are equally adept at conducting internal and external fiduciary breach investigations, and our former federal agents can work with your company’s legal counsel as necessary in order to secure the evidence required to take appropriate responsive action.

We provide assistance with all types of internal and external breaches of the duty of care and the duty of loyalty. This includes instances of:

• Misappropriation of business opportunities
• Conflict-of-interest transactions
• Instances of self-dealing
• Negligent or grossly-negligent decision making at the executive leadership or board level
• Failure to act in the company’s or shareholders’ best interests

This list is by no means exhaustive. Breaches of the duty of care and the duty of loyalty can take many different forms; and, if you have any concerns about a possible fiduciary breach, we encourage you to speak with one of our former federal agents immediately.

In many cases, fiduciary breaches will involve other wrongs as well. If your company needs to build a case against an insider, an outside advisor, or another party to a fraudulent transaction, our former federal agents can work with your company’s counsel to gather evidence in support of all additional causes of action – from breaches of confidentiality and non-solicitation covenants to intellectual property (IP) infringement. Ultimately, you need to do what is necessary to protect your company’s best interests and the best interests of its shareholders. At Corporate Investigation Consulting, we can provide you with the intelligence and insights you need in order to do so.

Contact the Corporate Crisis Management Team at Corporate Investigation Consulting

Is your company facing the loss of a business opportunity or relationship, or any other financial harm, as the result of a breach of fiduciary duty? If so, you can trust the corporate crisis management team at Corporate Investigation Consulting to help you protect your company and its shareholders to the fullest extent possible. To discuss your company’s situation with one of our former federal agents in confidence, call 214-692-2171 or tell us how we can help online now.

What Do Pharmacy Owners and Prescribers Need to Know about DEA Drug Diversion Investigations?

An Interview with Former Assistant U.S. Attorney Joanne Fine DeLena and Department of Justice (DOJ) Special Agent Roger Bach

Combatting the illicit diversion of prescription medications has long been a top priority of the U.S. Drug Enforcement Administration (DEA), among other federal agencies. In order to fight the problem at its source (or one of its sources), the DEA targets pharmacies and other providers suspected of facilitating diversion in invasive and high-stakes investigations.

As a pharmacy owner, pharmacist, or prescriber, making informed decisions is crucial to avoiding unwanted scrutiny. Here, former Assistant U.S. Attorney Joanne Fine DeLena and Department of Justice (DOJ) Special Agent Roger Bach answer some important questions about the risks providers face in DEA investigations:

Regarding Priorities in DEA Drug Diversion Investigations:

Q: Is there is a heavy focus on codeine?

Mr. Bach: Yes, due to the fact that codeine is the most-abused prescription controlled substance. Codeine is found in prescribed cough syrups such as Promethazine with Codeine, and these types of medicines are both easily diverted and easily abused.

Q: What are “cocktail” drugs?

Mr. Bach: In Texas, the “Houston cocktail” as it’s known, is a combination of hydrocodone 10/325 taken with Alprazolam 2mg (Xanax-for anxiety) and Carisoprodol 350mg (Soma-muscle relaxer). It gives the user a heroin-type high. These cocktail drugs are prime candidates for diversion as well, and this means that they are also high on the DEA’s radar.

Q: What about oxycodone?

Mr. Bach: Oxycodone is another highly-addictive substance often prescribed in 30mg doses. Due to its addictiveness, oxycodone is a common target in DEA diversion investigations.

Q: What role do pharmacists play in preventing diversion of prescription medications?

Mr. Bach: The pharmacist’s role is extremely important, as the failure to ensure that a prescription is valid can lead to the unauthorized distribution, or diversion, of controlled substances. Due to pharmacists’ central role in both facilitating and preventing diversion, the DEA sets high expectations for pharmacy compliance.

Q: Are electronic prescriptions always secure (and therefore not a concern when it comes to diversion prevention)?

Mr. Bach: No. An office worker can easily obtain a doctor’s assigned E-Scrip number and then use it to issue false prescriptions.

Q: What else does DEA look for when investigating pharmacies in connection with possible allegations of drug diversion?

Mr. Bach: Pill mills, as they are known, will have very few over-the-counter products on their shelves. Clusters of customers who arrive staggered with one another but seem to know each other will also be viewed as potentially indicative of a pharmacy facilitating a drug diversion scheme, as will multiple out-of-state license plates (particularly from the same state) in the pharmacy’s parking lot. These are just a few of numerous types of circumstantial evidence that the DEA may consider in deciding whether a pharmacy appears to be engaged in illegal drug diversion.

Regarding Recent Examples of DEA Drug Diversion Investigations:

Q: Can you give an example of a recent DEA investigation of a pharmacy involving allegations of drug diversion?

Mr. Bach: In one recent case, the DEA audited an independent pharmacy and determined that the pharmacy failed to maintain complete and accurate records regarding Hydrocodone/APAP10/325mg, Oxycodone 30mg and Alprazolam 2mg. Of course, given the known potentially-fatal and often inappropriately0prescribed combination of these controlled substances, there were suspicions of possible diversion through the pharmacy.

Title 21 of the United States Code (which is known as the Controlled Substances Act), Section 827(a)(3) and Title 21 of the Code of Federal Regulation (which, in part, controls DEA Registrants) Section 1304.21(a) require every DEA registrant to maintain complete and accurate records of all controlled substances that are “manufactured, imported, received, sold, delivered, exported, or otherwise disposed of” through the registrant. As it relates to pharmacies, this record-keeping regulation is important for purposes of identifying either miscounting or improper packaging of prescriptions filled for patients or theft of controlled substances internally or by outside parties.

In this particular investigation, the pharmacy also failed to maintain separately required records for Schedule 2 and Schedule 3-5 controlled substances in violation of 21 USC §827(a)(3) and CRF §1304.04(h)(1), which require inventories and records of all controlled substances listed in Schedule 1 and 2 to be kept separate from the pharmacy’s other records. The same is required of Schedule 3, 4, and 5 controlled substances. Under all circumstances, all records are to be immediately retrievable by DEA during any inspection.

During a subsequent audit of the same pharmacy, the DEA determined that the pharmacy had failed to comply with the warning it received following the prior audit, and the DEA requested that the pharmacist surrender his DEA registration. A surrender of registration means that a pharmacist can no longer fill prescriptions, even if the pharmacist maintains his or her state-required license. Instead of surrendering his registration, and before proceeding with an administrative hearing on the matter, the pharmacist retained the services of Corporate Investigation Consulting. Through an independent review conducted by a former DEA Diversion Investigator working with Corporate Investigation Consulting, an error in DEA’s original calculations was discovered and it was confirmed that the pharmacy had properly accounted for all controlled substances.

Q: Can you provide an example of a recent criminal case involving prescription drug diversion and healthcare fraud?

Ms. DeLena: In May of this year, multiple individuals who were charged in a large-scale conspiracy pled guilty to perpetrating a prescription drug billing scheme in which a pharmacy owned by some of the defendants billed for medically-unnecessary prescription drugs. The pharmacy paid prescribers to write prescriptions for without proof of medical necessity. The pharmacy’s owners, pharmacy employees, and medical practitioners were all charged with healthcare fraud and conspiracy to pay kickbacks for their involvement in the scheme. This type of case is not unique and the DEA routinely investigates similar types of cases throughout the country.

Q: Given the decrease in opioid overdose deaths, are there still as many investigations into opioid manufacturers and distributors?

Ms. DeLena: Yes. As recent as June 2020, the United States entered into a settlement agreement with Omnicare Inc., a subsidiary of CVS Health, for Omnicare’s failure to prevent opioids and other controlled substances from being distributed without a valid prescription. Omnicare is a “closed-door” pharmacy, servicing clients such as nursing homes and long-term care facilities. Omnicare paid $15.3 million to the United States as a civil penalty.

Q: With fentanyl being illicitly manufactured outside the United States, how does this impact DEA diversion investigations?

Ms. DeLena: Despite illicitly-manufactured fentanyl coming from outside of the United States, the DEA is still able to fully investigate cases of involving this dangerous drug. Addicts and drug traffickers are seeking other controlled substances to take (or sell) with the fentanyl to make a “cocktail” of an opioid and benzodiazepine (such as Xanax, Valium, Ativan, or Klonopin) or carisoprodol (muscle relaxers) and stimulants (such as Adderall or Ritalin). Investigations targeting DEA registrants are focusing on the diversion of these “cocktail” drugs for use in combination with fentanyl.

