Recent Developments in Cybersecurity Enforcement

By Neil Bloomfield and Lindsey Frye.  This is the first in a series of updates on the status of regulation and enforcement in the context of cybersecurity-related issues.  Regulation and liability in the context of a cyber attack present complex questions.  The easy target is the individual or organization that committed the attack—the criminal hacker.  Unfortunately, the easy target is often beyond the jurisdiction of U.S. courts, and even when it is not, it lacks the resources to provide a meaningful recovery.  The secondary targets, which have become the focus of litigation, legislation, regulation, and enforcement actions, are the institutions that have been attacked.  Essentially, the direct victims of the attack are asked to compensate other victims or pay fines because they failed to prevent criminal activity.

This complexity continues when attempting to identify the victims.  If we are going to treat the companies that are attacked as culpable parties, then the remaining victims are the individuals whose information was held by the hacked company.  These individuals, however, often have difficulty demonstrating traditional markers of harm: while hundreds of thousands, if not millions, of records may have been stolen, most individuals experience no adverse action, and any potential harm, such as false charges on a credit card, is rarely paid by these victims themselves.

Against this complex backdrop, we will provide updates on legislative and regulatory developments, enforcement actions, and civil litigation dealing with cybersecurity breaches.

Who Will Lead Government Enforcement Remains Unclear

In its first nine months, the Trump administration’s cybersecurity focus has been preventative, not prosecutorial, in nature.  The President and certain regulatory agencies have shown awareness of the threat and are taking active steps to bolster the nation’s cyber infrastructure.

In May of 2017, President Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The order directs agency heads to institute uniform standards for managing cybersecurity risk.  Firms working with the federal government will also be expected to maintain similar cybersecurity protocols.  Trump’s FY2018 budget includes proposals to increase cybersecurity funding at the Department of Homeland Security ($1.5 billion) and the FBI ($41.5 million). And in May, the House of Representatives passed the Strengthening State and Local Cyber Crime Fighting Act of 2017.  The bill is designed to enable the National Computer Forensics Institute to assist state and local authorities in investigating cybercrimes. 

No federal agency has yet been given clear jurisdiction over cybersecurity events.  Prior to the Trump administration, the Federal Trade Commission (FTC) had been the leading enforcement agency for cybersecurity breaches. The FTC uses its authority under Section 5 of the FTC Act to exercise jurisdiction over cyberattacks and cyber breaches, asserting “unfair” cybersecurity practice claims against institutions that have been hacked.  The FTC’s jurisdiction went largely unquestioned until it was challenged by Wyndham Hotels.  The Third Circuit upheld the FTC’s authority in 2015, but an additional challenge to the FTC’s authority brought by LabMD is currently on appeal in the 11th Circuit.

In March 2016, the Consumer Financial Protection Bureau (CFPB) issued its first cyber-related enforcement action, in a move some thought indicated the CFPB’s intent to take the lead in the cyber space. But there have been no enforcement actions since, and considering Trump’s stated intention to overhaul Dodd-Frank, the future of the CFPB is unclear. Trump’s proposed budget significantly limited the CFPB’s 2018 funding, and Senate Republicans have long advocated for the firing of the CFPB’s director, Richard Cordray.

The new co-directors of the Securities and Exchange Commission’s (SEC) Division of Enforcement have both publicly referenced the cyber risk facing the markets.  On August 7, the SEC issued a risk alert highlighting cybersecurity observations from examinations of 75 firms.  The report identified issues in policies and procedures, including lack of enforcement and insufficient system maintenance.

State authorities are also seeking to fill the void in cybersecurity enforcement.  In March of this year, the New York Department of Financial Services (DFS) announced new cybersecurity requirements for financial services companies.  The regulations require covered entities to establish and maintain a cybersecurity program, have a written cybersecurity policy, and establish and periodically review an access privilege protocol.  August 28, 2017 marked the end of the 180-day transition period by which covered entities were required to be in compliance with the requirements.  Also, as of August 28, entities covered by the DFS cybersecurity regulation must provide 72-hour notice to DFS of any cybersecurity event.

Civil Litigation Remains Focused on Standing

The Supreme Court’s May 2016 decision in Spokeo, Inc. v. Robins addressed whether a violation of a statutory right is sufficient to satisfy the standing requirement of “injury in fact.”  The Court ruled that a “bare, procedural violation, divorced from any concrete harm” will not grant standing.  Data breach actions include claims for violations of state statutes and claims arising under common law.   Spokeo does provide some guidance to data breach claims brought under state statutes, but does not solve the larger question of whether the threat of future harm meets the concreteness requirement. To date, the Supreme Court has not squarely addressed the specific issue of standing outside of the statutory violation context.

As a result, a circuit split persists on the question of standing for class action data breach plaintiffs.  The First, Third, and Fourth Circuits have found that an increased risk of future identity theft does not satisfy Article III standing requirements.  The Sixth, Seventh, and Ninth Circuits have found that this potential future harm does.    

Institutions continue to face significant exposure in civil litigation.  In June of this year, Anthem agreed to settle litigation over its 2015 hack for $155 million, which will be the largest ever settlement for a data breach if approved by the court.  In July, Ruby Corporation, the owners of the Ashley Madison website, agreed to pay $11.2 million to settle two dozen lawsuits as a result of a 2015 incident involving as many as 37 million members’ personal identifying information being exposed online.

Looking Forward

Cyberattacks continue to be a topic of significant interest for regulators, prosecutors, and class action attorneys.  This interest is only going to increase as breaches become more frequent and larger in scale such as the recently disclosed hack at credit reporting firm Equifax, which announced that data on 143 million U.S. customers was obtained in a breach discovered on July 29. We will continue to bring you updates as government authorities, companies, and courts struggle with these complex issues. 

About Neil Bloomfield

Neil Bloomfield has more than a decade of experience advising major financial institutions and other highly regulated entities in responding to government investigations, including responding to global investigations into LIBOR and other reference rates, foreign exchange trading, and the allegations raised by the Panama Papers.  He also frequently advises clients as they implement programs to comply with regulatory requirements, including requirements created by Recovery and Resolution Planning and CCAR.
