Photo of Alexis Collins

Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.

Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks.  The first recent guidance provides best practices for insurance entities with regard to cyber insurance.[1]  The second guidance deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic, with directions on how regulated entities can best secure data.[2]
Continue Reading New York Department of Financial Services Issues New Guidance on Cyber Threats

Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1]  The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
Continue Reading D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report

Cybersecurity and data privacy, topics that were already top of mind for companies at the start of 2020, were pushed even further to the forefront due to the COVID-19 pandemic, significant data security enforcement actions, and the SolarWinds breach discovered in December.

The increased prevalence of remote work made it all the more critical for

On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software.  The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices.  It also imposes multiple layers of reporting and certification requirements.
Continue Reading FTC Announces Settlement with Zoom Regarding Data Security Practices

In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2]  Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3]
Continue Reading OFAC and FinCEN Issue Advisories on Cyber Ransom Payments

On September 15, 2020, the Securities and Exchange Commission issued a cease‑and‑desist order against Unikrn, Inc. concerning its 2017 initial coin offering  of UnikoinGold .  The SEC found that the Unikrn ICO violated the prohibition in Section 5 of the Securities Act of 1933 against the unregistered public offer or sale of securities.  The SEC imposed several remedies, including requiring Unikrn to permanently disable the UnikoinGold token and a civil money penalty of $6.1 million.
Continue Reading SEC Issues Enforcement Action Against Unikrn, Inc. for its ICO, Prompting Rare Public Dissent from Commissioner Hester Peirce

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

Last month, the Financial Services Information Sharing and Analysis Center[1] (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic.  In particular, cyber-attacks targeted at bank employees rose in the first quarter of 2020.  As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs to deceive visitors into disclosing sensitive personal information.
Continue Reading FS-ISAC Warns that Cyberattacks Against Financial Services Firms Increased Substantially in Response to COVID-19 Mitigation Efforts