In January 2018, at the Eleventh Annual International Conference on Computers, Privacy and Data Protection (the “Conference”) in Brussels, one panel that made some headlines centered around blockchain technology in the context of data protection. The core inquiry of the panel was two-fold: (1) whether blockchain technology can facilitate data protection regulatory objectives and (2) whether the same technology makes it more difficult to enforce data protection laws. Unsurprisingly, neither inquiry produces a … Continue Reading
One of the many difficult questions that companies face in the immediate aftermath of discovering a cyber breach is whether to inform their regulators or law enforcement. Assuming there is no mandatory disclosure obligation, some companies are reluctant to call the government because (1) they may not know all the facts yet, (2) they don’t want to waive privilege, and (3) they are worried that the company will become the target of an investigation into … Continue Reading
On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued a statement and interpretive guidance on issuers’ cybersecurity disclosures. For a general discussion of the guidance, see Davis Polk’s recent Client Memorandum. Although the guidance does not impose any new requirements on issuers, the SEC’s emphasis on Board oversight of cybersecurity provides new meaning on existing requirements.
The SEC notes that “[t]o the extent cybersecurity risks are material to a company’s business,” its … Continue Reading
For the first time, the CFTC has fined a company for poor cybersecurity practices that resulted in a third-party breach of the company’s information systems. This development is consistent with an increasing trend of regulators holding companies responsible for the cybersecurity failures of third-party service providers.
AMP Global Clearing LLC (“AMP”) was fined $100,000 by the CFTC on February 12, 2018 for failing to diligently supervise its information technology provider’s implementation of certain … Continue Reading
Cryptojacking is the newest cyber threat that companies are facing. It involves hackers accessing company servers in order to steal processing power, which is then used to mine cryptocurrencies.
With the recent increase in value of digital assets such as bitcoin, Ether, and Monero, it is not surprising that criminal hackers and rogue states are looking for ways to acquire these currencies, which they can use anonymously for various legal and illegal purposes. One way … Continue Reading
One of many difficult decisions that companies face following a cyber breach is whether to disclose it to law enforcement. There are several advantages to involving the FBI in a breach response: they may (1) have seen this kind of hack before; (2) know the malware or persons involved; (3) be able to provide helpful information on the motivation for the attack; (4) tell you what else to look for on your systems; and (5) … Continue Reading
If you haven’t been closely following, you may be of the mistaken view that without evidence of actual harm, consumer plaintiffs in federal cyber breach cases have no standing. While that may have been roughly correct in 2016, the story in 2018 is more complicated, and getting better for plaintiffs.
Cyber threats remain a key operational concern for banks, which are otherwise experiencing “near-historic” capital and liquidity highs and improved returns on equity, according to the Office of the Comptroller of the Currency (the “OCC”). The regulator published its Fall 2017 Semiannual Risk Perspective on January 18th, stating that “operational risk remains elevated as banks adopt business models, transform technology and operating processes, and respond to increasing cybersecurity threats.” This conclusion is not new—since its … Continue Reading
Companies that experience a cyber breach face several immediate and difficult challenges: quickly getting a handle on the scope of the breach, making sure that the intruder is out of their system, remediating any vulnerability, assessing what data was accessed (if any), deciding whether to reach out to law enforcement, determining whether any mandatory notification obligations have been triggered, and weighing whether to make any voluntary notification to regulators, customers, investors, etc. One thing companies … Continue Reading
One of our cyber predictions for 2018 was that class action securities cases are going to become a major issue for companies involved in cyber events.
Large-scale data breaches often give rise to a variety of legal problems for the affected company, ranging from consumer class action litigation to congressional inquiries and state attorney general investigations. As we have discussed previously elsewhere, an additional emerging risk for breached companies is federal securities class action litigation… Continue Reading
The new year is fast approaching. 2017 has been a year of major cyber incidents, including the Equifax breach. Cybersecurity will continue to be a top concern for companies in the new year. Avi Gesser spoke with Markets Media about his outlook for cybersecurity law and regulation in 2018.
Which hot topics/hype should be retired at the end of 2017?
