On November 27, 2018, the Senate Commerce, Science, and Transportation Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held an oversight hearing of the U.S. Federal Trade Commission. The hearing marked the first appearance before the Senate of the full slate of current FTC commissioners: Republicans Chairman Joe Simons, Noah Phillips, and Christine Wilson, and Democrats Rohit Chopra and Rebecca Slaughter. In addition to confirming that the FTC will continue to prioritize data security and privacy enforcement under its consumer protection mandate, the commissioners were unanimous in their support for comprehensive federal data privacy legislation to be enforced by the FTC. Each, however, offered slightly different views as to the right approach for potential legislation and future enforcement. Continue Reading FTC Chair, Commissioners Endorse Comprehensive Privacy Legislation at Senate Oversight Hearing
Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.
On November 28, 2018, Judge Gonzalo P. Curiel of the U.S. District Court for the Southern District of California denied the U.S. Securities and Exchange Commission’s motion for a preliminary injunction against Blockvest, LLC and Reginald Ringgold in connection with Defendants’ initial coin offering (“ICO”). In doing so, the court found disputed issues of fact existed regarding whether the so-called “BLV” tokens constituted “securities” under the test set out in SEC v. W.J. Howey Co. This is not the first time a court has characterized the question of whether an ICO token satisfies Howey’s requirements as a factual one. But, the decision is notable for being the first instance of a court ruling against the SEC in an ICO and because it focused its inquiry under Howey on the subjective understanding of particular investors rather than the objective characteristics of the tokens themselves. Continue Reading California District Court Denies SEC Preliminary Injunction in ICO Case, Says Tokens’ Status As Securities Is Question of Fact
On November 28, 2018, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) identified for the first time digital currency addresses associated with sanctioned persons. The newly sanctioned individuals, Iran-based Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of converting digital currency payments into Iranian rial as part of a widespread ransomware scheme. Since 2015, the ransomware scheme (known as “SamSam”) has infected the data networks of corporations, hospitals, universities, and government agencies. According to OFAC’s announcement, the identified bitcoin addresses were used with over 40 digital currency exchangers to process more than 7,000 illicit transactions in bitcoins worth millions of U.S. dollars. Continue Reading OFAC Lists Digital Currency Addresses for First Time, Releases New Guidance
On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.” The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens. These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018. Continue Reading SEC Divisions’ Issue Public Statement on Digital Assets and ICOs, Echoing Recent Enforcement Actions
On November 6-8, 2018, the U.S. Federal Trade Commission (“FTC”) hosted a public hearing on “Privacy, Big Data, and Competition.” The event was part of a series of public hearings on Competition and Consumer Protection in the 21st Century, modeled after the agency’s 1995 “Pitofsky Hearings.” The series solicits input from a wide variety of private and public sector stakeholders and academics to inform and guide the FTC’s regulatory and enforcement efforts in light of broad economic changes, evolving business practices, new technologies, and international developments. Continue Reading Consumer Protection and Antitrust Regulators, Experts Discuss Privacy, Big Data, and Competition at FTC Hearings
On November 8, the Securities and Exchange Commission (“SEC”) imposed a cease-and-desist order against Zachary Coburn for causing his former company, EtherDelta, to operate as an unregistered securities exchange in violation of Section 5 of the Securities Exchange Act of 1934 (“Exchange Act”). Notably, EtherDelta, a trading platform specializing in digital assets known as Ether and ERC20 tokens, was not operated like a traditional exchange with centralized operations, as there was no ongoing, active management of the platform’s order taking and execution functions. Instead, EtherDelta was “decentralized,” in that it connected buyers and sellers through a pre-established smart contract protocol upon which all operational decisions were carried out.
In the SEC’s view, EtherDelta met Exchange Act Rule 3b-16(a)’s definition of an exchange notwithstanding the lack of ongoing centralized management of order taking and execution. Robert Cohen, the Chief of the SEC’s Cyber Unit within the Division of Enforcement stated after the order’s release, “The focus is not on the label you put on something . . . The focus is on the function . . . whether it’s decentralized or not, whether it’s on a smart contract or not, what matters is it’s an exchange.” This functional approach echoes prior SEC guidance and enforcement actions in the digital asset securities markets in emphasizing that the Commission will look to the substance and not the form of a market participants’ operations in evaluating their effective compliance with U.S. securities laws. Continue Reading SEC Brings First Enforcement Action Against a Digital Assets Trading Platform for Failure to Register as a Securities Exchange
On November 1, 2018, the Canadian Digital Privacy Act came into effect. The Act, passed on June 18, 2015, modified the data breach obligations for companies subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by introducing three new requirements in the event of certain data breaches: reporting to the Canadian Office of the Privacy Commissioner (“OPC”), notification to the affected individuals, and recordkeeping obligations. Below, we discuss these requirements and recent guidance provided by the OPC, and explore some implications for companies subject to PIPEDA. Continue Reading New Mandatory Data Breach Reporting Requirements Become Effective for Companies Doing Business in Canada
On November 2, the SEC’s Enforcement Division released its annual report detailing the facts and figures of its enforcement efforts in fiscal year 2018. At first blush, this year’s report looks strikingly similar to those from recent years, as the headline numbers in most categories are nearly indistinguishable from 2015, 2016, and 2017. This consistency may be surprising given that 2018 is the first such report reflecting exclusively the enforcement priorities of the Commission since it was reconstituted under Chair Jay Clayton.
But a closer examination of the report, including the components feeding into the top-line facts and figures and commentary by Division co-directors Stephanie Avakian and Steven Peikin, reveals a clear shift in priorities by the Division. These range from a philosophical shift in its mission to the reallocation of resources during a hiring freeze. We address here the most notable of these subtle but important changes. Continue Reading Retail, Remedies, Resources and Results: Observations From the SEC Enforcement Division 2018 Annual Report
On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls. The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934. The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment. By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures. Continue Reading SEC Investigative Report Urges Public Companies to Guard Against Cyber Threats When Implementing Internal Accounting Controls
On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people. According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date. The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach. Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations