Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with the elevation in operational risk “as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”  The Report also focused on elevated compliance risk associated with bank efforts to “manage money-laundering risks in a complex environment.”

Many of the OCC’s observations and recommendations remained the same from its Fall 2017 report, leaving readers to wonder what will spur less conversation and potentially more action among OCC-supervised banks or concrete guidance by the OCC.  Regardless, a common thread running throughout both reports is the potential risk presented to financial institutions by emerging technologies, which carry the simultaneous blessing and curse of greater business opportunities, but also greater operational and compliance risks. Continue Reading OCC Semiannual Risk Perspective Highlights Cybersecurity, Fraud, Money Laundering Concerns

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide-range on cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.

Continue Reading Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community

The ACC Foundation will be hosting a second webcast on May 1, 2018 at 12:00 EDT to discuss the results of the Foundation’s State of Cybersecurity Report.  You can sign up for the webcast here.

The Report surveyed 600 in-house counsel from around the world on a range of cybersecurity issues including data breach response, information security standards, GDPR preparation, vendor management and cyberinsurance.  The Report provides valuable cybersecurity benchmarking in a range of industries and identifies hot button issues for in-house counsel with responsibility for managing their company’s cybersecurity programs to consider.

The second webcast will focus on how companies interact with law enforcement in the wake of a data breach, trends in the appointment of a DPO under the GDPR, respondents’ views on proposed breach legislation, and gaps in information security programs.

Ballard Spahr served as a sponsor for the Report (as it did in 2015 for the first Report).  Phil Yannella, co-chair of Ballard’s Privacy & Data Security Group, served on the Advisory Board for the Report and will participate in the webcast.

South Dakota (site of Ballard’s newest office) has become the 49th State to enact a data breach notification law.  South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018.  The law will take effect on July 1, 2018.

As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles. Continue Reading South Dakota Enacts Data Breach Notification Law

Mossack Fonseca, the beleaguered law firm at the center of the international Panama Papers scandal, has announced that it is closing its doors.  The firm cited “reputational deterioration” that has caused “irreversible damage.”

Founded in 1977 by Jurgen Mossack and Ramon Fonseca, Mossack Fonseca had been perched at the top of offshore legal services providers until April 2016, when it became ground zero for a global controversy because approximately 11.5 million of the firm’s internal legal and financial documents were leaked to the media. These leaked documents – publicized primarily by the International Consortium of Investigative Journalists (“ICIJ”) – allegedly reveal a global system of undisclosed offshore accounts, money laundering and tax evasion, and how the rich and powerful around the world use shell companies to conceal assets and possible illegal activity.

The incident is the largest publicly disclosed data breach involving a law firm. Following the April 2016 publication of data, founding partner Ramon Fonseca and other public sources claimed that the firm’s network had been compromised by hackers sometime in 2015.  Security researchers and other public sources identified numerous unpatched vulnerabilities in Mossack’s website and email server, which could have been very easily compromised by hackers. Approximately 2.6 terabytes of data – including 4.8 million emails, 3 million database files, and 2.1 million.pdf files – were leaked, including client documents dating back to the 1970s.  Approximately one year after the alleged data theft, ICIJ published the Mossack data and set off numerous investigations into the firm and its clients. Continue Reading “Panama Papers” Law Firm Announces Its Closure Due to Fallout from Massive Data Breach

On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.

Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge. Continue Reading SEC Releases Guidance on Public Company Cybersecurity Disclosures

As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach.  If enacted, Colorado would have the shortest time frame for disclosure in the country. Continue Reading Colorado Legislature Continues to Push Privacy and Data Security Legislation in Wake of Equifax

The SEC Office of Compliance Inspections and Examinations (OCIE) has announced its 2018 examination priorities. Unsurprisingly, cybersecurity remains among the key priorities. OCIE has included cybersecurity as an examination topic since at least 2014.

OCIE released its 2018 priorities to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE conducts the SEC’s National Exam Program (NEP), whose mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy. The results of the NEP’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct. OCIE is responsible for conducting examinations of broker-dealers, investment advisers, transfer agents, and other SEC-regulated entities. Continue Reading SEC Continues to List Cybersecurity Among OCIE Examination Priorities