On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.[1]  The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours. Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements

On November 8, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) designated a virtual currency exchange, Chatex, and its infrastructure support providers on the list of Specially Designated Nationals and Blocked Persons (SDN List) for their role in facilitating financial transactions for ransomware actors.[i]  The Financial Crimes Enforcement Network (FinCEN) also released an updated advisory on ransomware and the use of the financial system to facilitate ransomware payments.[ii]  These actions were taken in furtherance of a coordinated “whole-of-government” effort to disrupt criminal ransomware actors and the virtual currency exchanges used to launder ransom payments around the world. Continue Reading OFAC Ramps up Targeting of Ransomware-linked Actors and FinCEN Updates Ransomware Advisory

On 10 November 2021, the Supreme Court of the United Kingdom handed down its much-awaited judgment in the case of Lloyd v Google LLC [2021] UKSC 50.  The Supreme Court unanimously ruled that the claim, which is a representative action alleging breaches of the Data Protection Act 1998 (“DPA 1998”), could not proceed.

The Supreme Court ruled that the claim did not fulfil the requirement that individual claimants in a representative action must have the “same interest” under rule 19.6 of the English Civil Procedure Rules (“CPR”). Further, the Supreme Court held that it was not enough for a claim for compensation to be premised on mere contravention of a data controller’s statutory duties under the Data Protection Act 1998, but that “material damage” must result in order for a claim for compensation to be brought.

This judgment provides clarity to data controllers that data subjects cannot recover compensation for a breach (even if non-trivial) of the data controller’s statutory duties without demonstrating the damage or distress suffered as a consequence. It also provides important clarifications on when an “opt-out” style representative action can be pursued.

Please click here to read the full alert memorandum.

On September 21, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC): (i) issued an updated advisory on potential sanctions risks for facilitating ransomware payments; and (ii) designated SUEX OTC, S.R.O. (SUEX), a virtual currency exchange, on the list of Specially Designated Nationals and Blocked Persons (SDN List) for its role in facilitating financial transactions for ransomware actors.[1]  These actions demonstrate the U.S. government’s increasing focus on virtual currencies as a key means of facilitating ransomware payments and related money laundering, as well as OFAC’s commitment to combating ransomware attacks and other malicious cyber activities. Continue Reading OFAC Updates Ransomware Advisory and Sanctions Virtual Currency Exchange

On August 9, 2021, the SEC issued a cease-and-desist order against digital asset exchange Poloniex, Inc. for allegedly operating an unregistered exchange in violation of Section 5 of the Exchange Act in connection with its operation of a trading platform that facilitated the buying and selling of digital asset securities.[1]

In the cease-and-desist order, the SEC alleged that Poloniex met the definition of an “exchange” because it “provided the non-discretionary means for trade orders to interact and execute through the combined use of the Poloniex website, an order book, and the Poloniex trading engine.”  The SEC also found, based on internal communications, that Poloniex decided to be “aggressive,” ultimately listing token(s) it had internally determined carried a “medium” risk of being considered securities under the Securities Act of 1933 pursuant to the test set forth by the U.S. Supreme Court in SEC v. W.J. Howey.[2]  However, the SEC did not identify what digital asset(s) it determined were securities nor why, simply stating that Poloniex facilitated trading of “digital assets that were investment contracts and therefore securities.”

Without admitting or denying the SEC’s findings, Poloniex agreed to the entry of the order and a payment of $10,388,309 in disgorgement, prejudgment interest, and a civil penalty. Continue Reading SEC Enforcement Action Against Poloniex Signals Heightened Scrutiny for Crypto Exchanges

The past few years have brought monumental changes to how we handle international data transfers from the EU: Schrems I, GDPR, Schrems II, Brexit and now the new Standard Contractual Clauses, published in June 2021.

Here we share our views on improvements and challenges this modernised version of the SCCs has brought and how it interplays with the EDPB’s Recommendations on supplemental measures, also just released in their final version.

Please click here to read the full alert memorandum.

Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which the Act will become effective July 1, 2023, giving covered entities roughly two years to become compliant.

While the ColoPA draws heavily from Virginia’s Consumer Data Protection Act (“VDPA”), the California Privacy Rights Act of 2020 (“CPRA”), which amends and expands the California Consumer Privacy Act (“CCPA”), and the European Union’s General Data Protection Regulation (“GDPR”), there are material differences amongst these laws. Without federal legislation that includes preemption, it is likely that states will continue to enact privacy laws and that such laws will continue to diverge from one another in nuanced ways. To combat rising compliance costs and growing uncertainty for covered entities, commissioners at the Federal Trade Commission have begun to discuss using their rulemaking authority to establish a unified privacy framework. Until that time, however, covered entities must remain informed of their obligations under each law applicable to them and adapt their privacy programs accordingly.

This alert memorandum summarizes key elements of the Act while highlighting its similarities and differences with the CCPA/CPRA, VDPA and GDPR.

Recent developments in a lawsuit have illustrated the importance of maintaining sufficient data security measures and responding adequately to data breaches, topics that are addressed in depth in Cleary Gottlieb’s Global Crisis Management Handbook. A class-action lawsuit in the Northern District of California against Robinhood Financial, LLC, a securities trading platform, alleges that unauthorized users accessed approximately 2,000 Robinhood customers’ accounts storing the customers’ sensitive personal information.

The information included social security numbers, telephone numbers, bank account numbers, and tax information. The unauthorized users also looted the funds in the customers’ accounts. The lawsuit seeks recovery for the looted funds as well as the time and money the class members spent attempting to cure the violations of their privacy.

Please click here to read more.

While large financial institutions have traditionally been hesitant to enter new areas of financial products, particularly virtual assets, many more banks and companies have expressed interest in virtual currencies as cryptocurrency has become increasingly mainstream.  Given the use of such services by terrorist groups, it is important for banks and other financial institutions to consider evolving dynamics in this area.  On the one hand, one of the widely described benefits of virtual currency is the transparency and public nature of transactions, since they are typically recorded in a publicly accessible blockchain, which could facilitate policing and enforcement against illicit activity.  At the same time, the relevant legal framework for combating terrorist funding creates potential areas of liability, including, in particular, under the Anti-Terrorism Act (“ATA”) and the Justice Against Sponsors of Terrorism Act (“JASTA”).  These considerations are important for companies and banks that provide services related to virtual currency, but they are also relevant to any company that could be the target of ransomware attacks, since attackers may be sanctioned entities or have ties to terrorism and, as a matter of practice, demand that the ransom payment be made in virtual currency.

Please click here to read the full alert memorandum.

Last week, the Second Circuit affirmed the dismissal, for lack of Article III standing, of a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”).  In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met on the facts presented.  The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.

Continue Reading Second Circuit Articulates Injury Standard in Data Breach Suits