On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.  The order aims to address concerns expressed by the Court of Justice of the European Union (CJEU) in the Schrems II case, in which it ruled the E.U.-U.S. Privacy Shield inadequate as a cross-border transfer mechanism.  The order aims to provide the European Commission with the basis to adopt a new adequacy determination.  In turn, this would restore the legal basis by which cross-border data flows can occur between the U.S. and the E.U., providing greater legal certainty for companies with respect to cross-border data transfers under GDPR.

Executive Requirements

Among other things, the Executive Order requires the following:

  • Further safeguards and consumer protections for US signals intelligence activities, specifically prioritizing targeted (over bulk) collection and restricting agencies’ processing of E.U. personal data to activities necessary and proportionate to advance a national security purpose.
  • A two-tier redress mechanism to address complaints, starting with the agency Civil Liberties Protection Officer (“CLPO”) with review by a newly created and independent Data Protection Review Court established by the Attorney General.
  • Updating of police and procedures by various US Intelligence Community elements, to be reviewed by the Privacy and Civil Liberties Oversight Board (“PCLOB”); and
  • A multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated under the Executive Order, to obtain independent and binding review and redress.

European Union Response

In response to the Executive Order, the European Commission announced it will now prepare a draft adequacy decision and launch adoption procedures, which could take up to six months. The European Commission confirmed that, prior to adopting an adequacy decision, it must obtain an opinion from the European Data Protection Board and receive approval from an EU Member State committee.  In addition, the European Parliament has a right of scrutiny over adequacy decisions.  Finally, the European Commission highlighted that an adequacy decision is not the only tool for international transfers and that all previously approved safeguards in the area of national security will be available for all transfers to the U.S. under the GDPR.

To view the Executive Order, click here.

To view the White House fact sheet, click here.

To view the EU Q&A, click here.

To view the U.S. Attorney General Final rule establishing the Data Protection Review Court, click here.

Yesterday, on August 24, 2022, California Attorney General Rob Bonta (“AG”) announced a settlement with Sephora, Inc., resolving allegations that the company violated the California Consumer Privacy Act (“CCPA”).  The order includes permanent injunctive relief as well as a $1.2 million fine. This action stems from a June 2021 enforcement sweep by the attorney general of large retailers to determine whether they continue to sell personal information when a consumer signals an opt out via the Global Privacy Control (“GPC”), a browser extension used to notify businesses of their privacy preferences, and which acts as a mechanisms that website can use to indicate they support the specification. This action is significant not only because it is the first CCPA enforcement action from the California AG’s office, but also because it hones in on the subject of much debate regarding what constitutes a “sale” of personal information under the CCPA.

Background

According to the AG’s complaint, Sephora installed third-party companies’ tracking software on its website and in its app so that third parties can monitor consumer as they shop. In this case, they would track data such as:

“whether a consumer is using a Macbook or Dell, the brand of eyeliner that a consumer puts in their ‘shopping cart,’ and even the precise location of the consumer. Some of these third party companies curate entire profiles of users who visit Sephora’s website, which the third parties then use for Sephora’s benefit.  The third party might provide detailed analytics information about Sephora’s customers and provide that to Sephora, or offer Sephora the opportunity to purchase online ads targeting specific consumers, such as those who left eyeliner in their shopping cart after leaving Sephora’s website. This data about consumer is frequently kept by companies and used for the benefit of other businesses, without the knowledge or consent of the consumer.”

The AG’s complaint calls the right to opt out as “the hallmark of the CCPA”, and states that if companies make consumer personal information available to third parties and receive a benefit from the arrangement such as in the form of ads targeting specific consumers – they are deemed to be “selling” consumer personal information under the law”, which triggers additional CCPA obligations, such as providing right to opt out and prominently displaying a “Do Not Sell My information” link and mechanisms on the website and mobile app. In contrast, the AG complaint states, Sephora’s privacy policy told consumers that “we do not sell personal information” and failed to provide the link.

