On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).  NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways.  The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure.  Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory.  In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures.  The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements. Continue Reading NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity

The SEC has recently signaled an increased concern with the offerings and marketing of Initial Coin Offerings (“ICOs”),[1] which should be of interest to companies and institutions involved with ICOs.  On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting Initial Coin Offerings (“ICOs”) about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions of the federal securities laws.  Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement.,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers.  The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.”  The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be a form of security under the Securities Act of 1933 and the Securities Exchange Act of 1934. Continue Reading The SEC Warns That Celebrity Endorsements of Virtual Currency May Violate Federal Securities Laws

On Monday, December 4, 2017, the U.S. Securities and Exchange Commission (SEC) obtained an emergency order from a U.S. District Court in New York to enjoin an allegedly fraudulent initial coin offering scheme.  The SEC’s complaint alleges that Dominic Lacroix, a recidivist securities law violator, and his company PlexCorps violated the anti-fraud and registration provisions of the U.S. federal securities laws in collecting up to $15 million in investor funds purportedly in exchange for digital tokens and promised returns in excess of 1,000% in 29 days.  The complaint also charges Lacroix’s partner Sabrina Paradis-Royer with securities fraud.  Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets.

Continue Reading Newly Created SEC Cyber Unit Takes First Action Against Allegedly Fraudulent ICO

Last Friday, December 1, 2017, the U.S. Commodity Futures Trading Commission (CFTC) announced that three futures exchanges—the Chicago Mercantile Exchange Inc. (CME), the CBOE Futures Exchange (CBOE) and the Cantor Exchange (Cantor)—self-certified that they will be listing futures contracts (CME and CBOE) and options (Cantor) referencing bitcoin.  Trading in bitcoin futures will commence at the CBOE on December 10 and on CME on December 18, with Cantor’s options trading to follow.  Listing these contracts will allow both institutional and retail investors to obtain long or short exposure to bitcoin without buying or selling the underlying bitcoin itself.

Continue Reading Bitcoin’s Future: CME and Other Exchanges Self-Certify Bitcoin Futures and Options with the CFTC

The disclosure by Uber of a data breach that occurred in October 2016 has prompted a growing number of regulators to open investigations into the company.  According to Bloomberg, the breach (which Uber disclosed on November 21, 2017) involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.

Continue Reading EU and U.S. Regulators respond to the Uber breach

Earlier this month, on November 2, New York Attorney General Eric T. Schneiderman announced that he was working with New York state legislators to introduce comprehensive new legislation to address data breaches and data privacy.  After pointing to the Equifax breach as the impetus of the legislation, the Attorney General’s Office also explained that it had received over 1,300 data breach notifications in 2016, affecting 1.6 million New Yorkers.  To address these issues, the proposed Stop Hacks and Improve Electronic Data Security (SHIELD) Act would require companies to take steps to protect private information, broadens the type of private information covered, and increases potential penalties for failures to comply with the law.  This post summarizes the key aspects of the proposed legislation, and compares it to other recently enacted data privacy legislation. Continue Reading In Wake of the Equifax Breach, New York’s Attorney General Proposes New, Stricter Data Privacy Law

The EU General Data Protection Regulation (GDPR) represents the biggest change to EU data protection law in more than twenty years. It has grabbed headlines as a result of its extra-territorial reach and the potentially vast fines for non-compliance.  (For a general overview of the GDPR, please refer to our Alert Memo.)   With the GDPR’s May 25, 2018 effective date rapidly approaching, the Article 29 Working Party (an advisory group made up of representatives from EU data protection authorities as well as the European Commission) recently published its latest wave of GDPR guidance.  In this post, we summarize both the prior guidance and the most recent update, which covers critical issues such as data breach notification requirements and the calculation of penalties for non-compliance. Continue Reading Preparing for GDPR – Guidance from the Article 29 Working Party

Cyberattacks have increased in scope and severity over the past few years, including the widespread WannaCry ransomware attacks and the Equifax breach in which the personal data of over 140 million people may have been stolen.  Due to the increasing number of breaches and the difficulties that law enforcement faces in responding to these events in a timely manner, a bill has been proposed in the U.S. Congress that seeks to empower private actors to use cyber defensive measures outside the boundaries of their networks.  Rep. Tom Graves (R-Ga.) introduced the Active Cyber Defense Certainty Act (the “Act”) to protect from criminal prosecution companies who use certain countermeasures against cyber intrusions.[1]  Whether or not this legislation is ultimately adopted, it highlights some of the unique difficulties in effectively addressing cybercrime and the ongoing efforts by the government to enlist the aid of the private sector. Continue Reading The Active Cyber Defense Act: Congress Considers Authorizing Companies to Use Offensive Measures Against Cybercriminals

On October 24, 2017, the National Association of Insurance Commissioners (the “NAIC”) adopted the Insurance Data Security Model Law (the “Model Law”).  According to the NAIC’s press release, the purpose of the Model Law is to provide “rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach.”  The NAIC is a U.S. standard-setting and regulatory support organization composed of state-level insurance regulators, and the Model Law is non-mandatory, model legislation that states must voluntarily adopt in order for it to be enforceable.  Importantly, based on a Drafting Note in the Model Law, the drafters intended for entities that are in compliance with the New York State Department of Financial Services (the “DFS”) Cybersecurity Regulations, which apply to DFS-licensed banks and insurance companies operating in New York, to automatically also be in compliance with the Model Law.  Similar to the DFS’s Cybersecurity Regulations, the Model Law sets forth standards for data security, as well as the response to, and notification of, data breach incidents. Continue Reading NAIC Adopts Insurance Data Security Model Law

On October 27, 2017, the Hong Kong Securities and Futures Commission (“SFC”) issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the “Guidelines”), a set of baseline cybersecurity requirements that all persons licensed or registered with the SFC and engaged in internet trading will be required to implement. The Hong Kong Monetary Authority (“HKMA”) simultaneously issued a circular to CEOs of Registered Institutions requiring them to apply the Guidelines.

The new guidelines should be viewed as requirements for securities and futures dealers and asset managers registered with the SFC and banks supervised by the HKMA (which include a number of foreign banks that operate branches in Hong Kong). For e-commerce firms and other companies that do business in or have connections to Hong Kong, the new guidelines should additionally be viewed as relevant guidance for best practices in cybersecurity.

Click here, to continue reading.