Regarding “Red Flags” for DEA Drug Diversion Investigators:

Q: Do pharmacies and other providers need to be cautious about accepting cash payments for prescription drugs?

Mr. Bach: Yes. The DEA views cash purchases a red flag for diversion, particularly if a pharmacy processes a high volume of cash transactions.

Q: What are some other “red flags” that might raise questions during an investigation of a DEA registrant?

Ms. DeLena: A medical practice that does not have sinks to wash hands in medical examination rooms, that is missing basic medical equipment (i.e. scales, stethoscopes, tables, or sterilization materials), or that has equipment that is not working properly will be at risk during a DEA investigation. Not accepting insurance, having an unusually large number of people waiting for appointments, serving patients from out of state, and booking appointments in 5 to 10-minute increments are “red flags” as well.

Doctors frequently prescribing the same types of medicines in the same dosage levels and quantities can also be problematic. Generally speaking, there are a number of factors that, considered in isolation, might not suggest criminal conduct, but when pieced together can built a strong case for criminal culpability.

Regarding Other Federal Agencies’ Efforts to Combat Prescription Drug Diversion:

Q: How are the Centers for Medicare and Medicaid Services (CMS) supporting the federal government’s efforts to combat opioid addiction and prevent medical providers from inappropriately prescribing opioids to their patients?

Ms. DeLena: CMS has established the Medicare Part D Overutilization Monitoring System (OMS) to monitor the implementation of drug utilization management efforts designed to prevent the over-prescription of commonly-diverted medications. The information gathered from this database is frequently utilized in determining the direction of criminal diversion investigations.

Q: What are other federal agencies doing to investigate criminal acts by medical practitioners?

Ms. DeLena: In addition to the DEA and CMS, the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) is working with the U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI), and State Medicaid fraud control units (MFCUs) to conduct healthcare fraud investigations and enforcement efforts.

Regarding Drug Diversion Compliance for Pharmacies:

Q: What do the DEA and other federal authorities expect pharmacies to do in order to ensure prescriptions are legitimate?

Ms. DeLena: Pharmacists are bound by the requirements of their DEA registrations and state licenses, and they have a corresponding obligation to ensure that the prescriptions with which they are presented are legitimate. As a result, pharmacies need to check each prescription as it comes in for accuracy, and they must contact the prescribing doctor to confirm the legitimacy of a prescription. While pharmacists are not expected to know how diagnostic decisions are made, they do know the drugs that are prescribed, and they should know when prescriptions presented appear to be suspect.

Pharmacists must also report the prescriptions they fill in their respective state-run Prescription Drug Monitoring Programs (PDMP). Currently, 49 states, the District of Columbia, and Puerto Rico have PDMPs, and most states’ systems allow for the sharing of information across state lines. In the event a pharmacist sees that a patient has filled a similar prescription issued by another doctor within a narrow window of time, the pharmacist has an obligation to act and should decline to fill the prescription, contact the issuing prescriber, and/or report the matter to DEA. More information is available in the “Statement of Robert W. Patterson, Acting Administrator Drug Enforcement Administration Before the Subcommittee on Oversight and Investigations Committee on Energy and Commerce U.S. House of Representatives, for a Hearing Entitled ‘The Drug Enforcement Administration’s Role in Combating the Opioid Epidemic,’” available from the DEA.

Q: What else should pharmacies do to validate prescriptions?

Mr. Bach: There are several steps that pharmacists should take in order to validate prescriptions prior to dispensing medications. This is true in general, but it is especially important with respect to opioids, “cocktail” drugs, and other drugs that are frequently diverted. Additional steps pharmacists should take to validate prescriptions include:

• Determine if the prescribing doctor is still practicing;
• Check with the appropriate state medical board to verify the doctor’s DEA number; and,
• Call the doctor’s office to confirm the prescription using the office’s publicly-listed number (not the number on the prescription, as this number might have been altered).

Q: What is the SUPPORT (Substance Use-Disorder Prevention that Promotes Opioid Recover and Treatment) for Patients and Communities Act (the “Act”), and how does it affect law enforcement investigations targeting prescription drug diversion?

