On November 28, 2018, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) identified for the first time digital currency addresses associated with sanctioned persons. The newly sanctioned individuals, Iran-based Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of converting digital currency payments into Iranian rial as part of a widespread ransomware scheme. Since 2015, the ransomware scheme (known as “SamSam”) has infected the data networks of corporations, hospitals, universities, and government agencies. According to OFAC’s announcement, the identified bitcoin addresses were used with over 40 digital currency exchangers to process more than 7,000 illicit transactions in bitcoins worth millions of U.S. dollars. Continue Reading OFAC Lists Digital Currency Addresses for First Time, Releases New Guidance
On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.” The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens. These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018. Continue Reading SEC Divisions’ Issue Public Statement on Digital Assets and ICOs, Echoing Recent Enforcement Actions
On November 6-8, 2018, the U.S. Federal Trade Commission (“FTC”) hosted a public hearing on “Privacy, Big Data, and Competition.” The event was part of a series of public hearings on Competition and Consumer Protection in the 21st Century, modeled after the agency’s 1995 “Pitofsky Hearings.” The series solicits input from a wide variety of private and public sector stakeholders and academics to inform and guide the FTC’s regulatory and enforcement efforts in light of broad economic changes, evolving business practices, new technologies, and international developments. Continue Reading Consumer Protection and Antitrust Regulators, Experts Discuss Privacy, Big Data, and Competition at FTC Hearings
On September 26, 2018, a federal court in the District of Massachusetts found that virtual currencies are a commodity under the Commodity Exchange Act, 7 U.S.C. § 1 et seq, (“CEA”). This marks the second time that a court has accepted the Commodity Futures Trading Commission’s (“CFTC”) position and upheld the agency’s authority to regulate unleveraged and unmargined spot transactions in virtual currency under the agency’s anti-fraud and manipulation enforcement authority. Most notably, however, the reasoning behind its decision potentially expands the scope of the CFTC’s oversight of the market. Continue Reading Second District Court Determines Virtual Currencies Are Commodities
The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.
On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.
The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services. The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.
Please click here to read the full alert memorandum.
Over recent months, numerous state regulators, including in Massachusetts, Texas, and New Jersey, have been exercising greater oversight of cryptocurrency businesses. On April 17, 2018, the office of the New York Attorney General Eric Schneiderman (“NYAG”) launched the Virtual Markets Integrity Initiative, which will seek information from various platforms that trade cryptocurrencies to better protect consumers. The initiative responds to concerns that cryptocurrency trading platforms may not provide consumers with the same information available from traditional exchanges. As part of the initiative, the NYAG’s Investor Protection Bureau sent thirteen major cryptocurrency trading platforms questionnaires relating to internal policies, controls, and best practices. The Bureau intends to consolidate and disseminate to consumers the information it receives. Continue Reading New York Attorney General Becomes Most Recent State Regulator To Foray Into Cryptocurrency Oversight
On March 27, 2018, Massachusetts Secretary of State William Galvin announced that the state had ordered five firms to halt initial coin offerings (“ICOs”) on the grounds that the ICOs constituted unregistered offerings of securities but made no allegations of fraud. These orders follow a growing line of state enforcement actions aimed at ICOs.
This was not Massachusetts’s first foray into regulating ICOs. On January 17, 2018 the state filed a complaint alleging violations of securities and broker-dealer registration requirements against the company Caviar and its founder for an ICO that sought to create a “pooled investment fund with hedged exposure to crypto-assets and real estate debt.”
On January 8, 2018, the Financial Industry Regulatory Authority (“FINRA”) published its 2018 Regulatory and Examination Priorities Letter, which provides an overview of particular areas of regulatory focus in the upcoming year. Under the category of operational and financial risks, FINRA specifically identifies cybersecurity as a high-priority area that member broker-dealer firms “may wish to consider as they identify opportunities to improve their compliance, supervisory and risk management programs” and commends the firms that have already devoted resources to this important area. The letter notes that FINRA will assess the effectiveness of member firms’ cybersecurity programs at guarding sensitive information (including personally identifiable information) as well as such firms’ cybersecurity preparedness, technical defenses and resiliency measures. FINRA also reminds member firms that they are required to have policies and procedures in place to evaluate whether a suspicious activity report must be filed with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) upon identification of a cybersecurity incident. The letter also advises review of the 2017 Report on FINRA Examination Findings for further information about FINRA’s cybersecurity concerns and observations regarding effective cybersecurity practices. Continue Reading FINRA Announces 2018 Priorities and Issues First-Ever Report on Examination Findings
Following the generally positive assessment of the EU-U.S. Privacy Shield framework (the “Privacy Shield”) by the European Commission further to its first annual review, the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission), released its own opinion (the “WP29 Opinion”), which was more critical and called for immediate actions to be taken on the part of the United States.
While the Article 29 Working Party praised some improvements made by U.S. authorities in terms of transparency and surveillance, the WP29 Opinion noted significant outstanding issues which ought to be remedied before the second annual review of the Privacy Shield or even earlier. In particular, the Article 29 Working Party expressed concerns relating to the supervision of U.S. surveillance programs, the processing by U.S. authorities of personal data transferred under the Privacy Shield for national security purposes and the implementation of redress mechanisms available to individuals located in the EU against U.S. companies that are not using personal data in accordance with their commitments under the Privacy Shield. The Article 29 Working Party has set out as priorities the appointment of an independent Ombudsperson entrusted with the appropriate powers, the clarification of internal procedural rules relating to the interaction between the Ombudsperson and other intelligence or oversight bodies (including declassification rules) and the appointment by the U.S. administration of the members of the Privacy and Civil Liberties Oversight Board contemplated by the Privacy Shield. According to the Article 29 Working Party, those priority issues should be resolved by May 25, 2018, which is the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) (please refer to our prior Alert Memo in that regard).
Other issues identified by the Article 29 Working Party related to the lack of information given to individuals in the EU regarding the exercise of their rights under the Privacy Shield and the need to increasingly monitor compliance of companies certified under the Privacy Shield. The WP29 Opinion also provided specific recommendations with regard to the processing of employee data, rules regarding automated decision-making and the profiling of individuals, and the self-certification process by U.S. companies wishing to take advantage of the Privacy Shield.
The Article 29 Working Party advised that in the event of a failure to take the actions it prescribed in the WP29 Opinion within the next year, it reserved the right to challenge the validity of the European Commission’s adequacy decision underlying the Privacy Shield in national courts, which could result in its annulment. In that regard, some of the arguments the Article 29 Working Party could raise (such as the broad access to personal data by U.S. authorities for national security purposes) appear to be similar to those that resulted in the invalidation of the Safe Harbor scheme (the Privacy Shield’s predecessor) by the Court of Justice of the European Union in its Schrems v. Data Protection Commissioner judgment.
The Privacy Shield is also subject to pending challenges, one of which was dismissed on November 22, 2017, albeit not on substantive grounds but as a result of the applicant’s lack standing to act. These challenges to the Privacy Shield echo other actions seeking to invalidate alternative legal grounds to transfer personal data from the EU to the United States, such as the one initiated by Mr. Schrems and the Irish Data Commissioner to question the legitimacy of so-called Standard Contractual Clauses (“SCCs,” also commonly referred to as Model Contracts), which is now pending before the Court of Justice of the European Union for a preliminary ruling.
The invalidation of both the Privacy Shield and the SCCs as approved methods for transferring personal data would cause serious disruptions in the flow of data and, as a result, business relations, between EU and U.S. companies.