On January 10, 2019, a Magistrate Judge in the Northern District of California issued an order denying an application for a search warrant that would have compelled any individual present at the premises to be searched to unlock their digital devices using biometric features, such as thumb prints and facial scans. The order is notable in that the search warrant was not rejected on Fourth Amendment grounds, but rather on the grounds that requiring a person to unlock his or her digital device ran afoul of the Fifth Amendment’s privilege against self-incrimination. Providing a thumb or facial scan, the court reasoned, constituted testimony protected by the Fifth Amendment, analogizing biometrics to passwords that similarly protect information stored on devices. This decision highlights the current tension in the courts on the accessibility of information stored on digital devices, and the courts’ continuing efforts to develop rules governing this rapidly-evolving area of law. Continue Reading Court Holds That 5th Amendment Self-Incrimination Privilege Precludes Compelling Fingerprint or Facial Recognition Access to Digital Devices
Nearly a decade ago, WikiLeaks ushered in the age of mass leaks. Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information. Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak. This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information. While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind. The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege. In this memorandum, we discuss the potential issues raised by the prosecution and their implications. Continue Reading U.S. Criminal Prosecution Based on Panama Papers Hack Raises Novel Legal Issues
On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms. This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms. Below we discuss the report’s key observations and contextualize these insights for members of the financial industry. Continue Reading FINRA Provides Updated Cybersecurity Guidance to Broker-Dealer Firms
On December 20, 2018, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 Examination Priorities. The six themes for this year’s priorities are: retail investors (including seniors and those saving for retirement), compliance and risk in registrants responsible for critical market infrastructure (clearing agencies, transfer agents, national securities exchanges and Regulation SCI entities), oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board, digital assets, cybersecurity and anti-money laundering. The only new theme for 2019 compared to 2018 is digital assets, which we take to imply a plan to more closely—and substantively—regulate investment advisers and broker-dealers involved with this asset class. The 2019 priorities also more explicitly than the 2018 priorities describe specific practices that OCIE found concerning in examinations of those entities, many of which involved failure to adequately safeguard client assets and the adequacy of disclosures of conflicts of interest. We expect to see a corresponding focus in Enforcement Division investigations and cases on these issues as a result. Continue Reading Lessons from the SEC Office of Compliance Inspections and Examinations’ 2019 Priorities
Continuing its efforts to engage with FinTech innovators and market participants in the adoption of new technologies, the Commodity Futures Trading Commission (“CFTC”) and its LabCFTC released a Primer on Smart Contracts (the “Primer”) on November 27. The Commission focused its Primer on (1) detailing the technical aspects of smart contract technology; (2) examining potential benefits and risks connected to their widespread adoption; and (3) the CFTC’s role in regulating the adoption of the technology within those markets under its jurisdiction.
On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.” The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens. These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018. Continue Reading SEC Divisions Issue Public Statement on Digital Assets and ICOs, Echoing Recent Enforcement Actions
On November 2, the SEC’s Enforcement Division released its annual report detailing the facts and figures of its enforcement efforts in fiscal year 2018. At first blush, this year’s report looks strikingly similar to those from recent years, as the headline numbers in most categories are nearly indistinguishable from 2015, 2016, and 2017. This consistency may be surprising given that 2018 is the first such report reflecting exclusively the enforcement priorities of the Commission since it was reconstituted under Chair Jay Clayton.
But a closer examination of the report, including the components feeding into the top-line facts and figures and commentary by Division co-directors Stephanie Avakian and Steven Peikin, reveals a clear shift in priorities by the Division. These range from a philosophical shift in its mission to the reallocation of resources during a hiring freeze. We address here the most notable of these subtle but important changes. Continue Reading Retail, Remedies, Resources and Results: Observations From the SEC Enforcement Division 2018 Annual Report
On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls. The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934. The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment. By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures. Continue Reading SEC Investigative Report Urges Public Companies to Guard Against Cyber Threats When Implementing Internal Accounting Controls
On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people. According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date. The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach. Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations
The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.
The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.
It highlights the critical importance for businesses of:
- Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
- Taking effective action to prevent foreseeable cyber-attacks;
- Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and
- Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.