Ms. DeLena: Enacted in October 2018, the Act’s purpose is to address the opioid crisis in the United States. It imposed a deadline on the federal government to create a centralized database for reporting suspicious orders of controlled substances by DEA registrants, and it allows information to flow more freely between registrants, the DEA, and state and local law enforcement authorities. Additionally, under the Act, all DEA registrants (including pharmacies, manufacturers and distributors of controlled substances) must report suspicious orders of controlled substances.

More information is available in the “Statement of Thomas W. Prevoznik Deputy Assistant Administrator Diversion Control Division Drug Enforcement Administration U.S. Department of Justice Before the Subcommittee on Health House Committee on Energy and Commerce U.S. House of Representatives At a Hearing Entitled ‘Combatting an Epidemic: Legislation to Help Patients with Substance Use Disorders’” given on March 3, 2020, available from the DEA.

Contact Corporate Investigation Consulting for More Information

Do you have more-specific questions about DEA compliance or the risks of facing a DEA investigation? If so, we encourage you to get in touch. To speak with Mr. Bach or any of our other former federal agents in confidence, call us at (866) 352-9324 to arrange a free and confidential consultation today.

What Kind Of Investigations Can We Expect As A Result Of The Coronavirus?

Anytime the government pays out billions of dollars in cash as a bailout, you can expect significant criminal investigations for many years thereafter focused on the fraudulent use and receipt of those funds. A recent example is the TARP Program – the $700 billion bailout of the financial industry and troubled homeowners after the market crash in 2007-2008. As a result of that bailout, the Department of the Treasury, by and through a Special Inspector General, was assigned federal agents to conduct criminal investigations and sent hundreds of bankers and homeowners to federal prison for the misuse of those funds. The current crises dwarfs the TARP Program with more than $1.8 trillion already authorized for disbursement under the CARES Act, including the expansion of unemployment benefits, direct payments to citizens, and more than $500 billion for corporations. Funds going to small businesses through the Paycheck Protection Program, administered through the Small Business Administration, are going to attract significant attention of federal investigators. This is particularly so because those funds were disbursed by SBA lenders prior to the issuance of clear guidance and definitions, which was confusing and changed over the course of several weeks. Small businesses, particularly if they received more than $2 million through the PPP, can expect to see a significant number of federal investigations and are wisely advised to consult with counsel to carefully review the propriety of the receipt and disbursement of those funds.

What Are The Most Recent Trends In Government Investigations?

After the 2001 terrorist attacks in the United States, the Federal Bureau of Investigation (FBI) shifted most of its assets to terrorism cases. Recently, the FBI has begun to allocate more resources to traditional criminal activity, particularly public corruption and corporate fraud and misappropriation of assets. Other regulatory and investigative authorities have also stepped up enforcement activities. The Securities and Exchange Commission (SEC) has increased its technological capabilities and is now more aggressively pursuing corporations for fraudulent financial reporting and individuals suspected of insider trading. The Consumer Financial Protection Bureau (CFPB), created in the wake of the 2007/2008 market crash has traditionally focused on cases against financial institutions and will now, due to the Corona virus, once again revisit mortgage relief programs offered by financial institutions, as well as consumer fraud. Federal banking regulators, including the OCC, NCUA and the FDIC, are currently grappling with the legalized marijuana industry and the fact that hundreds of banks and credit unions are now openly banking marijuana – presumably a money laundering violation.

Are Investigations Into Healthcare Fraud Still Prevalent?

Healthcare fraud investigations involving any of the federally funded benefit programs to include Medicare, Medicaid and Tricare continue to be at the top of the list priority-wise for the government. Healthcare fraud continues to be one of the biggest monetary theft schemes in the country. In 2019 alone, the federal government recouped over $2.6 billion in illegal gains from various healthcare fraud schemes.

What’S New In Private Litigation?

Sexual harassment and hostile workplace litigation remain hot topics and the cause of significant changes in the compliance environment of most large companies. Sometimes these changes only increase the chance of complaints and litigation. Sexual harassment litigation has become a national topic due to celebrity backed social movements and a result of such movements, more individuals are feeling comfortable to speak up regarding alleged harassment and misconduct.

What Can We Expect Regarding Investigations Dealing With Emerging Technologies?

