On September 15, 2020, the Securities and Exchange Commission issued a cease‑and‑desist order against Unikrn, Inc. concerning its 2017 initial coin offering  of UnikoinGold .  The SEC found that the Unikrn ICO violated the prohibition in Section 5 of the Securities Act of 1933 against the unregistered public offer or sale of securities.  The SEC imposed several remedies, including requiring Unikrn to permanently disable the UnikoinGold token and a civil money penalty of $6.1 million.
Continue Reading SEC Issues Enforcement Action Against Unikrn, Inc. for its ICO, Prompting Rare Public Dissent from Commissioner Hester Peirce

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).
Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

On January 27, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations related to cybersecurity and operational resiliency practices (“Examination Observations”). The observations highlight a set of best practices by market participants in the following areas:  (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management and (7) training and awareness.  Cybersecurity has been a key priority for OCIE since 2012.  Since then, it has published eight cybersecurity-related risk alerts, including an April 2019 alert addressing mobile security. OCIE has perennially included cybersecurity practices as part of its examination priorities (“Examination Priorities”) and listed all but mobile security as “particular focus areas” in the “information security” priority for 2020
Continue Reading OCIE Cybersecurity and Resiliency Observations and Best Practices

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to

Since the end of 2018, the Federal Trade Commission has reportedly been considering how to strengthen the injunctive relief imposed in orders in data security cases.  The FTC began its evaluation with a public hearing in December 2018 on data breaches and data breach assessments.  Several months later, in March 2019, the Commission issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating “new requirements” while “anticipat[ing] further refinements.”  Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders.
Continue Reading FTC Summarizes a Year of Change in its Data Security Orders

On January 7, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2020 Examination Priorities (“2020 Priorities”).  While at first blush the themes appear consistent with and predictable from their 2019 priorities, on closer read OCIE has provided some new insights and some unexpected focus areas.  The themes for the 2020 Priorities are:  retail investors, information security, financial technology (“Fintech”) and innovation (including digital assets and electronic investment advice), several areas covering registered investment advisers and investment companies, anti-money laundering, market infrastructure (clearing agencies, national securities exchanges, alternative trading systems, transfer agents), and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies.  OCIE also stressed the challenges it faced in light of last year’s government shutdown and resource constraints, as the Division of Enforcement did in its 2019 Annual Report (see our analysis here), and the challenges in examining non-U.S. advisers due to limits that foreign data protection and privacy laws may place on cross-border information transfers.  In this post, we analyze the highlights in and our takeaways from the 2020 Priorities.
Continue Reading From the Expected to the Surprises: Highlights of SEC OCIE’s 2020 Priorities

On November 21, 2019, the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the “GDPR”) in connection with cold calling campaigns.[1]
Continue Reading French Regulator Fines Futura Internationale €500,000 for Infringements of the GDPR in Connection With Telephone Advertising Campaigns