Photo of Rahul Mukhi

Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database.  The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents.  Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.

Please click here to read the full alert memorandum.

On April 18, 2018, the U.S. Supreme Court heard oral argument in Lagos v. United States.  Lagos presents the important issue of whether a corporate victim’s professional costs—such as investigatory and legal expenses—incurred as a result of a criminal defendant’s offense conduct must be reimbursed under the Mandatory Victims Restitution Act.

The court’s decision will impact a company’s considerations when deciding whether and how to conduct an internal investigation, particularly when the corporation is the potential victim of a crime.

Please click here to read the full alert memorandum.

In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1]  Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data.  The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering.  In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Asset Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2] Continue Reading Department of Justice Indicts Iranian Hackers, Revealing Significant Data Breach and Targeting of Intellectual Property of Private Companies and Educational Institutions

The SEC has recently signaled an increased concern with the offerings and marketing of Initial Coin Offerings (“ICOs”),[1] which should be of interest to companies and institutions involved with ICOs.  On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting Initial Coin Offerings (“ICOs”) about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions of the federal securities laws.  Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement.,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers.  The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.”  The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be a form of security under the Securities Act of 1933 and the Securities Exchange Act of 1934.

The SEC’s announcement follows recent endorsements of such ICOs by celebrities such as Floyd Mayweather, DJ Khaled, Paris Hilton and Jamie Foxx, who each used their social media platforms to promote ICOs in the past months.  According to an article published byThe New York Times five days before the SEC’s public announcement, celebrity endorsements have helped raise $3.2 billion in ICOs this year, which is a 3,000 percent increase over the total amount raised in ICOs last year.

In its statement, the SEC said it “will continue to focus on these types of promotions to protect investors and to ensure compliance with the securities laws.”  Additionally, the SEC Office of Investor Education and Advocacy posted an Investor Alert on their website the same day cautioning against investment decisions based on endorsements from celebrities and encouraging investors to report any possible securities fraud to the SEC.  These recent pronouncements indicate a dovetailing of recent areas of focus for the SEC’s enforcement program—new technologies that expand the scope and ease of securities offerings with increased efforts to focus enforcement resources on areas having the potential to harm retail investors.

Following the SEC’s public statement and Investor Alert signaling increased attention on ICOs,  the SEC announced that it had filed charges against PlexCorps and two of its principals based on an alleged ICO fraud.  PlexCorps had raised up to $15 million in an ICO this year by promising a 13-fold profit in less than one month.  The company has been charged with violating anti-fraud provisions and the registration provision of the federal securities laws. These charges are the first filed by the SEC’s Cyber Unit, which was created in September 2017.  Robert Cohen, the Chief of the Cyber Unit, stated “[t]his first Cyber Unit case hits all the characteristics of a full-fledged cyber scam and is exactly the kind of misconduct the unit will be pursuing.” To read more about this case, please see our previous article.

[1] ICOs are fundraising mechanisms, similar to crowdfunding, in which companies create and sell new virtual currency, in the form of blockchain-based coins or tokens.

On October 27, 2017, the Hong Kong Securities and Futures Commission (“SFC”) issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the “Guidelines”),1 a set of baseline cybersecurity requirements that all persons licensed or registered with the SFC and engaged in internet trading will be required to implement. The Hong Kong Monetary Authority (“HKMA”) simultaneously issued a circular to CEOs of Registered Institutions requiring them to apply the Guidelines.

The new guidelines should be viewed as requirements for securities and futures dealers and asset managers registered with the SFC and banks supervised by the HKMA (which include a number of foreign banks that operate branches in Hong Kong). For e-commerce firms and other companies that do business in or have connections to Hong Kong, the new guidelines should additionally be viewed as relevant guidance for best practices in cybersecurity.

Click here, to continue reading.