CYBER CORNER
SEC SUES TWO OF THE BIGGEST CRYPTO ASSET EXCHANGES IN THE WORLD
In its continuing crusade to bring cryptocurrency under its regulatory scope, the SEC filed actions against two of the largest cryptocurrency exchange platforms (the “Platforms”) in the world for operating unregistered trading platforms in violation of the securities laws. The SEC had previously filed actions against other high-profile cryptocurrency companies for failing to register their services with the SEC.
In its Complaint against the first Platform, the SEC alleged that the first Platform provided securities, brokerage exchange and clearing services to US customers without the requisite licenses and registrations. Further, the cryptocurrency products offered by that Platform constituted "securities" under federal securities law and as such, the Platform should have registered as a national securities exchange with the SEC.
Likewise, the Complaint against the second Platform alleged that it operated as an unregistered securities exchange depriving investors of “signification protections” afforded by the SEC’s disclosure requirements.
Both Platforms responded by criticizing the SEC for failing to provide clarity and guidance to the digital asset industry. The Judge agreed that the SEC’s use of its enforcement powers to regulate cryptocurrency were “inefficient and cumbersome” and ordered the parties to negotiate. An agreement was reached to avoid an asset freeze while ensuring U.S. customer assets remain in the United States and would be accessible only to the first Platform’s U.S. employees.
The Takeaway
If the SEC succeeds in its pursuit, cryptocurrency will be treated as securities and subject to security regulations or be banned from operating in the US.
EUROPEAN COMMISSION’S DECISION ON DATA TRANSFERS CREATES OPPORTUNITIES AND CHALLENGES
The European Commission recently issued an “Adequacy Decision” for the European Union’s Data Privacy Framework with the United States, ruling that the U.S. now offers an adequate level of protection for data transferred from the EU to U.S. under its Data Privacy Framework. This decision follows the White House’s Executive Order enhancing safeguards around American intelligence gathering activities, addressing concerns raised by European Court of Justice in its 2020 ruling known as Schrems II. These new safeguards were meant to limit such activities to what was necessary and proportionate for U.S. national security, and to provide an impartial method for resolving data privacy complaints by European citizens.
The EU’s General Data Protection Regulation (GDPR) has strict requirements around the transfer of personal data from the EU to other countries. Specifically, the non-EU country must have data protection standards that are comparable to those of the EU. As a result of this decision, data can be transferred from any public or private entity in the 27 member states covered by GDPR to U.S. companies participating in the EU-U.S. Data Privacy Framework.
Under this framework, residents of the EU have several new rights, including the right to obtain access to their data, to correct errors in their data, and delete data that has been improperly collected. Additionally, the framework offers a free-of-charge dispute resolution process for individuals who wish to file a complaint. U.S. companies that wish to participate in this framework must commit to complying with a detailed set of privacy obligations. These obligations include limiting the scope of the data collected, specifying the purposes for maintaining such data, and certain requirements around data security and the sharing of information with third parties. The U.S. Department of Commerce will review applications from American businesses for certification under this framework, and compliance will be enforced by the Federal Trade Commission.
The Takeaway
If your business plans to collect data on EU residents, you need to comply with this Data Privacy Framework. A qualified data privacy attorney can review your current practices and make recommendations for certification. Additionally, it is important to secure the broadest possible coverage for regulatory proceedings, especially for fines and penalties where these are insurable by law.
COURTS KEEP THIRD PARTY CLAIMS IN RANSOMWARE CASES ALIVE
Sheffler v. Americold Realty Tr., No. 22-11789, 2023 U.S. App. LEXIS 14458 (11th Cir. June 9, 2023)
Following a recent development covered in June’s issue of Executive Liability Insights, a federal court kept alive another class action brought by workers whose data was compromised following a ransomware attack.
Last month, the same federal court lowered the bar of specificity required for successful complaints by third parties in ransomware cases. Considering the new decision, this court reviewed another class action brought by several employees against their employer (the “Company”) following a ransomware attack that resulted in the exposure of personally identifiable information (“PII”) of its employees.
The lower courts ruled in favor of the Company on its motion to dismiss concluding that the employees’ allegation of negligence lacked specificity as to foreseeability. On appeal, the employees relied on the recent decision from this court noting that the decision created a new, more lenient legal standard for negligence claims following a data breach, and that the Company had failed to address. The employees also pointed out that the lower courts failed to address the substantive aspect of the proposed amendment to their complaint or state that allowing employees to amend their complaint would cause prejudice or undue delays. This court sided with the employees and stated that “the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint and add more specific foreseeability allegations in response to [the Company’s] new motion to dismiss.” As a result, the employees were granted the right to leave to amend their complaint and gained another chance to succeed with their class action.
The Takeaway
This decision shows that courts may be inclined to support third parties, and not businesses, in the claims that follow ransomware attacks. Provided that such litigation can be costly, managing risk and purchasing cyber insurance can be vital for modern businesses that collect
and store PII.