The U.S. Securities and Exchange Commission’s focus on cybersecurity continues in its most recent effort to modernize financial privacy rules and emphasize transparency between SEC-regulated entities who suffer from a cyber breach and the individuals impacted by the breach. The SEC’s latest proposals focus on registrants including broker-dealers, investment advisors, and investment companies, and seek to impose cyberbreach disclosure requirements similar to those the SEC previously proposed for public companies.

On March 15, 2023, the SEC proposed amendments to current data privacy rules that would require covered firms to adopt written policies and procedures for incident response programs. Under the proposed amendments, such policies and procedures must address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The proposed changes would come through amendments to rules under Regulation S-P.

Regulation S-P currently requires covered registrants to notify customers about how they use their financial information, but it does not require them to notify customers about breaches. The proposed amendments would also ensure that breaches are properly identified, and that sensitive customer data is monitored to determine whether it was accessed.

In announcing the proposed amendments, Chairman Gensler explained that investors would benefit from a financial privacy rule “more modern than the AOL era.” Continue Reading Highlighting Enforcement Focus on Cybersecurity, SEC Proposes New Disclosure & Incident Response Rules

The Supreme Court of the United States will decide an issue impacting charging decisions in criminal cases involving technology and where those cases are tried. Specifically, the Supreme Court will decide whether criminal defendants may be retried after they are convicted in the wrong “venue,” i.e., the location where the trial took place. This constitutional venue requirement—and the Supreme Court’s ultimate decision on the remedy for violating it—will influence future cases involving technology, where defendants, victims, servers, and resources used to commit the crime are often in different states or even nations.

In the case at issue, the defendant allegedly hacked into a company’s website, obtained certain trade secrets, and offered to sell those trade secrets through various posts on social media. As with many crimes involving technology today, numerous locations were involved: the defendant remained entirely within the Southern District of Alabama, the victim-company was in the Northern District of Florida, and the victim-company’s hacked servers were in the Middle District of Florida. But where to conduct the trial? Based on the location of the victim-company’s headquarters, the government decided (incorrectly) to indict the defendant in the Northern District of Florida, on three counts: violation of the Computer Fraud and Abuse Act, theft of trade secrets, and extortion. At the end of trial, the jury convicted the defendant of the latter two counts.

On appeal, the U.S. Court of Appeals for the Eleventh Circuit held that for the trade-secrets conviction “venue was not proper in the Northern District of Florida because [the defendant] never committed any essential conduct in that location.” To remedy this violation, the court had two options: (1) vacate the conviction, allowing the defendant to be retried in a (supposedly) proper forum, or (2) acquit the defendant of his conviction in the improper forum, which would bar his retrial in another forum under the U.S. Constitution’s Double Jeopardy Clause that prohibits giving “the government . . . a second chance at prosecution.” The 11th Circuit chose the first option, endorsing a remedy that effectively allows the government, when it chooses the wrong venue, to retry a defendant in  the correct venue.Continue Reading Venue Misstep Shows Complexity of Prosecuting Cybercrime: Supreme Court to Weigh In

On May 9, 2018, the Fourth Circuit Court of Appeals issued an opinion in United States v. Kolsuz, holding that the Fourth Amendment requires individualized suspicion for forensic searches of cell phones seized at the border.

In so holding, the Fourth Circuit provides important clarification about how the Fourth Amendment applies to border searches of electronic devices. But, both in the Fourth Circuit and in jurisdictions across the country, critical questions remain unanswered about the scope of the Fourth Amendment in this context.

Source: ACLU.org

The Decision

In United States v. Kolsuz, federal customs agents found firearm parts in the checked luggage of an airport traveler and then detained him as he was attempting to board an international flight. Subsequently, and without a warrant, agents seized his cell phone and “subjected it to a month-long, off-site forensic analysis, yielding a nearly 900-page report cataloging the phone’s data.” Based in part on this information, the traveler was eventually convicted of, among other things, attempting to smuggle firearms out of the country.

On appeal of his conviction, the traveler challenged the denial of his motion to suppress the forensic analysis of his cell phone as a violation of his Fourth Amendment rights.

In addressing the issue, the Fourth Circuit acknowledged that government agents may perform “routine” searches at international borders, or their functional equivalents, without a warrant or individualized suspicion consistent with the Fourth Amendment. But, the Court recognized that even at the border certain “non-routine,” “highly intrusive” searches require individualized suspicion.

Ultimately, the court held that forensic searches of digital devices, like the one at issue in that case, qualify as such “non-routine” searches and are thus prohibited absent some level of individualized suspicion.

