The emergence of online, non-traditional financial service platforms creates additional avenues for terrorist groups to receive and transfer funds outside of the traditional banking system.  One consequence of this trend is the potential for increased litigation against these providers under U.S. statutes that create civil liability for provision of material support to terrorists: the Anti-Terrorism Act (the “ATA”), 18 U.S.C. § 2333(a), and the Justice Against Sponsors of Terrorism Act (“JASTA”), 18 U.S.C. § 2333(d)(2).

Civil claims for damages under the ATA and JASTA have historically been brought against large banks for providing financial services to entities with alleged terrorist links.  Typically in such cases, victims of a terrorist attack and/or their family members allege that the bank supported the attack by processing U.S. dollar denominated transactions to an entity with links to terrorism (often through a chain of intermediaries).  In recent years, the range of entities against which ATA and JASTA claims have been brought has increasingly expanded to include companies outside of the banking sector, such as pharmaceutical companies, government contractors, and social media platforms.  As terrorist groups increase their use of non-traditional financial service platforms, cryptocurrency exchanges, decentralized fintech platforms, and other similar businesses may begin to face ATA and JASTA claims.

As firms respond to the ongoing coronavirus pandemic by increasingly transitioning to remote and telework arrangements, the Financial Industry Regulatory Authority (“FINRA”) issued an alert on measures that firms and associated persons can take to address resulting cybersecurity vulnerabilities:

  • Measures for Firms. Firms should take steps to ensure network security.  This may include providing employees with secure connections (through the use of virtual-private networks (“VPNs”) or secure sessions with multi-factor authentication, for example) and regularly evaluating privileges to access sensitive information.
    • Firms should also consider training staff on how to securely connect to the firm’s network from remote locations while avoiding potential scams or cyberattacks, and to alert the firm’s IT support staff about potential fraudsters seeking to exploit remote work arrangements by impersonating firm personnel.
  • Measures for Associated Persons. Associated persons should utilize a secure connection to access a firm’s network and ensure that their wireless connections use stringent security protocols, their devices are using up-to-date software and non-default login credentials, they are using anti-virus and anti-malware software, and they secure their device when working in public areas.  Associated persons should also review firm policies on storage and back-up of information, particularly where customer personally identifiable information is being accessed on personal devices.
    • Associated persons should be aware of fraudsters using the current situation as a cover for cyberattacks, for example by impersonating “Helpdesk” personnel or engaging in traditional phishing scams. They should also consider their role in a firm’s incident response plan, including who they should contact and when.

The alert notes that it “does not create any new legal requirements or change any existing regulatory obligation.”  For additional guidance on cybersecurity considerations for firms as they respond to the ongoing pandemic, please see our prior posting on the subject.

On Wednesday, March 11, 2020, the California Attorney General released a second set of modifications (the “March Revisions”) to the proposed regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantive changes to both the initial draft regulations issued in October (the “Initial Regulations”) and the revisions published Friday, February 7, 2020 (as supplemented on Monday, February 10, 2020, the “February Revisions”).

(We previously analyzed the CCPA here, the legislative amendments here, the Initial Regulations here, and the February Revisions here.)  While the March Revisions address several of the issues raised by stakeholders commenting upon the February Revisions, there are many issues that remain unaddressed.  Another round of modifications to the regulations may be issued following the conclusion of the public comment period on March 27, 2020.

This alert memorandum highlights certain notable changes to the proposed regulations, particularly with respect to service providers, requirements for privacy policies and other notices to consumers, and the processing of CCPA consumer rights requests.

Efforts to contain COVID-19 have resulted in many employees working remotely for potentially an extended period of time.  While such precautions are in place, it is important to stay vigilant of cybersecurity risks.  There are already reports of COVID-19 related phishing scams and a recent hack of the U.S. Health and Human Services Department amid its pandemic response.  Remote working can exacerbate these risks.  Below is a checklist of key issues to keep in mind on this subject:

On February 19, 2020 the European Data Protection Board (“EDPB”) published its second statement on privacy in the context of corporate transactions.

The statement, the full text of which can be read here, highlights the existence of concerns related to the combination and accumulation of sensitive personal data and the possibility that such combinations could result in a high level of risk to the fundamental rights to privacy and the protection of personal data.

On Friday, February 7, 2020, the California Attorney General released an amended set of proposed regulations (supplemented on February 10, 2020) implementing the California Consumer Privacy Act of 2018 (the “CCPA”), including substantial changes to the draft regulations issued in October.  While the revised regulations eliminate certain requirements that businesses found to be onerous and provide clarification on several points of lingering ambiguity, they also impose additional new compliance obligations and still fail to address certain thorny issues.  Comments on the proposed regulations are due February 25, 2020.

This alert memorandum highlights certain notable changes that may affect the mechanisms and procedures businesses must implement in order to be in compliance with the CCPA, particularly with respect to public privacy policies, other notices to consumers, receipt and processing of CCPA consumer rights requests and avoiding discriminatory practices.

On January 27, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations related to cybersecurity and operational resiliency practices (“Examination Observations”). The observations highlight a set of best practices by market participants in the following areas:  (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management and (7) training and awareness.  Cybersecurity has been a key priority for OCIE since 2012.  Since then, it has published eight cybersecurity-related risk alerts, including an April 2019 alert addressing mobile security. OCIE has perennially included cybersecurity practices as part of its examination priorities (“Examination Priorities”) and listed all but mobile security as “particular focus areas” in the “information security” priority for 2020.

In 2019, boards and senior management across a range of industries continued to cite cybersecurity as one of the most significant risks facing their companies.

At the same time, comprehensive data privacy regulation became a new reality in the United States as many companies implemented major revisions to their privacy policies and data systems to achieve compliance with California’s groundbreaking privacy legislation. New York also imposed for the first time affirmative cybersecurity obligations on companies, which go into effect in March 2020. European regulators announced several notable enforcement actions under the GDPR which confirmed that European authorities are willing to use the GDPR’s authorization to levy large fines, even outside the context of major breaches resulting in exposure of customer information.

In this 2019 Year in Review, we highlight the most significant cybersecurity and privacy developments of 2019 and predict key challenges and areas of focus for the coming year.

The UK Information Commissioner’s Office (“ICO”) issued its first penalty notice under the GDPR in December 2019.  Despite publishing notices of its intention to fine Marriott and British Airways in July 2019, the ICO has not yet taken its final enforcement action in these cases (and it is understood that the ICO has granted an extension for representations by the companies, until March 2020).  The £275,000 fine levied on Doorstep Dispensaree, a pharmaceutical company that provides various prescription medicines to care homes in the UK, therefore provides the first insight into the ICO’s approach to administrative fines under the GDPR (as further described below).

The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.

The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”.