The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2022”.

For those following data privacy and consumer data protection trends, it should come as no surprise that enacting comprehensive legislation to regulate companies’ use of personal data has continued to be a focal point both internationally and in the U.S., at the federal, state and local levels.

In the last three years, over 10 federal proposals and over 40 state proposals for comprehensive privacy legislation were introduced across the U.S., and we expect this trend to continue well into 2022, given the growing bipartisan support for legislation to protect consumer interests and mitigate the risks associated with the digital economy. The ever-changing landscape and patchwork of compliance obligations globally will only continue to grow more complex and costly, and may lead to increased regulatory scrutiny and potential enforcement actions despite best compliance efforts. In the U.S., without comprehensive federal data privacy legislation, businesses remain subject to numerous state laws with ambiguous and sometimes conflicting legal obligations. Trans-Atlantic and other international data flows will only continue to become more difficult and costly to navigate in light of recent developments, including in China, the UK and the European Union.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2022”.

A 2021 survey of chief legal officers found that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise, as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets. Regulators also brought a number of cybersecurity enforcement actions, and announced new rules, guidance and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress has made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

On January 4, 2022, the Federal Trade Commission (FTC) issued a clear warning to companies to remediate any software vulnerabilities associated with the Java-based Log4j logging software. In December 2021, a critical security flaw was identified in Log4j, which is embedded in major software applications and is widely used by businesses in all sectors of the economy. The flaw potentially allows bad actors to gain unfettered access to affected computer systems and to any sensitive information they contain.

The FTC, which increasingly prioritizes privacy and data security enforcement, stressed that companies have a legal duty to mitigate known software vulnerabilities—including Log4j—that risk harm to consumers and may face legal action from the FTC if they fail to do so.

Continue Reading The Federal Trade Commission Warns Companies to Remediate the “Log4j” Software Security Vulnerability

We are delighted that Anthony M. Shults has rejoined Cleary Gottlieb as a senior attorney from the U.S. Department of Justice (DOJ), where he served as acting Deputy Assistant Attorney General and Senior Counsel in the Office of Legal Policy and as Attorney-Advisor in the National Security Division. He is based in our New York office and will focus on cybersecurity, data privacy, and emerging technologies, as well as securities, appellate, and complex commercial litigation. Continue Reading Cleary Gottlieb Welcomes Back Anthony M. Shults, Former Acting Deputy Assistant Attorney General and Senior Counsel at the Department of Justice

On December 6, 2021, the National Risk Committee of the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2021, which reports on key issues affecting the federal banking system.[1]  The report highlights the “evolving and increasingly complex” danger to the financial system from cyber threats, and encourages banks and financial institutions to adopt robust cyber controls to minimize operational risk.  It also stresses the need for risk-management policies and procedures that are tailored to new technological innovations, including cryptocurrencies and other digital assets. Continue Reading The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks

On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after the banking organization determines that such a notification incident has occurred.[1] The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours. Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements

On November 8, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) designated a virtual currency exchange, Chatex, and its infrastructure support providers on the list of Specially Designated Nationals and Blocked Persons (SDN List) for their role in facilitating financial transactions for ransomware actors.[i]  The Financial Crimes Enforcement Network (FinCEN) also released an updated advisory on ransomware and the use of the financial system to facilitate ransomware payments.[ii]  These actions were taken in furtherance of a coordinated “whole-of-government” effort to disrupt criminal ransomware actors and the virtual currency exchanges used to launder ransom payments around the world. Continue Reading OFAC Ramps up Targeting of Ransomware-linked Actors and FinCEN Updates Ransomware Advisory

On 10 November 2021, the Supreme Court of the United Kingdom handed down its much-awaited judgment in the case of Lloyd v Google LLC [2021] UKSC 50.  The Supreme Court unanimously ruled that the claim, which is a representative action alleging breaches of the Data Protection Act 1998 (“DPA 1998”), could not proceed.

The Supreme Court ruled that the claim did not fulfil the requirement that individual claimants in a representative action must have the “same interest” under rule 19.6 of the English Civil Procedure Rules (“CPR”). Further, the Supreme Court held that it was not enough for a claim for compensation to be premised on mere contravention of a data controller’s statutory duties under the Data Protection Act 1998, but that “material damage” must result in order for a claim for compensation to be brought.

This judgment provides clarity to data controllers that data subjects cannot recover compensation for a breach (even if non-trivial) of the data controller’s statutory duties without demonstrating the damage or distress suffered as a consequence. It also provides important clarifications on when an “opt-out” style representative action can be pursued.

Please click here to read the full alert memorandum.

On September 21, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC): (i) issued an updated advisory on potential sanctions risks for facilitating ransomware payments; and (ii) designated SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, on the list of Specially Designated Nationals and Blocked Persons (SDN List) for its role in facilitating financial transactions for ransomware actors.[1]  These actions demonstrate the U.S. government’s increasing focus on virtual currencies as a key means of facilitating ransomware payments and related money laundering, as well as OFAC’s commitment to combating ransomware attacks and other malicious cyber activities. Continue Reading OFAC Updates Ransomware Advisory and Sanctions Virtual Currency Exchange

On August 9, 2021, the SEC issued a cease-and-desist order against digital asset exchange Poloniex, Inc. for allegedly operating an unregistered exchange in violation of Section 5 of the Exchange Act in connection with its operation of a trading platform that facilitated the buying and selling of digital asset securities.[1]

In the cease-and-desist order, the SEC alleged that Poloniex met the definition of an “exchange” because it “provided the non-discretionary means for trade orders to interact and execute through the combined use of the Poloniex website, an order book, and the Poloniex trading engine.”  The SEC also found, based on internal communications, that Poloniex decided to be “aggressive,” ultimately listing token(s) it had internally determined carried a “medium” risk of being considered securities under the Securities Act of 1933 pursuant to the test set forth by the U.S. Supreme Court in SEC v. W.J. Howey.[2]  However, the SEC did not identify what digital asset(s) it determined were securities nor why, simply stating that Poloniex facilitated trading of “digital assets that were investment contracts and therefore securities.”

Without admitting or denying the SEC’s findings, Poloniex agreed to the entry of the order and a payment of $10,388,309 in disgorgement, prejudgment interest, and a civil penalty. Continue Reading SEC Enforcement Action Against Poloniex Signals Heightened Scrutiny for Crypto Exchanges