On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators. The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.” Continue Reading State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach
Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.
On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.
Please click here to read the full alert memorandum.
In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft. Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data. The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering. In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Asset Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Continue Reading Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions
The U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2018 National Exam Program Examination Priorities. The 2018 priorities highlight areas of emphasis for OCIE, including cryptocurrencies, cybersecurity, anti-money laundering, and issues affecting retail investors (especially seniors and those saving for retirement). While the core areas of focus and many of the priorities for 2018 are similar to those from 2017, there is a clear shift in emphasis that we attribute to the change in leadership at the SEC. Some specific changes also likely stem from OCIE’s 2017 examination findings, recent market developments, and trends in enforcement. Continue Reading Lessons for Broker-Dealers and Investment Advisers from the SEC Office of Compliance Inspections and Examinations 2018 Priorities
As the Securities and Exchange Commission Division of Enforcement signaled in its recent annual report, policing the asset management industry will be a key priority in its continuing focus on protecting retail investors. This renewed emphasis reaffirms the view that if a significant error or misconduct is detected, firms generally should not wait for SEC scrutiny to take corrective steps and mitigate investor harm. Voluntary remediation must be considered as part of any strategy for managing regulatory exposure as well as reputational and litigation risk. Where a firm does decide to remediate, it must proceed carefully to avoid pitfalls that could lead to fresh scrutiny from regulators or even private civil litigation.
This post provides guidance to regulated firms on managing risks once they determine to voluntarily remediate – as distinct from the fact-specific issue of whether to “self-report” errors or misconduct – in the SEC context. It begins with an overview of the benefits and risks of voluntary remediation and common types of remedial measures. It then identifies potential issues that can arise when undertaking remediation. Finally, it advises on structuring and implementing remedial measures to minimize risks of regulatory or litigation exposure. Continue Reading Voluntary Remediation in the SEC Context: Avoiding Common Pitfalls
In December 2017, the US Department of Justice, Criminal Division’s Computer Crime and Intellectual Property Section (“DOJ”) released guidance for law enforcement to follow when seeking data stored by an entity with a cloud service provider. In short, DOJ suggests that prosecutors should seek data directly from the company, rather than its cloud service provider, so long as doing so will not compromise the investigation. Continue Reading New DOJ Guidelines on Collecting Cloud–Based Data
On November 15, 2017, the Securities and Exchange Commission Division of Enforcement released its annual report detailing its priorities for the coming year and evaluating enforcement actions that occurred during Fiscal Year (“FY”) 2017. The Report captures the SEC during a period of transition—Chairman Jay Clayton assumed the helm of the Commission in May 20172 and Stephanie Avakian and Steven Peikin were named co-directors of the Enforcement Division soon thereafter.3 The Report provides insight into changes in the SEC’s approach to enforcement actions and a glimpse into its priorities for the coming year. The following summarizes key shifts from FY 2016, outlines the Enforcement Division’s current priorities, and, in view of its stated focus on the conduct of investment professionals and protection of retail investors, provides guidance to the investment management industry as it gears up for the coming year.
Click here, to continue reading.