On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats. Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.”
This past week, we received further evidence that U.S. federal regulators will continue to scrutinize potential compliance issues in virtual currency trading and initial coin offerings (“ICOs”) under existing law. However, the key takeaway is that the U.S. regulators, so far, are doing so under established interpretations of their existing authority. In our view, none of these events should be construed either as establishing a new regulatory framework or as a significant expansion of prior regulatory authority.
In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.
Last week, the Ninth Circuit reversed a Nevada district court’s dismissal, for lack of Article III standing, of plaintiffs’ claims arising out of a data breach. In so holding, the Ninth Circuit reaffirmed its position on one side of a circuit split on the issue of standing to bring suit based on a substantial risk of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized, an issue that the Supreme Court recently declined to review.
Last week, Pennsylvania’s Attorney General sued Uber for allegedly failing to provide timely notice to its drivers that their personal identifying information (“PII”) had been compromised in a data breach in 2016. The lawsuit seeks $13.5 million in penalties against Uber—$1,000 for each of the 13,500 Pennsylvanian Uber drivers whose driver’s license information was accessed by hackers. The complaint alleges that, in violation of Pennsylvania’s data breach notification law, Uber failed to provide notice “without unreasonable delay” to the affected drivers, instead paying the hackers to allegedly “delete the data and stay quiet.” A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
The Office of the Comptroller of the Currency (“OCC”) recently issued its Semiannual Risk Perspective. The OCC identified cybersecurity as a key operational risk, pointing to the increasing speed and sophistication of cybersecurity threats, which can target the theft of personally identifiable information, intellectual property, and bank funds.
A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.
First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.” The IT Provider inadvertently introduced a vulnerability to the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information. An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information. The Third Party eventually contacted the merchant and federal authorities to disclose the vulnerability, and deleted the data. It appears that the data was not otherwise improperly accessed.
On March 6, 2018, the World Economic Forum (WEF) published a white paper report analyzing challenges that financial services and fintech firms face in protecting customer information against the increasing risk of cyber-attacks and setting out proposals to better manage this cyber-risk. As described below, the report recommends industry-wide efforts to adopt standardized cyber-risk metrics and to develop mechanisms for assessing cybersecurity. In conjunction with the publication of these recommendations, Citigroup Inc., Kabbage, Inc., Zurich Insurance Group AG and the Depository Trust & Clearing Corporation have formed a consortium to address cybersecurity risks in the fintech industry.
On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014. Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices.
Late last month, the Supreme Court declined to review the D.C. Circuit’s decision in CareFirst v. Attias. In CareFirst, the D.C. Circuit ruled that the mere theft of personal information was sufficient to provide standing to bring suit, even in the absence of other alleged harm. As we have previously discussed, the federal Courts of Appeals have reached differing conclusions on the issue—with the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits holding that data theft, with the attendant risk of future identity theft fraud, is by itself sufficient for Article III standing, and the Second, Fourth, and Eighth Circuits holding, in contrast, that such allegations are not sufficient on their own to satisfy Article III’s injury requirements.