As of last month, when South Dakota and Alabama passed data breach notification laws, all 50 states (as well as the District of Columbia and several U.S. territories) now have data breach notification laws on their books. Continue Reading All 50 States Now Have Data Breach Notification Laws
Jonathan S. Kolodner’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.
In September 2017, the SEC announced the creation of a new Cyber Unit within the Enforcement Division. Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.” This alert memorandum takes stock of the SEC’s cyber enforcement actions since the Cyber Unit was formed as well as other recent SEC enforcement actions, guidelines, and public comments that shed light on potential future SEC cyber-enforcement in areas such as insider trading, cryptocurrencies and ICOs, cyber-related disclosures and policies, and cybersecurity safeguards.
Please click here to read the full alert memorandum.
On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats. Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.” Continue Reading FBI Director: FBI Might Not Share Information With Adversarial Authorities
A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.
First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.” The IT Provider inadvertently introduced a vulnerability to the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information. An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information. The Third Party eventually contacted the merchant and federal authorities to disclose vulnerability, and deleted the data. It appears that the data was not otherwise improperly accessed. Continue Reading Recent Enforcement Actions by Regulators Show Continued Focus on Cybersecurity and Data Protection Issues
Over the last year, the existential risk posed by cyberattacks and data security vulnerabilities has become one of the top concerns for boards of directors, management, government agencies, and the public.
This memo surveys some of the key cybersecurity and data privacy developments of 2017, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions, with an eye towards what may be in store in 2018.
A recent decision by an intermediate Illinois appellate court, Rosenbach v. Six Flags Entm’t Corp., suggests that state courts—which are not bound by federal Article III standing limitations in entertaining suits—will not necessarily provide a more plaintiff-friendly forum for data privacy suits than their federal counterparts.
Earlier this month, we wrote about the Second Circuit’s summary order in Vigil v. Take-Two Interactive Software, Inc. There, the court affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act (“BIPA”) for want of Article III standing because the plaintiffs had failed to allege an injury-in-fact, but remanded the case with instructions to amend the judgment and enter a dismissal without prejudice. The district court had ruled that the BIPA’s limitation of the private right of action to a “person aggrieved by a violation” meant that the plaintiffs’ failure to allege an injury-in-fact was also fatal to their claims as a matter of state law, meaning that the case should be dismissed with prejudice for failure to state a claim. The Second Circuit vacated that portion of the ruling on jurisdictional grounds, which left the door open for the plaintiffs to attempt to bring their claims in state court without any allegation of actual harm. Continue Reading Illinois Appellate Court Holds That Mere Technical Violations Of Data Privacy Statute Are Insufficient To State A Claim
In late November, the Second Circuit issued a summary order in Vigil v. Take-Two Interactive Software, Inc, which affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act (“BIPA”) for lack of standing. In doing so, the court followed established Second Circuit precedent and highlighted the continuing difficulties plaintiffs face in establishing standing for certain technical violations of data privacy statutes, when those violations are unaccompanied by allegations of a breach or likelihood of improper access. The case also serves as a reminder that as states pass statutes covering new types of technology and data, companies will need to remain vigilant in protecting a wider range of information than before. Continue Reading Second Circuit Issues Order Affirming Dismissal of Data Privacy Class Action Suit
A recent enforcement action by the Massachusetts’s Attorney General Office (“Mass. AG”) serves as a stark reminder of how important it is to have robust data security policies and practices in all respects, including with respect to company equipment and locally stored data. Continue Reading Massachusetts Attorney General Settles For Data Breach Over Stolen Laptop—Sign of Increased Enforcement Scrutiny?
The SEC has recently signaled an increased concern with the offerings and marketing of Initial Coin Offerings (“ICOs”), which should be of interest to companies and institutions involved with ICOs. On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting Initial Coin Offerings (“ICOs”) about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions of the federal securities laws. Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement.,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers. The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.” The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be a form of security under the Securities Act of 1933 and the Securities Exchange Act of 1934. Continue Reading The SEC Warns That Celebrity Endorsements of Virtual Currency May Violate Federal Securities Laws
Earlier this month, on November 2, New York Attorney General Eric T. Schneiderman announced that he was working with New York state legislators to introduce comprehensive new legislation to address data breaches and data privacy. After pointing to the Equifax breach as the impetus of the legislation, the Attorney General’s Office also explained that it had received over 1,300 data breach notifications in 2016, affecting 1.6 million New Yorkers. To address these issues, the proposed Stop Hacks and Improve Electronic Data Security (SHIELD) Act would require companies to take steps to protect private information, broadens the type of private information covered, and increases potential penalties for failures to comply with the law. This post summarizes the key aspects of the proposed legislation, and compares it to other recently enacted data privacy legislation. Continue Reading In Wake of the Equifax Breach, New York’s Attorney General Proposes New, Stricter Data Privacy Law