On April 11, 2018, the Seventh Circuit reversed a district court’s dismissal, for failure to state a claim, of plaintiffs’ proposed class action arising out of a 2012 data breach affecting Barnes & Noble.[1]  In so holding, the court reaffirmed its view that allegations of data theft with a substantial risk of future harm are sufficient to assert an “injury” under Article III, even in the absence of allegations that the risk actually materialized.[2]  The Seventh Circuit further found that such injury may also satisfy the requisite damages allegations under federal pleading requirements. Continue Reading Seventh Circuit Expands Jurisprudence in Data Breach Cases

On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach.  At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities.  Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision making processes and substantive views. Continue Reading Regulators and Law Enforcement Discuss Cyber Enforcement Priorities and Urge Cooperation Following Data Breaches

In a recent letter to leaders of the House Financial Services Committee, 31 state attorneys general urged Congress not to move forward with the Data Acquisition and Technology Accountability and Security Act, a federal breach notification bill, which aims to create a uniform set of reporting requirements for businesses nationwide.  In their letter, the attorneys general argue that states have proven able enforcers of their citizens’ data privacy and security and, as such, the bill’s proposed preemption of state data breach and data security laws is unwarranted.   Continue Reading State Attorneys General Warn Against Federal Data Breach Bill

Over recent months, numerous state regulators, including in Massachusetts, Texas, and New Jersey, have been exercising greater oversight of cryptocurrency businesses.[1]  On April 17, 2018, the office of the New York Attorney General Eric Schneiderman (“NYAG”) launched the Virtual Markets Integrity Initiative, which will seek information from various platforms that trade cryptocurrencies to better protect consumers.  The initiative responds to concerns that cryptocurrency trading platforms may not provide consumers with the same information available from traditional exchanges.  As part of the initiative, the NYAG’s Investor Protection Bureau sent thirteen major cryptocurrency trading platforms questionnaires relating to internal policies, controls, and best practices.  The Bureau intends to consolidate and disseminate to consumers the information it receives. Continue Reading New York Attorney General Becomes Most Recent State Regulator To Foray Into Cryptocurrency Oversight

On April 12, 2018, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced an agreement with Uber Technologies, Inc., to expand an August 2017 settlement regarding a 2014 data breach to include new violations arising from a second data breach that Uber discovered in 2016 but did not publicly disclose for over one year.  The revised settlement order imposes new notification, reporting, and records retention obligations on Uber for up to 20 years regarding third-party audits of its privacy program, future data breaches involving personal data, and its bug bounty program.  The proposed settlement order will be open for public comment for 30 days, after which time the Commission is likely to make the order final.

In August 2017, Uber entered into a consent agreement with the FTC related to a data breach that occurred three years before.  The complaint resolved by the 2017 settlement order alleged that, in May 2014, an intruder used an access key publicly posted on the website GitHub to access sensitive personal information of Uber drivers (who the FTC treats as consumers) that Uber stored with a cloud provider.  This information allegedly included unencrypted names, driver’s license numbers, bank account and routing numbers, and Social Security numbers.  The FTC alleged that Uber had failed to (1) “implement reasonable access controls” to safeguard personal data of drivers and riders stored in the cloud, (2) implement reasonable security training and guidance, (3) maintain a written security program, and (4) encrypt certain information stored with the cloud provider.  The complaint charged that Uber’s representations about the security of, and internal monitoring and auditing regarding access to, consumers’ personal information were false or misleading in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

In the 2018 complaint, the FTC alleges that Uber contemporaneously discovered a second data breach that had occurred in the fall of 2016—during the midst of the FTC’s nonpublic investigation into the 2014 breach.  According to the complaint, intruders used an access key that had been posted to a private repository associated with GitHub to download unencrypted files containing personal data of U.S. riders and drivers, including approximately “25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers.” Continue Reading Revised FTC-Uber data breach settlement to include second breach, criticize ‘bug bounty’ payment

The 2018 Consolidated Appropriations Act, which was signed by President Donald Trump on March 23, 2018, included a little-debated provision that revised portions of the 1986 Stored Communications Act (“SCA”) to permit the government to access through the use of a warrant or subpoena stored communications held abroad by providers of electronic communications services that are subject to United States jurisdiction.

The Clarifying Lawful Overseas Use of Data Act – or “CLOUD Act” – establishes that the SCA’s provisions concerning the production of electronic communications extend to those held abroad, establishes a framework for service providers to challenge an SCA warrant, directs courts to conduct a limited comity analysis to balance certain factors relevant to cross-border transfers of data, and introduces an incentive for foreign governments to enter into executive agreements with the United States governing cross-border data requests.

Prior to the enactment of the CLOUD Act, the Supreme Court was poised to rule in the case Microsoft Corporation v. United States of America, No. 17-2, on whether the SCA in its previous form permitted the use of a warrant to obtain electronic communications stored by a U.S. company on foreign servers. The relevance of that case, which was argued in February, is substantially undermined by this Congressional action.

Click here, to read the full alert.

In September 2017, the SEC announced the creation of a new Cyber Unit within the Enforcement Division. Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.” This alert memorandum takes stock of the SEC’s cyber enforcement actions since the Cyber Unit was formed as well as other recent SEC enforcement actions, guidelines, and public comments that shed light on potential future SEC cyber-enforcement in areas such as insider trading, cryptocurrencies and ICOs, cyber-related disclosures and policies, and cybersecurity safeguards.

Please click here to read the full alert memorandum.

In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1]  Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data.  The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering.  In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Asset Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2] Continue Reading Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions

Following on the heels of the SEC’s updated interpretive guidance on cybersecurity disclosure, SEC Chairman Jay Clayton and SEC Commissioner Robert Jackson each recently made public statements underscoring the agency’s increasing focus on cybersecurity.

On March 12, 2018, Chairman Clayton stated that the SEC will closely monitor how corporations respond to the new interpretive guidance at a conference held by the Council of Institutional Investors.  During an interview conducted by former Chairwoman Elisse Walter, Chairman Clayton said implementation of the interpretive guidance “will be a focal point for staff review” and that companies should work to determine their disclosure obligations under the current rules.[1]  Reiterating the interpretive guidance’s statement that the SEC expects companies to make disclosures “tailored” to their particular cybersecurity risks and incidents, Chairman Clayton stated that companies must put significant effort into determining their individual disclosure obligations under the current rules, meaning that “[r]eally good lawyering and governance is necessary.”[2]  Chairman Clayton also alluded to calls by certain SEC Commissioners for rulemaking requiring the disclosure of cybersecurity incidents in 8-K filings:  “In terms of writing a rule, if you wanted to make it a specific 8-K requirement, the issue there is whether something is material,” said Chairman Clayton, adding “[i]t’s really a facts and circumstances situation, and it can vary from industry to industry and company to company.”[3]    Continue Reading SEC Officials Emphasize Close Monitoring of Cybersecurity Disclosures Following Release of Interpretive Guidance

On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats.  Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.” Continue Reading FBI Director: FBI Might Not Share Information With Adversarial Authorities