Although there have been significant recent privacy violations, including data breaches, by large corporations (and even some government agencies), courts have not significantly recognized plaintiff’s non-pecuniary losses. Notwithstanding such decisions, government agencies (including the FTC and CFPB) have demonstrated a commitment to pursue corporations responsible for the privacy violations for substantial financial penalties. Anytime there is a new trend in technology, whether it be a tech startup firm introducing a new “app” or a corporation rebuilding its internal software, data privacy is always a concern. New technologies utilizing consumer data and information can draw scrutiny from enforcement agencies for their abilities, or lack thereof to conform to state and federal privacy laws.

What Is Going On With These “Fake News” Investigations?

The concept of “fake news” first became a journalistic buzzword in 2017 and has been a hot topic ever since. Even President Donald Trump has been a harsh critic of fake news outlets. With the ongoing coronavirus crisis, the country has seen a surge of fake news stories and even more dangerous, fake news surrounding cures for the coronavirus. While most fake news stories often get swept under the rug because they don’t deal with important issues, the coronavirus fake news has spurred a wealth of criminal investigations. Individuals claiming to have treatments or cures for the virus (without any scientific or medical background) face potential fines and prison time for their purposeful dissemination of false information.

Should Our Company’s Attorney Handle The Investigation?

Commonly, companies initially decide to allow corporate insiders, e.g.., the general counsel, to conduct an internal investigation. In most cases, this is not the ideal solution. Corporate investigations can consume significant resources, diverting those insiders from their normal professional responsibilities within the company. Further, most investigations have regulatory and law enforcement implications, with exposure to administrative, civil and even criminal penalties. Although your corporate insiders may have some familiarity with regulatory and law enforcement investigations, outside experts with extensive experience in these matters is more appropriate. Generally, insiders that conduct internal investigations will not meet the expectations of government investigators. A former federal prosecutor with former federal agents and regulators on staff in addition to forensic accountants would be in a much better position to satisfy government expectations, convince the government of the company’s commitment to cooperation but, at the same time, best prepare to defend the company should the government decide to take action.

What Precautions Do We Need To Take In Interviewing Employees?

Generally, employees have no choice but to agree to be interviewed because, in most cases, they can be terminated for refusing to cooperate. Recent court decisions indicate a shifting legal landscape with respect to employee interviews. Attorneys conducting employee interviews are now on notice that they should carefully inform the employee that the attorney does not represent the employee and in fact represents the company. The employee should be further advised that the company may voluntarily provide information learned during the interview to government authorities, or that it may be required to. These warnings are best provided in writing and signed by the employee being interviewed. Lastly, attorneys conducting the investigation must be careful to protect the independence of the interview from any government investigations. That is, the attorney conducting the interviews should be careful to ensure that he/she is not conducting the employee interview at the request of the government only to immediately provide the government with the results of the interview.

What Is A Common Mistake In Conducting An Internal Investigation?

A significant yet all too common mistake is failing to adequately formulate the scope of the investigation. The internal investigation must be designed to accomplish two primary goals. First, thoroughly investigate the conduct at issue and formulate a remedial plan. Second, identify and mitigate the corporation’s exposure to liability, primarily through a comprehensive look at the environment that allowed the conduct at issue to occur and/or remain undetected. Questions to bring within the scope of the investigation include:

• Was the act in question an isolated incident or is it part of a pattern of other similar acts?
  • Was the pattern of unlawful conduct commonly known of by employees?
  • Were senior managers and officers aware of the conduct but ignored or even encouraged it?
  • Does the company have a compliance program that should have identified and prevented the conduct?
  • Has the company been the subject of examinations or audits (internal or external) that previously identified or warned about lack of controls that could lead to the unlawful conduct?
  • Has the company received prior complaints about the conduct but failed to diligently address them?
  • If there is no direct knowledge of the conduct, were there red flags identified but ignored by the company?
  • Does the company have an adequate training program that addresses the conduct at issue?
  • Did the company make a significant amount of money or advantage through the unlawful conduct?
  • Did any managers of officers of the company receive increased compensation as a result of the unlawful conduct?

How Can I Contain Costs?

Internal investigations can consume significant resources, particularly when paired with discovery obligations in private or government litigation or investigation environments. Further exposure to significant financial penalties or judgments only add to that burden. The prudent course of action is to estimate the costs of the investigation as well as any potential financial penalties and immediately prepare a budget to absorb those expected expenditures. The sooner funds can be set aside for possible future costs and financial penalties the better because the company can benefit from making quarterly allocations while typically long-term investigations play out. At the same time, the use of outside experts who are very familiar and experienced in the particular issue you are confronting can save significant time and money. No one wants to pay money for yet more consultants but, in the long run, an experienced group of experts can more effectively conduct the investigation and, in the long-term , reduce if not avoid significant financial penalties.

