Nearly a decade ago, WikiLeaks ushered in the age of mass leaks. Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information. Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak. This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information. While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind. The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege. In this memorandum, we discuss the potential issues raised by the prosecution and their implications.
On January 7, 2019 the National Futures Association (“NFA”) provided additional guidance on the required cybersecurity practices of certain NFA members by amending its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”). The Interpretive Notice currently requires each NFA member futures commission merchant (“FCM”), commodity trading advisor, commodity pool operator, introducing broker (“IB”), retail foreign exchange dealer, swap dealer (“SD”) and major swap participant to implement a written information systems security program (“ISSP”) and enact other cybersecurity procedures sufficient to identify, address and respond to cybersecurity incidents. The amendments to the Interpretive Notice are informed by NFA examinations of member ISSPs since the Interpretive Notice became effective in March 2016. They are intended to clarify certain common questions posed by NFA members related to internal approvals of the ISSP and employee training. The amendments additionally impose a new notification requirement for specified cybersecurity incidents. Continue Reading NFA Amends Interpretive Notice Regarding Cybersecurity Programs
The European Data Protection Board (“EDPB”) adopted its highly anticipated guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”) (the “Guidelines”), which are currently open for public consultation until January 18, 2019.
The extraterritorial application of the GDPR to entities located in non-EU countries marks a significant shift in the legal framework compared to the GDPR’s predecessor (Directive 95/46/EC).
The GDPR’s extraterritorial scope is based on two main criteria described in its Article 3:
- the “establishment” criterion, according to which the GDPR applies where processing of personal data is undertaken by a person in the context of the activities of an establishment in the European Union regardless of whether the processing takes place in the European Union or not, and
- the “targeting” criterion, according to which the GDPR applies where processing activities conducted by a person established outside the European Union relate to the offering of goods or services or the monitoring of behavior of data subjects in the European Union.
As a result of these two criteria, businesses which did not previously need to consider the applicability of EU data protection law to their processing activities may now be caught within the GDPR’s territorial scope. The Guidelines are intended to bring clarity to non-EU businesses doing business with the EU, either directly or through “establishments”, which must undertake a careful assessment of their data processing activities in order to determine whether the GDPR applies. The full text of the Guidelines can be accessed here and their key features are summarized below. Continue Reading EDPB Publishes Draft Guidelines on the Territorial Scope of the GDPR
On November 21, 2018, in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, the Supreme Court of Pennsylvania held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on an internet-accessible computer. Dittman is notable because it is the first time a state’s highest court has broadly held that a company owes a duty to its employees to protect their personal data that it collects and stores. Also, by rejecting the economic loss doctrine, the court opened the door to the potential recovery of pecuniary damages in data breach cases alleging a negligence theory. If the holding of Dittman is adopted by courts in other states, employers could face increased risk of financial liability following a data breach that compromises personal information of employees. Continue Reading Pennsylvania’s Highest Court Rules that Employers Have a Duty to Guard Their Employees’ Personal Data
On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms. This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms. Below we discuss the report’s key observations and contextualize these insights for members of the financial industry. Continue Reading FINRA Provides Updated Cybersecurity Guidance to Broker-Dealer Firms
On December 13, 2018, the District Court for the Northern District of California dismissed a putative securities class action brought against PayPal Holdings, its subsidiary TIO Networks Corp., and several executives of both companies for a security breach that resulted in the potential compromise of personally identifiable information for 1.6 million customers. In Sgarlata v. PayPal Holdings Inc., No. 17-cv-06956-EMC, 2018 WL 6592771 (N.D. Cal. Dec. 13, 2018) (“Sgarlata”), the court dismissed the complaint for failure to plead scienter because plaintiffs failed to adequately plead that defendants knew not only of an actual security breach, but also the magnitude of the breach and the type of data accessed. Continue Reading California District Court Dismisses Securities Class Action After Plaintiffs Failed to Plead that PayPal Knew Magnitude of Security Breach
On December 20, 2018, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 Examination Priorities. The six themes for this year’s priorities are: retail investors (including seniors and those saving for retirement), compliance and risk in registrants responsible for critical market infrastructure (clearing agencies, transfer agents, national securities exchanges and Regulation SCI entities), oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board, digital assets, cybersecurity and anti-money laundering. The only new theme for 2019 compared to 2018 is digital assets, which we take to imply a plan to more closely—and substantively—regulate investment advisers and broker-dealers involved with this asset class. The 2019 priorities also more explicitly than the 2018 priorities describe specific practices that OCIE found concerning in examinations of those entities, many of which involved failure to adequately safeguard client assets and the adequacy of disclosures of conflicts of interest. We expect to see a corresponding focus in Enforcement Division investigations and cases on these issues as a result. Continue Reading Lessons from the SEC Office of Compliance Inspections and Examinations’ 2019 Priorities
On December 6, 2018, in Williams-Diggins v. Mercy Health, an Ohio district court granted the defendant’s motion to dismiss a putative class action related to a cybersecurity vulnerability in the Ohio-based medical provider’s computer systems that allegedly left patient health information publicly accessible online for years. United States District Judge Jeffrey Helmick dismissed the case for lack of jurisdiction (among other reasons), finding that the plaintiff’s theories of harm—overpayment and risk of future exposure or breach of his sensitive health information—were insufficient to create Article III standing. Continue Reading Ohio District Court: No Standing Where Patients’ Medical Records “Might” Be Accessed Improperly Due To A Cybersecurity Vulnerability
Continuing its efforts to engage with FinTech innovators and market participants in the adoption of new technologies, the Commodity Futures Trading Commission (“CFTC”) and its LabCFTC released a Primer on Smart Contracts (the “Primer”) on November 27. The Commission focused its Primer on (1) detailing the technical aspects of smart contract technology; (2) examining potential benefits and risks connected to their widespread adoption; and (3) the CFTC’s role in regulating the adoption of the technology within those markets under its jurisdiction.
On November 27, 2018, the Senate Commerce, Science, and Transportation Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held an oversight hearing of the U.S. Federal Trade Commission. The hearing marked the first appearance before the Senate of the full slate of current FTC commissioners: Republicans Chairman Joe Simons, Noah Phillips, and Christine Wilson, and Democrats Rohit Chopra and Rebecca Slaughter. In addition to confirming that the FTC will continue to prioritize data security and privacy enforcement under its consumer protection mandate, the commissioners were unanimous in their support for comprehensive federal data privacy legislation to be enforced by the FTC. Each, however, offered slightly different views as to the right approach for potential legislation and future enforcement. Continue Reading FTC Chair, Commissioners Endorse Comprehensive Privacy Legislation at Senate Oversight Hearing