On January 8, 2018, the Financial Industry Regulatory Authority (“FINRA”) published its 2018 Regulatory and Examination Priorities Letter, which provides an overview of particular areas of regulatory focus in the upcoming year. Under the category of operational and financial risks, FINRA specifically identifies cybersecurity as a high-priority area that member broker-dealer firms “may wish to consider as they identify opportunities to improve their compliance, supervisory and risk management programs” and commends the firms that have already devoted resources to this important area. The letter notes that FINRA will assess the effectiveness of member firms’ cybersecurity programs at guarding sensitive information (including personally identifiable information) as well as such firms’ cybersecurity preparedness, technical defenses and resiliency measures. FINRA also reminds member firms that they are required to have policies and procedures in place to evaluate whether a suspicious activity report must be filed with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) upon identification of a cybersecurity incident. The letter also advises review of the 2017 Report on FINRA Examination Findings for further information about FINRA’s cybersecurity concerns and observations regarding effective cybersecurity practices. Continue Reading FINRA Announces 2018 Priorities and Issues First-Ever Report on Examination Findings
Following the generally positive assessment of the EU-U.S. Privacy Shield framework (the “Privacy Shield”) by the European Commission further to its first annual review, the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission), released its own opinion (the “WP29 Opinion”), which was more critical and called for immediate actions to be taken on the part of the United States.
While the Article 29 Working Party praised some improvements made by U.S. authorities in terms of transparency and surveillance, the WP29 Opinion noted significant outstanding issues which ought to be remedied before the second annual review of the Privacy Shield or even earlier. In particular, the Article 29 Working Party expressed concerns relating to the supervision of U.S. surveillance programs, the processing by U.S. authorities of personal data transferred under the Privacy Shield for national security purposes and the implementation of redress mechanisms available to individuals located in the EU against U.S. companies that are not using personal data in accordance with their commitments under the Privacy Shield. The Article 29 Working Party has set out as priorities the appointment of an independent Ombudsperson entrusted with the appropriate powers, the clarification of internal procedural rules relating to the interaction between the Ombudsperson and other intelligence or oversight bodies (including declassification rules) and the appointment by the U.S. administration of the members of the Privacy and Civil Liberties Oversight Board contemplated by the Privacy Shield. According to the Article 29 Working Party, those priority issues should be resolved by May 25, 2018, which is the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) (please refer to our prior Alert Memo in that regard).
Other issues identified by the Article 29 Working Party related to the lack of information given to individuals in the EU regarding the exercise of their rights under the Privacy Shield and the need to increasingly monitor compliance of companies certified under the Privacy Shield. The WP29 Opinion also provided specific recommendations with regard to the processing of employee data, rules regarding automated decision-making and the profiling of individuals, and the self-certification process by U.S. companies wishing to take advantage of the Privacy Shield.
The Article 29 Working Party advised that in the event of a failure to take the actions it prescribed in the WP29 Opinion within the next year, it reserved the right to challenge the validity of the European Commission’s adequacy decision underlying the Privacy Shield in national courts, which could result in its annulment. In that regard, some of the arguments the Article 29 Working Party could raise (such as the broad access to personal data by U.S. authorities for national security purposes) appear to be similar to those that resulted in the invalidation of the Safe Harbor scheme (the Privacy Shield’s predecessor) by the Court of Justice of the European Union in its Schrems v. Data Protection Commissioner judgment.
The Privacy Shield is also subject to pending challenges, one of which was dismissed on November 22, 2017, albeit not on substantive grounds but as a result of the applicant’s lack standing to act. These challenges to the Privacy Shield echo other actions seeking to invalidate alternative legal grounds to transfer personal data from the EU to the United States, such as the one initiated by Mr. Schrems and the Irish Data Commissioner to question the legitimacy of so-called Standard Contractual Clauses (“SCCs,” also commonly referred to as Model Contracts), which is now pending before the Court of Justice of the European Union for a preliminary ruling.
The invalidation of both the Privacy Shield and the SCCs as approved methods for transferring personal data would cause serious disruptions in the flow of data and, as a result, business relations, between EU and U.S. companies.
On Monday, December 4, 2017, the U.S. Securities and Exchange Commission (SEC) obtained an emergency order from a U.S. District Court in New York to enjoin an allegedly fraudulent initial coin offering scheme. The SEC’s complaint alleges that Dominic Lacroix, a recidivist securities law violator, and his company PlexCorps violated the anti-fraud and registration provisions of the U.S. federal securities laws in collecting up to $15 million in investor funds purportedly in exchange for digital tokens and promised returns in excess of 1,000% in 29 days. The complaint also charges Lacroix’s partner Sabrina Paradis-Royer with securities fraud. Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets.
Last Friday, December 1, 2017, the U.S. Commodity Futures Trading Commission (CFTC) announced that three futures exchanges—the Chicago Mercantile Exchange Inc. (CME), the CBOE Futures Exchange (CBOE) and the Cantor Exchange (Cantor)—self-certified that they will be listing futures contracts (CME and CBOE) and options (Cantor) referencing bitcoin. Trading in bitcoin futures will commence at the CBOE on December 10 and on CME on December 18, with Cantor’s options trading to follow. Listing these contracts will allow both institutional and retail investors to obtain long or short exposure to bitcoin without buying or selling the underlying bitcoin itself.
In his remarks yesterday at the Cambridge Cyber Summit, Deputy Attorney General Rod J. Rosenstein discussed the ever-growing threat posed by cyber criminals, the DOJ’s recent successes in combating cyber threats, and how private corporations and law enforcement can collaborate in the battle against cybercrime. Continue Reading Deputy AG Rosenstein Addresses Public-Private Collaboration on Cybersecurity