On November 29, 2018, in a speech at the Georgetown University Law School, Deputy Attorney General Rod Rosenstein renewed his call for tech companies to build into their products the means for law enforcement to legally access decrypted data, the development of so-called “responsible encryption.” Mr. Rosenstein analogized such encryption to requirements that buildings disable elevators in the event of a fire but still retain firemen’s access, and he beseeched the private sector to work with the government to mitigate the security threats posed by rapid technological advances.
Summary of Mr. Rosenstein’s Address
Detailing the threat of ransomware, Mr. Rosenstein warned that the “malicious use of technology will be more pernicious and pervasive tomorrow than it is today, and even more difficult to combat.” To “forestall those ominous consequences,” he proposed three steps:
A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.
In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information including Social Security Numbers, account balances and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule.
Public Companies Should Implement Sufficient Internal Controls to Avoid Becoming Victims of Cyber-Related Frauds and to Comply With the Exchange Act
On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented.
The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million.
While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that the cyber-related threats exist and concluded that all companies should reassess the sufficiency not only of existing internal controls, but also of policies and procedures that ensure employee compliance with controls.
This post reviews the New York State Office of the Attorney General’s (the “OAG”) Virtual Markets Integrity Initiative Report (the “Report”), which was published on September 18, 2018. The publication of the OAG’s 42-page Report brings to a close its six-month fact-finding inquiry into several virtual currency platforms. The OAG sent detailed letters and questionnaires to a number of virtual currency platforms seeking information across a wide range of issues, including trading operations, fees charged to customers, the existence of robust policies and procedures, and the use of risk controls.
On July 19, 2018, Attorney General Jeff Sessions announced the public release of the first report produced by the Department of Justice’s (DOJ) Cyber-Digital Task Force, which the Attorney General established in February to combat cyber-enabled threats confronting the United States and, specifically, to answer two fundamental questions: First, what is the DOJ doing to address global cyber threats? And second, what can the DOJ do to accomplish this mission more effectively? In discussing the report at the Aspen Security Forum on July 19, Deputy Attorney General Rod J. Rosenstein explained that the Report answers the first question, “providing a detailed assessment of the cyber threats confronting America and the Department’s efforts to combat them.”
With the EU General Data Protection Regulation (“GDPR”) in force for less than two months, many companies are already experiencing an increase in requests from individuals seeking to obtain a copy, or request correction or erasure, of their personal data under Articles 15 to 17 of the GDPR.
Do we have to respond?
Yes. A response is required even if the response is that the company will not honour the request because a relevant exemption applies.
The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event. These risks come in two forms.
First, there is the risk that someone (either inside or outside the company) has gained unauthorized electronic access to material nonpublic information (“MNPI”) about the company or one of its business or transaction partners, and will use that information for illegal securities trading purposes. On July 6, a jury in Brooklyn convicted two traders for securities fraud, money laundering and computer intrusion for using hacked press releases to trade on MNPI. To reduce that risk, companies can adopt various cybersecurity measures such as two-factor authentication, access controls, encryption, phishing training, network segmentation, and system monitoring. Davis Polk’s Cyber Portal 2.0, which is now available to our clients, provides detailed checklists and other resources to help companies reduce cybersecurity risks.
Security breaches and hacking cost publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Although detailed data are difficult to collate, the 2017 annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimated that the average per-capita cost of data breaches reached an all-time high of $225 (a 60% increase over the last decade). This is as much of a concern for businesses as it is for regulators.
In fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches for fear of both short-term and long-term market reactions.
The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised. LabMD, Inc. v. Federal Trade Commission. The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents.
Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.