New Bipartisan Bill Shows Renewed Congressional Attention to Data Privacy and Security

On April 23, 2018, Senators Klobuchar (D-Minn.) and Kennedy (R-La.) introduced the Social Media Privacy Protection and Consumer Rights Act of 2018 (“the Act”), which was referred to the Senate Commerce Committee. Like the CONSENT Act introduced by Senators Markey (D-Mass.) and Blumenthal (D-Conn.)—discussed in detail in our recent client alert, The CONSENT Act and Renewed Congressional Data Privacy Interest—the Act would, if enacted, enhance the Federal Trade Commission’s (“FTC”) … Continue Reading

Blockchain for Data Protection: A Double-edged Sword or a Techno-regulatory Oxymoron?

In January 2018, at the Eleventh Annual International Conference on Computers, Privacy and Data Protection (the “Conference”) in Brussels, one panel that made some headlines centered around blockchain technology in the context of data protection. The core inquiry of the panel was two-fold: (1) whether blockchain technology can facilitate data protection regulatory objectives and (2) whether the same technology makes it more difficult to enforce data protection laws. Unsurprisingly, neither inquiry produces a … Continue Reading

Had a Cyber Breach? The FBI Really Wants To Hear From You!

One of the many difficult questions that companies face in the immediate aftermath of discovering a cyber breach is whether to inform their regulators or law enforcement.  Assuming there is no mandatory disclosure obligation, some companies are reluctant to call the government because (1) they may not know all the facts yet, (2) they don’t want to waive privilege, and (3) they are worried that the company will become the target of an investigation into … Continue Reading

2018 SEC Cybersecurity Guidance on Board Oversight

On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued a statement and interpretive guidance on issuers’ cybersecurity disclosures.   For a general discussion of the guidance, see Davis Polk’s recent Client Memorandum.  Although the guidance does not impose any new requirements on issuers, the SEC’s emphasis on Board oversight of cybersecurity provides new meaning on existing requirements.

The SEC notes that “[t]o the extent cybersecurity risks are material to a company’s business,” its … Continue Reading

Delegation, Not Abdication: The CFTC Fines AMP Global Clearing LLC for Failing to Supervise a Third-Party Service Provider

For the first time, the CFTC has fined a company for poor cybersecurity practices that resulted in a third-party breach of the company’s information systems.  This development is consistent with an increasing trend of regulators holding companies responsible for the cybersecurity failures of third-party service providers.

AMP Global Clearing LLC (“AMP”) was fined $100,000 by the CFTC on February 12, 2018 for failing to diligently supervise its information technology provider’s implementation of certain … Continue Reading

Cryptojacking – A Real Cyber Threat, Even If You Don’t Have To Tell Anyone

Cryptojacking is the newest cyber threat that companies are facing.  It involves hackers accessing company servers in order to steal processing power, which is then used to mine cryptocurrencies.

With the recent increase in value of digital assets such as bitcoin, Ether, and Monero, it is not surprising that criminal hackers and rogue states are looking for ways to acquire these currencies, which they can use anonymously for various legal and illegal purposes.  One way … Continue Reading

Cyber Breach Disclosure Now Comes With Limited Privilege Waiver Protection, If You’re Careful

One of many difficult decisions that companies face following a cyber breach is whether to disclose it to law enforcement.  There are several advantages to involving the FBI in a breach response: they may (1) have seen this kind of hack before; (2) know the malware or persons involved; (3) be able to provide helpful information on the motivation for the attack; (4) tell you what else to look for on your systems; and (5) … Continue Reading

Still Standing—The Road for Plaintiffs in Consumer Cyber Breach Class Actions May Be Getting Smoother

If you haven’t been closely following, you may be of the mistaken view that without evidence of actual harm, consumer plaintiffs in federal cyber breach cases have no standing.  While that may have been roughly correct in 2016, the story in 2018 is more complicated, and getting better for plaintiffs.

On January 22, 2018, the U.S. Supreme Court denied Spokeo Inc.’s petition for writ of certiorari to review the Ninth Circuit’s most recent decision in … Continue Reading

OCC Says Cyber Threats Continue to Elevate Banks’ Operational Risk

Cyber threats remain a key operational concern for banks, which are otherwise experiencing “near-historic” capital and liquidity highs and improved returns on equity, according to the Office of the Comptroller of the Currency (the “OCC”).  The regulator published its Fall 2017 Semiannual Risk Perspective on January 18th, stating that “operational risk remains elevated as banks adopt business models, transform technology and operating processes, and respond to increasing cybersecurity threats.”  This conclusion is not new—since its … Continue Reading

Cybersecurity Whistleblowers – Another Thing to Consider Following a Breach

Companies that experience a cyber breach face several immediate and difficult challenges: quickly getting a handle on the scope of the breach, making sure that the intruder is out of their system, remediating any vulnerability, assessing what data was accessed (if any), deciding whether to reach out to law enforcement, determining whether any mandatory notification obligations have been triggered, and weighing whether to make any voluntary notification to regulators, customers, investors, etc.  One thing companies … Continue Reading

LexBlog