The Court’s holding was based, in part, upon its determination that forensic analysis of a digital device can “reveal an unparalleled breadth” of “private,” “sensitive” information. It was also based on the Supreme Court’s 2014 decision in Riley v. California, which recognized the strong privacy interests associated with electronic devices. There, the Supreme Court held that a warrant is required to search a cell phone seized incident to arrest because of the private, extensive information contained on such devices.

Notably, however, the Fourth Circuit did not decide whether the requisite level of suspicion for such forensic searches is reasonable suspicion, or something more (like a warrant supported by probable cause). It also had no occasion to decide the requisite level of suspicion for officers to conduct “manual” searches, where agents review the content of electronic devices without the help of forensic technology.

Other Case Law, Open Questions
Continue Reading Courts Continue to Grapple with Border Searches of Electronic Devices: Fourth Circuit Rules Forensic Searches Require Individualized Suspicion

The air of uncertainty was palpable as current and former members of the U.S. Securities and Exchange Commission’s (SEC) Division of Enforcement spoke at the Securities Regulation Institute’s 44th Annual Conference in Coronado, California earlier this week.  Important questions went largely unanswered about the impact of the recent resignations of both SEC Chair Mary Jo White and Enforcement Director Andrew J. Ceresney, and the future direction of the enforcement program under the new presidential administration and proposed SEC Chair Jay Clayton.  SEC Enforcement staff in attendance steered clear of prognostications, and instead used the conference as an opportunity to reiterate the agency’s ongoing enforcement initiatives and successes from the past year.
Continue Reading Uncertainty Looms Over SEC Enforcement Staff

Technician replacing the screen of a used smartphone

At various times over the last several years, the DOJ has pushed for updates to the Electronic Communications Privacy Act (ECPA) that would include greater access to encrypted information stored on electronic devices. This week, FBI Director James Comey once again pressed for changes that would provide law enforcement with greater access to encrypted data,

U.S. companies of all sizes in recent months have lost millions of dollars to a simple yet highly effective and increasingly common cyber scam.  Dubbed the ‘‘business email compromise’’ by federal investigators, the scam is prevalent among companies with foreign suppliers or frequent financial wire transfers. In this Client Update, we summarize how the

Last week, DOJ’s Assistant Attorney General Leslie Caldwell took to the Justice Department’s blog to rally support behind recent White House proposals that would bolster law enforcement tools for prosecuting those who create, sell or advertise malicious “spyware.”  Spyware refers to software that allows users to surreptitiously intercept communications on their victims’ electronic devices such as smartphones and computers.  Although prosecutors in the Eastern Division of Virginia recently brought criminal charges against a spyware seller—a case DOJ characterized as the first of its kind—Caldwell states that prosecutorial efforts have been hamstrung by an inability to seize criminal proceeds resulting from sales of spyware, as well as an inability to utilize money laundering charges to go after those who transfer funds across multiple overseas accounts in order to conceal profits from criminal spyware sales.  
Continue Reading Call to Arms from White House and DOJ on Spyware Sanctions

Recent high profile cyberattacks and data breaches like those suffered by Sony Pictures Entertainment and Target Corporation have prompted many companies to begin reevaluating their own vulnerabilities.  Target’s 2013 data breach alone resulted in more than 80 lawsuits and investigations by state and federal agencies, including State Attorneys General, the Federal Trade Commission and the Securities and Exchange Commission.  Given the heightened enforcement environment, companies assessing their data-breach response readiness should also have a basic understanding of the various tools that governmental entities can use to investigate data breaches, including the ability to access electronic company data stored by third parties.
Continue Reading Government Investigations in the Wake of Data Breaches

The U.S. Judicial Conference recently received public comments on proposed amendments to Federal Rule of Criminal Procedure 41 (the “Rule”), which would enlarge DOJ’s ability to remotely access, search, and seize electronically stored information (“ESI”).  Under the current Rule, a magistrate judge’s authority to issue warrants is limited to persons or property located within the district where the court sits, with few narrow exceptions.  Given the Rule’s territorial limit, DOJ has faced barriers in investigating and prosecuting Internet-based crimes where the computer’s location was unknown because of anonymizing tools, or where media and ESI were located in multiple districts or in the Cloud.

Under the proposed Rule, a magistrate judge would be authorized to issue warrants permitting the government to “use remote access to search electronic storage media and seize or copy electronically stored information located within or outside” the district where the court sits, in two possible scenarios.  One of these scenarios is DOJ investigations under the Computer Fraud and Abuse Act where the media to be searched are computers protected under the statute that are located in five or more districts.  The second scenario is where the location of the media or information has been “concealed through technological means.”  In these scenarios, the proposed Rule would allow the government to obtain warrants authorizing it to hack into computers and access ESI saved virtually anywhere in the United States, including in the Cloud.Continue Reading Expanded warrants to let DOJ remotely search and seize electronically stored information saved anywhere?