The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and

Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.

Please click here to read the full alert memorandum.

On September 26, 2018, the attorney generals of all 50 states and the District of Columbia (“State AGs”) announced a record-breaking $148 million settlement with Uber Technologies Inc. (“Uber”) over Uber’s alleged failure to disclose a massive data breach in 2016.[1] The settlement holds significant implications for U.S. companies concerned about their cybersecurity measures in the face of increasing incidents of data breaches, as well as intensifying scrutiny by authorities. Continue Reading State AGs Announce Settlement With Uber Over Data Breach

On September 27, 2018, the Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) filed parallel actions in federal court against an internet dealer that sold “contracts for difference” (CFD) based on securities and commodities margined with bitcoin.  The actions, which were assisted by the Federal Bureau of Investigation and the Department of Justice, signal continued coordination among federal agencies to police market activity involving financial transactions in cryptocurrencies. Continue Reading The CFTC and SEC Bring Charges Against International Securities Dealer for Bitcoin-Funded Swaps Activity

On September 26, 2018, a federal court in the District of Massachusetts found that virtual currencies are a commodity under the Commodity Exchange Act, 7 U.S.C. § 1 et seq, (“CEA”). This marks the second time that a court has accepted the Commodity Futures Trading Commission’s (“CFTC”) position and upheld the agency’s authority to regulate unleveraged and unmargined spot transactions in virtual currency under the agency’s anti-fraud and manipulation enforcement authority.  Most notably, however, the reasoning behind its decision potentially expands the scope of the CFTC’s oversight of the market. Continue Reading Second District Court Determines Virtual Currencies Are Commodities

Over the past year, the U.S Securities and Exchange Commission (“SEC”) has increasingly scrutinized initial coin offerings (“ICO”) and certain digital assets.  On September 20, 2018, the SEC’s Enforcement Division co-Director, Stephanie Avakian, gave a speech in which she addressed the Division’s approach to dealing with these new forms of tradeable assets.  This speech came only days after the SEC settled its first case charging an unregistered broker-dealer for facilitating the sale of digital tokens from several ICOs since the 2017 DAO Report.  In her speech, Avakian provided three key insights into the Division’s enforcement strategy. Continue Reading SEC Enforcement Division Co-Director Provides Insight Into Commission’s Approach to ICOs and Cryptocurrencies

On Tuesday, September 11, 2018, Judge Raymond J. Dearie of the Eastern District of New York issued a decision holding that Initial Coin Offerings (“ICO”) may qualify as securities offerings and therefore be subject to the criminal federal securities laws.  This ruling came as two U.S. regulators—the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”)—announced separate actions under securities laws against companies engaged in the cryptocurrency marketplace, including the sale of digital tokens.  As the popularity of cryptocurrencies grows and businesses and entrepreneurs increasingly turn to ICOs to raise capital, these developments may serve as guideposts for how cryptocurrencies and ICOs will be viewed by courts and federal regulators in cases to follow. Continue Reading Federal Court, SEC, and FINRA Scrutinize Cryptocurrencies and ICOs

The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.

Continue Reading UK Data Protection Regulator Set to Levy Maximum Fine on Facebook in Cambridge Analytica Case

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.

The nature of any injury suffered by individuals from a cyber incident continues to be a major issue in data breach litigation.  As we have previously discussed, the Supreme Court has thus far declined to address the issue of Article III standing in the data breach context, resulting in an ongoing circuit split on whether data theft is by itself sufficient to satisfy Article III’s injury requirements.[1]  Two federal Courts of Appeals recently grappled with injury requirements in the data breach context.  Continue Reading Fourth Circuit and Eighth Circuit Address Injury in Data Breach Cases