Photo of Jonathan S. Kolodner

Jonathan S. Kolodner’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

In 2018, data privacy and cyber breaches made headlines throughout the year.

Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the

On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”

Continue Reading

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI,

In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”).  While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements.
Continue Reading

Last month, the Brazilian National Monetary Council (the “CMN”) issued Resolution No. 4,658 (the “Resolution”), which establishes new cybersecurity requirements covering institutions regulated by the Brazilian Central Bank (Banco Central do Brasil).  The Resolution requires covered financial institutions to have cybersecurity policies in place by May 6, 2019, and be fully compliant with the regulation by December 31, 2021.  Notably, the Resolution’s requirements cover third-party service providers that contract with covered institutions, including those located outside of Brazil. 
Continue Reading

In September 2017, the SEC announced the creation of a new Cyber Unit within the Enforcement Division. Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.” This alert memorandum takes stock of the SEC’s cyber

On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats.  Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.”
Continue Reading

A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.

First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.”  The IT Provider inadvertently introduced a vulnerability to the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information.  An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information.  The Third Party eventually contacted the merchant and federal authorities to disclose vulnerability, and deleted the data.  It appears that the data was not otherwise improperly accessed.
Continue Reading