Should We Cooperate With The Government?

Cooperation with a government investigation should not be interpreted as waiving all rights and throwing open the doors to the company, even if the company believes it has nothing to hide. As an initial matter, the company must fully and timely comply with all lawfully-issued government orders, including subpoenas.

Any other efforts by the company to work cooperatively with the government are purely voluntary, so what can be achieved by cooperating? Generally, whether or not a company cooperated with a government investigation will be a very significant factor for the prosecutor to consider in deciding how to resolve the investigation. That is, assuming wrongful and harmful conduct was discovered by the government, in addition to holding individuals responsible for their conduct, should the government file criminal charges against the company and, if so, what charges? or should the government consider entering into a settlement agreement with the company or perhaps not prosecuting the company at all? Whether or not the company cooperated with the government and the extent of that cooperation can be a very significant factor in answering that question.

Should We Self-Disclose To The Government?

It is exceedingly difficult for any company to decide whether or not to disclose to the government illegal activity uncovered through an internal corporate investigation. After all, corporations can be held criminally liable for the acts of employees and the resulting financial penalties can be severe. However, recent policy changes by the Department of Justice indicate that self-disclosure may in fact completely alleviate the company from liability. What started as a policy the Department enacted with respect to Foreign Corrupt Practices Act (FCPA) violations, has now been informally adopted throughout the Department. The policy, entitled “FCPA Corporate Enforcement Policy,” is designed to encourage voluntary self-disclosure by offering a “presumption of declination” for companies that voluntarily self-disclose and fully cooperate and remediate (all three are required). The bottom line is that the Department wants to reward companies when self-disclosure and full cooperation allow prosecutors to gather evidence in a more timely and efficient manner and to take investigative steps they might not otherwise have been able to take against the individual wrongdoers.

What Can We Do To Proactively Offset Future Investigations?

No company can always have complete control over its officers and employees – individuals can engage in corporate wrongdoings without the knowledge of the company itself. However, to mitigate future risk of investigations, companies can take certain steps to protect themselves. A company should always have corporate compliance policies and procedures in place regarding applicable state and federal laws. All company officers and employees should undergo mandatory training on these policies and procedures. To be most effective, companies should use outside counsel experienced in the company’s industry to develop these polices and procedures. Outside counsel will have the best knowledge base surrounding applicable laws and regulations that the company needs to adhere to. The company should require mandatory compliance training every calendar year for its officers and employees. Yearly training ensures that the company is up to date on any relevant laws and regulations that may have changed.

How Vulnerable Is The Cloud To Cyber-Attacks, Especially As Companies Increasingly Use And Rely On Cloud Computing?

The cloud refers to a data server maintained by a cloud provider without the direct management of the user. Cloud storage is safe because it is located in places such as warehouses where workers generally do not access to and because files stored on the cloud are encrypted. Companies find it attractive to move critical applications to public clouds because it is viewed as more secure than on-premises storage. About 88% of companies are using public cloud infrastructure services in 2020.

Significantly, the Oracle and KPMG Cloud Threat Report 2020 reveals that while cloud adoption by companies continues to expand, the basics of cloud security are still not understood and cyber fraud is increasing. About 3/4 companies have experienced data loss from a cloud service more than once. Targeted and untargeted ransomware is a billion-dollar business for criminals who have recently turned their attention to the cloud and are focusing on companies that cannot operate without downtime such as healthcare industries and state and local governments. As more information and data are moved to the cloud, cybersecurity and protecting infrastructure will become critical.

Will Advances In Automation And Ai Help Or Hurt The Cybersecurity Of Companies?

Automation through the use of AI technologies is an appealing option for companies seeking to reduce the workload on understaffed teams, reduce the costs of human labor, save time, and overall accomplish more with less. It can also help companies manage risk and improve the quality of product and service development. At the same time, criminals leverage AI to perpetrate elaborate and complex cyber-attacks on companies and engage in cyber experimentation with malicious software.

AI is helping companies detect malware but constantly needs adjustments in order to avoid detecting too many false positives. Malwarebytes’s 2019 Report on AI notes that cybercriminals exploit this weakness by circumventing malware detection to make AI see its files as legitimate or by solving Captcha or creating more convincing spam. The cyber risks associated with using robotic process automation (“RPA”) include abuse of privileged access, disclosure of sensitive data, security vulnerabilities, and denial of service, according to EY’s Report on robotics and cyber-attacks. These risks are likely to continue in magnitude and intensity for the upcoming year.

What Is GDPR, Does It Apply To U.S. Companies, And What Are Its Compliance Obligations?

The General Data Protection Regulation (“GDPR”) is a regulation that addresses data protection and privacy in the European Union and the European Economic Area and governs the transfer of data outside of the EU and EEA. GDPR was passed in May 2016 and took effect in May 2018. The provisions are enforced by the national data protection authorities in the EU. The GDPR has extraterritorial application. It is applicable to companies who have a website in the United States and visitors from the European Union regardless of whether the goods or services are marketed in the EU. The GDPR places restrictions on how companies can collect and process consumers’ personal data and how consumers can limit company access to their personal data. If a company infringes a consumer’s information or a breach is not reported, companies could face significant fines and penalties.

Fines for GDPR violations include up to 10 million euros, or up to 2% of the undertaking’s entire global turnover of the preceding fiscal year, whichever is higher. In January 2019, Google was fined 50 million euros in accordance with the GDPR for lack of transparency and valid consent, and inadequate information given to consumers, and Marriot International, Inc. was fined more than 99 million euros under GDPR for data breach. As Facebook and other websites share consumer and company information, consumers rally for increased data protection laws. In the absence of federal regulation on data privacy, states have responded by recently enacting their own legislation on consumer privacy rights. For instance, the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020 and gives California residents the right to control the data that companies collect. In 2020, more states are expected to follow California’s lead and enact similar laws.

What Is “Deepfake” And How Do Cybercriminals Use It Against Consumers And Companies?

“Deepfake” refers to fake audio or video used by cyber criminals for illicit purposes. It generally entails swapping people’s faces and modifying audio to simulate another individual. These videos originated in 2017 and were commercially developed as mobile apps in 2018 and 2019. These apps allow users to swap faces with one another and impose their image on movie clips and supplement it with desired clothing and fashion. In March 2020, a video face swap app, Impressions, was created that allows the user to make high-quality face-swap videos.

Growing alongside their commercial and entertainment uses are “deepfake” video crimes. Cybercriminals use computer algorithms to create disruptions to industry sectors. For instance, “deepfake” videos can impersonate politicians or CEOs and entice people to transfer funds or otherwise steal millions of dollars from unwary consumers and companies. They can also interrupt the financial industry, media, and the 2020 elections. It is an elaborate yet highly convincing form of forgery and is becoming a major cybersecurity threat. “Deepfake” videos are likely to have a significant impact across various industry sectors as cybercriminals embrace its use for cybercrimes.

What Are The Cybersecurity Risks Associated With The Spread Of 5g/Advanced Wi-Fi Technology?

The new 5G technology touts improvements in speed and reliability for the user. Consumers and companies are already operating on 5G technology in many instances. To achieve the best connectivity for the user, smart phones will generally automatically switch from 5G to Wi-Fi. Specifically, wireless carriers of either 4G or 5G will sometimes switch to Wi-Fi networks for calls and data in high-density areas such as shopping centers and airports in order to save network bandwidth. When this happens, voice and data information is transferred to Wi-Fi access points in these public areas and to cell towers.

However, due to defects that occur during this transition, hackers can sometimes access voice and data of 5G cell phone devices. This trend is likely to increase in 2020 as cyber criminals find additional vulnerabilities in 5G technology, according to Cyber Magazine. Strategies such as utilizing a VPN or testing company Wi-Fi access points can prevent cyber-attacks and thefts that occur during these cellular to Wi-Fi shifts. Despite this, cyber criminals are also exploiting the time it takes for industries and locations to accumulate the investments needed to upgrade network infrastructures to 5G capacity.

Because Smart Contracts Are A New Method Of Engaging In Business Transactions, How Safe Is It For Consumers And Companies To Use Them?

