On January 8, 2018, the Financial Industry Regulatory Authority (“FINRA”) published its 2018 Regulatory and Examination Priorities Letter, which provides an overview of particular areas of regulatory focus in the upcoming year.  Under the category of operational and financial risks, FINRA specifically identifies cybersecurity as a high-priority area that member broker-dealer firms “may wish to consider as they identify opportunities to improve their compliance, supervisory and risk management programs” and commends the firms that have already devoted resources to this important area.  The letter notes that FINRA will assess the effectiveness of member firms’ cybersecurity programs at guarding sensitive information (including personally identifiable information) as well as such firms’ cybersecurity preparedness, technical defenses and resiliency measures.  FINRA also reminds member firms that they are required to have policies and procedures in place to evaluate whether a suspicious activity report must be filed with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) upon identification of a cybersecurity incident.  The letter also advises review of the 2017 Report on FINRA Examination Findings for further information about FINRA’s cybersecurity concerns and observations regarding effective cybersecurity practices.
Continue Reading FINRA Announces 2018 Priorities and Issues First-Ever Report on Examination Findings

In the wake of recent high-profile data breaches and in the absence of federal data protection legislation, states continue to propose new laws aimed at protecting the personal data of their residents.  On January 23, 2018, the Senate Judiciary Committee of South Dakota approved and forwarded for consideration by the full senate a bill that would require companies and individuals who operate and collect personal data in South Dakota to report data breaches affecting residents of the state within 60 days of discovery and, if more than 250 residents are affected by a data breach, to the Attorney General and consumer reporting agencies as well.  Following a number of comments received from state business associations, the Senate Judiciary Committee added to the proposed bill a threshold for risk of harm such that if, pursuant to “an appropriate investigation” and following notice to the Attorney General, a company reasonably determines that a breach is not likely to result in harm to an affected South Dakota resident, then notice to such resident is not required.  Failure to comply with the breach notification law could constitute a “deceptive act or practice” under state law enforceable by the Attorney General, who is also empowered under the law to recover civil damages not to exceed $10,000 per violation per day.  The bill will next be considered by the full senate and if passed, would leave Alabama as the sole U.S. state without a consumer data breach notification law.
Continue Reading South Dakota and Colorado are Latest States to Propose New Data Privacy Laws

On December 27, 2017, the New York Secretary of State sent a demand letter to Equifax Inc.’s interim CEO requesting additional information to aid the Division of Consumer Protection’s efforts “to investigate, mediate and/or mitigate identity theft complaints from consumers generally” as well as its investigation into the data breach disclosed by Equifax, Inc. on July 29, 2017, in which the personal data of approximately 143 million individuals (including 8.4 million New York residents) was compromised.  The letter demands that Equifax, Inc. provide a direct contact to respond to consumer concerns and requests information in 10 categories, including (a) a summary of the credit reporting agency’s plan (if any) to make affected New York residents “whole” following the breach, (b) a copy of the forensic review prepared by the cybersecurity firm Mandiant, (c) New York-specific data for those consumers whose credit card details or dispute documents containing personally identifiable information were exposed in the breach and (d) the number of children 15 years old and younger affected by the breach, nationwide as well as within New York, and the “long-term protection response” (if any) created for such affected children.  The demand was made pursuant to emergency regulations adopted by the Department of State in December 2017 that require credit reporting agencies to respond to requests made by the Division of Consumer Protection within 10 business days.  A company spokesperson for Equifax, Inc. confirmed on January 4, 2018 that the credit reporting agency intends to respond to the demand letter within the required time period.  This demand is the latest development in a plethora of investigations by various law enforcement agencies and regulators into the breach and follows requests for information from all 50 state attorneys general as well as a subpoena from the New York Department of Financial Services (“DFS”).
Continue Reading New York Regulator Demands Additional Information from Equifax