The Eighth Circuit held on August 21 that, in the absence of actual injury in a data breach case, “massive class action litigation should be based on more than allegations of worry and inconvenience.” The Court found that no customers of the defendant securities brokerage firm had suffered fraud or identity theft resulting in financial loss from a 2013 data security incident.* Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).
In a decision that is replete with great holdings and quotable language for defendants in data breach litigation, the Eighth Circuit demonstrated that even where constitutional standing is found, plaintiffs will not likely succeed if they can allege no real injury even years after the hack occurred. (more…)
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but also the SEC noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures. (more…)
On June 20, 2017, the New York State Department of Financial Services (“NYDFS”) expanded its set of frequently asked questions (“FAQs”) and answers concerning its recently finalized Cybersecurity Regulations (23 NYCRR 500.01), which set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk. The now 17 questions included in the release address the types of entities that fall within the scope of the Regulations, the notice requirements attending a Cybersecurity Event (as defined in the Regulations), the annual certification requirement, and additional specific elements of the rules. (more…)
On May 23, 2017, the Commodity Futures Trading Commission (CFTC) unanimously approved proposed amendments to the recordkeeping obligations set forth in CFTC Regulation 1.31 (Recordkeeping Rule) which is applicable to all CFTC registered entities and other persons required to maintain records under the Commodity Exchange Act (CEA). The final amendments are intended to modernize the Recordkeeping Rule by making the form and manner in which regulatory records must be kept technology-neutral. The amendments provide recordkeepers with greater flexibility regarding the retention and production of CFTC regulatory records. The CFTC indicated that it does not believe the amendments impose any new recordkeeping requirements on any recordkeeper, and existing recordkeeping methods remain valid for compliance with the amended Recordkeeping Rule should a recordkeeper choose not to take advantage of the less-prescriptive, principles based approach of the amended Recordkeeping Rule. The final amendments also reorganized the Recordkeeping Rule for ease of understanding, including by adopting new definitions. The amendments represent a long-awaited and generally positive modernization of important CFTC rules that have often frustrated market participants. The effective date for the amended Recordkeeping Rule is August 28, 2017. (more…)
The UK is expected to introduce its updated customer due diligence regime with effect from June 26 or shortly thereafter. The changes are wide-ranging and will affect virtually all financial services firms doing business in the UK.
The Government has published a near-final draft of the new legislation. To the extent they’ve not already started, affected firms should be planning for the changes that will be required to their existing policies, procedures and systems.
In this post, we highlight the key issues for financial services firms, and propose a series of action points that they may wish to consider over the next month as they move to implement the new requirements. (more…)
On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows: (more…)
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NY DFS published a revised version of the regulation (on December 28, 2016.)
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.
After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.