Category Archives: Cybercrime & Cybersecurity

SEC Releases New Guidance on Cybersecurity Disclosures and Controls

by John F. Savarese, David A. Katz, Wayne M. Carlin, David B. Anders, Sabastian V. Niles, Marshall L. Miller, and Jonathan Siegel

Yesterday, in keeping with a heightened governmental focus on cybersecurity, as exemplified by the Justice Department’s formation of a new Cyber-Digital Task Force earlier this week, the Securities and Exchange Commission announced new guidance on cybersecurity disclosures by public companies (the “Guidance”).

Much of the Guidance tracks 2011 interpretive guidance from the SEC’s Division of Corporation Finance and retains a focus on “material” cyber risks and incidents.  However, the expanded details and heightened pressure to disclose indicated in the Guidance, along with its issuance by the Commission itself, signal that the SEC expects public companies to consider more detailed disclosure of cyber risks and incidents, and to maintain “comprehensive” policies and procedures in this area.  The SEC is also encouraging, though not requiring, forward-leaning approaches, such as with respect to disclosures about the company’s cyber risk management programs and the engagement of the board of directors with management on cybersecurity issues.  SEC Chairman Jay Clayton has also directed SEC staff to monitor corporate cyber disclosures.

Deliberate Data Breaches: Consequences for Companies Just Got Even Tougher

by Kelly Hagedorn, Tracey Lattimer, Emily Bruemmer, and Jennifer Yun

In today’s world, data breaches are a regular occurrence.  Their size and scale vary, and they have different causes, but those matters are irrelevant if you are a data subject affected – you just want the situation resolved and compensation for any losses you suffer.  Who should be responsible for those breaches?  Where a company has not taken sufficient steps to safeguard personal data, the answer is obvious.  But what about where a rogue employee leaks personal data with the deliberate intention of harming his employer?  The English High Court has recently decided that even in that instance, the employer is liable to data subjects.  Although there is no specific case on this point, we believe that a similar outcome would be reached in an action under US law.

White Collar and Regulatory Enforcement: What to Expect in 2018

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Jonathan M. Moses, Marshall L. Miller, Louis J. Barash, and Carol Miller

Introduction

In our memo last year, we acknowledged that it was close to impossible to predict the likely impact that the newly elected Trump administration would have on white-collar and regulatory enforcement.  (White Collar and Regulatory Enforcement: What to Expect in 2017)  Instead, we set out a list of initiatives we urged the new administration to consider, including clarifying standards for when cooperation credit would be given, reducing the use of monitors, and giving greater weight to a company’s pre-existing compliance program when exercising prosecutorial discretion, among other suggestions.  While the DOJ under Attorney General Jeff Sessions has, for example, taken some steps toward clarifying the applicable standards for cooperation and increasing incentives to disclose misconduct in the FCPA area, few other policy choices or shifts in approach have been articulated or implemented.

Draft GDPR Transparency Guidelines Issued: What Does Your Privacy Policy Need to Contain?

by Jeremy Feigelson, Jane Shvets, Dr. Thomas Schürrle, Ceri Chave, Dr. Friedrich Popp, and Christopher Garrett

Late last year, the Article 29 Working Party (the “Working Party”) issued detailed draft guidance (the “Guidelines”) on transparency under the EU General Data Protection Regulation (the “GDPR”), which comes into force in May 2018. These Guidelines, which will be finalized following a consultation process, contain the Working Party’s interpretation of the mandatory transparency information that must be provided to a data subject by way of privacy policy or other disclosures.

One of the express requirements of the GDPR relates to how businesses communicate their use of a data subject’s personal information to that data subject at the point of data collection or consent, typically via a privacy policy or notice. Getting this right is crucial. Businesses will need to examine their current privacy policies and other disclosures closely, and consider whether these need revising not just in the light of the GDPR, but also to factor in the requirements listed in the Guidelines, which elaborate on existing GDPR provisions. While the Guidelines will not be binding, data protection authorities may take a dim view of businesses which fail to comply with the Guidelines without good reason, given that representatives from all of the EU data protection authorities are part of the Working Party. Businesses that fail to comply with the information duties under the GDPR will face fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million.

