On Wednesday, March 11, 2020, the California Attorney General released a second set of modifications (the “March Revisions”) to the proposed regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantive changes to both the initial draft regulations issued in October (the “Initial Regulations”) and the revisions published Friday, February 7, 2020

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to

Since the end of 2018, the Federal Trade Commission has reportedly been considering how to strengthen the injunctive relief imposed in orders in data security cases.  The FTC began its evaluation with a public hearing in December 2018 on data breaches and data breach assessments.  Several months later, in March 2019, the Commission issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating “new requirements” while “anticipat[ing] further refinements.”  Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders.
Continue Reading

On November 21, 2019, the French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) imposed a €500,000 fine on Futura Internationale, a midsized French company, for serious infringements of the EU General Data Protection Regulation (the “GDPR”) in connection with cold calling campaigns.[1]
Continue Reading

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider’s use of cookies.[1],  The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law.
Continue Reading

On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures.  As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network.  This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider.  The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
Continue Reading

On October 11, 2019, the leaders of the Commodity Futures Trading Commission, Financial Crimes Enforcement Network, and Securities and Exchange Commission issued a joint statement to remind businesses that engage in digital asset activities of their anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) obligations under the Bank Secrecy Act (“BSA”).

As market

In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook.  Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Continue Reading

On January 22, the Financial Industry Regulatory Authority (“FINRA”)[1] released its 2019 Risk Monitoring and Examination Priorities Letter (the “Letter”).  The Letter highlights material new priorities for FINRA examinations in the coming year, as well as priorities in areas of ongoing concern.  The topics highlighted in this year’s Letter reflect FINRA’s increasing focus on its members’ interaction with, and adoption of, innovative financial technologies, as well as its implicit acknowledgement of the ability for such innovations to assist in regulatory compliance.  The new priorities highlighted in the Letter include several related to FinTech, including online distribution platforms, use of regulatory technology (or “RegTech”), and supervision of digital asset businesses.  In priority areas of ongoing concern, the Letter confirmed that FINRA will continue to focus on reviewing the adequacy of firms’ cybersecurity programs.  Below we detail FINRA’s discussion of these priorities and analyze them in the context of other recent guidance and enforcement actions.
Continue Reading

On November 28, 2018, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) identified for the first time digital currency addresses associated with sanctioned persons.  The newly sanctioned individuals, Iran-based Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of converting digital currency payments into Iranian rial as part of a widespread ransomware scheme.  Since 2015, the ransomware scheme (known as “SamSam”) has infected the data networks of corporations, hospitals, universities, and government agencies.  According to OFAC’s announcement, the identified bitcoin addresses were used with over 40 digital currency exchangers to process more than 7,000 illicit transactions in bitcoins worth millions of U.S. dollars.
Continue Reading