At the heart of this enforcement action is whether Sephora engaged in the “sale” of personal information, which is broadly defined in the CCPA as the sharing or exchange of data “for monetary or other valuable consideration.” Other similar state laws define sales more strictly as exchanges for “monetary consideration” only. What constitutes “valuable consideration” in this context has been the subject of much debate since the passage of CCPA, with little guidance until now. According to the AG:

“Sephora allowed the third party companies access to its customers’ online activities in exchange for advertising or analytics services. Sephora knew that these third parties would collect personal information when Sephora installed or allowed the installation of the relevant code on its website or in its app. Sephora also knew that it would receive discounted or higher-quality analytics and other services derived from the data about consumer’s online activities, including the option to target advertisements to customers that had merely browsed for products online.”

Most importantly, but buried in the middle of the AG Complaint, it says “Sephora also did not have valid service provider contracts in place with each third party, which is one exception to ‘sale’ under the CCPA.” Therefore, the AG complaint states, “[a]ll of these transactions were sales under the law.

When Sephora failed to cure within 30 days, the AG entered into a tolling agreement effective September 15, 2021, which led to the filing of the complaint in California Superior court, and ultimately the final order approving the final judgment and permanent injunction on August 24.

Analysis.

The complaint and the final judgment charge Sephora with several categories of violations, including failure to provide notice of sale, failure to honor opt out of sales, failure to provide the “Do Not Sell My Information” link to opt out of sales, and others. But the heart of this case is the statement that Sephora was, indeed, “selling” information as defined by the CCPA. All of the claimed violations – failing to disclose sales of information, failure to provide the “do not sell” link, failure to response to GPC signals opting out of the sale of information – they all stem from the premise that Sephora was, in fact, “selling” the information as defined, for valuable consideration.  The complaint suggests that targeted advertising could be a benefit constituting “valuable consideration”, and alleges that Sephora “gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits”.  But this benefit would be irrelevant if the companies were service providers under the CCPA. Under the CCPA (Cal. Civ. Code 1798.140(v)), a service provider is defined as “a … legal entity … that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.” (emphasis supplied).

I suspect – although it is not clear from the documents – that Sephora may have assumed that it was not selling the information because it had determined the analytics companies fell under the “service provider” exemption. Had Sephora’s assumption been correct, it would not be required to assume all of the obligations they have now been found to have violated. However, in the AG’s words, Sephora “did not have valid service provider contracts” in place with the third parties, and thus did not fall under the service provider exemption. Thus, they were required to abide by the obligations associated with “sales” of personal information, which they did not.

Lessons Learned and Open Questions

Lessons Learned.

For other companies engaged in targeted advertising and analytics, a superficial reading of this settlement might lead to the conclusion that, simply by engaging third party web analytics providers, they must be “selling” data and thus must comply with the heightened “sales” obligations.    However, I believe a more careful reading reveals the true lesson — to make sure you have sufficient contracts in place with your third-party analytics providers that contain the necessary restrictions required by the CCPA (e.g., Cal Civ. Code 1798.140(v); Cal Code Regs. 11.7051) The CPRA adds two nearly identical categories of entities “contractors” and “service providers”, although their definitions are similar. It also includes new contractual requirements for sharing information with a service provider or contractors. By ensuring that sufficient contractual agreements are in place between companies and third-party analytics companies, companies can more assuredly rely on the service provider exemption from the definition of “sales”.

Open Questions.

However, this does beg the question as to what deficiencies may have existed in the arrangements between Sephora and its third-party providers to deem them insufficient and thus “sales” under the CCPA, as determined by the AG.  The AG Complaint states: “Sephora also did not have valid service provider contracts in place with each third party”.  But it is not clear whether the AG means that Sephora did not have contracts in place at all, or whether it did, but such contracts were not “valid”.

It seems doubtful that a large and sophisticated company such as Sephora would have no contract in place at all.  Thus, it may be that either: (a) there were formal contracts in place but they lacked the sufficient terms and conditions required by the CCPA and regulations; or perhaps (b) the company simply created user accounts pursuant to “clickwrap” terms and conditions that either similarly lacked such sufficient terms and conditions, or the nature of such clickwrap terms and conditions were deemed insufficient to be valid contracts by the AG (but see, e.g., B.D. v. Blizzard Entertainment, Inc., 76 Cal. App.5th 931 (March 29, 2022)).

Conclusion

In summary, the first CCPA enforcement action issued by the AG is significant in its own right, but also because it emphasizes the importance of the heightened obligations associated with selling personal information to third parties. It is also important because it raises questions about the important and much-debated topic of what constitutes “valuable consideration” and a “sale” under the CCPA. Although we shall see how many additional enforcement actions the AG takes while rulemaking and enforcement authority transitions to the CPPA under the CPRA, additional interpretations by the AG (as well as their consistency or deviations therefrom from the CPPA) will be informative as to how companies may comply with issues regarding sales of personal information.

To view the AG press release, click here.

To view the AG complaint, click here.

To view the settlement order, click here.

The Department of Justice (“DOJ”), on behalf of the Federal Trade Commission (“FTC”), filed a complaint and motion for entry of a stipulated order with the Northern District of California, which would require Twitter to pay civil penalties and take other corrective actions for their violation of the FTC Act and a previous 2011 FTC Order.  The complaint states that Twitter “represented to users that it collected their telephone numbers and email addresses to secure their accounts, [but] Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences” dating from at least May 2013 to September 2019.  Moreover, the complaint alleges that Twitter’s ‘misrepresentation’ and ‘deceptive’ actions breach the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks.

The proposed order would require Twitter to:

  • Pay a $150 million in civil penalties;
  • Allow users to use alternative multi-factor authentication methods (besides telephone numbers);
  • Refrain from profiting from using collected data in undisclosed manners;
  • Inform users that their information was misused;
  • Establish a privacy and information security program that oversees risks associated with current and existing products;
  • Disclose to the FTC any future data breaches; and
  • Limit employees’ access to user’s personal data.

Twitter is not an outlier.  Instead, it signals an increased focus on privacy enforcement at the state and federal levels going forward.  Many companies may expect fines and penalties for not complying with state, federal, and international data privacy laws.  For instance, California recently updated the California Consumer Privacy Act (“CCPA”) with the passing of Proposition 24, the California Privacy Rights Act (“CPRA”), which added additional consumer privacy rights and created a new state agency, the California Privacy Protection Agency (“CPPA”).  The CPPA recently took over rulemaking authority from the California Attorney General and is beginning the rulemaking process.

Moreover, within the next twelve months, similarly comprehensive state privacy laws in Virginia, Colorado, Utah, and Connecticut will also become effective.  To avoid expensive penalties, companies should consider reviewing their privacy policies and their internal controls surrounding customer’s nonpublic, personal information and customer’s privacy preferences.  Privacy policies should accurately and explicitly reflect current business practices, and most importantly, comply with the upcoming privacy laws.

For more information about current and upcoming privacy laws, and how your company may manage privacy compliance, please contact us.

To view a copy of the DOJ/FTC complaint, click here.

To view the motion and stipulated order, click here.

To view a joint statement issued by FTC Chair Lina Khan and Commissioner Rebecca Kelly Slaughter, click here.

To view a concurring statement issued by FTC Commissioners Christine S. Wilson and Noah Joshua Phillips, click here.

On May 19, 2022, the Federal Trade Commission voted 5-0 to adopt a policy statement regarding increased scrutiny of the Children’s Online Privacy Protection Act (COPPA) violations involving education technology companies.  The statement reaffirmed COPPA provisions around limiting educational technology’s collection, use, retention and security requirements for children’s data. The FTC stated:

“When Congress enacted the [COPPA], it empowered the Commission with tools beyond administering compliance with notice and consent regimes. The Commission’s COPPA authority demands enforcement of meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure. The Commission intends to fully enforce these requirements—including in school and learning settings where parents may feel they lack alternatives.”

The FTC states that the development and proliferation of more sophisticated technologies has raised concerns that businesses might engage in harmful conduct, which led to the FTC’s 2013 revisions to the COPPA Rule, including provisions to hold third party advertising networks liable for collection of children’s personal information from child-directed sites in violation of the Rule and to expand the definition of personal information to include persistent identifiers used to target advertising to children. The FTC further cited online learning devices and services during the COVID-19 pandemic as making concerns about data collection in the educational context “particularly acute.”

In a separate statement, President Joe Biden applauded the FTC, stating that children and families “shouldn’t be forced to accept tracking and surveillance” to access online educational products.  Biden said the FTC “is making it clear that such requirements would violate the [COPPA], and that the agency will be cracking down on companies that persist in exploiting our children to make money.”

The FTC intends to scrutinize compliance with the “full breadth” of the COPPA rules and statute, focusing particular emphasis on:

  • Prohibitions Against Mandatory Collection. Prohibitions against businesses requiring collection of personal information beyond what is reasonably needed for the child to participate in the activity.
  • Use Prohibitions. Restrictions and limitations on how COPPA-covered companies can use children’s personal information, such as for marketing, advertising, or other commercial purposes unrelated to the provision of the school-requested online service.
  • Retention Prohibitions. COPPA-covered companies must not retain personal information longer than reasonably necessary to fulfill the purpose for which it was collected (e.g., for speculative future potential uses).
  • Security Requirements. COPPA-covered companies must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. A COPPA-covered company’s lack of reasonable security can violate COPPA even absent a breach.

The Policy Statement concludes that:

“Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools. Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”

To view the FTC policy statement, click here.

To view President Biden’s statement, click here.

In November 2021, non‑state issued digital assets reached a combined market capitalization of $3 trillion, up from approximately $14 billion in early November 2016.  Several global monetary authorities are exploring, and in some cases introducing, central bank digital currencies (CBDCs).  On March 9, 2022, President Biden issued an executive order to mandate multiple reports and studies by various agencies around digital asset policy and regulation.

Goals of Executive Order

The goals of the order emphasize:

  • Protecting U.S. consumers, investors and businesses
  • Protecting US and global financial stability and mitigating system risk
  • Mitigating illicit finance and national security risks posed by misuse of digital assets
  • Reinforcing US leadership in the global financial system and in technological and economic competitiveness
  • Promoting access to safe and affordable financial services; and
  • Supporting technological advances that promote responsible development and use of digital assets.

Agencies Involved

A number of government agencies are given roles and responsibilities for these efforts, including 13 Cabinet departments (including Treasury, DOJ, State, and Homeland Security), all major financial services regulators, several science and technology offices, economic and policy officials, intelligence agencies, and even agencies such as the Department of Energy (DOE) and the Environmental Protection Agency (EPA).

In addition the breadth of content of such reports vary widely, from considering privacy/consumer protection, to reporting on energy and climate change to creating a framework for international engagement. Each of the over 20 agencies tasked with reports under this order has a role and assignment.

Key Directives of Executive Order

The executive order:

  • Establishes a comprehensive federal framework to ensure the U.S. continues to play a leading role in the innovation and governance of digital assets domestically and abroad.
  • Directs relevant departments and agencies to initiate research into the merits of a U.S. Central Bank Digital Currency (USBDC). This includes agency participation in international efforts and projects; a strategic Federal Reserve plan for potential implementation; and a proposal for dollar CBDC legislation to be developed by the Attorney General in consultation with Treasury and the Federal Reserve.
  • Calls for the development of a plan to mitigate the illicit finance and national security risks posed by the misuse of digital assets. This adds to previous work to align departments and agencies to combat misuse of digital assets enabling the rise and spread of ransomware.

What Is a “Digital Asset”?

