On April 16, 2019, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert addressing all registered broker-dealers and investment advisers’ (together, “Firms”)[1] privacy-related obligations under Regulation S-P (“Reg S-P”).  The Risk Alert set out the most frequent Reg S-P deficiencies OCIE identified during examinations over the past two years, and encouraged registrants to review their written privacy policies and procedures as well as the consistency with which these policies and procedures have been implemented.  The Alert is the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.

This Risk Alert is consistent with the SEC’s approach of seeking to influence the conduct of registrants by providing guidance on specific compliance issues, followed by Risk Alerts noting common exam deficiencies, prior to pursuing enforcement actions.  Investment advisers and broker-dealers should  take this as a prompt to review their relevant policies and procedures to ensure they are appropriate and being followed in practice.
Continue Reading

On February 20, the Securities and Exchange Commission (the “SEC” or “Commission”) issued a cease-and-desist order against Gladius Network LLC (“Gladius”) concerning its 2017 initial coin offering (“ICO”).  The SEC found that the Gladius ICO violated the Securities Act of 1933’s (“Securities Act”) prohibition against the public offer or sale of any securities not made pursuant to either an effective registration statement on file with the SEC or under an exemption from registration.[1]  While this is far from the first time that the SEC has found that a particular ICO token meets the definition of a “security” under the Securities Act,[2] this is notably the first action involving an ICO token issuer that self-reported its potential violation.  Due to this, and Gladius’s cooperation throughout the investigation, the SEC stopped short of imposing any civil monetary penalties among its ordered remedial measures.
Continue Reading

On January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that plaintiffs are not required to allege actual harm in order to seek damages against private entities under the state’s Biometric Information Privacy Act (BIPA).  BIPA regulates companies’ collection, retention, and disclosure of biometric identifiers.  It further provides a private right of action for persons “aggrieved” by a violation of the Act for recovery of liquidated damages, injunctive relief, attorneys’ fees, and costs.  By allowing suits for technical violations of BIPA’s notice and consent provision to go forward, the Rosenbach decision will likely encourage the filing of new cases under the Act and may influence the interpretation of data privacy laws in other states.
Continue Reading

Nearly a decade ago, WikiLeaks ushered in the age of mass leaks.  Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information.  Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak.  This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information.  While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind.  The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege.  In this memorandum, we discuss the potential issues raised by the prosecution and their implications.

Continue Reading

On January 7, 2019 the National Futures Association (“NFA”) provided additional guidance on the required cybersecurity practices of certain NFA members by amending its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”).  The Interpretive Notice currently requires each NFA member futures commission merchant (“FCM”), commodity trading advisor, commodity pool operator, introducing broker (“IB”), retail foreign exchange dealer, swap dealer (“SD”) and major swap participant to implement a written information systems security program (“ISSP”) and enact other cybersecurity procedures sufficient to identify, address and respond to cybersecurity incidents.  The amendments to the Interpretive Notice are informed by NFA examinations of member ISSPs since the Interpretive Notice became effective in March 2016.  They are intended to clarify certain common questions posed by NFA members related to internal approvals of the ISSP and employee training.  The amendments additionally impose a new notification requirement for specified cybersecurity incidents.
Continue Reading

On November 21, 2018, in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, the Supreme Court of Pennsylvania held that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored on an internet-accessible computer.[1] Dittman is notable because it is the first time a state’s highest court has broadly held that a company owes a duty to its employees to protect their personal data that it collects and stores. Also, by rejecting the economic loss doctrine, the court opened the door to the potential recovery of pecuniary damages in data breach cases alleging a negligence theory. If the holding of Dittman is adopted by courts in other states, employers could face increased risk of financial liability following a data breach that compromises personal information of employees.
Continue Reading

On December 20, 2018, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 Examination Priorities.  The six themes for this year’s priorities are:  retail investors (including seniors and those saving for retirement), compliance and risk in registrants responsible for critical market infrastructure (clearing agencies, transfer agents, national securities exchanges and Regulation SCI entities), oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board, digital assets, cybersecurity and anti-money laundering.  The only new theme for 2019 compared to 2018 is digital assets, which we take to imply a plan to more closely—and substantively—regulate investment advisers and broker-dealers involved with this asset class.  The 2019 priorities also more explicitly than the 2018 priorities describe specific practices that OCIE found concerning in examinations of those entities, many of which involved failure to adequately safeguard client assets and the adequacy of disclosures of conflicts of interest.  We expect to see a corresponding focus in Enforcement Division investigations and cases on these issues as a result.
Continue Reading

On November 27, 2018, the Senate Commerce, Science, and Transportation Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security held an oversight hearing of the U.S. Federal Trade Commission.  The hearing marked the first appearance before the Senate of the full slate of current FTC commissioners: Republicans Chairman Joe Simons, Noah Phillips, and Christine Wilson, and Democrats Rohit Chopra and Rebecca Slaughter.  In addition to confirming that the FTC will continue to prioritize data security and privacy enforcement under its consumer protection mandate, the commissioners were unanimous in their support for comprehensive federal data privacy legislation to be enforced by the FTC.  Each, however, offered slightly different views as to the right approach for potential legislation and future enforcement.
Continue Reading

On November 28, 2018, Judge Gonzalo P. Curiel of the U.S. District Court for the Southern District of California denied the U.S. Securities and Exchange Commission’s motion for a preliminary injunction against Blockvest, LLC and Reginald Ringgold in connection with Defendants’ initial coin offering (“ICO”).  In doing so, the court found disputed issues of fact existed regarding whether the so-called “BLV” tokens constituted “securities” under the test set out in SEC v. W.J. Howey Co.[1]  This is not the first time a court has characterized the question of whether an ICO token satisfies Howey’s requirements as a factual one.[2]  But, the decision is notable for being the first instance of a court ruling against the SEC in an ICO and because it focused its inquiry under Howey on the subjective understanding of particular investors rather than the objective characteristics of the tokens themselves.
Continue Reading

On November 28, 2018, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) identified for the first time digital currency addresses associated with sanctioned persons.  The newly sanctioned individuals, Iran-based Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of converting digital currency payments into Iranian rial as part of a widespread ransomware scheme.  Since 2015, the ransomware scheme (known as “SamSam”) has infected the data networks of corporations, hospitals, universities, and government agencies.  According to OFAC’s announcement, the identified bitcoin addresses were used with over 40 digital currency exchangers to process more than 7,000 illicit transactions in bitcoins worth millions of U.S. dollars.
Continue Reading