The Department of Justice’s (DOJ) proposed Safe Harbor policy, as described in your provided information, is aimed at encouraging companies engaging in mergers and acquisitions to voluntarily disclose any previous or ongoing cyber misconduct within the acquired company. This disclosure would be made to the DOJ, with the hope of avoiding potential criminal charges for the acquiring company.
Here’s a summary of how the Safe Harbor policy works:
1. Disclosure of Cyber Misconduct: When a company (referred to as Company A) is acquiring or merging with another company (Company B), Company A is given a specific period (in this case, 1 calendar year) to disclose any cyber misconduct that occurred in Company B before or during the merger process.
2. Cooperation with DOJ Investigation: Company A is expected to cooperate with the DOJ’s investigation into the cyber misconduct, sharing information and assisting in the investigation process.
3. Legal Consequences for Non-Disclosure: If Company A fails to disclose the cyber misconduct or cooperate with the DOJ investigation, it may face criminal charges for not taking due diligence in accordance with the Safe Harbor policy.
4. US Deputy Attorney General’s Announcement: US Deputy Attorney General Lisa Monaco has publicly disclosed this policy. She mentioned that the policy includes additional conditions to benefit companies involved in acquisition activities.
5. Restitution Period: It’s important to note that the Safe Harbor policy doesn’t guarantee that the DOJ will refrain from prosecuting the acquired entity (Company B) that committed the cyber misconduct. Instead, it offers a period for the acquiring company (Company A) to make necessary disclosures and cooperate. The outcome for Company B will depend on the specific circumstances and the results of the investigation.
The Safe Harbor policy appears to be a way to incentivize transparency and cooperation in cases of cyber misconduct during mergers and acquisitions, potentially reducing legal risks for the acquiring company. However, it does not guarantee immunity from prosecution for the acquired entity. The effectiveness and implementation of such a policy would depend on the details of its execution and how well companies comply with its requirements.