The idea from 2017 that should be retired is that some new software innovation is … Continue Reading
Cybersecurity regulators appear to be converging on 72-hour breach notification. First it was the European Union’s General Data Protection Regulation (“GDPR”), then it was the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) have adopted the Insurance Data Security Model Law (“Model Law”) – all with a 72-hour breach notification requirement.
Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.
Courts have rejected many of these claims, but plaintiffs and regulators are increasingly having success with allegations of unfair business practices. At the federal level, the Federal Trade Commission (“FTC”) has … Continue Reading
Companies and law enforcement are increasingly turning to white hat hackers for help. The FBI apparently paid consultants over $1,000,000 to unlock an iPhone used by one of the shooters in the San Bernardino attacks, and companies such as Microsoft, Uber, Facebook, and Google are paying hackers tens of thousands of dollars to find vulnerabilities in their systems. Davis Polk’s recent cybersecurity webcast discusses why companies are using pools of white hat hackers for certain … Continue Reading
Appleby, a multi-national law firm known for its tax planning services, is the latest law firm to suffer a major cyber breach in an event that has been dubbed the “Paradise Papers.” This breach mirrors the Panama Papers leak from two years ago, which exposed millions of documents from the Mossack Fonseca law firm.
Appleby, like Mossack Fonseca, is known for its high-net-worth clients and its use of offshore entities to assist them in tax … Continue Reading
On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification. Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2 to 6 hour data breach notification requirement. So, as we have been predicting for some time, it seems that regulators are starting to step up enforcement and … Continue Reading
The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification. On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach notification requirement, among other violations. Yes Bank experienced a cyber breach around May 2016, but did not become aware of the incident until September 2016. … Continue Reading
Please join us on November 15, 2017, 12:00 pm to 1:00 pm ET for a discussion on cyber vulnerability assessments and the evolving law on hacking and/or extortion, including:
- Why companies are turning to pools of hackers to test their cyber defenses.
- The line between lawful and unlawful conduct for white hat hackers trying to uncover a company’s cyber vulnerabilities.
- The new DOJ guidelines on these kinds of vulnerability assessments.
- How to
In our cybersecurity and data management webcast now available below, Davis Polk partners Avi Gesser, Gabe Rosenberg, and associate Matt Kelly, recently discussed getting rid of old documents to reduce cyber risk.
To avoid ending up in the news as the latest victim of a cyber-attack, companies are looking to improve their data security. One way is data reduction─getting rid of old data that you don’t need for business purposes and you … Continue Reading
During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel. This has caused several companies to question their own reporting structures for cybersecurity issues. So what is the right structure for CISO reporting? As usual, there is no one right or wrong answer.
We have seen many different reporting structures for CISOs … Continue Reading
The Davis Polk Financial Regulation Reform Team recently blogged about the breach of the SEC’s EDGAR database and how that breach impacts the Consolidated Audit Trail (“CAT”)
“In the wake of a highly-publicized cybersecurity breach involving the SEC’s EDGAR system, SEC Chairman Jay Clayton has been in the hot seat at recent congressional hearings, fielding pointed questions as to whether the SEC should delay implementation of the Consolidated Audit Trail (“CAT”). The SEC has not … Continue Reading
In a statement issued on Wednesday, September 20th, the U.S. Securities and Exchange Commission (SEC) revealed that it was investigating a 2016 data breach of its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database. The SEC does not believe that personally identifiable information was exposed, but the investigation is still ongoing and raises questions regarding government agencies’ obligations to protect sensitive information, and the potential litigation challenges facing individuals who are impacted by hacks of … Continue Reading
Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC. With the recent Equifax breach, this appears to be changing.
The Massachusetts Attorney General filed a complaint against Equifax on September 17, 2017, asserting that Equifax violated Massachusetts Data Security Regulations by failing to safeguard personal information of credit applicants. … Continue Reading
Please join us on October 11, 2017 from 12:00 pm to 1:00 pm ET for a discussion on the evolving law and practice on the document management aspects of cyber security, including:
- Regulators’ expectation for companies regarding deleting old non-public data to reduce cyber risk.
- The interactions between the Federal Rules of Civil Procedure on electronic document spoliation and responsible cyber security data management.
- Using predictive coding and data analytics to identify