The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Enforcement Actions

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Assistant Attorney General Leslie Caldwell Addresses the Challenges of Cross-Border Cooperation and Electronic Evidence Gathering

    The emergence of new technologies that allow users to evade detection has expanded opportunities for criminals to victimize innocent people while avoiding identification and accountability. Combating these criminals, whose crimes often transcend borders, requires international cooperation. Assistant Attorney General Leslie R. Caldwell addressed how the U.S. is fighting cyber crime on the international stage, including how it is handling encryption technology, in a recent speech at the Cybercrime Symposium 2016, presented by the Center for Strategic and International Studies and the DOJ Computer Crime and Intellectual Property Section. We highlight the key points of her speech. See also “In a Candid Conversation, FBI Director James Comey Discusses Cooperation Among Domestic and International Cybersecurity Law Enforcement Communities (Part Two of Two)” (Jun. 17, 2015).

  • From Vol. 2 No.10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Polices; OCIE Issues Investor Alert” (Sep. 30, 2015).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Regulators Speak Candidly About Cybersecurity Trends, Priorities and Coordination

    Understanding the regulators’ priorities and concerns can help a company work effectively with them to investigate and respond to cybersecurity incidents. In a recent panel at the ABA National Institute on Cybersecurity Litigation, authorities from the DOJ, the SEC, the FCC and the Connecticut Attorney General’s office weighed in about the cyber threat landscape, their agencies’ enforcement priorities, strategies for collaboration (including when and how information shared with the government will remain confidential) and effective incident response. See also “Private and Public Sector Perspectives on Producing Data to the Government” (Jun. 3, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Ten Steps to Minimize Data Privacy and Security Risk and Maximize Compliance

    Increasingly, general counsel, privacy officers and even CEOs are taking on more and more data privacy and security compliance burdens because of the significant legal implications of not just breaches, but failure to comply with a range of privacy and cybersecurity regulations. That applies to international transfers of data as well. In a guest article, Aaron Charfoos, Jonathan Feld and Stephen Tupper, members of Dykema, discuss recent global developments and ten ways companies can ensure compliance with new regulations to increase data security and minimize the risk of enforcement actions. See also “Liability Lessons From Data Breach Enforcement Actions” (Nov. 11, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    So, You Just Got a Letter From the FTC: A Guide for Attorneys (Part Two of Two)

    The receipt of a civil investigative demand from the FTC should not induce panic – a CID is “a vehicle for inquiry and we close far more [cases] than we bring,” Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, said during a panel at the recent IAPP Practical Privacy Series. Along with Mithal, the panel featured private outside counsel experts Stuart Ingis, a partner at Venable, and Hunton & Williams counsel Phyllis Marcus. They provided advice on how to handle a CID, from the first steps through requesting a closed case, including the view from behind the scenes at the FTC. In this second installment of our two-part series, we cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. Part one examined best practices for the first steps to take after receiving the CID, as well as strategies for setting up the client for a successful result. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    So, You Just Got a Letter From the FTC: A Guide for Attorneys (Part One of Two)

    Receiving a civil investigative demand (CID) from the FTC can be nerve-wracking, but there are ways to make the process smoother. During the recent IAPP Practical Privacy Series 2015, a panel of government and private outside counsel experts provided advice on how to respond to written requests and steps companies can take to best position themselves in front of the agency, starting with the first telephone call. The panel featured Maneesha Mithal, FTC Associate Director, Division of Privacy and Identity Protection; Venable partner Stuart Ingis; and Hunton & Williams counsel Phyllis Marcus. Part one in this two-part series examines best practices for first steps after receiving the CID, including the first call with the client and the initial contact with the FTC, as well as strategies for setting up the client for a successful result. Part two will cover the FTC’s perspective on the CID process and how best to prepare for and conduct the meetings with the FTC staff and directors. See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do. Increasingly, the federal agency also has vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate. In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement. This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions in both the cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Investment Adviser Penalized for Weak Cyber Polices; OCIE Issues Investor Alert

    So far, the SEC’s focus on cybersecurity has largely been relegated to providing guidance to registrants and learning about the state of cybersecurity preparedness through focused examinations.  One sign that the SEC will go further and take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc.  The firm suffered a cybersecurity breach that compromised information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle the charges that it violated the Safeguards Rule.  The SEC released a related Investor Alert that offers guidance to individual investors who believe that their personally identifiable information has been compromised.  We provide the highlights.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity

    In its new guidance, “Start with Security,” the Federal Trade Commission is “stating its case why it should be recognized as the preeminent authority in this area,” Stephen Newman, a partner at Stroock, told The Cybersecurity Law Report.  The FTC makes clear in the guidance that it expects companies to put strong cybersecurity practices in place and will hold the companies responsible for lax security measures if a breach does occur.  The guidance also provides valuable compliance advice – it articulates the FTC’s thoughts on how to reduce risk with “fundamentals of sound security” based on “the lessons learned from the more than 50 law enforcement actions the FTC has announced so far.”  We discuss the ten steps the FTC has put forward to enhance cyber compliance, with input from experts.  See “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two of Two)

    Legal and security teams each play a crucial role in cybersecurity and data protection, but working together to understand the most pressing threats and shifting regulatory landscape can be challenging.  In this second article of our two-part series covering a recent panel at Practising Law Institute’s Sixteenth Annual Institute on Privacy and Data Security Law, Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice, and Vincent Liu, a security expert and partner at security consulting firm Bishop Fox, give advice on how to prepare for and respond to a cyber incident and how security and legal teams can effectively work together throughout the process.  The first article in this series discussed the current cyber threat landscape and the relevant laws and rules.

  • From Vol. 1 No.2 (Apr. 22, 2015)

    FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under the FCC’s jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years. 
