The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Safeguards Rule

  • From Vol. 4 No.5 (Mar. 14, 2018)

    FTC Enters Into Stiff Settlement With PayPal for Venmo’s Deceptive Practices, but Eases up on a 2009 Sears Order 

    A pair of recent FTC orders demonstrate that despite aggressive action against businesses deemed to have made false or deceptive disclosures on privacy and cybersecurity matters, the Commission is also open to a more nuanced approach to disclosure and is willing to reconsider existing consent orders when circumstances change. This article analyzes (1) the recent settlement order with PayPal, whose Venmo unit misled users about the privacy of transactions and the availability of their funds and (2) the Order Reopening and Modifying a 2009 Order, which does away with a requirement that Sears make extensive disclosures on its mobile apps about how it tracks certain web browsing. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018).

  • From Vol. 3 No.9 (May 3, 2017)

    SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part One of Two)

    While the SEC has provided some guidance and taken on a limited number of actions, the state of its cybersecurity enforcement program is still unclear to many companies. At the recent IAPP Global Privacy Summit, two SEC officials, Stephanie Avakian, Acting Director of the SEC Division of Enforcement, and Shamoil Shipchandler, SEC Regional Director for the Fort Worth Regional Office, spoke candidly on the agency’s plans and approach. This first part of our article series covering their discussion includes their views on which enforcement actions serve as the best guidance, how they identify new cases, enforcement trends and coordination with law enforcement and state regulators. Part two will include their insights on the SEC’s cybersecurity examination process and guidance on corporate disclosures. See “SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case” (Oct. 19, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FINRA Emphasizes the Importance of Proper Electronic Record Storage in Enforcement Actions

    Accurate recordkeeping is one of the core duties of broker-dealers and investment advisers. As the number of electronic records has exploded in recent years, so have the risks of hacks or other malicious acts. FINRA recently settled enforcement actions against 12 of its members, imposing a total of $14.4 million in fines, for their failures to store electronic records in “write once, read many” (commonly referred to as “WORM”) format, as well as other violations of SEC recordkeeping rules. In its press release, FINRA emphasized that the deficiencies affected hundreds of millions of records, and the need to maintain records in the WORM format because “the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records.” This article explores the violations and key terms of the eight separate FINRA Letters of Acceptance, Waiver and Consent (AWCs). See also “FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer” (Dec. 14, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case

    While regulators and companies have recently focused on cybersecurity efforts to keep data secure, the SEC’s recent administrative proceeding against Deutsche Bank Securities Inc. (DBSI) emphasizes that policies and practices to secure data must continue to safeguard nonpublic information from all types of dissemination methods, from emails and chats, to telephone calls and in-person meetings. The SEC announced last week that DBSI agreed to pay a $9.5 million penalty for (1) failing to properly safeguard material nonpublic information generated by its research analysts, (2) publishing an improper research report and (3) failing to properly preserve and provide electronic chat records sought by the SEC. The SEC emphasized that employees must receive clear definitions and training so that they understand what information should not be shared. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert” (Sep. 30, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert

    So far, the SEC’s focus on cybersecurity has largely been limited to providing guidance to registrants and learning about the state of cybersecurity preparedness through focused examinations. One sign that the SEC will go further and take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc. The firm suffered a cybersecurity breach that compromised the information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle charges that it violated the Safeguards Rule. The SEC released a related Investor Alert that offers guidance to individual investors who believe that their personally identifiable information has been compromised. We provide the highlights. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).
