In light of Veterans Day, there are some recent notable developments regarding the Military Lending Act (MLA) worth discussing. Enacted in 2006, the MLA caps the annual interest rate for an extension of consumer credit to a servicemember and/or their dependents at thirty-six percent, among other protections. The MLA initially applied to a narrow
California Passes Small Business Truth-in-Lending Law
This post originally appeared on our sister publication Consumer FinSights
On September 30, 2018, California enacted the nation’s first small business truth-in-lending law when Governor Jerry Brown signed into law SB 1235. The law aims to protect small businesses from predatory lending practices by requiring increased transparency of certain business-purpose loans marketed to small…
SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds. In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.
Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures.
Caris Healthcare Pays $8.5M to Settle FCA Case
Caris Healthcare, L.P. has entered an agreement with the DOJ in which it has agreed to pay $8.5 million to resolve allegations that it violated the False Claims Act. The qui tam action was filed in the Eastern District of Tennessee by a registered nurse who was formerly an employee of Caris Healthcare.
The former employee…
Mulvaney’s First New Enforcement Action Continues Focus on Asset-Advance Firms
In the latest sign of regulatory scrutiny of asset-advance companies offering consumers what regulators believe are in fact regulated “credit” under federal law and “loans” under state law, the Bureau of Consumer Financial Protection (BCFP) filed its first new lawsuit under Acting Director Mulvaney last Thursday. The complaint, filed in the Central District of California,…
Cybersecurity & Retirement Plans
It seems that most employees and plan participants “think” their retirement money and data are not at risk. This is, in part, because:
- there are few published incidents of breaches or potential hacks;
- there has not been a single legal decision involving a cybersecurity breach and a retirement plan; and
- there is no comprehensive federal regulation that protects qualified retirement plans and service providers.
This blog discusses whether retirement plans are really at risk and, if so, why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.
South Carolina Requires Cybersecurity Program for Insurance Licensees
South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.
On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.
State Regulators Announce Cryptocurrency Crackdown
On May 21, the North American Securities Administrators Association (“NASAA”) announced a massive and coordinated series of enforcement actions by U.S. state and Canadian provincial regulators to combat fraudulent practices involving cryptocurrency-related investment products.
As cryptocurrencies have gained in popularity, companies have increasingly turned to a method known as an initial coin offering (“ICO”) to…
Retailers, Consent and the GDPR: Is Your Business in Breach?
After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.
Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and a violation of the consent requirement is a serious infringement.
No Changes to CFPB This Year
In a statement on Thursday, April 26, a key House Republican on CFPB issues effectively admitted that despite his own efforts and those of the Trump Administration, including Acting CFPB Director Mick Mulvaney, Congress will almost certainly make no changes to the structure of the CFPB this year. As a result, there will probably be…