After many years of signaling potential expansion of cybersecurity rules, the Securities and Exchange Commission (SEC) has issued in the past month two new sets of proposed rules governing cybersecurity.  The more recent set of proposed rules governs the disclosure of unscheduled material cyber events by public companies.  These rules come on the heels of last month’s proposed cybersecurity risk management regulations, which affect registered investment advisers and registered funds.  The new rules for RIAs, in particular, represent a significant expansion of the SEC’s oversight and signal the Commission’s recognition that cybersecurity is a systemic risk to the markets, affecting firms of all sizes.

New Requirements for RIAs

Current SEC rules require SEC-registered investment advisers and registered funds (collectively “Covered Entities”) to implement procedures and policies that address individuals’ privacy and security.  The recently proposed updates would go beyond customer information to address cybersecurity preparedness gaps by regulating advisers’ and funds’ information systems and cybersecurity practices more generally.

The proposal would:

  • Require SEC-registered investment advisers and registered funds to adopt and implement written policies and procedures that are reasonably tailored to address cybersecurity risks;
  • Require SEC-registered investment advisers to report “significant cybersecurity incidents” to the SEC within 48 hours of discovery, including incidents related to the adviser or registered funds or private funds managed by the adviser;
  • Create enhanced adviser and fund disclosure requirements as they relate to cybersecurity risks and significant cybersecurity incidents; and
  • Require SEC-registered investment advisers to create, maintain, and retain certain cybersecurity-related books and records.

Cybersecurity Risk Management Rules. The proposal includes a new rule 206(4) under the Advisers Act and a new rule 38a-2 under the Investment Company Act, which would both require advisers and funds to adopt and implement written procedures and policies reasonably designed to address cybersecurity risks.  The proposed rules would require Covered Entities to conduct and document periodic risk assessments and implement access-minimization controls such as multi-factor authentication.  The proposed rules would also require each Covered Entity to incorporate measures to enhance information protection mechanisms, including oversight of service providers with access to the Covered Entity’s information or systems and contractually requiring those service providers to implement and maintain appropriate information protection mechanisms.  Additionally, the proposal would require Covered Entities to implement detection, mitigation, response, and remediation measures and policies against cybersecurity threats and vulnerabilities.  The rules would also require Covered Entities to conduct an annual review of, and report on, the effectiveness of their cybersecurity policies and procedures.

Reporting of Significant Incidents to the SEC and Enhanced Disclosure Requirements.  The proposal also includes a new rule 204-6 under the Advisers Act that would require SEC-registered investment advisers to report “significant” cybersecurity incidents to the SEC.  The rule would require the entity to electronically report the incident within 48 hours after having a reasonable basis to conclude that a significant cybersecurity incident has occurred.  A “significant” cybersecurity incident—which includes “significant adviser cybersecurity incident” and “significant fund cybersecurity incident”—is a cybersecurity incident or group of related incidents that “significantly disrupts or degrades” the adviser’s or fund’s ability to “maintain critical operations.”  It also includes incidents that lead “to the unauthorized access or use of adviser information” where the access or use results in “substantial harm” to the adviser, a client, or an investor in a private fund whose information was accessed.

Additionally, the proposal would require advisers to disclose cybersecurity risks and significant cybersecurity incidents from the last two fiscal years to their clients and prospective clients. The proposed rules will undergo the notice and comment period, ending April 10, 2022 or 30 days after the proposal is published in the Federal Register, whichever is longer.

SEC Chair Gensler has repeatedly emphasized the significant risk that cyber incidents pose to the operation and integrity of the financial markets, and the SEC’s recent proposed rules are clearly meant to address the risk posed to all market participants.  It is highly likely that we will see additional rulemaking from the SEC in the near future.

On March 1, 2022, the U.S. Department of the Treasury (“Treasury”) published its National Risk Assessment for Money Laundering, Terrorist Financing, and Proliferation Financing (the “NMLRA”), identifying the national threats, vulnerabilities, and risks facing the U.S. financial system.  The NMLRA is 74 pages long and comprehensively covers many different perceived threats and vulnerabilities, including the misuse of legal entities, virtual assets, real estate, investment advisors, and casinos.  This post therefore selects three key issues for closer analysis.

First, cybercrime (a topic we cover frequently) in the form of ransomware received the dubious honor of representing “a larger and growing share of the overall money laundering threat in the United States.”  Second, professional money laundering organizations (“PMLOs”) continue to peddle their illicit services internationally to launder the proceeds of cybercrime, narcotics trafficking, and other schemes on behalf of organized criminal enterprises.  Third, merchants and professionals, such as lawyers, real estate professionals, and financial services employees, continue to perform – knowingly or unknowingly – critical functions in support of money laundering schemes and in obfuscating the source of ill-gotten gains.

Cybercrime

Partly due to the COVID-19 pandemic, cybercrime is on the rise.  Whereas the 2018 NMLRA reported that in 2016, the FBI received 298,728 internet-facilitated fraud complaints totaling over $1.3 billion in losses, in 2020, the FBI received 791,790 complaints totaling over $4.1 billion. As the NMLRA points out, those figures likely significantly underestimate the amount of loss, because only a fraction of cybercrime is reported to the FBI.

Ransomware, as current events suggest, sharply increased in the last year.  Suspicious Activity Report data analyzed by FinCEN revealed not only that the number of reported ransomware incidents increased 42% in the first half of 2021 compared to all of 2020, but that the median ransomware-related payout increased to $100,000.  Part of the surge in ransomware attacks could be attributable to the proliferation of “ransomware-as-a-service,” whereby ransomware developers market and sell their malware to bad actors without the technical know-how to perpetrate the attack themselves.  Additionally, municipalities, hospitals, and other critical infrastructure are now common ransomware targets.

In keeping with OFAC’s September 2021 advisory warning of potential sanctions for paying or facilitating ransomware payments to sanctioned entities (covered here), the NMLRA cautioned that “[t]he U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands, which can be used to finance future attacks or other illicit activity,” and that “[r]ansomware payments may therefore not only fund activities that harm U.S. national security but also risk violating OFAC regulations.”

The NMLRA identified two additional cyber-threats: (1) business email compromise, in which bad actors pose as company officers via email and convince others in the company to transfer money to spoofed accounts; and (2) the compromise and sale of financial information, in which a bad actor harvests consumers’ personal information in large scale and sells it in online black markets to fraudsters.

Professional Money Laundering Organizations

The NMLRA pays special attention to PMLOs – groups that facilitate money laundering on behalf of other criminal enterprises – which continue to proliferate globally.  These entities, for a fee, transport money from illicit activities into the retail banking system or to other individuals or entities.  Two schemes highlight how PMLOs can both co-opt unsuspecting third parties into the money laundering process and operate independently.

The first scheme is money-broker PMLOs, which purchase at a discount illicit proceeds from drug sales.  The money-broker PMLO then acts as an intermediary to exchange and transfer funds across international borders and obfuscate the funds’ sources.  In one example, the money-broker PMLO, in exchange for a commission, allegedly collected drug money in the United States and arranged for a corresponding amount of foreign currency to be transferred to the Drug Trafficking Organization (“DTO”).  As cover, the money-broker PMLO arranged for the delivery of electronics from the United States to Colombia.  This scheme avoided detection at customs because no physical money ever crossed the border.

The second scheme, dubbed Chinese Money Laundering Organizations (“CMLOs”), is a growing, if perhaps idiosyncratic, method by which wealthy Chinese nationals circumvent China’s capital flight restrictions and simultaneously facilitate money laundering on behalf of drug trafficking organizations in Mexico or elsewhere.  For example, a Mexican DTO in the United States will sell dirty dollars to the CMLO, which pays the DTO in pesos.  The CMLO then advertises the dirty money for sale to Chinese nationals via internet bulletin boards or private WeChat forums.  The Chinese nationals buying the dollars circumvent China’s strict limits on exporting capital, and use the dollars to fund their lifestyles in the United States, purchase real estate, or pay school tuition.

The NMLRA describes these PMLOs as purely criminal organizations – they exist solely to provide and launder illicit cash to those that are cash-starved.  Further, the new PMLO trend is the co-opting of an array of third-party professionals.  These professionals’ roles are discussed below.

Complicit Merchants and Professionals

The NMLRA identifies four types of professionals posing a money laundering risk: (1) merchants; (2) attorneys; (3) real estate professionals; and (4) financial services professionals.  We repeatedly have blogged on money laundering concerns regarding third-party professionals, including here, here, and here.

Unlike PMLOs, which the NMLRA considers a “threat,” these professionals represent vulnerabilities to the security of the financial system because they, wittingly or unwittingly, may become “complicit” and “help effectuate . . . money laundering schemes.”  This language is perhaps understated—the NMLRA provides a litany of examples of professionals’ alleged knowing and active engagement in money laundering schemes.  For example, perfume store owners in Texas purportedly accepted loose bulk cash that was described to them as “narco dinero,” and for which the owners did not file the required Form 8300 with the Internal Revenue Service.  In another example, a real estate broker allegedly purchased residences for overseas buyers, knowing that the homes would be used to illegally grow cannabis and taking steps to disguise the source of the funds.

While these cases are clear examples of professionals abusing their positions, the NMLRA’s discussion of an attorney’s “representation” of a narcotics trafficking organization may be the strongest example of a professional service allegedly transforming into criminal assistance.  According to the superseding indictment filed in Baltimore, an attorney received drug proceeds from his client and the client’s associates, then used that money to promote the client’s unlawful business, pay for legal representation for his client’s co-conspirators, and pay himself commission for the laundering activities.

However, the NMLRA’s list regarding a few outlier prosecutions of knowingly complicit professionals does not address a much more difficult issue, which is the degree of due diligence that an average professional should conduct when onboarding a new client (and thereafter).  The vast majority of fact patterns confronting professionals are much less clear and dramatic than the examples set forth in the NMLRA – and what type of KYC steps professionals not directly regulated by the Bank Secrecy Act should take in a given case is often a challenging question.

Continue Reading U.S. Treasury Identifies Ongoing and Emergent Money Laundering Risks and Vulnerabilities

On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities and Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) Cybersecurity Incidents, and (2) Cybersecurity Risk Management, Strategy, and Governance. Continue Reading SEC Proposes New Disclosure Rules for Cyber Incidents

Introduction

Section 230 immunity, which long has protected entities that host online platforms from liability for their users’ actions, may be significantly cut back. Although the U.S. Supreme Court recently declined to hear Doe v. Facebook, which would have given it an opportunity to clarify and/or narrow existing interpretations of Section 230, there are calls from members of Congress to amend the law, in addition to agreement from executive agencies to do so. Section 230 may be amended further to create a duty of reasonable care, particularly with respect to online trafficking and child exploitation. Even in the absence of legislative change, lower courts have begun and may continue to chip away at what previously was considered Section 230’s broad immunity. Continue Reading Trafficking and Child Exploitation Online: The Growing Responsibilities of Online Platforms

Following the lead of California, Colorado, and Virginia, Utah is set to become the fourth state to pass a comprehensive privacy law.

As of March 4, the Utah Consumer Privacy Act (SB 227) cleared both houses of the Utah legislature.  The UCPA closely resembles the Virginia Consumer Data Privacy Act, but with some interesting changes.  The law applies to controllers or processors that do business in Utah, or produce a product or service that is targeted to consumers who are Utah residents; have annual revenue of $25 million or more; and either (a) control or process personal data of 100,000 or more consumers in Utah during a calendar year, or (b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.  The law does not include a private right of action; rather, it will be enforced by the Utah AG.  If signed, the law will go into effect December 31, 2023.

The law would vest consumers with rights such as the right to confirm whether a controller is processing their personal data, access and deletion rights, and opt-out rights. The law would require controllers and processors to provide notice that (1) identifies the categories of personal data processed and the purposes for which they are processed, (2) informs consumers how they may exercise a right, (3) identifies the categories of personal data the controller shares with third parties, and (4) identifies the categories of third parties with whom the controller shares personal data.

The law also includes a 30-day right to cure.  Moreover, the law neither vests the AG with rulemaking authority, nor does it provide consumers the ability to opt out of processing using a global privacy control.

While the Utah law will likely not significantly change compliance requirements for businesses subject to the California, Colorado, or Virginia laws, it will create new obligations for some companies.  It also serves as a reminder that states will continue to take different approaches, expanding the patchwork of varying legal requirements in the privacy field.

On February 3, the Illinois Supreme Court unanimously ruled in McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, that the exclusivity provisions of the Illinois Workers’ Compensation Act (WCA) do not preempt employees’ claims for statutory damages under the Illinois Biometric Information Privacy Act (BIPA).  The decision provides clarity for a number of similar lawsuits stayed in anticipation of the ruling from Illinois’ highest court and eliminates a key defense of defendant-employers hoping to stem the tide of BIPA litigation.

BIPA imposes restrictions on how private entities collect, retain, use, disclose, and destroy biometric identifiers (i.e., fingerprints, retinal or iris scans, voiceprints, or scans of hand or face geometry) or information based on such biometric identifiers used to identify an individual.  Among other obligations, before collecting such biometric data, covered entities must first notify the individual in writing and receive informed written consent via a “written release” of such collection or disclosure.

BIPA suits are often brought against employers who collect biometric data in the form of fingerprint scans, facial recognition software, and voiceprints in connection with timekeeping or security measures without obtaining the necessary consent.  However, in Illinois, the workers’ compensation process generally provides the exclusive means by which an employee can recover against an employer for a work-related injury.  This “exclusivity” requirement means that such injury claims are adjudicated before the Illinois Workers’ Compensation Commission rather than through a court.  Illinois courts have recognized several exceptions to the exclusivity provisions, including where the alleged injury is “not compensable” under the WCA.

In the case at hand, the plaintiff Marquita McDonald alleged that her employer Symphony Bronzeville Park LLC and several related entities violated BIPA by collecting employees’ fingerprints as part of their authentication and timekeeping systems without obtaining informed consent or satisfying other BIPA requirements.  The defendants argued that because the plaintiff’s BIPA claims involve an injury that arose out of and in the course of her employment, the claims were barred by the WCA’s exclusivity provisions, and the issue ultimately made its way to the Illinois Supreme Court.

The Supreme Court sided with the plaintiff, holding that the WCA’s compensation scheme was created to address injuries that affect an employee’s capacity to perform employment-related duties and to provide financial protection for injured workers until they can return to the workforce.  The Court went on to explain that the “personal and societal injuries” allegedly sustained due to a BIPA violation are different in nature and scope from the physical and psychological work injuries that are compensable under the WCA.  Thus, because the plaintiff’s loss of the ability to maintain her privacy rights is not compensable under the WCA, her BIPA claims for statutory damages are not preempted by the WCA.

Although the Court recognized the “substantial potential liability” of class action BIPA lawsuits, it was not swayed by the argument that ruling in the plaintiff’s favor would “expose employers to potentially devastating class actions that can result in financial ruin” and deferred instead to the state legislature to determine “whether a different balance should be struck” under BIPA.

Attention now turns to other cases pending before the state’s highest court that carry further significant implications for employers, including the potential exposure to devastating class actions that could result in financial ruin, especially Cothron v. White Castle System, Inc.  In Cothron, the Seventh Circuit recently certified to the Illinois Supreme Court the question of whether BIPA claims accrue each separate time a defendant collects biometric information in violation of the statute or only at the first instance of collection.  With statutory damages ranging from $1,000 to $5,000 per violation, the ruling will have enormous impacts on employers who have been using biometric data technology with employees, especially if the practices have been occurring for years.

Given the potentially staggering amount of damages resulting from BIPA violations, companies should take care both to reevaluate the biometric data policies and procedures they currently have in place and to perform thorough company audits to determine whether any such collection is taking place that has not been fully considered.

On January 28, 2022 the Consumer Protection Section of the Colorado Attorney General’s Office issued guidance regarding data security best practices.  Businesses subject to the Colorado Privacy Act can look to these best practices as a roadmap for the technical and organizational data security safeguards the law requires businesses to implement.

The guidance instructs covered entities to incorporate the following best practices:

  1. Inventory the types of data collected and establish a system for how to store and manage that data;
  2. Develop a written information security policy;
  3. Adopt a written data incident response plan;
  4. Manage vendor security;
  5. Train employees to prevent and respond to cybersecurity incidents;
  6. Follow the Department of Law’s ransomware guidance to improve cybersecurity and resilience against ransomware and other attacks;
  7. Timely notify victims and the authorities (when required) in the event of a security breach;
  8. Protect individuals affected by a data breach from identity theft and related harms; and
  9. Regularly review and update security policies.

The guidance in its entirety is available here.

While many companies may already follow these practices as part of their data security regime, their publication shows the increased focus on privacy and data security in Colorado in the run-up to the Colorado Privacy Act going into effect in 2023.

2021 proved to be a momentous year for privacy and data security law.  The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety.  Two more U.S. states passed comprehensive data privacy laws in 2021.  The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions.  The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded.  The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.  Continue Reading Predictions for Privacy & Data Security in 2022

As anticipated, the Department of the Treasury’s Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Federal Reserve”), and the Federal Deposit Insurance Corporation (“FDIC”) recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”). This Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic.  It places new reporting requirements on both U.S. banking organizations and bank service providers.  Continue Reading Federal Financial Regulators Tighten Timelines for Reporting Ransomware Attacks

On October 27, the Federal Trade Commission (FTC) announced a final rule (Final Rule) and supplemental notice of proposed rulemaking (NPRM) to amend the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act (GLBA), which requires covered financial institutions to implement certain security safeguards to protect their customers’ financial information against data breaches and cyberattacks. The FTC also issued another rule adopting largely technical revisions to the scope of its Privacy Rule, a separate GLBA rule that requires financial institutions to inform customers about their information-sharing practices and allow customers to opt out of having their information shared with certain third parties. Continue Reading FTC Strengthens GLBA Financial Safeguards and Privacy Rules