Photo of Jonathan S. Kolodner

Jonathan S. Kolodner’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets.
Continue Reading Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus

On January 4, 2022, the Federal Trade Commission (FTC) issued a clear warning to companies to remediate any software vulnerabilities associated with the Java-based Log4j software.  A critical security flaw was identified in Log4j, which is embedded in major software applications and is widely used by businesses in all sectors of the economy, this past December.  The security flaw potentially allows bad actors to gain unfettered access to affected computer systems and to any sensitive information they contain.

The FTC, which increasingly prioritizes privacy and data security enforcement, stressed that companies have a legal duty to mitigate known software vulnerabilities—including Log4j—that risk harm to consumers and may face legal action from the FTC if they fail to do so.


Continue Reading The Federal Trade Commission Warns Companies to Remediate the “Log4j” Software Security Vulnerability

On December 6, 2021, the National Risk Committee of the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2021, which reports on key issues affecting the federal banking system.[1]  The report highlights the “evolving and increasingly complex” danger to the financial system from cyber threats, and encourages banks and financial institutions to adopt robust cyber controls to minimize operational risk.  It also stresses the need for risk-management policies and procedures that are tailored to new technological innovations, including cryptocurrencies and other digital assets.
Continue Reading The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks

On August 9, 2021, the SEC issued a cease-and-desist order against digital asset exchange Poloniex, Inc. for allegedly operating an unregistered exchange in violation of Section 5 of the Exchange Act in connection with its operation of a trading platform that facilitated the buying and selling of digital asset securities.[1]

In the cease-and-desist order, the SEC alleged that Poloniex met the definition of an “exchange” because it “provided the non-discretionary means for trade orders to interact and execute through the combined use of the Poloniex website, an order book, and the Poloniex trading engine.”  The SEC also found, based on internal communications, that Poloniex decided to be “aggressive,” ultimately listing token(s) it had internally determined carried a “medium” risk of being considered securities under the Securities Act of 1933 pursuant to the test set forth by the U.S. Supreme Court in SEC v. W.J. Howey.[2]  However, the SEC did not identify what digital asset(s) it determined were securities nor why, simply stating that Poloniex facilitated trading of “digital assets that were investment contracts and therefore securities.”

Without admitting or denying the SEC’s findings, Poloniex agreed to the entry of the order and a payment of $10,388,309 in disgorgement, prejudgment interest, and a civil penalty.
Continue Reading SEC Enforcement Action Against Poloniex Signals Heightened Scrutiny for Crypto Exchanges

Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which

Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks.  The first recent guidance provides best practices for insurance entities with regard to cyber insurance.[1]  The second guidance deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic, with directions on how regulated entities can best secure data.[2]
Continue Reading New York Department of Financial Services Issues New Guidance on Cyber Threats

Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1]  The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
Continue Reading D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report

Cybersecurity and data privacy, topics that were already top of mind for companies at the start of 2020, were pushed even further to the forefront due to the COVID-19 pandemic, significant data security enforcement actions, and the SolarWinds breach discovered in December.

The increased prevalence of remote work made it all the more critical for

On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).
Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach