Following on the heels of the SEC’s updated interpretive guidance on cybersecurity disclosure, SEC Chairman Jay Clayton and SEC Commissioner Robert Jackson each recently made public statements underscoring the agency’s increasing focus on cybersecurity.

On March 12, 2018, Chairman Clayton stated that the SEC will closely monitor how corporations respond to the new interpretive guidance at a conference held by the Council of Institutional Investors.  During an interview conducted by former Chairwoman Elisse Walter, Chairman Clayton said implementation of the interpretive guidance “will be a focal point for staff review” and that companies should work to determine their disclosure obligations under the current rules.[1]  Reiterating the interpretive guidance’s statement that the SEC expects companies to make disclosures “tailored” to their particular cybersecurity risks and incidents, Chairman Clayton stated that companies must put significant effort into determining their individual disclosure obligations under the current rules, meaning that “[r]eally good lawyering and governance is necessary.”[2]  Chairman Clayton also alluded to calls by certain SEC Commissioners for rulemaking requiring the disclosure of cybersecurity incidents in 8-K filings:  “In terms of writing a rule, if you wanted to make it a specific 8-K requirement, the issue there is whether something is material,” said Chairman Clayton, adding “[i]t’s really a facts and circumstances situation, and it can vary from industry to industry and company to company.”[3]    Continue Reading SEC Officials Emphasize Close Monitoring of Cybersecurity Disclosures Following Release of Interpretive Guidance

On March 7, 2018, FBI Director Christopher Wray delivered remarks at Boston College that highlight the agency’s ongoing efforts to better respond to cyber threats.  Director Wray’s remarks focused on the private and public sector partnerships that the FBI (and other authorities) are cultivating to combat the increased sophistication of cyber threats as they evolve into what he described as “full-blown economic espionage and extremely lucrative cyber crime.” Continue Reading FBI Director: FBI Might Not Share Information With Adversarial Authorities

This past week, we received further evidence that U.S. federal regulators will continue to scrutinize potential compliance issues in virtual currency trading and initial coin offerings (“ICOs”) under existing law. However, the key takeaway is that the U.S. regulators, so far, are doing so under established interpretations of their existing authority. In our view, none of these events should be construed either as establishing a new regulatory framework or as a significant expansion of prior regulatory authority.

Please click here to read the full alert memorandum.

In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws.  At the same time, the SEC announced parallel civil charges against Ying.  Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.”  After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price.  Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later.  The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws.  The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.  Continue Reading DOJ And SEC Charge Former Equifax Executive With Insider Trading

Last week, the Ninth Circuit reversed a Nevada district court’s dismissal, for lack of Article III standing, of plaintiffs’ claims arising out of a data breach.[1]  In so holding, the Ninth Circuit reaffirmed its position on one side of a circuit split on the issue of standing to bring suit based on a substantial risk of identity theft or fraud resulting from a data breach, even in the absence of allegations that the risk actually materialized,[2] an issue that the Supreme Court recently declined to review. Continue Reading Ninth Circuit Reverses Dismissal For Lack of Standing in Data Breach Case

Last week, Pennsylvania’s Attorney General sued Uber for allegedly failing to provide timely notice to its drivers that their personal identifying information (“PII”) had been compromised in a data breach in 2016.  The lawsuit seeks $13.5 million in penalties against Uber—$1,000 for each of the 13,500 Pennsylvanian Uber drivers whose driver’s license information was accessed by hackers.  The complaint alleges that, in violation of Pennsylvania’s data breach notification law,[1] Uber failed to provide notice “without unreasonable delay” to the affected drivers, instead paying the hackers to allegedly “delete the data and stay quiet.”  A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Continue Reading Pennsylvania Attorney General Sues Uber Over Data Breach

The Office of the Comptroller of the Currency (“OCC”) recently issued its Semiannual Risk Perspective.  The OCC identified cybersecurity as a key operational risk, pointing to the increasing speed and sophistication of cybersecurity threats, which can target the theft of personally identifiable information, intellectual property, and bank funds. Continue Reading Cybersecurity Key Operational Risk in OCC’s Semiannual Risk Perspective Report

A pair of recent enforcement actions by the CFTC and New York Attorney General’s Office (“NYAG”) show that both federal and state authorities are pursuing cases against companies believed to have insufficient data security practices, even in the absence of breaches resulting in harm to customers.

First, late last month, the CFTC entered into a settlement with a registered futures commission merchant that allegedly failed to diligently supervise an unnamed “IT Provider.”  The IT Provider inadvertently introduced a vulnerability to the merchant’s network, exposing private customer records and sensitive information, including personally identifiable information.  An unnamed “Third Party” detected the vulnerability and accessed nearly 100,000 files containing sensitive information.  The Third Party eventually contacted the merchant and federal authorities to disclose vulnerability, and deleted the data.  It appears that the data was not otherwise improperly accessed. Continue Reading Recent Enforcement Actions by Regulators Show Continued Focus on Cybersecurity and Data Protection Issues

On March 6, 2018, the World Economic Forum (WEF) published a white paper report analyzing challenges that financial services and fintech firms face in protecting customer information against the increasing risk of cyber-attacks and setting out proposals to better manage this cyber-risk.[1] As described below, the report recommends industry-wide efforts to adopt standardized cyber-risk metrics and to develop mechanisms for assessing cybersecurity. In conjunction with the publication of these recommendations, Citigroup Inc., Kabbage, Inc., Zurich Insurance Group AG and the Depository Trust & Clearing Corporation have formed a consortium to address cybersecurity risks in the fintech industry.[2] Continue Reading World Economic Forum Publishes Recommendations for Managing Cyber-Risk

On March 2, 2018, Yahoo! entered into a proposed settlement of a securities class action filed against the company following its disclosures in 2016 that it had suffered significant data breaches in 2013 and 2014.[1]  Under the settlement, which is still subject to court approval, Yahoo! has agreed to pay $80 million to settle claims that it misled investors by failing to disclose the breaches in its public filings, while still touting the strength of its cybersecurity practices. Continue Reading Yahoo! Enters Proposed Settlement in Data Breach Securities Class Action