The SEC and a consortium of 32 states recently announced a $100 million settlement with BlockFi Lending LLC over its crypto lending product, BlockFi Interest Accounts. The SEC alleged BlockFi had violated the securities laws by failing to register its interest-bearing crypto lending product as a security, failing to register itself as an investment company, and making false statements about the risks of its product.

On the heels of this settlement, BlockFi announced that it will seek to register its crypto lending product as a security. While hailed by SEC Chair Gary Gensler as a signal of “the Commission’s willingness to work with crypto platforms to determine how they can come into compliance with” the securities laws, the settlement leaves unanswered important questions for those similarly situated in the industry. However, given the SEC’s short 60-day timeline for BlockFi to come into compliance with the securities laws, the wait for regulatory clarity may not be long.

Please click here to read the full alert memorandum.

February 17, 2022 was a busy day for the Department of Justice and its growing cyber portfolio.  First, Deputy Attorney General Lisa O. Monaco delivered remarks at the Annual Munich Cyber Security Conference, stressing the Department’s efforts to confront cyber criminals and its increasing focus on disruption and prevention, even if doing so would limit criminal prosecutions.  Additionally, the Department announced the appointment of the first Director of the National Cryptocurrency Enforcement Team, which was established to address criminal misuse of cryptocurrencies and digital assets. Continue Reading Developments at Justice: The Deputy Attorney General Talks Cybersecurity and the National Cryptocurrency Enforcement Team Gets its First Director

On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts.  Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars. Continue Reading SEC Chair Previews Ramp Up in Regulation and Enforcement in the Cybersecurity Context

Cybersecurity and data privacy continue to be among the most significant legal risks that businesses face today.

Last year brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets, continuing the trend seen in recent years. Regulators also brought a number of cybersecurity enforcement actions and announced new rules, guidance, and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government. Companies should expect the demands of cybersecurity risk management and oversight to intensify as we enter 2022. Continue Reading 2021 Cybersecurity and Privacy Developments in the United States

On January 19, 2022, District Judge Jesse M. Furman of the Southern District of New York dismissed a putative class action filed against men’s clothing store Bonobos, Inc., following an August 2020 data breach.  Judge Furman determined that a Bonobos customer whose personal information was stolen in the breach failed to demonstrate a sufficiently substantial risk of harm to establish standing to sue.

The decision in Cooper v. Bonobos reflects the increased uncertainty regarding the viability of suits for damages based solely on future risk of identity theft or fraud, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez. Continue Reading Data Breach Class Action Against Bonobos Dismissed For Lack of Standing

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2022”.

For those following data privacy and consumer data protection trends, it should come as no surprise that enacting comprehensive legislation to regulate companies’ use of personal data has continued to be a focal point both internationally and in the U.S., at the federal, state and local levels.

In the last three years, over 10 federal proposals and over 40 state proposals for comprehensive privacy legislation were introduced across the U.S., and we expect this trend to continue well into 2022, given the growing bipartisan support for legislation to protect consumer interests and mitigate against the risks associated with the digital economy. The ever-changing landscape and patchwork of compliance obligations globally will only continue to grow more complex and costly, and may lead to increased regulatory scrutiny and potential enforcement actions despite best compliance efforts.  In the U.S., without comprehensive federal data privacy legislation, businesses remain subject to numerous state laws with ambiguous and sometimes conflicting legal obligations. Trans-Atlantic and other international data flows will only continue to become increasingly difficult and costly to navigate in light of recent developments, including in China, the UK  and the European Union.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2022”.

A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets. Regulators also brought a number of cybersecurity enforcement actions, and announced new rules, guidance and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress has made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government.

To read the full post, please click here.

For a PDF of the full memorandum, please click here.

On January 4, 2022, the Federal Trade Commission (FTC) issued a clear warning to companies to remediate any software vulnerabilities associated with the Java-based Log4j software.  A critical security flaw was identified in Log4j, which is embedded in major software applications and is widely used by businesses in all sectors of the economy, this past December.  The security flaw potentially allows bad actors to gain unfettered access to affected computer systems and to any sensitive information they contain.

The FTC, which increasingly prioritizes privacy and data security enforcement, stressed that companies have a legal duty to mitigate known software vulnerabilities—including Log4j—that risk harm to consumers and may face legal action from the FTC if they fail to do so.

Continue Reading The Federal Trade Commission Warns Companies to Remediate the “Log4j” Software Security Vulnerability

We are delighted that Anthony M. Shults has rejoined Cleary Gottlieb as a senior attorney from the U.S. Department of Justice (DOJ), where he served as acting Deputy Assistant Attorney General and Senior Counsel in the Office of Legal Policy and as Attorney-Advisor in the National Security Division. He is based in our New York office and will focus on cybersecurity, data privacy, and emerging technologies, as well as securities, appellate, and complex commercial litigation. Continue Reading Cleary Gottlieb Welcomes Back Anthony M. Shults, Former Acting Deputy Assistant Attorney General and Senior Counsel at the Department of Justice

On December 6, 2021, the National Risk Committee of the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2021, which reports on key issues affecting the federal banking system.[1]  The report highlights the “evolving and increasingly complex” danger to the financial system from cyber threats, and encourages banks and financial institutions to adopt robust cyber controls to minimize operational risk.  It also stresses the need for risk-management policies and procedures that are tailored to new technological innovations, including cryptocurrencies and other digital assets. Continue Reading The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks