Tag Archives: Nicole Friedlander

President Biden Issues Executive Order Granting Authorities to Regulate the Transfer of Sensitive U.S. Data to Countries of National Security Concern

by Eric J. Kadel Jr., Sharon Cohen Levin, Nicole Friedlander, Anthony J. Lewis, Andrew J. DeFilippis, Joshua Spiegel, and George L. McMillan


Top left to right: Eric J. Kadel Jr., Sharon Cohen Levin, Nicole Friedlander, Anthony J. Lewis.
Bottom left to right: Andrew J. DeFilippis, Joshua Spiegel and George L. McMillan. (Photos courtesy of Sullivan & Cromwell LLP).

SUMMARY

On February 28, 2024, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Executive Order”), delegating new authorities to the U.S. Department of Justice (“DOJ”) and other agencies to regulate the transfer of sensitive U.S. data to countries of national security concern. The Executive Order focuses primarily on personal and other sensitive information, such as U.S. persons’ financial information, biometric data, personal health data, geolocation data, and information relating to government personnel and facilities.[1]


Looking Back at Fall 2023 PCCE Events: Conference on Security, Privacy, and Consumer Protection

As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023 full day conference on Security, Privacy, and Consumer Protection.


(©Hollenshead: Courtesy of NYU Photo Bureau)


Privacy Experts Share Tips for Managing an Effective Privacy Program from PCCE’s Fall Security, Privacy, and Consumer Protection Conference


Left to Right: James Haldin, Judy Titera, Melissa Harrup, Nicole Friedlander, and Avi Gesser (©Hollenshead: Courtesy of NYU Photo Bureau)

On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies, and the new amendments to the New York Department of Financial Services cybersecurity rules. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel on Managing an Effective Privacy Program in a Time of Increasing Regulatory and Legal Risk share further thoughts on the issue.


SEC Charges SolarWinds and Its CISO with Fraud and Internal Controls Failures

by Nicole Friedlander, Anthony J. Lewis, Robert W. Reeder, John B. Sarlitto, Michael S. Drell, and Paulena B. Prager


Left to right: Nicole Friedlander, Anthony J. Lewis, Robert W. Reeder, John B. Sarlitto, Michael S. Drell, and Paulena B. Prager (Photos courtesy of Sullivan & Cromwell LLP)

Complaint Alleges Knowledge and Concealment of Poor Cybersecurity Practices and Heightened Cyber Risks

SUMMARY

On October 30, 2023, the Securities and Exchange Commission (“SEC”) filed a complaint against SolarWinds Corporation (“SolarWinds”) and its Chief Information Security Officer (“CISO”), alleging securities fraud and failures of reporting, internal control over financial reporting, and disclosure controls and procedures, in connection with a compromise of the company’s software product that was publicly revealed in December 2020.[1] The complaint (“Complaint”), filed in the Southern District of New York, alleges that SolarWinds and its CISO misled investors and customers about known, material cybersecurity weaknesses and risks, including several that allegedly enabled the compromise, through which U.S. government networks and corporations were infiltrated in a cyber espionage campaign by the Russian government. The SEC alleges that the defendants made materially false and misleading statements and omitted material facts on SolarWinds’ website and in its blog posts, press releases, initial registration statement (“Form S-1”), quarterly and annual SEC reports, and the current report on Form 8-K in which SolarWinds first disclosed the compromise. The SEC seeks declaratory and injunctive relief, disgorgement, a civil monetary penalty in an unspecified amount, and an order permanently prohibiting the CISO from acting as an officer or director of a public company.


SEC Charges Issuer for Inadequate Cybersecurity Disclosure Controls: Action Suggests a More Active SEC Enforcement Role Concerning Disclosure Controls and Procedures for Cybersecurity

by Cathy Clarkin, Bob Downes, John Evangelakos, Nicole Friedlander, Tony Lewis, Sarah Payne, Steve Peikin, Kamil Shields and Rebecca Sobel

On June 15, 2021, the Securities and Exchange Commission (“SEC”) announced charges against First American Financial Corporation (“First American”) for failure to maintain adequate disclosure controls and procedures in violation of Exchange Act Rule 13a-15(a).[1] The charges, which were simultaneously settled pursuant to a cease-and-desist order (the “Order”) imposing a $487,616 civil money penalty, related to a vulnerability in First American’s proprietary software application that caused tens of millions of document images—many containing consumers’ personal information—to be publicly accessible. After being notified by a journalist about the vulnerability on May 24, 2019, First American issued a press release and subsequently filed a Form 8-K with the SEC. According to the Order, however, the senior executives responsible for these disclosures were not informed prior to the time the disclosures were made that certain First American personnel had longstanding prior knowledge of the vulnerability, and that the vulnerability had not been remediated in accordance with the company’s policies. In light of the action—and increased scrutiny by U.S. authorities concerning cybersecurity in the wake of nationally significant ransomware attacks and cyberattacks involving SolarWinds and Microsoft software—issuers should review and confirm the efficacy of their disclosure controls and procedures for analyzing and escalating key information about cybersecurity incidents and vulnerabilities.


Federal Banking Agencies Propose Cyber Incident Notification Requirements

by Nicole Friedlander, Jared Fishman, Ethan Chess, and Jonathan Silverstone

On December 18, the Board of Governors of the Federal Reserve System (the “Board”), Office of the Comptroller of the Currency (the “OCC”) and the Federal Deposit Insurance Corporation (the “FDIC,” and together, the “Agencies”) released a notice of proposed rulemaking (the “proposal”) regarding notification requirements for banking organizations and bank service providers related to significant cybersecurity incidents.[1]

Under the proposal, a banking organization would be required to notify its primary banking regulator within 36 hours of a “computer-security incident” that it believes in good faith could materially disrupt, degrade, or impair (i) its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base; (ii) any of its business lines, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or (iii) any operations, including associated services, functions and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Additionally, bank service providers would have to notify at least two individuals at affected banking organization customers immediately of significant computer-security incidents.


SEC Issues Report of Investigation on Cyber-Related Frauds Perpetrated Against Public Companies

by Robert W. Downes, John Evangelakos, Nader A. Mousavi, Nicole Friedlander, and Sarah M. Cravens

Public Companies Should Implement Sufficient Internal Controls to Avoid Becoming Victims of Cyber-Related Frauds and to Comply With the Exchange Act

Summary

On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented.

The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million.

While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that the cyber-related threats exist and concluded that all companies should reassess the sufficiency not only of existing internal controls, but also of policies and procedures that ensure employee compliance with controls.