On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider’s use of cookies.[1],  The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law.
Continue Reading

On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures.  As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network.  This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider.  The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
Continue Reading

Have the right policies in place

– Ensure clear, readily accessible, and (where necessary) country-specific policies are in place indicating the permitted uses of company devices and other IT equipment, including messaging services. If you allow employees to use their own devices to perform work, make sure your policies adequately address issues of access in the context of investigations.
Continue Reading

Many investigations, particularly those that are cross-border in nature, are likely to present data privacy issues, and managing these issues is frequently a key consideration in an investigation.  By keeping data privacy laws in mind as soon as an investigation starts, an organization will avoid the risk that it has failed to satisfy certain requirements, thereby exposing itself to the possibility of a fine or sanction from a regulator.
Continue Reading

The final version of the California Consumer Privacy Act of 2018 is coming into view.

On October 10, California’s Attorney General released the long-anticipated draft regulations to implement the CCPA, and on October 12, the Governor signed into law five amendments to the CCPA passed during the 2019 legislative session.  (We previously discussed the CCPA 

On September 18, 2019, the Securities and Exchange Commission (“SEC”) filed its first civil suit alleging violations of broker-dealer registration requirements in U.S. digital asset markets.  In a case filed in the U.S. District Court for the Central District of California, the SEC alleged that Defendants ICOBox and its founder, Nikolay Evdokimov, illegally conducted an unregistered public securities offering for their 2017 initial coin offering (“ICO”), and have operated an unregistered brokerage service facilitating the launch of ICOs in digital asset securities since 2017.
Continue Reading

Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.

The preliminary assessment by the European

In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook.  Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Continue Reading

On April 16, 2019, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert addressing all registered broker-dealers and investment advisers’ (together, “Firms”)[1] privacy-related obligations under Regulation S-P (“Reg S-P”).  The Risk Alert set out the most frequent Reg S-P deficiencies OCIE identified during examinations over the past two years, and encouraged registrants to review their written privacy policies and procedures as well as the consistency with which these policies and procedures have been implemented.  The Alert is the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.

This Risk Alert is consistent with the SEC’s approach of seeking to influence the conduct of registrants by providing guidance on specific compliance issues, followed by Risk Alerts noting common exam deficiencies, prior to pursuing enforcement actions.  Investment advisers and broker-dealers should  take this as a prompt to review their relevant policies and procedures to ensure they are appropriate and being followed in practice.
Continue Reading