As the Equifax breach litigation gets underway, several recent decisions have widened a split on when and under what conditions customers or other affected individuals may bring claims against a company that suffers a data breach. Late last month, a D.C. federal judge dismissed a lawsuit based on the massive breach at the U.S. Office of Personnel Management (“OPM”), ruling that the theft of data alone was not enough to establish standing. The Court of Appeals for the Eighth Circuit issued a similar recent ruling, holding that plaintiffs suing the grocery retail company SuperValu had not shown that they were at greater risk of identity theft as a result of a data breach at the company and therefore lacked standing. In contrast to these decisions, a California federal judge allowed claims to proceed against Yahoo! based on the customer-plaintiffs’ allegations of a risk of future identity theft and a loss of value of their personal identification information. The differing interpretations of the standing requirements in data breach cases will no doubt continue to be vigorously litigated and may ultimately need to be resolved by the Supreme Court.


Yesterday, Yahoo announced that the data breach it suffered in August 2013 was much broader than previously believed, affecting all three billion of its users.  This announcement comes on the heels of a federal judge refusing to dismiss a consumer class action against the company.  Our recent memorandum discussing that decision and other recent decisions involving data breach claims can be found here.

Additional information about the breach can be found on Yahoo’s public Q&A website on the topic: https://yahoo.com/security-update.

On September 20, 2017, SEC Chairman Clayton issued a statement after reports circulated that the SEC’s EDGAR filing system had been hacked.  Chairman Clayton disclosed that the SEC learned in August 2017 that a breach previously detected in 2016 may have resulted in illicit trading based on the hacked information.  The SEC’s statement sought to assure the market that the SEC was taking seriously the cybersecurity risks to its own systems.  This comes on the heels of the SEC stating that cybersecurity was one of its top enforcement priorities with respect to regulated entities.  In his statement discussing the SEC’s own breach, Chairman Clayton said: “We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”


Several regulators have promptly announced investigations into the circumstances surrounding the Equifax breach. The New York Attorney General was the first to announce that his office was launching an inquiry. Since then, the FTC announced that it was also conducting an investigation, and the Massachusetts Attorney General brought an enforcement suit against Equifax alleging that the company knew about the vulnerabilities but failed to secure its systems. It is nearly certain that more regulators have opened or will open their own inquiries as more becomes known about the Equifax breach in the coming weeks and months.

New York Governor Andrew Cuomo announced that, in response to the Equifax breach, he was proposing a new NY Department of Financial Services (“DFS”) regulation that would give DFS oversight over credit reporting agencies for the first time. To date, DFS’s cybersecurity regulations, some of the toughest in the country, have applied to financial institutions and insurance companies. Under the proposed regulation, all consumer credit reporting agencies that operate in New York would be required to register annually with DFS, beginning on or before February 1, 2018 and by February 1 of each successive year for the calendar year thereafter. The registration form would identify the agency’s officers or directors who will be responsible for compliance with DFS’s regulations.


New York Attorney General Eric T. Schneiderman announced his office was opening a “formal investigation” into the massive breach disclosed by Equifax.  Schneiderman stated that the breach lasted from mid-May through July, when hackers accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.  Under New York law, businesses with New York customers are required to inform customers and the Attorney General’s Office about security breaches that have placed personal information in jeopardy.


Speaking on a panel at NYU, SEC Chairman Clayton reiterated prior statements by agency officials that cybersecurity is one of the agency’s top priorities.  In the remarks reported by Law360, Chairman Clayton stated that he believed that disclosures by regulated entities concerning cyber risks could be improved.  One of the agency’s Enforcement Directors, who was also present, likewise stated that the agency was focused on disclosure as well as failures to safeguard customer data and material nonpublic information.


On August 21, 2017, Delaware Governor John Carney signed legislation requiring companies to comply with additional data security and breach obligations if they do business in Delaware or maintain personal information on Delaware residents. Among other things, the new Delaware law requires all companies doing business in Delaware to implement and maintain reasonable security to protect personal information. The law also requires businesses to provide free credit monitoring services for customers whose sensitive personal information is compromised in a cybersecurity breach. The law now requires businesses to notify Delaware residents if their information has been compromised unless the breach is “unlikely to cause harm,” whereas the prior law required notification only when harm was “likely to occur.” Delaware’s new obligations on businesses are part of the growing trend of imposing heightened cyber breach requirements as breaches become more common and states respond to political pressure to increase consumer protections.


New York’s new cybersecurity regulations (the “Regulations”) become effective on August 28, 2017, marking a significant milestone in what is likely to be a new era in cybersecurity regulation on both a national and international level.

As governments grapple with how best to address cyber threats to their citizens, businesses and national security, there is an increasing focus on the potential use of regulatory requirements to impose minimum cybersecurity standards, particularly in the financial services sector. As more states and nation states adopt cybersecurity requirements, financial institutions are facing increased compliance costs and potentially a diversion of resources away from risk mitigation to compliance with regulatory requirements. As the Regulations come into effect, we briefly take stock of their requirements, their impact on international best practices, and related global developments.


The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (the “OCIE”) published a Risk Alert describing its findings from its second cybersecurity survey of regulated entities (the “Cybersecurity 2 Initiative”).

The survey covered 75 registered broker-dealers, investment advisers, and investment companies and built upon OCIE’s prior round of cybersecurity examinations in 2014 (the “Cybersecurity 1 Initiative”).

While OCIE found improvements in cybersecurity preparedness since the Cybersecurity 1 Initiative, it also identified areas for improvement. Among other things, OCIE concluded that it is not sufficient for firms to simply establish written cybersecurity policies and procedures—such policies must also be maintained, sensibly enforced, and capable of addressing cybersecurity deficiencies as they arise.
