On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls. The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934. The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment. By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures.
Continue Reading SEC Investigative Report Urges Public Companies to Guard Against Cyber Threats When Implementing Internal Accounting Controls
The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations
On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people. According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date. The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach.
Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations
The CFTC and SEC Bring Charges Against International Securities Dealer for Bitcoin-Funded Swaps Activity
On September 27, 2018, the Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) filed parallel actions in federal court against an internet dealer that sold “contracts for difference” (CFD) based on securities and commodities margined with bitcoin. The actions, which were assisted by the Federal Bureau of Investigation and the Department of Justice, signal continued coordination among federal agencies to police market activity involving financial transactions in cryptocurrencies.
Continue Reading The CFTC and SEC Bring Charges Against International Securities Dealer for Bitcoin-Funded Swaps Activity
Second District Court Determines Virtual Currencies Are Commodities
On September 26, 2018, a federal court in the District of Massachusetts found that virtual currencies are a commodity under the Commodity Exchange Act, 7 U.S.C. § 1 et seq, (“CEA”). This marks the second time that a court has accepted the Commodity Futures Trading Commission’s (“CFTC”) position and upheld the agency’s authority to regulate unleveraged and unmargined spot transactions in virtual currency under the agency’s anti-fraud and manipulation enforcement authority. Most notably, however, the reasoning behind its decision potentially expands the scope of the CFTC’s oversight of the market.
Continue Reading Second District Court Determines Virtual Currencies Are Commodities
SEC Enforcement Division Co-Director Provides Insight Into Commission’s Approach to ICOs and Cryptocurrencies
Over the past year, the U.S. Securities and Exchange Commission (“SEC”) has increasingly scrutinized initial coin offerings (“ICO”) and certain digital assets. On September 20, 2018, the SEC’s Enforcement Division co-Director, Stephanie Avakian, gave a speech in which she addressed the Division’s approach to dealing with these new forms of tradeable assets. This speech came only days after the SEC settled its first case charging an unregistered broker-dealer for facilitating the sale of digital tokens from several ICOs since the 2017 DAO Report. In her speech, Avakian provided three key insights into the Division’s enforcement strategy.
Continue Reading SEC Enforcement Division Co-Director Provides Insight Into Commission’s Approach to ICOs and Cryptocurrencies
Federal Court, SEC, and FINRA Scrutinize Cryptocurrencies and ICOs
On Tuesday, September 11, 2018, Judge Raymond J. Dearie of the Eastern District of New York issued a decision holding that Initial Coin Offerings (“ICO”) may qualify as securities offerings and therefore be subject to the criminal federal securities laws. This ruling came as two U.S. regulators—the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”)—announced separate actions under securities laws against companies engaged in the cryptocurrency marketplace, including the sale of digital tokens. As the popularity of cryptocurrencies grows and businesses and entrepreneurs increasingly turn to ICOs to raise capital, these developments may serve as guideposts for how cryptocurrencies and ICOs will be viewed by courts and federal regulators in cases to follow.
Continue Reading Federal Court, SEC, and FINRA Scrutinize Cryptocurrencies and ICOs
State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach
On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”
Continue Reading State Regulators Reach Settlement With Equifax in Connection With Massive Data Breach
Divided Supreme Court Requires Warrants for Cell Phone Location Data
On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI,
Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions
In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1] Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data. The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering. In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Asset Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2]
Continue Reading Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions
Lessons for Broker-Dealers and Investment Advisers from the SEC Office of Compliance Inspections and Examinations 2018 Priorities
The U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2018 National Exam Program Examination Priorities. The 2018 priorities highlight areas of emphasis for OCIE, including cryptocurrencies, cybersecurity, anti-money laundering, and issues affecting retail investors (especially seniors and those saving for retirement). While the core areas of focus and many of the priorities for 2018 are similar to those from 2017, there is a clear shift in emphasis that we attribute to the change in leadership at the SEC. Some specific changes also likely stem from OCIE’s 2017 examination findings, recent market developments, and trends in enforcement.
Continue Reading Lessons for Broker-Dealers and Investment Advisers from the SEC Office of Compliance Inspections and Examinations 2018 Priorities