Enforcement - Federal Agency and State AG Action

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprising, albeit somewhat unusual, the importance of the topic and FINRA’s insights warranted a separate communication.
Continue Reading FINRA Issues 2018 Report on Selected Cybersecurity Practices

In August, the Federal Trade Commission (FTC) approved changes to a video game industry program in an effort to ensure compliance with the Children’s Online Privacy Protection Act (COPPA). This comes after a 2017 study finding that YouTube, the video platform owned by Google, is the most popular online media platform among children, with as many as 80% of children ages 6-12 using it daily. Yet YouTube claims in its Terms of Service that the platform is not intended for anyone under the age of 13, and by agreeing to the terms, consumers affirm that they are indeed at least 13 years old. Users also agree to Google’s privacy policy, which details how Google collects data such as a viewer’s device, location, or phone number, and tailors advertisements and services based on that data.


Continue Reading FTC Under Pressure from Congress to Investigate Violations of Child Privacy Laws

Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements.  Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action.
Continue Reading Preparing for 2020: Check In On Your Vendors

2018 Best Legal Blog Contest - Click to Vote

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds.  In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.

Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures.
Continue Reading SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement

In the matter of LabMD Inc. v. Federal Trade Commission, case number 16-16270, the U.S. Court of Appeals for the Eleventh Circuit ruled against the FTC, finding that the order against LabMD for lax data security measures was not enforceable.

The FTC’s original order against LabMD was due to a 2008 security incident where a LabMD employee downloaded a program which exposed customer information over the internet. Although customer harm was never shown by FTC, in 2016 the agency issued a Final Order against LabMD for unreasonable data security practices. The case was eventually brought before the Eleventh Circuit by LabMD to determine if the alleged failure to implement reasonable data security measures in 2008 was an unfair practice under Section 5(a) of the FTC Act.


Continue Reading FTC’s Loss in the Eleventh Circuit Will Not Impede Data Security Enforcement

This post originally appeared in our sister publication, Subject To Inquiry.

On May 21, the North American Securities Administrators Association (NASAA) announced a massive and coordinated series of enforcement actions by U.S. state and Canadian provincial regulators to combat fraudulent practices involving cryptocurrency-related investment products.

As cryptocurrencies have gained in popularity, companies have increasingly turned to a method known as an initial coin offering (ICO) to raise capital. ICOs, however, are ripe for potential fraud. As the Washington Post has explained, “consumers face higher risks of being misled at a time when the intense demand for bitcoin has prompted many retail investors to take extreme steps to gain exposure to the currency…”


Continue Reading State Regulators Announce Cryptocurrency Crackdown

On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.

This settlement demonstrates that companies in post-data breach environments must engage in a thorough, fulsome analysis of whether to disclose the cybersecurity incident in their

The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.

Tax Return Data

As highlighted in January, the General Assembly this year continued its efforts to address the

U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide reporting requirements for businesses.  However, there are a plethora of reasons it may not make

A “white hat” is an ethical computer hacker who specializes in penetration testing and other testing methodologies to ensure the security of an organization’s information systems. According to the Ethical Hacking Council, “The goal of the ethical hacker is to help the organization take pre-emptive measures against malicious attacks by attacking the system himself