Search Results

418 results found for: sec

SEC Signals Renewed Interest in Cybersecurity Disclosure Enforcement

The SEC is ramping up its cybersecurity disclosure enforcement.  While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years have seen an explosion of high-profile data security incidents.  That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement.  First, the SEC announced its intention to issue a new rule regulating cybersecurity risk governance disclosure.  Second, it announced its first charges and settlement for cybersecurity disclosure violations since 2018.  And third, it revealed a significant cybersecurity disclosure investigation relating to the recent SolarWinds supply-chain attack.  In light of these developments, now would be a good time for issuers and registered entities to review the SEC’s expectations for cybersecurity disclosure and implement any necessary changes to their policies, procedures and disclosure practices.

SEC Continues Pursuit of Cybersecurity Enforcement

Last month, we wrote about three actions taken by the SEC signaling a renewed interest in cybersecurity disclosure enforcement.  In keeping with this theme, the SEC announced a number of significant new cybersecurity actions just last week.  On August 30, the SEC disclosed enforcement actions against eight brokerage firms for failing to implement adequate cybersecurity policies and procedures, as required by the SEC’s “Safeguards Rule.”  All eight firms agreed to settle with the SEC and will collectively pay hundreds of thousands of dollars in fines.  These most recent actions underscore that companies should be mindful of whether their cybersecurity policies and procedures comply with SEC requirements and expectations.

Cyber Lessons From the SEC?

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchange Commission on the use of automated technology to detect investment adviser fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?

SEC Cyber Briefing: Investigation into Wire Fraud and a Look at 2019 Regulatory Initiatives

Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.

The SEC Issues Observations on Cybersecurity and Resiliency Measures

Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency.  These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.

Does Yahoo’s SEC Cyber Disclosure Settlement Set Enforcement Bar?

The U.S. Securities and Exchange Commission’s $35 million settlement announced this week over the Yahoo! data breach provides an object lesson in the consequences of failing to publicly disclose a major cyber-attack.

The nation’s top securities regulator imposed the fine on Altaba Inc. — formerly Yahoo! — for not disclosing in a timely manner one of the largest reported hacks in U.S. history, the first action by the Commission for a cybersecurity disclosure violation.  Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.

SEC Fines Mizuho for Failing to Protect Customer Data

It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.

That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.

SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative

Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.”  A copy of the summary is available here.  This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.

SEC Warns of Ransomware Attacks

The U.S. Securities and Exchange Commission is asking broker-dealers, investment advisers and funds to redouble their cybersecurity efforts in the wake of the global WannaCry ransomware attack, which has spread to more than 150 countries, disrupting critical sectors of the world economy – from transportation systems to healthcare.

An Old Hack Comes Back to Haunt (Newly-Public) Slack

Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.

Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.

SEC Steps Up Enforcement on Registered Investment Advisers

On September 22, the Securities and Exchange Commission (SEC) announced that it had entered into a settlement order with R.T. Jones Capital Equities Management, Inc., a St. Louis-based registered investment adviser, over the firm’s failure to establish cybersecurity policies and procedures.  This investigation and settlement are the latest in the Commission’s ongoing efforts to regulate cybersecurity for investment advisers.

SEC Fines Morgan Stanley For Failure to Safeguard Customer Data

Morgan Stanley Smith Barney LLC has agreed to pay $1 million to settle U.S. Securities and Exchange Commission charges that it failed to protect customer information.  In an Order issued today, Morgan Stanley agreed to settle charges – without admitting or denying them – that a former employee accessed and transferred data regarding 73,000 accounts to his personal server.  The SEC Order states that the former employee’s server was hacked by a third-party and that some of the customer information was offered for sale online. 

PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed

Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price. 

SEC Chair Warns: Cyber Biggest Threat to Global Financial System

The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today.  At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.

Another Court Says Data Breach Investigation Report Is Fair Game

In a recent ruling with important consequences for data breach litigation, a federal court in Pennsylvania ruled that Rutter’s—a Pennsylvania convenience store chain that suffered a data breach—must disclose the investigative report it commissioned from a third-party after the breach. This is a recurring issue in data breach litigation and one that has far-reaching implications for how companies respond to data breaches or other security incidents.  This is also the latest entry in an evolving, and not entirely consistent, line of cases that are broadly chipping away at the attorney-client privilege and the work-product doctrine protections companies argue should apply to their investigative reports.

Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Securities and Exchange Commission (SEC).

Yet Another Proposal to Require Disclosure of Board’s Cyber Expertise

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators has proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors and, if none exists, explain why the company doesn’t believe such expertise is necessary.

