Photo of Alexis Collins

Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.

On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software.  The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices.  It also imposes multiple layers of reporting and certification requirements.
Continue Reading FTC Announces Settlement with Zoom Regarding Data Security Practices

In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2]  Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3]
Continue Reading OFAC and FinCEN Issue Advisories on Cyber Ransom Payments

On September 15, 2020, the Securities and Exchange Commission issued a cease‑and‑desist order against Unikrn, Inc. concerning its 2017 initial coin offering  of UnikoinGold .  The SEC found that the Unikrn ICO violated the prohibition in Section 5 of the Securities Act of 1933 against the unregistered public offer or sale of securities.  The SEC imposed several remedies, including requiring Unikrn to permanently disable the UnikoinGold token and a civil money penalty of $6.1 million.
Continue Reading SEC Issues Enforcement Action Against Unikrn, Inc. for its ICO, Prompting Rare Public Dissent from Commissioner Hester Peirce

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

Last month, the Financial Services Information Sharing and Analysis Center[1] (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic.  In particular, cyber-attacks targeted at bank employees rose in the first quarter of 2020.  As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs to deceive visitors into disclosing sensitive personal information.
Continue Reading FS-ISAC Warns that Cyberattacks Against Financial Services Firms Increased Substantially in Response to COVID-19 Mitigation Efforts

On May 5, 2020, the Seventh Circuit Court of Appeals held that a plaintiff has standing to assert a claim under the Illinois Biometric Information Privacy Act (BIPA) even without alleging any economic loss or data breach.  The court’s decision in Bryant v. Compass Group USA, Inc.,[1] held that merely alleging a failure to receive adequate disclosure or provide informed consent is sufficient to state a claim, potentially establishing in the Seventh Circuit a low bar for making claims under BIPA and other state statutes modeled off of it.
Continue Reading The Seventh Circuit Holds That Lack of Disclosure and Informed Consent Under Biometric Information Privacy Act Satisfies Article III Standing Requirement

Earlier this year, the Cybersecurity Unit (“CsU”) of the Computer Crime and Intellectual Property Section of the United States Department of Justice released guidance for the private sector entitled “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”  The Guidance (available here) is intended to aid private actors to assess the potential legal exposure under federal criminal law as a result of engaging in common cyber intelligence-gathering activities on the dark web.  Focusing on activity on TOR-based Dark Markets, i.e., “online forums in which computer crimes are discussed and planned and stolen data is bought and sold,” CsU offers practical tips and best practices for legitimate private actors to reduce the risk of liability and other negative repercussions under federal law.[1]
Continue Reading DOJ Issues Guidance on Private Sector Intelligence Gathering Activities on the Dark Web

The emergence of online, non-traditional financial service platforms creates additional avenues for terrorist groups to receive and transfer funds outside of the traditional banking system.  One consequence of this trend is the potential for increased litigation against these providers under U.S. statutes that create civil liability for provision of material support to terrorists: the Anti-Terrorism Act (the “ATA”), 18 U.S.C. § 2333(a), and the Justice Against Sponsors of Terrorism Act (“JASTA”), 18 U.S.C. § 2333(d)(2).

Civil claims for damages under the ATA and JASTA have historically been brought against large banks for providing financial services to entities with alleged terrorist links.  Typically in such cases, victims of a terrorist attack and/or their family members allege that the bank supported the attack by processing U.S. dollar denominated transactions to an entity with links to terrorism (often through a chain of intermediaries).  In recent years, the range of entities against which ATA and JASTA claims have been brought has increasingly expanded to include companies outside of the banking sector, such as pharmaceutical companies, government contractors, and social media platforms.  As terrorist groups increase their use of non-traditional financial service platforms, cryptocurrency exchanges, decentralized fintech platforms, and other similar businesses may begin to face ATA and JASTA claims.
Continue Reading Online Financial Service Companies:  The Anti-Terrorism Act’s Next Frontier