On April 11, 2018, the Seventh Circuit reversed a district court’s dismissal, for failure to state a claim, of plaintiffs’ proposed class action arising out of a 2012 data breach affecting Barnes & Noble. In so holding, the court reaffirmed its view that allegations of data theft with a substantial risk of future harm are sufficient to assert an “injury” under Article III, even in the absence of allegations that the risk actually materialized. The Seventh Circuit further found that such injury may also satisfy the requisite damages allegations under federal pleading requirements. Continue Reading Seventh Circuit Expands Jurisprudence in Data Breach Cases
Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.
On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach. At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities. Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision making processes and substantive views. Continue Reading Regulators and Law Enforcement Discuss Cyber Enforcement Priorities and Urge Cooperation Following Data Breaches
In a recent letter to leaders of the House Financial Services Committee, 31 state attorneys general urged Congress not to move forward with the Data Acquisition and Technology Accountability and Security Act, a federal breach notification bill, which aims to create a uniform set of reporting requirements for businesses nationwide. In their letter, the attorneys general argue that states have proven able enforcers of their citizens’ data privacy and security and, as such, the bill’s proposed preemption of state data breach and data security laws is unwarranted. Continue Reading State Attorneys General Warn Against Federal Data Breach Bill
Over recent months, numerous state regulators, including in Massachusetts, Texas, and New Jersey, have been exercising greater oversight of cryptocurrency businesses. On April 17, 2018, the office of the New York Attorney General Eric Schneiderman (“NYAG”) launched the Virtual Markets Integrity Initiative, which will seek information from various platforms that trade cryptocurrencies to better protect consumers. The initiative responds to concerns that cryptocurrency trading platforms may not provide consumers with the same information available from traditional exchanges. As part of the initiative, the NYAG’s Investor Protection Bureau sent thirteen major cryptocurrency trading platforms questionnaires relating to internal policies, controls, and best practices. The Bureau intends to consolidate and disseminate to consumers the information it receives. Continue Reading New York Attorney General Becomes Most Recent State Regulator To Foray Into Cryptocurrency Oversight
As of last month, when South Dakota and Alabama passed data breach notification laws, all 50 states (as well as the District of Columbia and several U.S. territories) now have data breach notification laws on their books. Continue Reading All 50 States Now Have Data Breach Notification Laws
On March 27, 2018, Massachusetts Secretary of State William Galvin announced that the state had ordered five firms to halt initial coin offerings (“ICOs”) on the grounds that the ICOs constituted unregistered offerings of securities but made no allegations of fraud. These orders follow a growing line of state enforcement actions aimed at ICOs.
This was not Massachusetts’s first foray into regulating ICOs. On January 17, 2018 the state filed a complaint alleging violations of securities and broker-dealer registration requirements against the company Caviar and its founder for an ICO that sought to create a “pooled investment fund with hedged exposure to crypto-assets and real estate debt.”
In September 2017, the SEC announced the creation of a new Cyber Unit within the Enforcement Division. Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.” This alert memorandum takes stock of the SEC’s cyber enforcement actions since the Cyber Unit was formed as well as other recent SEC enforcement actions, guidelines, and public comments that shed light on potential future SEC cyber-enforcement in areas such as insider trading, cryptocurrencies and ICOs, cyber-related disclosures and policies, and cybersecurity safeguards.
Please click here to read the full alert memorandum.
In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft. Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data. The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering. In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Asset Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Continue Reading Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions
On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats. Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.” Continue Reading FBI Director: FBI Might Not Share Information With Adversarial Authorities
In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years. Continue Reading DOJ And SEC Charge Former Equifax Executive With Insider Trading