For $80 Million, Yahoo! Settles Shareholder Class Action Claiming Stock Price Losses from Data Breaches

It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.

As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.

D.C. Circuit Breathes New Life into OPM Data Breach Litigation

The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On June 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.

New York DFS Proposals Focus on Third-Party Vendor Risk

Earlier this month, the New York State Department of Financial Services (“DFS”) announced that it will propose new cybersecurity regulations for financial institutions.  The DFS made the announcement in a letter to the Financial and Banking Information Infrastructure Committee — an eighteen-member organization headed by the Treasury Department that has already begun tackling cybersecurity issues.

The CFTC Proposes Enhanced Cybersecurity Testing Rules

On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity testing rules for derivatives clearing organizations, trading platforms, designated contract markets, and swap data repositories.

Managing Cybersecurity Risk for Nonprofit Organizations: A Fiduciary Duty?

We live in an era of increasingly prevalent cybercrime, and nonprofits are in the crosshairs.  Harvard University, Penn State University and two BlueCross BlueShield entities are just a few nonprofit organizations that reported cyberattacks in 2015, breaches to their data security systems ultimately compromising thousands of personal, confidential and proprietary records.

Bennek v. Home Depot and the future of Cybersecurity-related Derivative Suits

On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.

SEC’s New Cybersecurity Guidance Sets Regulatory Expectations for Investment Advisers and Broker Dealers

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert announcing the second round of examinations under its cybersecurity examination initiative.  The Risk Alert details areas of focus for the next wave of examinations of investment advisers and registered broker-dealers.  In 2014, OCIE launched its cybersecurity exam initiative to better understand the cybersecurity practices in the securities industry.  The findings were released in February 2015 in OCIE’s Cybersecurity Examination Sweep Summary.

Re-Thinking “Substantial Injury”: The FTC’s Potential New Need for Victims

Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers.  In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015).  The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches.  Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim. 

Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset

A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction.  That record-breaking price purchased a work of art that can be seen only on a computer and the image of which, in large part, is available for use and enjoyment by anyone with an internet connection because the work is a non-fungible token, or NFT.  NFTs have quickly caught the attention of the art world and beyond, touching the mainstream with the NBA Top Shot craze and its $250 million plus marketplace for visual highlights of NBA games.  The company behind NBA Top Shot, Dapper Labs, recently raised $250 million at a $2 billion valuation.  And the larger market for NFTs has grown from $42 million in 2017 to $338 million by the end of 2020.  But for intangible assets whose value is largely driven by the creation of an original work only in cyberspace, owners and investors need to think carefully about what they own and how to protect their digital acquisitions.

Supreme Court Clarifies Standing Requirements – Implications for Class Action Defendants in Data Security, Privacy, and False Advertising Cases

On June 25, the Supreme Court held in a 5-4 decision that Article III prohibits certification of a class and a damages award where the majority of class members lack actual injury.  In TransUnion v. Ramirez, the Ninth Circuit Court of Appeals had previously concluded that a class of over 8,000 individuals who had proved violations of the Fair Credit Reporting Act at trial had standing to recover damages, even though they had not demonstrated that they had suffered concrete harm.  The Ninth Circuit reasoned that the violations placed the class members at sufficient risk of harm to confer standing.  The Supreme Court reversed, and in so doing, reinforced its earlier holdings that Article III compels each plaintiff to show concrete harm.

Massive T-Mobile Data Breach Reignites Calls for National Privacy and Data Security Law

A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when data on more than 50 million of its customers was stolen.  In the ensuing weeks, three class action suits have been filed against the carrier alleging a range of violations.  Two of them allege violations of the California Consumer Privacy Act, one alleges violations of the Washington State Consumer Protection Act, and the third does not allege any violation of state data security laws.  Three members of the House of Representatives pointed to the breach as a reminder of why there needs to be a national privacy and data security law.  One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.

Second Circuit Affirms Dismissal of Class Action Based on Claimed “Increased Risk” of Harm

Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company?  A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs. LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing.  However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.

Another Hack in the Education Sector: 40 Million Records Exposed

A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.

Last month, Chegg reported, in a Form 8-K filed with the Securities and Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for chegg.com.”

COVID-19 Cybersecurity Threats Spiral as Businesses Implement Prophylactic Security Measures

As businesses increasingly shift to remote working environments, the COVID-19 pandemic presents new cybersecurity challenges each day.  As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber hygiene.  As companies struggle to maintain business continuity, the need for robust cybersecurity measures is more pressing than ever.

A (Secondary) Education in Data Security

On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students.  And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.