On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators. The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million individuals. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”
On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.
On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.
The 2018 Consolidated Appropriations Act, which was signed by President Donald Trump on March 23, 2018, included a little-debated provision that revised portions of the 1986 Stored Communications Act (“SCA”) to permit the government to access through the use of a warrant or subpoena stored communications held abroad by providers of electronic communications services that are subject to United States jurisdiction.
The Clarifying Lawful Overseas Use of Data Act – or “CLOUD Act” – establishes that the SCA’s provisions concerning the production of electronic communications extend to communications held abroad. It also establishes a framework for service providers to challenge an SCA warrant, directs courts to conduct a limited comity analysis that balances certain factors relevant to cross-border transfers of data, and introduces an incentive for foreign governments to enter into executive agreements with the United States governing cross-border data requests.
Prior to the enactment of the CLOUD Act, the Supreme Court was poised to rule in United States v. Microsoft Corporation, No. 17-2, on whether the SCA in its previous form permitted the use of a warrant to obtain electronic communications stored by a U.S. company on foreign servers. The relevance of that case, which was argued in February, is substantially undermined by this Congressional action.
In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft. Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data. The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering. In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department’s Office of Foreign Assets Control, pursuant to Executive Order 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”
In February 2018, the Supreme Court will hear argument in United States v. Microsoft Corporation on the issue of whether a U.S. email provider must comply with a warrant issued pursuant to Section 2703 of the Stored Communications Act (“SCA”) by making disclosure in the United States of electronic communications stored exclusively on servers at datacenters abroad. Recently the parties submitted briefing on the merits to the Court, and a number of amici weighed in to support Microsoft Corp. (“Microsoft”). Through more than twenty amicus briefs, major tech companies such as Google, Apple, and Amazon, along with members of Congress, European lawmakers, European legal groups, and foreign sovereigns, expressed concern about the Government’s interpretation of the SCA. As this interest demonstrates, the Court’s decision is expected to have far-reaching implications for the treatment of foreign data protection laws in U.S. courts.
FINRA released its 2018 Regulatory and Examination Priorities Letter (“2018 Letter”) on January 8, 2018. The 2018 Letter highlights areas of emphasis for FINRA in the coming year. While many of the areas of focus are similar to those included in the 2017 Regulatory and Examination Priorities Letter—including continued focus on high-risk brokers, fraud, firms’ surveillance systems, cybersecurity protocols, and protecting vulnerable investors—there are additional topics included in the 2018 Letter based on market developments throughout 2017 and the results of FINRA’s 2017 exam program, summarized in the 2017 Report on FINRA Examination Findings.
In December 2017, the US Department of Justice, Criminal Division’s Computer Crime and Intellectual Property Section (“DOJ”) released guidance for law enforcement to follow when seeking data that an entity stores with a cloud service provider. In short, DOJ suggests that prosecutors should seek data directly from the company, rather than from its cloud service provider, so long as doing so will not compromise the investigation.
The SEC has recently signaled an increased concern with the offerings and marketing of Initial Coin Offerings (“ICOs”),1 which should be of interest to companies and institutions involved with ICOs. On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting ICOs about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions. Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers. The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.” The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be securities under the Securities Act of 1933 and the Securities Exchange Act of 1934.
The SEC’s announcement follows recent endorsements of ICOs by celebrities such as Floyd Mayweather, DJ Khaled, Paris Hilton and Jamie Foxx, each of whom used social media to promote ICOs in recent months. According to an article published by The New York Times five days before the SEC’s public announcement, celebrity endorsements have helped raise $3.2 billion in ICOs this year, a 3,000 percent increase over the total amount raised in ICOs last year.
In its statement, the SEC said it “will continue to focus on these types of promotions to protect investors and to ensure compliance with the securities laws.” Additionally, the SEC Office of Investor Education and Advocacy posted an Investor Alert on its website the same day cautioning against investment decisions based on celebrity endorsements and encouraging investors to report possible securities fraud to the SEC. These pronouncements bring together two recent areas of focus for the SEC’s enforcement program: new technologies that expand the scope and ease of securities offerings, and the concentration of enforcement resources on areas with the potential to harm retail investors.
Following the SEC’s public statement and Investor Alert signaling increased attention on ICOs, the SEC announced that it had filed charges against PlexCorps and two of its principals based on an alleged ICO fraud. PlexCorps had raised up to $15 million in an ICO this year by promising a 13-fold profit in less than one month. The company has been charged with violating the anti-fraud provisions and the registration provisions of the federal securities laws. These charges are the first filed by the SEC’s Cyber Unit, which was created in September 2017. Robert Cohen, the Chief of the Cyber Unit, stated that “[t]his first Cyber Unit case hits all the characteristics of a full-fledged cyber scam and is exactly the kind of misconduct the unit will be pursuing.” To read more about this case, see our previous article.
1 ICOs are fundraising mechanisms, similar to crowdfunding, in which companies create and sell new virtual currency in the form of blockchain-based coins or tokens.
On October 27, 2017, the Hong Kong Securities and Futures Commission (“SFC”) issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the “Guidelines”), a set of baseline cybersecurity requirements that all persons licensed or registered with the SFC and engaged in internet trading will be required to implement. The Hong Kong Monetary Authority (“HKMA”) simultaneously issued a circular to the CEOs of Registered Institutions requiring them to apply the Guidelines.
The new Guidelines should be viewed as requirements for securities and futures dealers and asset managers registered with the SFC and for banks supervised by the HKMA (which include a number of foreign banks that operate branches in Hong Kong). For e-commerce firms and other companies that do business in or have connections to Hong Kong, the Guidelines should additionally be viewed as relevant guidance on cybersecurity best practices.