For those following data privacy and consumer data protection trends, it should come as no surprise that enacting comprehensive legislation to regulate companies’ use of personal data has continued to be a focal point both internationally and in the U.S., at the federal, state and local levels.
Continue Reading Navigating the Complex Regulation of Privacy and Data Protection
Enforcement
Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets.
Second Circuit Articulates Injury Standard in Data Breach Suits
Last week, the Second Circuit affirmed the dismissal, for lack of Article III standing, of a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”). In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met based on the facts presented. The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.
OFAC Settles with Digital Currency Payment Processor for Sanctions Violations
On February 18, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay), a payment processor for merchants accepting digital currency as payment for goods and services, for 2,102 apparent violations of multiple sanctions programs between 2013 and 2018.[1] The settlement highlights that financial service providers facilitating digital currency transactions must not only establish sanctions compliance programs to screen their own customers but also must monitor third-party non-customer transaction information.
Turning the Page: Highlights of the SEC’s Division of Examination’s 2021 Priorities
On March 3, 2021, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”)—formerly the Office of Compliance Inspections and Examinations—released its 2021 Examination Priorities (“2021 Priorities”). The 2021 Priorities generally retain perennial risk areas as the Division’s core focus, but do include several new and emerging risk areas reflecting broader policy shifts under new SEC leadership.
The 2021 Priorities include: retail investors; information security and operational resilience; financial technology (“Fintech”), including digital assets; anti-money laundering; transition from the London Inter‑Bank Offered Rate (“LIBOR”); several areas covering registered investment advisers and investment companies; market infrastructure; and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies. Although not formal priorities, the Division will also focus on climate-related risks and environmental, social and governance (“ESG”) matters in light of recent market developments and broader attention in these areas.
Ready to Pounce: Regulators Are Intensifying GDPR Enforcement
After what appears to be a period of relative leniency in 2018/19, enforcement actions for violations of the EU General Data Protection Regulation (“GDPR”) have since intensified. In 2020, according to publicly available information, supervisory authorities across the EU and the UK Information Commissioner’s Office (“ICO”) issued over EUR 170 million worth of fines combined[1], with six of the top ten individual fines imposed being issued in 2020[2].
First Circuit Upholds Border Searches of Electronic Devices Without Probable Cause
In a decision with potentially far-reaching implications, Alasaad v. Mayorkas, Nos. 20-1077, 20-1081, 2021 WL 521570 (1st Cir. Feb. 9, 2021), the First Circuit recently rejected First and Fourth Amendment challenges to the U.S. government agency policies governing border searches of electronic devices. These policies permit so-called “basic” manual searches of electronic devices without any articulable suspicion, requiring reasonable suspicion only when officers perform “advanced” searches that use external equipment to review, copy, or analyze a device. The First Circuit held that even these “advanced” searches require neither probable cause nor a warrant, and it split with the Ninth Circuit in holding that searches need not be limited to searches for contraband, but may also be used to search for evidence of contraband or evidence of other illegal activity. This decision carries several takeaways for company executives entering and leaving the United States, particularly if they or their employers are under active investigation. In-house counsel in particular should consider the implications of the decision given the obligations of lawyers to protect the confidentiality of attorney-client privileged information.
D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1] The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
FTC Announces Settlement with Zoom Regarding Data Security Practices
On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software. The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices. It also imposes multiple layers of reporting and certification requirements.
OFAC and FinCEN Issue Advisories on Cyber Ransom Payments
In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2] Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3]