On Tuesday, September 11, 2018, Judge Raymond J. Dearie of the Eastern District of New York issued a decision holding that Initial Coin Offerings (“ICO”) may qualify as securities offerings and therefore be subject to the criminal federal securities laws.  This ruling came as two U.S. regulators—the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”)—announced separate actions under securities laws against companies engaged in the cryptocurrency marketplace, including the sale of digital tokens.  As the popularity of cryptocurrencies grows and businesses and entrepreneurs increasingly turn to ICOs to raise capital, these developments may serve as guideposts for how cryptocurrencies and ICOs will be viewed by courts and federal regulators in cases to follow. Continue Reading Federal Court, SEC, and FINRA Scrutinize Cryptocurrencies and ICOs

The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.

Continue Reading UK Data Protection Regulator Set to Levy Maximum Fine on Facebook in Cambridge Analytica Case

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.

The nature of any injury suffered by individuals from a cyber incident continues to be a major issue in data breach litigation.  As we have previously discussed, the Supreme Court has thus far declined to address the issue of Article III standing in the data breach context, resulting in an ongoing circuit split on whether data theft is by itself sufficient to satisfy Article III’s injury requirements.[1]  Two federal Courts of Appeals recently grappled with injury requirements in the data breach context.  Continue Reading Fourth Circuit and Eighth Circuit Address Injury in Data Breach Cases

On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”

Continue Reading State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.

Please click here to read the full alert memorandum.

In response to pressure from advocacy group Californians for Consumer Privacy, on June 21, 2018, California lawmakers proposed a new law, the California Consumer Privacy Act of 2018, which would significantly expand consumers’ rights over their data.  The proposed law would apply to entities that do business in California, collect consumers’ personal information or determine the purpose and means of processing such data, and satisfy at least one of the following: (i) have over $25 million in annual gross revenue, (ii) buy or receive, sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (iii) derive 50 percent or more of revenue from the sale of consumer personal information. Continue Reading California Introduces Bill Expanding Consumer Rights Over Data Privacy

In recent years, the Federal Trade Commission (“FTC”) has taken the lead among federal agencies in regulating the cybersecurity practices of companies that handle consumer personal information.  The FTC has entered into numerous consent orders and other settlements with regulated companies that broadly require implementation and maintenance of information security programs that are “reasonably designed” to protect security and confidentiality of consumer information.  A federal appeals court has now cast doubt on the viability of such orders.  In a ruling issued on June 6, 2018, the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc. (“LabMD”) as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance. Continue Reading Eleventh Circuit Vacates FTC Order Mandating Implementation of Cybersecurity Program

The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities.[1] The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.

Continue Reading Untangling the Tangled Web of Cybersecurity Disclosure Requirements: A Practical Guide