Companies that face non-public government investigations frequently confront challenging questions regarding whether and when to disclose the existence of the investigation, how much to disclose, and any duty to update the disclosure as the investigation proceeds. On the one hand, regulatory investigations are generally confidential and it is axiomatic that the existence of an investigation does not reflect a conclusion of wrongdoing. The premature disclosure of what may turn out to be a baseless investigation (perhaps instigated by a person with a grudge or self-interest) can needlessly cause internal disruption, complicate an internal investigation, unnecessarily alarm current shareholders, and – … Read more
On September 25, 2017, the U.S. Securities and Exchange Commission (“SEC” or the “Commission”) announced the creation of a Cyber Unit within the Enforcement Division in order to further the Division’s “substantial expertise in the detection and pursuit of fraudulent conduct in an increasingly technological and data-driven landscape.”1 Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.”2
In the six months since the Cyber Unit was launched, cybersecurity has remained at the forefront of the SEC’s priorities, repeatedly … Read more
On January 30, 2018, the U.S. Securities and Exchange Commission (SEC) announced that it had obtained an order from a U.S. District Court in Dallas, Texas, halting an allegedly fraudulent initial coin offering scheme. The SEC’s complaint alleges that defendants AriseBank and AriseBank founders Jared Rice Sr. and Stanley Ford violated the anti-fraud and registration provisions of the U.S. federal securities laws, including by falsely claiming that AriseBank’s customers’ accounts and transactions were FDIC insured, falsely claiming that AriseBank’s customers could spend 700 different virtual currencies using AriseBank’s Visa card, and failing to disclose the criminal history of two … Read more
Over the last year, the existential risk posed by cyberattacks and data security vulnerabilities has become one of the top concerns for boards of directors, management, government agencies, and the public. 2017 was punctuated by a series of headline-grabbing breaches affecting scores of companies and hundreds of millions of individuals. At the same time, there were fast-moving changes in the regulatory landscape as regulators across the globe tried to respond to the systemic threats and protect their constituents, while not imposing crippling costs on businesses. Of particular note, the New York Department of Financial Services (“DFS”) cybersecurity regulations went into … Read more
In late May, Target Corporation (“Target”) reached an $18.5 million settlement with the Attorneys General (“AGs”) of 47 states and the District of Columbia, resolving the AGs’ investigation into Target’s 2013 data security breach. Target, like other victims of cyber breaches, has faced intense regulatory inquiries based on the incident, along with extensive civil litigation by consumers, shareholders, and financial institutions.
Target’s multistate settlement with regulators – the largest such data breach settlement to date – brings the total amount paid by the company to settle legal claims arising out of the breach to over $130 million, including settlements paid … Read more