On December 13, 2018, the District Court for the Northern District of California dismissed a putative securities class action brought against PayPal Holdings, its subsidiary TIO Networks Corp., and several executives of both companies for a security breach that resulted in the potential compromise of personally identifiable information for 1.6 million customers.  In Sgarlata v. PayPal Holdings Inc., No. 17-cv-06956-EMC, 2018 WL 6592771 (N.D. Cal. Dec. 13, 2018) (“Sgarlata”), the court dismissed the complaint for failure to plead scienter because plaintiffs failed to adequately plead that defendants knew not only of an actual security breach, but also the magnitude of the breach and the type of data accessed.[1] Continue Reading California District Court Dismisses Securities Class Action After Plaintiffs Failed to Plead that PayPal Knew Magnitude of Security Breach

On December 20, 2018, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 Examination Priorities.  The six themes for this year’s priorities are:  retail investors (including seniors and those saving for retirement), compliance and risk in registrants responsible for critical market infrastructure (clearing agencies, transfer agents, national securities exchanges and Regulation SCI entities), oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board, digital assets, cybersecurity and anti-money laundering.  The only new theme for 2019 compared to 2018 is digital assets, which we take to imply a plan to more closely—and substantively—regulate investment advisers and broker-dealers involved with this asset class.  The 2019 priorities also more explicitly than the 2018 priorities describe specific practices that OCIE found concerning in examinations of those entities, many of which involved failure to adequately safeguard client assets and the adequacy of disclosures of conflicts of interest.  We expect to see a corresponding focus in Enforcement Division investigations and cases on these issues as a result. Continue Reading Lessons from the SEC Office of Compliance Inspections and Examinations’ 2019 Priorities

On December 6, 2018, in Williams-Diggins v. Mercy Health, an Ohio district court granted the defendant’s motion to dismiss a putative class action related to a cybersecurity vulnerability in the Ohio-based medical provider’s computer systems that allegedly left patient health information publicly accessible online for years.  United States District Judge Jeffrey Helmick dismissed the case for lack of jurisdiction (among other reasons), finding that the plaintiff’s theories of harm—overpayment and risk of future exposure or breach of his sensitive health information—were insufficient to create Article III standing. Continue Reading Ohio District Court: No Standing Where Patients’ Medical Records “Might” Be Accessed Improperly Due To A Cybersecurity Vulnerability

On November 27, 2018, the Senate Commerce, Science, and Transportation Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held an oversight hearing of the U.S. Federal Trade Commission.  The hearing marked the first appearance before the Senate of the full slate of current FTC commissioners: Republicans Chairman Joe Simons, Noah Phillips, and Christine Wilson, and Democrats Rohit Chopra and Rebecca Slaughter.  In addition to confirming that the FTC will continue to prioritize data security and privacy enforcement under its consumer protection mandate, the commissioners were unanimous in their support for comprehensive federal data privacy legislation to be enforced by the FTC.  Each, however, offered slightly different views as to the right approach for potential legislation and future enforcement. Continue Reading FTC Chair, Commissioners Endorse Comprehensive Privacy Legislation at Senate Oversight Hearing

Knuddels GmbH & Co KG, a German social media app, has received the first administrative fine issued by a German supervisory authority under the General Data Protection Regulation (“GDPR”).

The fine of € 20,000 has been levied on Knuddels by the Commissioner for Data Protection and Freedom of Information in Baden-Württemberg (one of 16 regional data protection authorities in Germany) following a hack reported by Knuddels in September which resulted in the personal data of approximately 330,000 users being stolen and subsequently published. Such personal data included users’ emails addresses and passwords. Continue Reading First German Fine Issued Under the GDPR

On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.”  The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens.  These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018. Continue Reading SEC Divisions’ Issue Public Statement on Digital Assets and ICOs, Echoing Recent Enforcement Actions

On November 6-8, 2018, the U.S. Federal Trade Commission (“FTC”) hosted a public hearing on “Privacy, Big Data, and Competition.”  The event was part of a series of public hearings on Competition and Consumer Protection in the 21st Century, modeled after the agency’s 1995 “Pitofsky Hearings.”  The series solicits input from a wide variety of private and public sector stakeholders and academics to inform and guide the FTC’s regulatory and enforcement efforts in light of broad economic changes, evolving business practices, new technologies, and international developments. Continue Reading Consumer Protection and Antitrust Regulators, Experts Discuss Privacy, Big Data, and Competition at FTC Hearings

On October 4, 2018, the Financial Markets Law Committee (“FMLC”) published a paper on the subject of “Data Protection: Issues of Legal Uncertainty Arising from the UK Data Protection Act 2018.”  Cleary Gottlieb contributed to this paper as a participant in the FMLC’s data protection working group.

The FMLC’s paper focuses on issues of legal uncertainty potentially hindering the continuation of the lawful flow of personal data between the UK, the European Economic Area and/or Third Countries (i.e., countries that are not Member States of the European Union) following Brexit, as well as on the framework and mechanics for supervision and enforcement of the data protection regimes post-Brexit. The FMLC’s paper also proposes solutions and/or mitigants to these uncertainties.

The FMLC is an educational charity that was established at (but is independent from) the Bank of England. Its stated role is to identify issues of legal uncertainty or misunderstanding, present and future, in the framework of the wholesale financial markets which might give rise to material risks and to consider how such issues should be addressed.

On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls.  The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934.  The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment.  By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures. Continue Reading SEC Investigative Report Urges Public Companies to Guard Against Cyber Threats When Implementing Internal Accounting Controls

On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).  The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people.  According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date.  The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach. Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations