Photo of Katherine Mooney Carroll

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

On April 15, 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued an advisory alert providing guidance on the North Korean cyber threat and steps to mitigate that threat (the “Alert”).[1]  The U.S. Government has repeatedly warned the private sector that North Korea, formally known as the Democratic People’s Republic of Korea (“DPRK”), routinely engages in malicious cyber activities and has specifically targeted financial institutions.

This Alert serves as a reminder, especially during this pandemic as businesses go remote and virtual to an unprecedented degree, that the cyber threat, including from the DPRK, remains a critical risk for all companies.  Financial institutions in particular, a traditional target of North Korean cyber activity, should take steps to ensure they are protecting themselves from and responding effectively to malicious cyber intrusions.
Continue Reading CISA Alert: North Korean Cyber Threat Poses Increased Risk for Financial Institutions

As firms respond to the ongoing coronavirus pandemic by increasingly transitioning to remote and telework arrangements, the Financial Industry Regulatory Authority (“FINRA”) issued an alert on measures that firms and associated persons can take to address resulting cybersecurity vulnerabilities:

  • Measures for Firms. Firms should take steps to ensure network security.  This may include providing

On Wednesday, March 11, 2020, the California Attorney General released a second set of modifications (the “March Revisions”) to the proposed regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantive changes to both the initial draft regulations issued in October (the “Initial Regulations”) and the revisions published Friday, February 7, 2020

Efforts to contain COVID-19 have resulted in many employees working remotely for potentially an extended period of time.  While such precautions are in place, it is important to stay vigilant of cybersecurity risks.  There are already reports of COVID-19 related phishing scams and a recent hack of the U.S. Health and Human Services Department amid its pandemic response.  Remote working can exacerbate these risks.  Below is a checklist of key issues to keep in mind on this subject:
Continue Reading Managing Cyber Risk During COVID-19 Response

On Friday, February 7, 2020, the California Attorney General released an amended set of proposed regulations (supplemented on February 10, 2020) implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantial changes to the draft regulations issued in October.  While the revised regulations eliminate certain requirements that businesses found to be onerous and

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to

The final version of the California Consumer Privacy Act of 2018 is coming into view.

On October 10, California’s Attorney General released the long-anticipated draft regulations to implement the CCPA, and on October 12, the Governor signed into law five amendments to the CCPA passed during the 2019 legislative session.  (We previously discussed the CCPA 

On September 18, 2019, the Securities and Exchange Commission (“SEC”) filed its first civil suit alleging violations of broker-dealer registration requirements in U.S. digital asset markets.  In a case filed in the U.S. District Court for the Central District of California, the SEC alleged that Defendants ICOBox and its founder, Nikolay Evdokimov, illegally conducted an unregistered public securities offering for their 2017 initial coin offering (“ICO”), and have operated an unregistered brokerage service facilitating the launch of ICOs in digital asset securities since 2017.
Continue Reading SEC Files First Suit Against Alleged Unregistered Broker-Dealer Operating in Digital Asset Markets

California’s 2019 legislative session has drawn to a close with passage of five amendments to the California Consumer Privacy Act (CCPA) during the final days of the session.  Assuming that the bills are timely signed by the Governor before the October 13 deadline, businesses will finally have the complete version of the statute that will