The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and
  • Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.


On September 27, 2018, the Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) filed parallel actions in federal court against an internet dealer that sold “contracts for difference” (CFD) based on securities and commodities margined with bitcoin.  The actions, which were assisted by the Federal Bureau of Investigation and the Department of Justice, signal continued coordination among federal agencies to police market activity involving financial transactions in cryptocurrencies.

On September 26, 2018, a federal court in the District of Massachusetts found that virtual currencies are a commodity under the Commodity Exchange Act, 7 U.S.C. § 1 et seq. (“CEA”). This marks the second time that a court has accepted the Commodity Futures Trading Commission’s (“CFTC”) position and upheld the agency’s authority to regulate unleveraged and unmargined spot transactions in virtual currency under the agency’s anti-fraud and manipulation enforcement authority.  Most notably, however, the reasoning behind its decision potentially expands the scope of the CFTC’s oversight of the market.

Over the past year, the U.S. Securities and Exchange Commission (“SEC”) has increasingly scrutinized initial coin offerings (“ICO”) and certain digital assets.  On September 20, 2018, the SEC’s Enforcement Division co-Director, Stephanie Avakian, gave a speech in which she addressed the Division’s approach to dealing with these new forms of tradeable assets.  This speech came only days after the SEC settled its first case charging an unregistered broker-dealer for facilitating the sale of digital tokens from several ICOs since the 2017 DAO Report.  In her speech, Avakian provided three key insights into the Division’s enforcement strategy.

On Tuesday, September 11, 2018, Judge Raymond J. Dearie of the Eastern District of New York issued a decision holding that Initial Coin Offerings (“ICO”) may qualify as securities offerings and therefore be subject to the criminal federal securities laws.  This ruling came as two U.S. regulators—the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”)—announced separate actions under securities laws against companies engaged in the cryptocurrency marketplace, including the sale of digital tokens.  As the popularity of cryptocurrencies grows and businesses and entrepreneurs increasingly turn to ICOs to raise capital, these developments may serve as guideposts for how cryptocurrencies and ICOs will be viewed by courts and federal regulators in cases to follow.

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.


On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database.  The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents.  Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.


Over recent months, numerous state regulators, including in Massachusetts, Texas, and New Jersey, have been exercising greater oversight of cryptocurrency businesses.[1]  On April 17, 2018, the office of the New York Attorney General Eric Schneiderman (“NYAG”) launched the Virtual Markets Integrity Initiative, which will seek information from various platforms that trade cryptocurrencies to better protect consumers.  The initiative responds to concerns that cryptocurrency trading platforms may not provide consumers with the same information available from traditional exchanges.  As part of the initiative, the NYAG’s Investor Protection Bureau sent thirteen major cryptocurrency trading platforms questionnaires relating to internal policies, controls, and best practices.  The Bureau intends to consolidate and disseminate to consumers the information it receives.

On March 27, 2018, Massachusetts Secretary of State William Galvin announced that the state had ordered five firms to halt initial coin offerings (“ICOs”) on the grounds that the ICOs constituted unregistered offerings of securities but made no allegations of fraud.  These orders follow a growing line of state enforcement actions aimed at ICOs.

This was not Massachusetts’s first foray into regulating ICOs.  On January 17, 2018 the state filed a complaint alleging violations of securities and broker-dealer registration requirements against the company Caviar and its founder for an ICO that sought to create a “pooled investment fund with hedged exposure to crypto-assets and real estate debt.”


The 2018 Consolidated Appropriations Act, which was signed by President Donald Trump on March 23, 2018, included a little-debated provision that revised portions of the 1986 Stored Communications Act (“SCA”) to permit the government to access through the use of a warrant or subpoena stored communications held abroad by providers of electronic communications services that are subject to United States jurisdiction.

The Clarifying Lawful Overseas Use of Data Act – or “CLOUD Act” – establishes that the SCA’s provisions concerning the production of electronic communications extend to those held abroad, establishes a framework for service providers to challenge an SCA warrant, directs courts to conduct a limited comity analysis to balance certain factors relevant to cross-border transfers of data, and introduces an incentive for foreign governments to enter into executive agreements with the United States governing cross-border data requests.

Prior to the enactment of the CLOUD Act, the Supreme Court was poised to rule in the case Microsoft Corporation v. United States of America, No. 17-2, on whether the SCA in its previous form permitted the use of a warrant to obtain electronic communications stored by a U.S. company on foreign servers. The relevance of that case, which was argued in February, is substantially undermined by this Congressional action.
