Tag Archives: Daniel F. Forester

SEC Office of Compliance Inspections and Examinations (OCIE) Issues Observations on Cybersecurity and Resiliency Practices

by Greg D. Andres, Robert A. Cohen, Neil H. MacBride, Annette L. Nazareth, Margaret E. Tahyar, Leor Landa, Michael S. Hong, Matthew J. Bacal, Daniel F. Forester, and Matthew A. Kelly

The SEC Office of Compliance Inspections and Examinations (OCIE) recently published observations (PDF: 854 KB) related to cybersecurity and operational resiliency practices observed in its examinations. OCIE reiterated its continued focus on cybersecurity issues, citing eight risk alerts related to cybersecurity it has published over the last few years.[1] OCIE conducts examinations for compliance with Regulation S-P and S-ID, which apply to broker-dealers and investment advisers, and Regulation SCI, which applies to exchanges and other SCI entities. The publication provides important guidance to regulated entities about the likely subjects of SEC exams, the expectations of its examiners, and the subjects of potential enforcement referrals.

The NYAG Dunkin’ Donuts Cyber Case – One More Sign that the Days of Stick for Cybersecurity Enforcement May Be Around the Corner


Over the last few years, the creation of new cybersecurity regulations has been robust, but actual enforcement has been tepid. This is understandable in any new regulatory regime, especially one where the standards are vague, the conduct is evolving, and therefore, there is considerable uncertainty on the part of the regulated as to what is required. In addition, companies that experience data breaches are often the victims of a crime (rather than the perpetrators), so regulators don’t want to be seen as piling on and further punishing victims. But, after years of conducting cybersecurity exams, speaking on panels, issuing guidance, encouraging best practices, and publicly warning companies, there are signs that 2019 was a transition year, and 2020 is likely to be a time when cybersecurity enforcement leans more towards the stick side of the equation. There are several explanations for this development.


Ephemeral Messaging for Businesses: Balancing the Risks of Keeping and Deleting Data by Default

by Avi Gesser, Daniel F. Forester, and Mengyi Xu

One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data. By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with their regulatory obligations. But getting rid of old data isn’t easy, in part because of the legal limitations on what can be deleted. We have previously written about these challenges, as well as the benefits of data minimization, which include reducing:

  • the growth of a company’s data over time, and the associated storage costs;
  • lost productivity associated with searching large volumes of irrelevant data;
  • the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering CCPA and GDPR-type rights of access and erasure;
  • internal audit and compliance risks;
  • contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed); and
  • the volume of documents that may be unhelpful to the company in potential, but not yet reasonably anticipated, litigation or regulatory inquiries.


Federal Privacy Legislation Is Coming. Maybe. Here’s What It Might Include

by Avi Gesser, Jon Leibowitz, Mathew Kelly, Joseph Kniaz, and Daniel F. Forester

Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws. These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification. Many leading tech companies, trade groups, and the U.S. Chamber of Commerce have voiced support for a national privacy law. On top of these domestic considerations, the EU’s General Data Protection Regulation (“GDPR”), a sweeping privacy law that affects many U.S. companies conducting business in the EU, is also now in effect. Several legislative proposals have been put forward in Congress, and we are starting to see the broad outlines of a potential law. But for many of the details, there is still nothing close to a consensus. Here are some of the issues that will likely be the subject of the most intense debate in the next congressional term: