The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Enforcement Actions

  • From Vol. 4 No.5 (Mar. 14, 2018)

    FTC Enters Into Stiff Settlement With PayPal for Venmo’s Deceptive Practices, but Eases up on a 2009 Sears Order

    A pair of recent FTC orders demonstrate that despite aggressive action against businesses deemed to have made false or deceptive disclosures on privacy and cybersecurity matters, the Commission is also open to a more nuanced approach to disclosure and is willing to reconsider existing consent orders when circumstances change. This article analyzes (1) the recent settlement order with PayPal, whose Venmo unit misled users about the privacy of transactions and the availability of their funds and (2) the Order Reopening and Modifying a 2009 Order, which does away with a requirement that Sears make extensive disclosures on its mobile apps about how it tracks certain web browsing. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Financial Firms Must Supervise Their IT Providers to Avoid CFTC Enforcement Action

    The CFTC recently announced a settlement with futures firm AMP Global Clearing LLC (AMP), which had tens of thousands of client records compromised after its IT vendor unknowingly installed a backup drive on AMP’s network that included an unsecured port. The settlement order requires AMP to cease and desist from future violations, pay a civil penalty of $100,000 and report to the CFTC for the next year on its efforts to improve its digital security. “As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” said CFTC Director of Enforcement James McDonald. In particular, it is a reminder of the importance of monitoring third-party service providers. In this article, we analyze the case and relevant remedial steps AMP agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York’s active cybersecurity efforts. “New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive,” Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. “It’s fair to say that cyber is at the top of the state’s regulatory agenda.” We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    SEC Takes Aggressive Action Against Allegedly Fraudulent ICO

    As the prices of Bitcoin and other cryptocurrencies march relentlessly upward, regulators have been taking notice. The SEC recently filed a civil enforcement complaint against Quebec resident Dominic Lacroix, his company PlexCorps and his partner Sabrina Paradis-Royer in connection with an initial coin offering (ICO) of “PlexCoins.” Matthew Rossi, a Mayer Brown partner and former Assistant Chief Litigation Counsel in the SEC Division of Enforcement, told The Cybersecurity Law Report that the case illustrates the priorities of the recently formed SEC Cyber Unit. See also our three-part series on blockchain and the financial services industry: Basics of the Blockchain Technology (Jun. 4, 2017), Using Blockchain to Improve Operations and Compliance (Jun. 28, 2017) and Potential Impediments to Its Eventual Adoption (Jul. 12, 2017).

  • From Vol. 3 No.16 (Aug. 9, 2017)

    Nestlé Employee Convictions Highlight Interconnectivity of Chinese Data Privacy and Bribery Laws

    The conviction of six Nestlé employees and three employees of state-run Chinese hospitals for crimes relating to the illegal distribution of personal information highlights the complicated nature of data privacy risk in China. The Nestlé employees were found guilty of illicitly obtaining personal information by providing bribes to foreign officials and members of the hospital staff were found guilty of providing that information. Notably, the charges were brought under laws relating to the distribution of breast milk substitutes, not anti-bribery, data privacy or cybersecurity laws. The Cybersecurity Law Report’s sister publication, PaRR, discussed the case with local experts who explained the intersecting risks, and how Nestlé escaped corporate liability. See our two-part series on data security in China: “Understanding Data Privacy and Cybersecurity in China (Part One of Two)” (Sep. 7, 2016); Part Two (Sep. 21, 2016).

  • From Vol. 3 No.9 (May 3, 2017)

    SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part One of Two)

    While the SEC has provided some guidance and taken on a limited number of actions, the state of its cybersecurity enforcement program is still unclear to many companies. At the recent IAPP Global Privacy Summit, two SEC officials, Stephanie Avakian, Acting Director of the SEC Division of Enforcement, and Shamoil Shipchandler, SEC Regional Director for the Fort Worth Regional Office, spoke candidly on the agency’s plans and approach. This first part of our article series covering their discussion includes their views on which enforcement actions serve as the best guidance, how they identify new cases, enforcement trends and coordination with law enforcement and state regulators. Part two will include their insights on the SEC’s cybersecurity examination process and guidance on corporate disclosures. See “SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case” (Oct. 19, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FINRA Emphasizes the Importance of Proper Electronic Record Storage in Enforcement Actions

    Accurate recordkeeping is one of the core duties of broker-dealers and investment advisers. As the number of electronic records has exploded in recent years, so have the risks of hacks or other malicious acts. FINRA recently settled enforcement actions against 12 of its members, imposing a total of $14.4 million in fines, for their failures to store electronic records in “write once, read many” (commonly referred to as “WORM”) format, as well as other violations of SEC recordkeeping rules. In its press release, FINRA emphasized that the deficiencies affected hundreds of millions of records and stressed the need to maintain records in the WORM format because “the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records.” This article explores the violations and key terms of the eight separate FINRA Letters of Acceptance, Waiver and Consent (AWCs). See also “FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer” (Dec. 14, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer

    A recent FINRA action against Lincoln Financial Securities Corporation, a general securities business, involving the firm’s alleged failure to safeguard customer data, preserve customer records and implement an appropriate supervisory system sheds light on regulatory expectations for a range of sectors. This article explains the alleged misconduct, the terms of the settlement, the remedial measures the firm is implementing, and the cybersecurity measures FINRA expects firms to take. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case

    While regulators and companies have recently focused on cybersecurity efforts to keep data secure, the SEC’s recent administrative proceeding against Deutsche Bank Securities Inc. (DBSI) emphasizes that policies and practices to secure data must also safeguard nonpublic information across all dissemination methods, from emails and chats to telephone calls and in-person meetings. The SEC announced last week that DBSI agreed to pay a $9.5 million penalty for (1) failing to properly safeguard material nonpublic information generated by its research analysts, (2) publishing an improper research report and (3) failing to properly preserve and provide electronic chat records sought by the SEC. The SEC emphasized that employees must receive clear definitions and training so that they understand what information should not be shared. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Assistant Attorney General Leslie Caldwell Addresses the Challenges of Cross-Border Cooperation and Electronic Evidence Gathering

    The emergence of new technologies that allow users to evade detection has expanded opportunities for criminals to victimize innocent people while avoiding identification and accountability. Combating these criminals, whose crimes often transcend borders, requires international cooperation. Assistant Attorney General Leslie R. Caldwell addressed how the U.S. is fighting cyber crime on the international stage, including how it is handling encryption technology, in a recent speech at the Cybercrime Symposium 2016, presented by the Center for Strategic and International Studies and the DOJ Computer Crime and Intellectual Property Section. We highlight the key points of her speech. See also “In a Candid Conversation, FBI Director James Comey Discusses Cooperation Among Domestic and International Cybersecurity Law Enforcement Communities (Part Two of Two)” (Jun. 17, 2015).

  • From Vol. 2 No.10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert” (Sep. 30, 2015).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Regulators Speak Candidly About Cybersecurity Trends, Priorities and Coordination

    Understanding the regulators’ priorities and concerns can help a company work effectively with them to investigate and respond to cybersecurity incidents. In a recent panel at the ABA National Institute on Cybersecurity Litigation, authorities from the DOJ, the SEC, the FCC and the Connecticut Attorney General’s office weighed in about the cyber threat landscape, their agencies’ enforcement priorities, strategies for collaboration (including when and how information shared with the government will remain confidential) and effective incident response. See also “Private and Public Sector Perspectives on Producing Data to the Government” (Jun. 3, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Ten Steps to Minimize Data Privacy and Security Risk and Maximize Compliance

    Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Prosecuting Borderless Cyber Crime Through Proactive Law Enforcement and Private Sector Cooperation

    Identifying, locating and prosecuting cyber criminals is a complex operation that requires coordination among various law enforcement agencies as well as the private sector. David Hickton, the U.S. Attorney for the Western District of Pennsylvania, spoke with The Cybersecurity Law Report in advance of the Financial Times Cyber Security Summit on March 16, 2016 in Washington, D.C., where he will participate as a panelist. An event discount code is available to CSLR readers inside the article. In our interview, Hickton addresses the challenges, changes and private sector cooperation within cybersecurity law enforcement. See also our series featuring FBI Director James Comey’s discussion of the “‘Evil Layer Cake’ of Cybersecurity Threats” (Jun. 3, 2015); and “Cooperation Among Domestic and International Cybersecurity Law Enforcement Communities” (Jun. 17, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016

    The FTC’s Bureau of Consumer Protection was hard at work in 2015, reaching settlements with a wide range of companies on a variety of privacy and data security issues.  During the recent IAPP Practical Privacy Series 2015, Jessica Rich, Director of the Bureau of Consumer Protection and an architect of the FTC’s privacy program, reflected on the agency’s major enforcement actions, reports and relationships in 2015 and what businesses should expect in the coming year.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do.  Increasingly, the federal agency also has vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate.  In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement.  This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions in both the cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions.  See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge:  A Snapshot of the Regulatory Landscape (Part One of Two)

    The cyber focus has become increasingly intense for the financial services sector.  Industry compliance personnel are challenged to keep up with cybersecurity requirements in this area, with new major regulatory developments occurring on a regular basis.  In a guest article, the first in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, explores the current cybersecurity regulatory expectations applicable to the financial services sector.  The second article will provide a practical blueprint for building a cyber compliance program.  See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert

    So far, the SEC’s focus on cybersecurity has largely been relegated to providing guidance to registrants and learning about the state of cybersecurity preparedness through focused examinations.  One sign that the SEC will go further and take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc.  The firm suffered a cybersecurity breach that compromised information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle the charges that it violated the Safeguards Rule.  The SEC released a related Investor Alert that offers guidance to individual investors who believe that their personally identifiable information has been compromised.  We provide the highlights.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Navigating the Evolving Mobile Arena Landscape (Part Two of Two)

    Mobile devices, and their constantly changing technology, present unique cybersecurity and privacy issues.  In the second installment of our coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Aaron P. Simpson, a partner at Hunton & Williams, and H. Leigh Feldman, global chief privacy officer at Citi, discuss these challenges and contextualize relevant policy and regulatory landscapes in the U.S. and Europe, including enforcement activity.  The first article in the series explained the specific challenges related to mobile and wearable technology and presented best practices for stakeholders as consumers demand control of their information.  See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part Two of Two)

    As breaches proliferate, civil litigations related to breaches have too – and some of them can become “bet the company” cases.  In our continued coverage of a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute, panelists discuss the compliance lessons from shareholder derivative suits and class actions that have followed breaches, as well as how companies should use government cybersecurity guidance in their programs.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – the panel included plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  The first article of this two-part series contained the panelists’ insights on the sources of liability for companies, best practices when collecting personal data and takeaways from government enforcement actions.

  • From Vol. 1 No.8 (Jul. 15, 2015)

    The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity

    In its new guidance, “Start with Security,” the Federal Trade Commission is “stating its case why it should be recognized as the preeminent authority in this area,” Stephen Newman, a partner at Stroock, told The Cybersecurity Law Report.  The FTC makes clear in the guidance that it expects companies to put strong cybersecurity practices in place and will hold the companies responsible for lax security measures if a breach does occur.  The guidance also provides valuable compliance advice – it articulates the FTC’s thoughts on how to reduce risk with “fundamentals of sound security” based on “the lessons learned from the more than 50 law enforcement actions the FTC has announced so far.”  We discuss the ten steps the FTC has put forward to enhance cyber compliance, with input from experts.  See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    Understanding and Mitigating Liability Under the Children’s Online Privacy Protection Act

    Faced with the threat of steep civil penalties that can arise from active FTC enforcement, operators of commercial websites must exercise caution when collecting personal information from children under the age of 13.  The long reach of the Children’s Online Privacy Protection Act (COPPA) applies not only to first-party website operators but also extends to third parties that collect personal information on behalf of first-party operators in certain circumstances.  In a recent presentation, attorneys Julia Siripurapu and Ari Moskowitz of Mintz Levin discussed key provisions and implementation of COPPA, including compliance, enforcement and applicability to third parties.  They also provided advice on best practices for websites and online services regarding the collection and use of children’s personal information, and for educational institutions as parental agents.

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part Two of Two)

    Cybersecurity is one important element of an investment manager’s overall regulatory compliance responsibilities.  Although not explicitly required by SEC regulations, it is clear that the SEC and other regulators expect fund managers to test for cybersecurity vulnerabilities and preparedness.  A recent program sponsored by K&L Gates and the Investment Advisors’ Association, featuring experts from those entities as well as BNY Mellon and Nth Generation, explored the most effective and efficient testing methods.  This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters.  The first article summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    SEC Commissioner Says Public-Private Partnership Is Key to Effective Cybersecurity

    In a speech at this year’s SINET Innovation Summit, SEC Commissioner Luis Aguilar emphasized the “scope and urgency” of cybersecurity threats and the ineffectiveness of many network security programs, citing a multitude of studies.  He also called for more formalized information-sharing between private sector companies and the government.  See also “In a Candid Conversation, FBI Director James Comey Talks About the ‘Evil Layer Cake’ of Cybersecurity Threats,” The Cybersecurity Law Report, Vol. 1, No. 5 (Jun. 3, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes.  But the law has not kept pace with technological innovation.  There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy.  As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities.  The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.

  • From Vol. 1 No.3 (May 6, 2015)

    The SEC’s Updated Cybersecurity Guidance Urges Program Assessments

    With its new Investment Management Guidance Update on cybersecurity, the SEC is “now looking at more comprehensive assessment of controls and threats, not just from external sources but also internal sources,” Marc Lotti, a partner at ACA Aponix, told The Cybersecurity Law Report.  “Right now, investors and SEC don’t see [disregarding technology risk] as ignorant, they see it as negligent.”  The Guidance discusses actions that investment advisers and companies should consider to mitigate those risks and enhance their cybersecurity programs.

  • From Vol. 1 No.2 (Apr. 22, 2015)

    FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under the FCC’s jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years.

  • From Vol. 1 No.1 (Apr. 8, 2015)

    The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions

    When a data security incident has been identified, a company’s initial priorities include understanding, containing and remedying the vulnerabilities.  In the aftermath of a data security incident, however, companies often have to focus nearly as quickly on responding to inquiries from an expanding array of federal, state and local regulators and law enforcement agencies, including state attorneys general and the FTC.  The SEC is a more recent entrant into the cybersecurity enforcement arena.  It has dramatically increased its focus on these issues in the last four years, and it has signaled an intent to continue to expand its efforts.  This is true not only for financial institutions subject to extensive SEC oversight – such as broker-dealers and investment advisers – but for all publicly traded companies.  In a guest article, Daniel F. Schubert and Jonathan G. Cedarbaum, partners at WilmerHale, and Leah Schloss, a WilmerHale associate, explain the SEC’s role in cybersecurity enforcement, the SEC’s two primary theories in cyber-related enforcement actions and another theory that the SEC may use to broaden its cyber enforcement authority.
