Tag Archives: Mengyi Xu

Recent SEC Enforcement Action Against App Annie Signals Continuing Focus on Data-related Disclosure and Policy Violations

by Avi Gesser, Charu Chandrasekhar, Eric Silverberg, Mengyi Xu, and Adrian Gonzalez

As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends.  Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt, (“App Annie”) had agreed to a $10.3 million payment to settle charges for engaging in fraudulent practices and making material misrepresentations about its data use from 2014 to 2018 (the “Relevant Period”) in violation of Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder (“SEC Order”). Although not explicitly articulated in the SEC Order, the SEC’s basis for jurisdiction was ostensibly the fact that the app aggregated public company data.  This is the SEC’s first enforcement action against an alternative data provider.  As was the case in the BlueCrest settlement late last year, the App Annie enforcement action underscores the importance of making accurate disclosures regarding data collection and use, and the regulatory risk for companies that do not follow their data policies and procedures.


Effective Access Controls, Timely Breach Notification, and Other Takeaways from the Latest NYDFS Cyber Resolution

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Parker Eudy, and Mengyi Xu

On April 14, 2021, the New York State Department of Financial Services (the “DFS”)  announced that its cyber-enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order (PDF: 550 KB) that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda. The charges against First American Title Insurance Company are pending with an August 16 hearing date, and last month, the DFS reached its first full cybersecurity resolution with Residential Mortgage Services.


Court Chips Away at Privilege Protections for Cyber Forensic Reports

by Jim Pastore, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Corey Goldstein, and Mengyi Xu

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”) —and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”). See Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021). The court rejected claims the Report was protected by the work-product doctrine and attorney-client privilege.


Post-Election Law Privacy Law Prospects

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Frank Colleluori, Mengyi Xu, Jeffrey Cunard, Luke Dembosky, and Tigist Kassahun

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below we sum up these important changes emerging from Sacramento. We also note some possible Election Day impacts on the privacy law reforms that have been percolating in Washington, D.C.


Schrems II – Where are we now?

As covered in our previous blog post, the CJEU has invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data from the EU to the U.S. (the “Schrems II” decision) and cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (“SCCs”) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.


First Enforcement Action by New York DFS Under Its Cyber Rules Shows Where Companies Face Regulatory Risk – Six Quick Takeaways

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford, and Mengyi Xu

The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (PDF: 278 KB) (the “Charges”) on July 21, 2020 against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (PDF: 97.4 KB) (the “Regulation”), including:

    • Failure to perform an adequate risk assessment
    • Failure to maintain proper access controls
    • Failure to provide adequate security training for cybersecurity employees
    • Failure to encrypt certain nonpublic information

The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and a sample of 1,000 documents found that 30% contained nonpublic information.


Preparing for and Responding to Ransomware Attacks: Thirteen Lessons from the NIST Framework and Recent Events

by Luke Dembosky, Avi Gesser, H Jacqueline Brehmer, Robert Maddox, Dr. Friedrich Popp, and Mengyi Xu

Ransomware attacks continue to plague businesses across the globe. As companies enhance their defenses, attackers increase the sophistication of their software and its deployment. Ransomware attacks used to be limited to the locking of a company’s computer system by encryption software and a demand to pay in order to obtain the key, but not anymore.

In early June 2020, for example, the REvil ransomware group auctioned off three databases containing approximately 22,000 stolen files that were associated with a Canadian agricultural firm, for a starting price of $50,000, after the victim refused or failed to pay the ransom. This sale reflects a growing trend of ransomware attacks that includes theft of sensitive company data, along with the usual locking up of computer systems, as a means of amplifying the pressure on victim entities. As a result, companies that have operational backup systems, and therefore do not need to pay the ransom to get access to their data, may still consider paying in order to prevent the public release of their stolen confidential information.


Six Tips for Getting Rid of Old Electronic Files, Which Reduces Cyber and Privacy Risk and Is Now a Legal Requirement for Most Companies

by Avi Gesser, Michael Bloom, Mengyi Xu, and Dr. Friedrich Popp

Much has been written recently on the increased cybersecurity and privacy risks that companies are facing. One of the most effective ways for organizations to mitigate those risks is to significantly reduce the amount of data that they collect and maintain. Having less data means that there is less sensitive information to protect from hacks or leaks, which is why regulators are increasingly focused on the following data minimization requirements:

  • Collecting only the data that you actually need;
  • Using collected data only for authorized purposes; and 
  • Retaining only data that you actually need.

Companies that have failed in the third element of data minimization, effectively getting rid of old data, have recently been the subject of regulatory action. In this Data Blog post, we discuss the regulatory requirements for getting rid of old data and offer six tips for complying with this new and difficult obligation.


The NYAG Dunkin’ Donuts Cyber Case – One More Sign that the Days of Stick for Cybersecurity Enforcement May Be Around the Corner


Over the last few years, the creation of new cybersecurity regulations has been robust, but actual enforcement has been tepid. This is understandable in any new regulatory regime, especially one where the standards are vague, the conduct is evolving, and therefore, there is considerable uncertainty on the part of the regulated as to what is required. In addition, companies that experience data breaches are often the victims of a crime (rather than the perpetrators), so regulators don’t want to be seen as piling on and further punishing victims. But, after years of conducting cybersecurity exams, speaking on panels, issuing guidance, encouraging best practices, and publicly warning companies, there are signs that 2019 was a transition year, and 2020 is likely to be a time when cybersecurity enforcement leans more towards the stick side of the equation. There are several explanations for this development.


Ephemeral Messaging for Businesses: Balancing the Risks of Keeping and Deleting Data by Default

by Avi Gesser, Daniel F. Forester, and Mengyi Xu

One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data.  By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with their regulatory obligations.  But getting rid of old data isn’t easy, in part because of the legal limitations on what can be deleted.  We have previously written about these challenges, as well as the benefits of data minimization, which include reducing:

  • the growth of a company’s data over time, and the associated storage costs;
  • lost productivity associated with searching large volumes of irrelevant data;
  • the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering CCPA and GDPR-type rights of access and erasure;
  • internal audit and compliance risks;
  • contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed); and
  • the volume of documents that may be unhelpful to the company in potential, but not yet reasonably anticipated, litigation or regulatory inquiries.
