Photo of Alexis Collins

Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

Last month, the Financial Services Information Sharing and Analysis Center[1] (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic.  In particular, cyber-attacks targeted at bank employees rose in the first quarter of 2020.  As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs to deceive visitors into disclosing sensitive personal information.
Continue Reading FS-ISAC Warns that Cyberattacks Against Financial Services Firms Increased Substantially in Response to COVID-19 Mitigation Efforts

On May 5, 2020, the Seventh Circuit Court of Appeals held that a plaintiff has standing to assert a claim under the Illinois Biometric Information Privacy Act (BIPA) even without alleging any economic loss or data breach.  The court’s decision in Bryant v. Compass Group USA, Inc.,[1] held that merely alleging a failure to receive adequate disclosure or provide informed consent is sufficient to state a claim, potentially establishing in the Seventh Circuit a low bar for making claims under BIPA and other state statutes modeled off of it.
Continue Reading The Seventh Circuit Holds That Lack of Disclosure and Informed Consent Under Biometric Information Privacy Act Satisfies Article III Standing Requirement

Earlier this year, the Cybersecurity Unit (“CsU”) of the Computer Crime and Intellectual Property Section of the United States Department of Justice released guidance for the private sector entitled “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”  The Guidance (available here) is intended to aid private actors to assess the potential legal exposure under federal criminal law as a result of engaging in common cyber intelligence-gathering activities on the dark web.  Focusing on activity on TOR-based Dark Markets, i.e., “online forums in which computer crimes are discussed and planned and stolen data is bought and sold,” CsU offers practical tips and best practices for legitimate private actors to reduce the risk of liability and other negative repercussions under federal law.[1]
Continue Reading DOJ Issues Guidance on Private Sector Intelligence Gathering Activities on the Dark Web

The emergence of online, non-traditional financial service platforms creates additional avenues for terrorist groups to receive and transfer funds outside of the traditional banking system.  One consequence of this trend is the potential for increased litigation against these providers under U.S. statutes that create civil liability for provision of material support to terrorists: the Anti-Terrorism Act (the “ATA”), 18 U.S.C. § 2333(a), and the Justice Against Sponsors of Terrorism Act (“JASTA”), 18 U.S.C. § 2333(d)(2).

Civil claims for damages under the ATA and JASTA have historically been brought against large banks for providing financial services to entities with alleged terrorist links.  Typically in such cases, victims of a terrorist attack and/or their family members allege that the bank supported the attack by processing U.S. dollar denominated transactions to an entity with links to terrorism (often through a chain of intermediaries).  In recent years, the range of entities against which ATA and JASTA claims have been brought has increasingly expanded to include companies outside of the banking sector, such as pharmaceutical companies, government contractors, and social media platforms.  As terrorist groups increase their use of non-traditional financial service platforms, cryptocurrency exchanges, decentralized fintech platforms, and other similar businesses may begin to face ATA and JASTA claims.
Continue Reading Online Financial Service Companies:  The Anti-Terrorism Act’s Next Frontier

As firms respond to the ongoing coronavirus pandemic by increasingly transitioning to remote and telework arrangements, the Financial Industry Regulatory Authority (“FINRA”) issued an alert on measures that firms and associated persons can take to address resulting cybersecurity vulnerabilities:

  • Measures for Firms. Firms should take steps to ensure network security.  This may include providing

On Wednesday, March 11, 2020, the California Attorney General released a second set of modifications (the “March Revisions”) to the proposed regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantive changes to both the initial draft regulations issued in October (the “Initial Regulations”) and the revisions published Friday, February 7, 2020

On Friday, February 7, 2020, the California Attorney General released an amended set of proposed regulations (supplemented on February 10, 2020) implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantial changes to the draft regulations issued in October.  While the revised regulations eliminate certain requirements that businesses found to be onerous and

On January 27, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations related to cybersecurity and operational resiliency practices (“Examination Observations”). The observations highlight a set of best practices by market participants in the following areas:  (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management and (7) training and awareness.  Cybersecurity has been a key priority for OCIE since 2012.  Since then, it has published eight cybersecurity-related risk alerts, including an April 2019 alert addressing mobile security. OCIE has perennially included cybersecurity practices as part of its examination priorities (“Examination Priorities”) and listed all but mobile security as “particular focus areas” in the “information security” priority for 2020
Continue Reading OCIE Cybersecurity and Resiliency Observations and Best Practices

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to