RSS Feed LinkedIn Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

SEC Issues Risk Alert on the Cybersecurity Practices of Registered Broker-Dealers, Investment Advisers, and Investment Funds.

Posted on: August 11th, 2017

By: Jennifer Lee


The U.S. Securities and Exchange Commission (“SEC”) is becoming increasingly focused on cybersecurity issues in recent years as data breaches and ransomware attacks become more frequent and wide-spread across all industries. The most recent Risk Alert, issued on August 7, 2016 by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), shows that cybersecurity continues to be a high priority for the SEC in 2017.

The Risk Alert was based on an examination of the cybersecurity policies and practices of 75 broker-dealers, investment advisers, and investment funds over a nine-month period, from September 2015 to June 2016. The examinations focused on firms’ written policies and procedures regarding cybersecurity, including whether such policies were actually implemented and followed.

The 6-page report found that although most firms had cybersecurity policies in place, such policies were often too general and vague, as they did not articulate specific procedures for implementing the policies or examples of how employees can apply the policies in their daily work. In addition, even when firms had specific cybersecurity protocols in place, their actual practices were much more lax and did not reflect their stated policies and procedures. For example, firms often had policies requiring all employees to complete cybersecurity awareness training. However, they did not have a mechanism in place to enforce such requirements. The Risk Alert also pointed out that some firms were using outdated operating systems that were no longer supported by security patches and not taking measures to address the results of any penetrating testing.

In light of the findings, the report listed specific measures firms can take to ensure that their cybersecurity practice are “robust,” including:

  • Creating and maintaining an inventory of data and information, including classification of the risks of the disclosure of each category of data or information and business consequences in the event of such disclosures;
  • Tracking access and requests for access to data and information;
  • Following a regular schedule of system scans and updates, including security patches;
  • Establishing and enforcing controls concerning firm network and equipment, including protocols with respect to personal devices on firm networks; and
  • Requiring mandatory employee training on cybersecurity issues.

Cybersecurity incidents are a growing and costly problem for the financial services industry, and they do not appear to be going away anytime soon. The SEC has picked up on this and has begun to dedicate more resources to cybersecurity enforcement. In fact, last year, the SEC brought charges against Morgan Stanley Smith Barney LLC (“MSSB”) following a data breach involving customer data for failure to adopt written policies and procedures reasonably designed to protect customer records and information. MSSB, a dually registered broker-dealer and investment adviser, settled the matter by agreeing to a censure and a $1 million fine. With the release of the August 7, 2017 Risk Alert, it seems more likely now, more than ever, that firms will be held accountable for cybersecurity incidents, including data breaches and ransomware attacks, if they fail to implement the recommended measures and protocols contained in the Risk Alert.

However, SEC enforcement actions are not the only thing that broker-dealers and investment advisers need to worry about. As the public becomes more aware of cybersecurity issues, data breaches and ransomware incidents will result in the filing of customer claims. This may prove to be problematic as a single incident can affect thousands of customers, so a broker-dealer or an investment adviser may find itself trying to fight off thousands of individual actions or face a handful of actions involving a large number of customers, similar to a class action or a mass tort case.

To reduce the risk of an SEC enforcement action or customer actions based on cybersecurity incidents, broker-dealers and investment advisers should ensure that they are in compliance with SEC regulations and guidelines regarding cybersecurity, including but not limited to Regulation S-P, Exchange Act Rule 13n-6, and Exchange Act Rule 15c3-5—both on paper and in practice. Firms should also proactively implement any recommendations contained in OCIE’s Risk Alerts to the extent that they have not already.

If you have any questions regarding your firm’s compliance with SEC cybersecurity regulations or cybersecurity litigation in general, please contact the writer, Jennifer Lee, at [email protected].

An Exception to Florida Sunshine Laws – Helping Cybersecurity Secrecy

Posted on: August 9th, 2017

By: Jeremy W. Rogers

blogFor the legally uninitiated, in hearing the term “sunshine laws,” it would be easy to misunderstand what exactly that would entail. This is especially so in Florida where tourism boards and state marketing inundate the eyes and ears with all forms of advertising centered on the wonderful weather. Florida is, after all, known as the “Sunshine State.” Even when it rains, you may hear it referred to as “liquid sunshine.” What are sunshine laws, then? Obviously, there is no statute in Florida mandating that sunshine be the order of each day. Sunshine laws are, rather, statutes that govern public access to government records. They exist in a number of states, and are sometimes known as open records laws, public records laws, or FOIA laws (after the federal Freedom of Information Act).

In Florida, there are multiple statute sections covering open access to government records. The openness of records in Florida dates back to the original passage of Chapter 119 in 1909. Over the years, decisional law has interpreted Florida’s sunshine laws very liberally. Any question is answered in favor of openness, while exceptions are construed narrowly. This is particularly true in more recent years as technology has evolved at a tremendous pace. Seemingly every government related document, in any form including electronic, is open to review by anyone who goes through proper channels to obtain it. It is somewhat surprising to many, frankly, just how comprehensive and inclusive Florida’s open records laws are interpreted. They can include the more obvious records, such as official reports, down to the more questionable such as emails or texts, to the more personal such as personnel records. The records do, however, need to relate in some way or fashion to governmental official business, but, again, the laws are interpreted very broadly.

The exceptions to the laws are limited. They do cover, for example, information related to medical records, security, active criminal investigations, and some personal identification records. Importantly, the laws apply to all units of state, county, and local government as well as entities or individuals acting on behalf of any public agency.

The overarching policy of openness belies the necessity for comprehensive and strong security measures to combat and help prevent cyberattacks against government and government-related agencies and agents. As noted above, any independent contractor of a government entity or agency may fall within the definition of an agent working on behalf of a public entity, thus having the sunshine laws apply to its records. One can easily imagine the issues that may arise if records regarding cybersecurity, network breaches, detection methodology, response practices, security audits, etc. were available to the public. This would have the very real potential, and likelihood, of exposing information about vulnerable spots in the state’s or agent’s systems to cyberattackers. Once this information is obtained, there is untold havoc that could be inflicted.

Fortunately, this loophole in the sunshine laws was closed by § 282.318, Florida Statutes which exempts such information and records from Florida’s sunshine laws. This exemption would seem to go against what is the norm for public records in Florida. However, to its credit, the legislature has historically exempted from availability matters that may jeopardize public safety or may negatively affect personal privacy or security. The cyber matters discussed herein certainly fall within those categories. What is somewhat different, however, is that this particular potential loophole was closed proactively rather than reactively. In other words, this was addressed prior to the advent of significant security issues from disclosure under the sunshine laws. This is opposed to changing the laws afterward. These measures will certainly not prevent cyberattacks, but they help to avoid a situation where the key is being handed to them on a platter.

If you have any questions or would like more information, please contact Jeremy W. Rogers at [email protected].

FBI Issues Warning About the Dangers of Internet-Connected Toys

Posted on: July 21st, 2017

By: Jennifer Lee

The FBI is alerting parents to the risks and dangers associated with bringing an internet-connected smart toy into their homes and their children’s lives. Earlier this week, the Bureau’s Internet Crime Complaint Center (IC3) issued a consumer notice regarding internet-connected toys. It urges parents to “consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.”

Internet-connected toys can pose a privacy and cybersecurity threat to families who choose to bring such toys into their home as many of these toys are designed to be interactive and are increasingly incorporating technology that learn and tailor their behavior based on such interactions.

For example, most of these toys can carry a conversation, and in fact, this is one of the selling points of such internet-connected toys like CloudPets and Hello Barbie. But this feature requires a microphone. According to the IC3, it is very possible—and even likely—that the microphones are on all the time, listening to not only children’s chatter, but everything else that is happening in the background in its vicinity. Furthermore, it is also almost certain that the data the toys record get transmitted to a remote server. This is a cause for concern because most parents are unaware of what data is being transmitted, to whom the data is transmitted, or the cybersecurity practices, privacy policies, and data retention policies of its recipient.

Another risk that the IC3 warned parents of is that the personal identifiable information (PII) of their children could be collected in connection with their use of these toys. If the toy maker or the company responsible for collecting and maintaining the information suffers a data breach, such PII —including children’s names, physical addresses, and phone numbers —may be leaked, which could result in identity theft. If the leaked data contains GPS data, it could allow someone to pinpoint the child’s physical location.

The increase in popularity and sales of internet-connected toys and the ubiquity of data breaches pose a new set of potential lawsuits for toy-makers. Whereas before, toy makers mostly worried about product liability claims stemming from alleged manufacturing or design defects, now, toy makers face potential privacy and data breach litigation as well.

In fact, one such lawsuit was already filed against Mattel and ToyTalk for Mattel’s interactive doll, Hello Barbie, in December 2015. The purported class action complaint, filed in Los Angeles County Superior Court, alleged that the defendants did not disclose ToyTalk’s plan to and practice of using children’s conversation data for data mining and other purposes. The complaint further alleged that the defendants did not have sufficient cybersecurity protections in place to fend off attacks from hackers and to prevent them from gaining unauthorized access to the data collected and to the toys themselves, which would allow them to interact with children through the toys without anyone’s knowledge.

Although the Hello Barbie case was dismissed with prejudice at the plaintiff’s request, it is not a one-off situation. Because more and more toys are becoming internet-connected and data breaches are on the rise, a new wave of privacy and data breach lawsuits involving internet-connected toys, especially in the form of class actions, are on the horizon.

To minimize the risk of becoming embroiled in such expensive litigation, makers of internet-connected toys should be intentional about the quality and quantity of data they collect from children to ensure that they only collect data that is absolutely necessary for the proper function of the toy, and if it must collect PII, anonymize any PII collected. In addition, toy makers should audit their privacy policies and data retention policies to confirm compliance with applicable federal and state regulations, such as COPPA. Finally, toy makers should enact and adopt adequate cybersecurity measures and protocols to prevent any unauthorized access to the data collected and to the toys themselves.

If you have any questions regarding privacy and data breach litigation or how your business can be prepared for and respond to a cyberattack, please contact Jennifer Lee at [email protected].


Class Action Lawsuit Filed Against Tempur Sealy and Aptos for Payment Card Data Breach

Posted on: July 12th, 2017

By: Agne Krutules

A putative consumer class action lawsuit arising from a large data breach was recently filed in the U.S. District Court for the Northern District of Georgia against Tempur Sealy International, Inc. and Aptos, Inc.

Tempur Sealy is a mattress, bedding, and pillow retailer based in Lexington, Kentucky. Aptos is based in Atlanta, Georgia, and formerly hosted and maintained Tempur Sealy’s website and online payment system. The complaint alleges that Aptos discovered a data breach involving the theft of customers’ personal information in November 2016. However, after removing the malicious software that caused the data breach in December 2016, the complaint alleges that Aptos waited two months to disclose the breach to its clients, which included Tempur Sealy and 48 other online retailers. In turn, the complaint alleges that Tempur Sealy, after learning about the breach, also waited nearly two months to notify its customers about the data breaches. 

The named plaintiff alleges that the breach compromised her and other Tempur Sealy customers’ name, address, telephone number, payment card account number, and card expiration date. The complaint asserts violations of 49 jurisdictions’ consumer protection laws, 39 jurisdictions’ breach notification laws, as well as causes of action for negligence, breach of implied contract, and unjust enrichment. The complaint alleges that the breach was caused by Aptos’s and Tempur Sealy’s knowing violation of their obligations to abide by best practices and industry security standards in protecting personal information, and requests injunctive relief and various forms of monetary damages.

Neither Aptos nor Tempur Sealy have filed an answer or other response to the complaint, but a motion to dismiss is likely. As we have written about before, although some courts have found standing to exist in payment card data breach cases like this, the majority of courts still find that, absent an actual, tangible harm to the plaintiffs, the mere loss of their credit card information does not result in an injury that gives plaintiffs standing to file a lawsuit because their cards are typically replaced at no cost to them and they are not responsible for any fraudulent charges that may have been made.

For example, the U.S. District Court for the Northern District of Illinois recently dismissed with prejudice a putative consumer class action filed against Barnes & Nobles for the third time. The lawsuit was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. Although the court eventually found that the plaintiffs’ amended complaint sufficiently alleged Article III standing under the U.S. Constitution, it concluded that none of the alleged damages, including injuries stemming from emotional distress, loss of PII value, expended time spent with bank and police employees, used cell phone minutes, inability to use payment cards during the replacement period and the cost of credit monitoring services were cognizable injuries.

For any questions, please contact Agne Krutules at [email protected].

Target Pays Largest Ever Data Breach Settlement

Posted on: June 2nd, 2017

By: Amy C. Bender

Target has agreed to pay $18.5 million to settle claims by almost all 50 states – the largest multistate settlement and largest data breach settlement in history – arising from the 2013 incident where hackers accessed Target’s gateway server through credentials stolen from a third-party vendor and then used malware to acquire personal information from over 40 million credit and debit card accounts and contact information for more than 60 million customers. As part of the settlement, Target is required to adopt a comprehensive information security program, employ an executive to implement the changes, retain an independent third party to conduct a security assessment, and encrypt customer card and personal information, among other measures. Target separately has agreed to pay another $10 million settlement to consumers affected by the breach.

This is yet another cautionary tale of the pitfalls of a business failing to maintain and monitor effective data security measures. FMG’s Cyber team is available to help your organization be prepared for and respond to such an attack.