On May 21, the North American Securities Administrators Association (NASAA)—an organization composed of 67 securities regulators within the United States (all fifty states as well as districts and territories), Canada, and Mexico—released a model cybersecurity rule package governing state-registered investment advisers’ cybersecurity and privacy practices. The model rule package, which an individual state would need to adopt for it to become law in that jurisdiction, provides a structure for how state-registered investment advisers must design their information security policies and procedures.
Alexander Madrid
Alex has a broad range of litigation and regulatory experience representing financial institutions and other corporate clients, with a specific focus on representing broker-dealers in regulatory and enforcement actions, arbitration, and litigation.
SEC OCIE Highlights Potential Deficiencies in Firm Privacy Policies
On April 16, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers. Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy. The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems. Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.
Between a Rock and a Hard Place: SEC Disclosure Analysis in Light of Yahoo
On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.
This settlement demonstrates that companies in post-data breach environments must engage in a thorough, fulsome analysis of whether to disclose the cybersecurity incident in their…
Your Credit Card Number’s Been Stolen. Have You Been Injured? Courts’ Answers Continue to Vary
Seemingly not a day goes by without news of another major data breach. In the past few weeks, Yahoo! announced that at least 500 million of its user accounts were stolen in 2014, hot on the heels of Dropbox’s announcement that more than 68 million of its accounts were compromised. Data breach announcements by major…
A Storm Brews: Retailers Push Back Against Payment Card Industry Data Security Standards
As businesses and financial institutions grapple with data security in the wake of high profile breaches, tensions between retailers and the credit card industry over the creation and implementation of security standards appear to be growing. The disagreements between these two groups manifested themselves on June 2, when the National Retail Federation (“NRF”), the world’s…
Vizio and Google Data Privacy Class Actions Illustrate Risks of Data Collection – And Defensive Value of Robust Disclosures
Two recent developments in data privacy litigation highlight the continuing challenges to companies that collect internet usage information without clearly disclosing the manner and method in which they are doing so to users. As these events demonstrate, plaintiffs’ attorneys are aggressively bringing actions against companies that collect user data, including through the invocation of California’s…