Category Archives: Cybercrime & Cybersecurity

FTC’s Consent Order Against Marriott: Expectations for Reasonable Security

by Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom, Mengyi Xu, Achutha Raman, and Michelle Shen

Top left to right: Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom.
Bottom left to right: Mengyi Xu, Achuta Raman and Michelle Shen. (Photos courtesy of the authors.)

Introduction

On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and affecting more than 344 million customers worldwide. With obligations extending 20 years, the Consent Order requires Marriott to, among other remedial steps, implement a comprehensive information security program (“ISP”) with prescribed security measures, the effectiveness of which will be subject to a third-party independent biennial assessment. Key elements of the required ISP include multi-factor authentication (“MFA”), encryption, asset inventory, written documentation, and vulnerability and patch management. The final Consent Order is materially identical to the proposal announced on October 9, 2024.

Thoughts for Boards: Key Issues in Corporate Governance for 2025

by Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Hannah Clark

Left to right: Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Hannah Clark (photos courtesy of Wachtell, Lipton, Rosen & Katz)

As we look ahead to the challenges and opportunities facing boards of directors in this new year, it is illuminating to reflect on how much has changed in corporate governance. Over the last five decades, we have been on the front lines with our clients as the evolution of corporate governance has been propelled by multiple crises and systemic shocks—including the Enron and WorldCom scandals and ensuing Sarbanes-Oxley legislation, which prompted incremental layers of disclosure and regulations, followed by the financial crisis and subsequent Dodd-Frank reforms, and most recently the Covid pandemic, which intensified the spotlight on ESG and stakeholder governance. In the private ordering arena, ISS and shareholder activists were remarkably successful in changing the status quo for once-common governance features like staggered board structures, and we saw the shelving of poison pills—a defense we originated and subsequently defended in Moran, Airgas and other cases. These trends have, in turn, increased the prevalence and omnipresent threat of proxy fights. And as the corporate governance debates have continued to evolve, we have seen institutional investors become increasingly active participants, with detailed and often diverging policies setting forth their priorities, preferences and perspectives on issues ranging from climate disclosures to DEI to over-boarded directors. The compounding effect is that boards today are expected to navigate a corporate governance landscape that has become much more complex and nuanced, with an expanding set of expectations for their oversight role and responsibilities.

New York Data Breach Notification Law Updated

by Jenna Rode and Emilie Galper

Jenna Rode and Emilie Galper (Photos courtesy of Hunton Andrews Kurth LLP)

New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”

Key Considerations for Updating 2024 Annual Report Risk Factors

by Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick

Left to Right: Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick. (Photos courtesy of White & Case LLP)

With the 2025 annual reporting season upon us, public companies should consider potential updates to their risk factors for their Form 10-Ks and 20-Fs in light of recent economic, political, technological, and regulatory developments.[1]

As a starting point, this alert features (i) a list of key developments that US public companies should consider as they update risk factors in Part I and (ii) critical drafting considerations in Part II. Each company will, of course, need to assess its own material risks and tailor its risk factor disclosure to its particular circumstances.

As further described below, calendar year-end companies should review and update their risk factors by assessing the material risks that impact their businesses. Well-drafted risk factors play a crucial role in defending public companies against allegations of fraud under the US federal securities laws, and companies should therefore take the time to update their risk factor disclosure and tailor risks to their own facts and circumstances.

Cybersecurity Disclosure and Enforcement Developments and Predictions

by Francesca L. Odell, Rahul Mukhi, Tom Bednar, Nina E. Bell, and Greg Stephens

Left to right: Francesca L. Odell, Rahul Mukhi, Tom Bednar, and Nina E. Bell (Photos courtesy of Cleary Gottlieb Steen & Hamilton LLP) (Not Pictured: Greg Stephens)

The SEC pursued multiple high-profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules.

Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.

DOJ Issues Final Rule Targeting Foreign Access to Americans’ Sensitive Data

by Michael T. Borgia and Assaf Ariely

Michael T. Borgia and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

The U.S. Department of Justice (DOJ) has issued a comprehensive final rule (the “Rule”) targeting foreign access to sensitive U.S. data, including Americans’ “bulk” sensitive personal data.