Securities Fraud Class Action Suits following Cyber Breaches: The Trickle Before the Wave

by Michael S. Flynn, Avi Gesser, Joseph A. Hall, Edmund Polubinski III, Neal A. Potischman, Brian S. Weinstein, Peter Starr and Jessica L. Turner

Overview

Large-scale data breaches can give rise to a host of legal problems for the breached entity, ranging from consumer class action litigation to congressional inquiries and state attorneys general investigations.  Increasingly, issuers are also facing the specter of federal securities fraud litigation.[1]

The existence of securities fraud litigation following a cyber breach is, to some extent, not surprising.  Lawyer-driven securities litigation often follows stock price declines, even declines that are ostensibly unrelated to any prior public disclosure by an issuer.  Until recently, significant declines in stock price following disclosures of cyber breaches were rare.  But that is changing.  The recent securities fraud class actions brought against Yahoo! and Equifax demonstrate this point; in both of those cases, significant stock price declines followed the disclosure of the breach.  Similar cases can be expected whenever stock price declines follow cyber breach disclosures.

Trend Setting in Cloud Computing Legal Contracts… Who Knew?

By Joanna Fields

Over the past two years, US firms have experienced a significant increase in the number of mandatory regulatory reports, including the future Consolidated Audit Trail (CAT), Markets in Financial Instruments Directive (MiFID II) requirements applicable to firms doing business in Europe, new reporting requirements for swaps, the SEC’s Trade Reporting and Compliance Engine (TRACE), and the Treasury Department’s Regulation Systems Compliance and Integrity (Reg SCI).  Each of these reporting requirements could require some financial firms to process approximately a terabyte of metadata every day.  This has resulted in financial firms’ renewed interest in leveraging cloud technology.

Although it may sound like a recent technology trend, early network references to cloud computing date back to the 1960s.  The term “cloud computing” as used today was shaped by technology marketing campaigns that made the language of engineers colloquial.  The cloud is an easy-to-adopt metaphor with a myriad of meanings; for example, firms that allow employees to bring their own devices (BYOD), or that issue laptops for remote access, are technically using cloud computing.

Securities and Exchange Commission Releases Public Statement on Cybersecurity

By Nicolas H.R. Dumont, Hillary H. Holmes, Lori Zyskowski and Ron Mueller

On Wednesday, September 20, 2017, Chairman Jay Clayton of the U.S. Securities and Exchange Commission (the “Commission”) released a public statement addressing cybersecurity risks.

Chairman Clayton’s statement is part of an ongoing effort to communicate the Commission’s approach to cybersecurity in connection with the May 2017 assessments of the Commission’s internal cybersecurity and of its approach to cybersecurity as a regulatory agency.

SEC Leadership Discusses Continuing Priorities

by Mary Jo White, Andrew J. Ceresney, Kara Novaco Brockmeyer, Robert B. Kaplan, Julie M. Riewe, Jonathan R. Tuttle and Arian M. June

SEC Chairman Jay Clayton, Co-Directors of Enforcement Stephanie Avakian and Steven Peikin, and Acting Director of the Office of Compliance, Inspections and Examinations (“OCIE”) Peter Driscoll participated in a panel discussion on Tuesday, September 5, at NYU Law School. The moderated discussion, followed by questions from the audience, was titled “The Securities and Exchange Commission: Priorities Going Forward.”

In sum, the SEC officials emphasized that investors should expect no major shift from the SEC in terms of enforcement or examinations. While there has been some discussion in recent months of frauds victimizing retail investors, there will not be a major paradigm shift in the kinds of cases the Commission will focus on. The panelists also spent a significant amount of time discussing cybersecurity and cyber-related enforcement actions, as well as the SEC’s increased use of big data in investigations and examinations.

Insights for All Companies from the SEC’s Cybersecurity Examination of Regulated Financial Entities

By Sabastian V. Niles and Marshall L. Miller

In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities.  The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation.  While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC.

The Growing Risk of Director Liability for Cyberattacks

by Peter Varlan

Despite the increase in cyberattacks and data breaches against large corporations, directors have avoided personal liability. In three recent data breaches—Wyndham, Target, and Home Depot—shareholders have unsuccessfully brought derivative claims against directors. These Caremark[1] claims against directors have failed because oversight duties for cybersecurity are not yet specific enough to establish that directors deliberately breached a known duty of care.

The current protection that directors have enjoyed from cybersecurity-related Caremark suits may soon come to an end. New and pending regulations from the New York Department of Financial Services and the Federal Reserve System provide more specific cybersecurity guidance for corporations. Failing to comply with these more detailed regulations prior to a cyberattack may increase the possibility that directors will be held liable for violating their Caremark oversight duties. Accordingly, directors should familiarize themselves with these new regulations that are applicable to the corporations they serve, and develop best practices to both protect corporate data and inoculate themselves from personal liability.