Smart contracts are a relatively new form of contracting between consumers and companies. A smart contract is an agreement embedded in computer code, mutually agreed to by the parties, and stored on the blockchain. Once the pre-defined terms of the contract are satisfied, the smart contract is automatically enforced.

As cybercriminals turn to blockchain technology to perpetrate fraud, smart contracts have become highly attractive due to the ability of the parties to create the rules of the contract that are eventually transferred to the blockchain. Criminals prey on the lack of knowledge and regulations surrounding smart contracts and use sophisticated malware against consumers and companies to steal intellectual property, personal identifiable information, health records, and financial data, according to a Deloitte Report on Blockchain and Cybersecurity. In 2016, the DAO was hacked when a criminal exploited a programming mistake in the smart contract and stole over $50 million of the virtual currency, Ether. These vulnerabilities make it easy for cyber criminals to hack smart contracts and are likely to increase in 2020.

What is the Internet of Things (“IoT”)?

The Internet of Things (“IoT”) refers to a network of devices connected to the Internet that can collect and exchange data. Examples include electronic appliances, alarm clocks, speaker systems, and connected security systems. The Internet of Things has been applied in smart homes, cars, and even cities. While the IoTs is not a new topic and has been around since the late 1990s, its popularity by consumers and companies has increased in recent years due to advances in computing, blockchain, and various smart devices. However, the use of IoTs without having an adequate, private 5G network in place could put the company’s privacy and data at risk. A 2019 Report from F-Secure notes that cyber-attacks on IoT devices have tripled in the first half of 2019 alone.

The security of the IoT is only as secure as the particular IoT device. The problem is that there is a significant lack of awareness about which devices are included within the definition of IoT and, therefore, consumers and companies are unable to implement procedures to safeguard attacks on these devices. Cyber criminals readily develop new techniques to hack devices connected to an IoT network to steal sensitive consumer information and company intellectual property. Exploiting the weaknesses in 5G or hacking less well-known IoT devices is a common practice and is expected to increase.

Is It Necessary For Companies To Purchase Cyber Insurance?

Cyber insurance is becoming a popular means of company data protection, as data breaches increase in quantity and severity. The costs of a typical breach include replacing laptops, repairing databases, and strengthening internal controls. It also includes the loss of the company’s customer base as well as reputational losses. Traditional company insurance is no longer sufficient to cover such losses. Cyber insurance is frequently sought to compensate for potential data breaches.

According to the 2019 Travelers Risk Index, only 51% of companies are purchasing cyber insurance. This number is expected to rise substantially in 2020 as cyber-crimes increase. Companies are advised to explore cyber insurance coverage options. Many options exist such as First-Party Coverage, Worldwide Coverage, or Business Interruption Coverage. The best coverage for a company will depend on the nature of its business and the specific risks it faces.

How Significant Is The Cybersecurity Skills Gap And How Will This Affect Company-Implemented Cybersecurity Measures In 2020?

The advances in cybersecurity technologies have always lagged behind cyber-attacks and other system threats. As companies increasingly report a shortage of IT staff, the demand for enhanced cybersecurity professionals continues to exceed supply by far. The United States has a gap in cybersecurity professionals of about 500,000, and, if this trend continues, there will be 3.5 million unfilled cybersecurity jobs in the world by 2021. Companies report that this gap has severely decreased their security systems and makes their operations incredibly susceptible to cyber-attacks. This trend is unfortunately likely to continue and, by extension, exacerbate the severity and frequency of company cyber-attacks. Security Magazine predicts an additional 15% increase in the cybersecurity skills gap in 2020.

How Can Consumers And Companies Keep Up With Advances In Technology And Safeguard Data?

Despite the increase in cybersecurity risks, consumers and companies are encouraged to be proactive. The following list is representative of best strategies that can be undertaken to both prevent and combat cyber-attacks:

• Create and maintain a strong password combination that is unique and equipped with two-factor authentication.
• Establish a strong cybersecurity awareness program for employees.
• Using virtual private networks and not unsecured Wi-Fi.
• Utilize periodic reviews and security audits of physical devices and IT infrastructure.
• Apply encryption to all company sensitive files.
• Reboot, reset, and wipe out all old technological devices before disposing them.
• Have strong data loss prevention software and backup policy.
• Make sure all systems have antivirus software and firewalls that are able to adequately scan threats and install updates.