On August 9, 2021, the SEC issued a cease-and-desist order against digital asset exchange Poloniex, Inc. for allegedly operating an unregistered exchange in violation of Section 5 of the Exchange Act in connection with its operation of a trading platform that facilitated the buying and selling of digital asset securities.[1]

In the cease-and-desist order, the SEC alleged that Poloniex met the definition of an “exchange” because it “provided the non-discretionary means for trade orders to interact and execute through the combined use of the Poloniex website, an order book, and the Poloniex trading engine.”  The SEC also found, based on internal communications, that Poloniex decided to be “aggressive,” ultimately listing token(s) it had internally determined carried a “medium” risk of being considered securities under the Securities Act of 1933 pursuant to the test set forth by the U.S. Supreme Court in SEC v. W.J. Howey.[2]  However, the SEC did not identify what digital asset(s) it determined were securities nor why, simply stating that Poloniex facilitated trading of “digital assets that were investment contracts and therefore securities.”

Without admitting or denying the SEC’s findings, Poloniex agreed to the entry of the order and a payment of $10,388,309 in disgorgement, prejudgment interest, and a civil penalty. Continue Reading SEC Enforcement Action Against Poloniex Signals Heightened Scrutiny for Crypto Exchanges

The past few years have brought monumental changes to how we handle international data transfers from the EU. Schrems I, GDPR, Schrems II, Brexit and now the new Standard Contractual Clauses, published in June, 2021.

Here we share our views on improvements and challenges this modernised version of the SCCs has brought and how it interplays with the EDPB’s Recommendations on supplemental measures, also just released in their final version.

Please click here to read the full alert memorandum.

Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which the Act will become effective July 1, 2023, giving covered entities roughly two years to become compliant.

While the ColoPA draws heavily from Virginia’s Consumer Data Protection Act (“VDPA”), the California Privacy Rights Act of 2020 (“CPRA”), which amends and expands the California’s Consumer Privacy Act (“CCPA”), and the European Union’s General Data Protection Regulation (“GDPR”), there are material differences amongst these laws. Without federal legislation that includes preemption, it is likely that states will continue to enact privacy laws and that such laws will continue to diverge from one another in nuanced ways. To combat rising compliance costs and growing uncertainty for covered entities, commissioners at the Federal Trade Commission have begun to discuss using their rulemaking authority to establish a unified privacy framework. Until that time, however, covered entities must remain informed of their obligations under each law applicable to them and adapt their privacy programs accordingly.

This alert memorandum summarizes key elements of the Act while highlighting its similarities and differences with the CCPA/CPRA, VDPA and GDPR.

Recent developments in a lawsuit have illustrated the importance of maintaining sufficient data security measures and responding adequately to data breaches, which topics are addressed in Cleary Gottlieb’s Global Crisis Management Handbook in depth. A class-action lawsuit in the Northern District of California against Robinhood Financial, LLC, a securities trading platform, alleges that unauthorized users accessed approximately 2,000 Robinhood customers’ accounts storing the customers’ sensitive personal information.

The information included social security numbers, telephone numbers, bank account numbers, and tax information. The unauthorized users also looted the funds in the customers’ accounts. The lawsuit seeks recovery for the looted funds as well as the time and money the class members spent attempting to cure the violations of their privacy.

Please click here to read more.

While large financial institutions have traditionally been hesitant to enter new areas of financial products, particularly virtual assets, many more banks and companies have expressed interest in virtual currencies as cryptocurrency has become increasingly mainstream.  Given the use of such services by terrorist groups, it is important for banks and other financial institutions to consider evolving dynamics in this area.  On the one hand, one of the widely described benefits of virtual currency is the transparency and public nature of transactions since they are typically recorded in a publicly accessible blockchain, which could facilitate policing and enforcement against illicit activity.  At the same time, the relevant legal framework for combating terrorist funding creates potential areas of liability, including, in particular under the Anti-Terrorism Act (“ATA”) and the Justice Against Sponsors of Terrorism Act (“JASTA”).  These considerations are important for companies and banks that provide services related to virtual currency, but also are relevant to any company that could be the target of ransomware attacks since attackers may be sanctioned entities or have ties to terrorism and as a matter of practice demand that the ransom payment be made in virtual currency.

Please click here to read the full alert memorandum.

Last week, the Second Circuit affirmed the dismissal for lack of Article III standing a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”).  In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met based on the facts presented.  The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.

Continue Reading Second Circuit Articulates Injury Standard in Data Breach Suits

On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected.  The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”

By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct.  The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.

Continue Reading FTC to Corporate Boards: Mind Your Data Security

Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation.  The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the European Union’s General Data Protection Regulation (“GDPR”).  However, the Act contains a number of distinctive provisions, compliance with which will require covered entities to adjust their privacy policies and practices, even if they are already CCPA and GDPR compliant, rendering the existing patchwork of state and national privacy laws even more complex.

Please click here to read our full alert memorandum summarizing key elements of the Act and highlighting key similarities and differences with the CCPA and GDPR.

On 11 February 2021, the Abu Dhabi Global Market (“ADGM”), Abu Dhabi’s financial free zone, enacted the new Data Protection Regulations 2021 (the “Regulations”), replacing the Data Protection Regulations 2015 in their entirety and bringing the ADGM regime closer to the European Union’s data protection regime under the General Data Protection Regulation (“GDPR”).

Our alert memo, published at the end of 2020 following the ADGM’s opening of a public consultation period on the draft Data Protection Regulations 2020 (the “Draft Regulations”), provides an overview of the key features of the Draft Regulations, areas of overlap with the GDPR, as well as certain proposed departures from the GDPR that will need to be monitored by organisations doing business in both the ADGM and the European Union.

The Regulations are applicable to those processing personal data where a controller or processor has been established in the ADGM, regardless of whether the processing actually takes place in the ADGM or not.

We set out below an update to our alert memo, highlighting the few notable additions/amendments to the Draft Regulations as compared with the final Regulations published on 11 February 2021.

Continue Reading ADGM enacts new Data protection Regulations 2021

Last month, the United States District Court for the Southern District of New York granted a motion to dismiss in In re Fed Ex Corp. Securities Litigation, a putative class action securities fraud case filed against FedEx following numerous disclosures in 2017 and 2018 regarding the impact of a Russian cyberattack on its recently acquired subsidiary, TNT Express Services B.V (“TNT”).[1]  The court held that the complaint failed to adequately plead that FedEx had made any material misrepresentations or had the requisite scienter.  FedEx’s successful defense against the lawsuit highlights the importance for companies to consider their disclosure obligations following a cyber-incident and carefully tailor their disclosures to account for their risks and accurately reflect the consequences of the incident. Continue Reading District Court Dismisses Securities Fraud Claim Against FedEx Concerning Disclosures About NotPetya Cyberattack