Michael H. Krimminger’s practice focuses on U.S. and international banking and financial institutions.

On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.”  The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens.  These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018.

Over the past year, the U.S. Securities and Exchange Commission (“SEC”) has increasingly scrutinized initial coin offerings (“ICOs”) and certain digital assets.  On September 20, 2018, the SEC’s Enforcement Division co-Director, Stephanie Avakian, gave a speech in which she addressed the Division’s approach to dealing with these new forms of tradeable assets.  This speech came only days after the SEC settled its first case charging an unregistered broker-dealer for facilitating the sale of digital tokens from several ICOs since the 2017 DAO Report.  In her speech, Avakian provided three key insights into the Division’s enforcement strategy.

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

On March 27, 2018, Massachusetts Secretary of State William Galvin announced that the state had ordered five firms to halt initial coin offerings (“ICOs”) on the grounds that the ICOs constituted unregistered offerings of securities but made no allegations of fraud.  These orders follow a growing line of state enforcement actions aimed at ICOs.

This was not Massachusetts’s first foray into regulating ICOs.  On January 17, 2018 the state filed a complaint alleging violations of securities and broker-dealer registration requirements against the company Caviar and its founder for an ICO that sought to create a “pooled investment fund with hedged exposure to crypto-assets and real estate debt.”

This past week, we received further evidence that U.S. federal regulators will continue to scrutinize potential compliance issues in virtual currency trading and initial coin offerings (“ICOs”) under existing law. However, the key takeaway is that the U.S. regulators, so far, are doing so under established interpretations of their existing authority. In our view, none of these events should be construed either as establishing a new regulatory framework or as a significant expansion of prior regulatory authority.

New York’s new cybersecurity regulations (the “Regulations”) become effective on August 28, 2017, marking a significant milestone in what is likely to be a new era in cybersecurity regulation on both a national and international level.

As governments grapple with how best to address cyber threats to their citizens, businesses and national security, there is an increasing focus on the potential use of regulatory requirements to impose minimum cybersecurity standards, particularly in the financial services sector. As more states and nation states adopt cybersecurity requirements, financial institutions are facing increased compliance costs and potentially a diversion of resources away from risk mitigation to compliance with regulatory requirements. As the Regulations come into effect, we briefly take stock of their requirements, their impact on international best practices, and related global developments.

On August 1, 2017, the United States Court of Appeals for the D.C. Circuit held that policyholders of the health insurer CareFirst had standing to sue the company after their information was compromised during a cyberattack.

Wading into a vigorously contested area between plaintiffs and companies that have suffered data breaches, the court held that the policyholders’ elevated risk of identity theft and medical fraud was a sufficient injury to bring suit—even without any evidence that plaintiffs had actually suffered such harm. In so holding, the D.C. Circuit came down on one side of a circuit split, which may ultimately need to be resolved by the Supreme Court.

On March 1, 2017, the New York Department of Financial Services’ Cybersecurity Regulations entered into effect.

The Regulations impose on financial institutions minimum cybersecurity standards that exceed existing federal standards and introduce new requirements, including obligations to critically evaluate cybersecurity practices, maintain detailed documentation demonstrating compliance and report cyber events to the New York Department of Financial Services.

On September 13, 2016, the New York Department of Financial Services issued the first comprehensive state regulatory proposal to address cybersecurity.

Under the proposed regulations, certain banks, insurers and other financial services institutions authorized to operate in New York will be required to assess their cybersecurity risks and establish and maintain a cybersecurity program designed to address such risks.  This alert memorandum covers the key obligations set forth in the state proposal and contrasts them with the obligations required under the federal Gramm-Leach-Bliley Act.
