In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook. Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Continue Reading July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors
Pamela L. Marcogliese
Pamela L. Marcogliese’s practice focuses on corporate and financial transactions, particularly capital markets matters and corporate governance matters.
SEC Expands on Its Digital Asset Guidance: At Inception, (Nearly) Every New Token Is a Security
On April 3, 2019, staff of the Securities and Exchange Commission released (1) a framework providing principles for analyzing whether a digital asset constitutes an investment contract, and thus a security, as defined in SEC v. W.J. Howey Co. and (2) a no-action letter permitting TurnKey Jet, Inc., without satisfying registration requirements under the Securities…
SEC Issues First ICO Enforcement Action Against a Self-Reporting Token Issuer
On February 20, the Securities and Exchange Commission (the “SEC” or “Commission”) issued a cease-and-desist order against Gladius Network LLC (“Gladius”) concerning its 2017 initial coin offering (“ICO”). The SEC found that the Gladius ICO violated the Securities Act of 1933’s (“Securities Act”) prohibition against the public offer or sale of any securities not made pursuant to either an effective registration statement on file with the SEC or under an exemption from registration.[1] While this is far from the first time that the SEC has found that a particular ICO token meets the definition of a “security” under the Securities Act,[2] this is notably the first action involving an ICO token issuer that self-reported its potential violation. Due to this, and Gladius’s cooperation throughout the investigation, the SEC stopped short of imposing any civil monetary penalties among its ordered remedial measures.
Continue Reading SEC Issues First ICO Enforcement Action Against a Self-Reporting Token Issuer
2018 Cybersecurity and Data Privacy Developments: A Year in Review
In 2018, data privacy and cyber breaches made headlines throughout the year.
Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries. At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase…
SEC Divisions’ Issue Public Statement on Digital Assets and ICOs, Echoing Recent Enforcement Actions
On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.” The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens. These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018.
Continue Reading SEC Divisions’ Issue Public Statement on Digital Assets and ICOs, Echoing Recent Enforcement Actions
California’s Groundbreaking Privacy Law: The New Front Line in the U.S. Privacy Debate
On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the…
State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach
On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”
Continue Reading State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach
Untangling the Tangled Web of Cybersecurity Disclosure Requirements: A Practical Guide
The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities.[1] The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
Continue Reading Untangling the Tangled Web of Cybersecurity Disclosure Requirements: A Practical Guide
Yahoo’s Successor Settles First-Ever Case Involving SEC Charges for Failing to Disclose a Cybersecurity Incident
On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case…
NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity
On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways. The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure. Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory. In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures. The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements.
Continue Reading NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity