No Trespassing: Can Public Websites Ever Be Off Limits?

The concept of trespass may seem strange when it comes to public websites. If visiting a public (not password-protected) site is as simple as clicking on a link from a search engine or typing in a web address, one would think the site is presumptively open to the public, like a park, library, or mall. It’s unclear whether that’s the case. The Ninth Circuit – the federal appellate court with jurisdiction over Silicon Valley and Seattle – passed on this basic question. The court did, however, explain that it can be a crime to access a computer after being instructed not to do so.

Cybersecurity – Global Ransomware Attack is Top of Mind with U.S. Securities Regulator

On Friday, May 12, 2017, governments, businesses and individuals were shocked when a ransomware attack known as WannaCry rapidly spread through cyberspace like a global pandemic. Businesses and individuals in more than 100 countries experienced compromised systems, with ransom demands ranging from $300 to $600. The WannaCry malware infection has a unique method of propagation, targeting the Server Message Block protocol and exploiting known vulnerabilities in Microsoft Windows, which allowed it to rapidly spread like a worm. Ransomware – a form of malware that encrypts critical data and systems with a ransom demand for virtual currency in exchange for encryption release – often is deployed through a weaponized phishing e-mail. The WannaCry attack demonstrates the critical importance of cyber awareness training and system maintenance, including ensuring that anti-virus software is up-to-date, implementing a data back-up and recovery plan, scrutinizing links contained in emails, not opening attachments included in unsolicited emails, downloading software only from sites you know and trust, and enabling automatic patches for your operating system and web browser. Just five days after the WannaCry outbreak, on May 17, 2017, the U.S. Securities and Exchange Commission (SEC) issued a Cybersecurity Ransomware Alert. The SEC emphasized the importance for broker-dealers, investment advisers, and investment companies to review U.S. Department of Homeland Security Guidance. Transparently, the SEC revealed that it recently completed 75 cybersecurity examinations and found deficiencies with cyber-risk assessments, penetration tests, and system maintenance. The SEC emphasized these [...]

Cybersecurity – a Top Operational Risk in FINRA’s 2017 Regulatory and Examination Priorities Letter

In its January 4, 2017 Regulatory and Examination Priorities Letter, FINRA identified cybersecurity as a top priority, stating it is “one of the most significant risks many firms face.” Firms, be prepared: FINRA is expected to execute more cybersecurity examinations than in years past.

Following Intense Industry Criticism, New York Overhauls Cybersecurity Requirements for Financial Services Companies

In response to intense industry criticism, on December 28, 2016, the New York State Department of Financial Services relaxed its approach and announced its updated cybersecurity regulation. The updated cybersecurity regulation is under a 30-day notice and comment period, which expires later this month.

FINRA Imposes Fines Against 12 Firms for Cybersecurity Violations

Today, FINRA fined 12 firms $14.4 million for failing to maintain millions of electronic records in “write once, read many” (WORM) format. FINRA’s recent flurry of enforcement activity is a clear signal that regulators will amplify their focus on firms to ensure the safeguarding of confidential customer data and the integrity of electronic records.

OCC Announces Long-Awaited Fintech Charter Decision

On December 2, 2016, the Office of the Comptroller of the Currency announced that it will be moving forward with considering applications from financial technology (fintech) companies to become special purpose national banks. Jennifer Newton explains what this decision means for fintechs.

FCC Adopts New Consumer Privacy Rules for Internet Service Providers

The ability of internet service providers to track what consumers do online will become more difficult in the years ahead. On October 27, 2016, the Federal Communications Commission (“FCC”) delivered a major victory to internet privacy by adopting new privacy and data security rules that will require telecommunications carriers to take measures to protect the privacy of their customers.

New York Announces Proposed “Groundbreaking” Cybersecurity Regulation for Financial Institutions

The New York Department of Financial Services (the “DFS”) recently announced a wide-reaching proposed cybersecurity regulation for the financial services industry (the “Proposed Regulation”). The Proposed Regulation generally would apply to any institution supervised by the DFS, which ranges from multinational banks and life insurance companies to relatively small money transmitters.

Cybersecurity Programs at Securities Firms under Increasing Scrutiny by the Financial Industry Regulatory Authority (FINRA)

This year, FINRA issued its 2016 Regulatory and Examination Priorities Letter and announced that it would review firms’ approaches to cybersecurity risk management. FINRA will undoubtedly raise intensity on cybersecurity compliance, likely resulting in increased disciplinary actions and sanctions for violations of FINRA and SEC rules. Are firms ready?

Is Your Business Subject to the HITECH Act?

Companies that do business with health care providers may be subject to the HITECH Act and the potential civil and criminal penalties that may be imposed under the Act. In order to avoid and/or mitigate those penalties, it is imperative that companies understand the requirements of the HITECH Act and tailor their policies and procedures to comply with those requirements.