On November 1, 2018, the Canadian Digital Privacy Act came into effect.  The Act, passed on June 18, 2015, modified the data breach obligations for companies subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by introducing three new requirements in the event of certain data breaches:  reporting to the Canadian Office of the Privacy Commissioner (“OPC”), notification to the affected individuals, and recordkeeping obligations.  Below, we discuss these requirements and recent guidance provided by the OPC, and explore some implications for companies subject to PIPEDA.

On November 2, the SEC’s Enforcement Division released its annual report detailing the facts and figures of its enforcement efforts in fiscal year 2018.  At first blush, this year’s report looks strikingly similar to those from recent years, as the headline numbers in most categories are nearly indistinguishable from 2015, 2016, and 2017.  This consistency may be surprising given that 2018 is the first such report reflecting exclusively the enforcement priorities of the Commission since it was reconstituted under Chair Jay Clayton.

But a closer examination of the report, including the components feeding into the top-line facts and figures and commentary by Division co-directors Stephanie Avakian and Steven Peikin, reveals a clear shift in priorities by the Division.  These range from a philosophical shift in its mission to the reallocation of resources during a hiring freeze.  We address here the most notable of these subtle but important changes.

On October 4, 2018, the Financial Markets Law Committee (“FMLC”) published a paper on the subject of “Data Protection: Issues of Legal Uncertainty Arising from the UK Data Protection Act 2018.”  Cleary Gottlieb contributed to this paper as a participant in the FMLC’s data protection working group.

The FMLC’s paper focuses on issues of legal uncertainty potentially hindering the continuation of the lawful flow of personal data between the UK, the European Economic Area and/or Third Countries (i.e., countries that are not Member States of the European Union) following Brexit, as well as on the framework and mechanics for supervision and enforcement of the data protection regimes post-Brexit. The FMLC’s paper also proposes solutions and/or mitigants to these uncertainties.

The FMLC is an educational charity that was established at (but is independent from) the Bank of England. Its stated role is to identify issues of legal uncertainty or misunderstanding, present and future, in the framework of the wholesale financial markets which might give rise to material risks and to consider how such issues should be addressed.

On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls.  The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934.  The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment.  By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures.

On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).  The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people.  According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date.  The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach.

The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and
  • Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.


On September 26, 2018, the attorneys general of all 50 states and the District of Columbia (“State AGs”) announced a record-breaking $148 million settlement with Uber Technologies Inc. (“Uber”) over Uber’s alleged failure to disclose a massive data breach in 2016.[1] The settlement holds significant implications for U.S. companies concerned about their cybersecurity measures in the face of increasing incidents of data breaches, as well as intensifying scrutiny by authorities.

On September 27, 2018, the Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) filed parallel actions in federal court against an internet dealer that sold “contracts for difference” (CFD) based on securities and commodities margined with bitcoin.  The actions, which were assisted by the Federal Bureau of Investigation and the Department of Justice, signal continued coordination among federal agencies to police market activity involving financial transactions in cryptocurrencies.

On September 26, 2018, a federal court in the District of Massachusetts found that virtual currencies are a commodity under the Commodity Exchange Act, 7 U.S.C. § 1 et seq. (“CEA”). This marks the second time that a court has accepted the Commodity Futures Trading Commission’s (“CFTC”) position and upheld the agency’s authority to regulate unleveraged and unmargined spot transactions in virtual currency under the agency’s anti-fraud and manipulation enforcement authority.  Most notably, however, the reasoning behind its decision potentially expands the scope of the CFTC’s oversight of the market.

Over the past year, the U.S. Securities and Exchange Commission (“SEC”) has increasingly scrutinized initial coin offerings (“ICOs”) and certain digital assets.  On September 20, 2018, the SEC’s Enforcement Division co-Director, Stephanie Avakian, gave a speech in which she addressed the Division’s approach to dealing with these new forms of tradeable assets.  This speech came only days after the SEC settled its first case charging an unregistered broker-dealer for facilitating the sale of digital tokens from several ICOs since the 2017 DAO Report.  In her speech, Avakian provided three key insights into the Division’s enforcement strategy.