The Rule, which DOJ announced on December 27, 2024, prohibits and restricts U.S. persons from entering into certain transactions involving access to “bulk U.S. sensitive personal data” and “government-related data” by “countries of concern” and “covered persons.” “U.S. persons” subject to the Rule are defined broadly to include any U.S. citizen, national, or lawful person, any entity organized under the laws of the United States or any U.S. jurisdiction, and any person physically within the United States.

Virginia Supreme Court Expands Computer Crime Law, Raising Legal Issues for Ethical Hackers

by Harley Geiger and Tanvi Chopra

Harley Geiger and Tanvi Chopra (photos courtesy of the authors)

On Nov. 21, 2024, the Virginia Supreme Court issued a pivotal ruling with significant implications for corporate security, ethical hacking, and everyday computer users. The Commonwealth v. Wallace decision greatly expands the scope of Virginia’s computer fraud law, turning any unauthorized use of a computer into a state hacking crime.

The Hacking Policy Council previously warned that overbroad state laws risk conflating security research and ordinary internet activities with malicious cybercrime. While substantial progress on this issue has been made at the federal level, sweeping state statute language and court decisions like Commonwealth v. Wallace demonstrate the need for engagement to focus enforcement of state anti-hacking laws on actual criminal behavior.

In the meantime, state laws continue to be a legal minefield for ethical hackers who test systems to identify vulnerabilities in an effort to improve cybersecurity. Prosecutorial discretion and guidelines will be key to focusing broad state computer crime laws on malicious behavior and not on good-faith security researchers.

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

by Avi Gesser, Matt Kelly, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, Ned Terrace, Mengyi Xu, and Amer Mneimneh

Top: Avi Gesser, Matt Kelly, and Johanna N. Skrzypczyk. Bottom: H. Jacqueline Brehmer, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • On November 22, 2024, the California Privacy Protection Agency (CPPA) launched a formal public comment period on its draft regulations addressing annual cybersecurity audits and other privacy obligations under the California Consumer Privacy Act (CCPA).
  • These proposed rules aim to establish robust standards for thorough and independent cybersecurity audits, delineating both procedural and substantive requirements for businesses processing personal information.
  • In this update, we provide an overview of the new cybersecurity audit provisions, including key thresholds for applicability, detailed audit expectations, and the evolving regulatory landscape shaping cybersecurity compliance.

An Update on SEC Cybersecurity Reporting

by Scott Kimpel

Photo courtesy of Hunton Andrews Kurth LLP

As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission (“SEC”) reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.

Background on SEC Reporting Rules

Under the SEC’s rules, Item 1.05 of Form 8-K generally requires public companies in the United States to disclose material cybersecurity incidents within four business days of determining that the incident is material. The disclosure must contain the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition and its results of operations. For these purposes, SEC rules define “cybersecurity incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

SEC Continues Focus on AI and Cyber-Risk Related Enforcement Cases

by Brendan F. Quigley and Matthew R. Baker

Left to right: Brendan F. Quigley and Matthew R. Baker. (Photos courtesy of Baker Botts)

The SEC kicked off its fiscal year by bringing enforcement actions focused on AI and cyber disclosures. As discussed in more detail below:

  • These actions again show SEC Enforcement prioritizing “hot button” issues like AI and cyber, highlighting, for example, a company’s statements about its use of AI in what otherwise appeared to be a fairly garden-variety securities fraud case.
  • The actions largely involve well-worn principles of securities law applied in the context of emerging technologies, including (i) while there may be no obligation to speak on a particular issue (such as AI), if a company does speak, its statements must be full, complete, and not misleading and (ii) companies’ obligation to consider whether existing disclosures need to be updated in light of recent events (such as a cyberattack).
  • The cyber-disclosure actions prompted a lengthy, two-commissioner dissent, accusing the commission of playing “Monday morning quarterback” by bringing the case, highlighting the potential for the upcoming election (and the appointment of commissioners under a new administration) to impact the SEC’s enforcement posture.
  • The dissent in the cyber cases also undertook a lengthy analysis, comparing the allegations in the settled cases to allegations against another company, arising out of the same series of cyberattacks, in an action the SEC litigated in federal district court. As we discussed here and as pointed out by the dissent, the federal district court dismissed many of those allegations. While deciding to settle with the SEC (or any government agency) is always a complicated, multi-faceted decision, the dissent’s comparison of the litigated case and the settled actions shows the need for parties under investigation to seriously consider the merits of potentially litigating cases when appropriate.