The term “digital asset” is defined in the executive order to refer to:

“all CBDCs, regardless of the technology used, and to other representations of value, financial assets and instruments, or claims that are used to make payments or investments, or to transmit or exchange funds or the equivalent thereof, that are issued or represented in digital form through the use of distributed ledger technology.  For example, digital assets include cryptocurrencies, stablecoins, and CBDCs.  Regardless of the label used, a digital asset may be, among other things, a security, a commodity, a derivative, or other financial product.  Digital assets may be exchanged across digital asset trading platforms, including centralized and decentralized finance platforms, or through peer-to-peer technologies.”

While this definition appears to be focused on financial services applications, it is unclear whether such a broad definition intends to cover other aspects of the cryptoverse, such as non-fungible tokens (NFTs) for example.

Timing and Deadlines

The executive order requires an array of reports from various agencies with differing deadlines, ranging from 90 days (e.g., report on intentional law enforcement) to 210 days (e.g., CBDC legislative proposal, financial stability report) including deadlines in between. Other reports have deadlines that are determined based on the submission of other reports.

To view the executive order, click here.

If you have questions about the executive order or a particular task, please contact a member of our Data Privacy and Security Team.

On December 20, 2021, The National Institute of Standards and Technology (NIST) released its draft interagency report 8403 on “Blockchain for Access Control Systems”.  As the report’s abstract states:

“Protecting system resources against unauthorized access is the primary objective of an access control system. As information systems rapidly evolve, the need for advanced access control mechanisms that support decentralization, scalability, and trust – all major challenges for traditional mechanisms – has grown.

Blockchain technology offers high confidence and tamper resistance implemented in a distributed fashion without a central authority, which means that it can be a trustable alternative for enforcing access control policies. This document presents analyses of blockchain access control systems from the perspectives of properties, components, architectures, and model supports, as well as discussions on considerations for implementation.”

This public review also include a call for information on essential patent claims (see page iv of the draft report). For more information regarding inclusion of patents in Information Technology Laboratory (ITL) publications, click here.

The draft NISTIR discusses, among other things: (a) blockchain system component and advantages for access control systems, (b) access control functions of blockchain access control systems; (c) access control model support, and (d) other considerations.

The public comment period lasts from December 20, 2021 through February 7, 2022.

To view the draft report, click here.

Comments, including patent statements from patent holder or their agents, should be emailed to ir8403-comments@nist.gov.

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) approved a new final rule regarding reporting of cyber incidents for U.S. banks and service providers.

Under the new rule, a banking organization must notify its primary federal regulator of “any significant computer security incident” as soon as possible as no later than 36 hours after the organization determines that a cyber incident has occurred.  Notification is required for incidents “that have materially affected – or are reasonably likely to materially affect – the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.”

A “computer-security incident” is defined as an occurrence that: (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

A “notification incident” is defined as a “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair –

  • The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Any business line of a banking organization, including associated operations, series, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
  • Those operations of a banking organization, including associated services, functions, and support, as applicable, the failure or discontinuance of which would post a threat to the financial stability of the United States.

One commenter requested clarification as to whether a “near miss” incident would constitute a computer-security incident under the rule. In response, the rule states, in a footnote:

A “near-miss” incident would constitute a computer-security incident only to the extent that such a “near-miss” results in actual harm to an information system or the information contained within it. Another commenter stated that the definition of “computer-security incident” should be limited to information systems that can cause a “notification incident.” For clarification, the definition of “computer-security incident” includes all occurrences that result in actual harm to an information system or the information contained within it. However, only those computer-security incidents that fall within the definition of “notification incident” are required to be reported. Two commenters advocated for excluding computer-security incidents due to non-security and nonmalicious causes. For clarity, the definition includes incidents from whatever cause.

The final rule also requires that a bank service provider notify its affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that “has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.” The bank service provider would be required to notify at least one bank-designated point of contact at each affected banking organization customer. If the customer has not previously provided a point of contact, such notification shall be mead to the CEO and CIO of the customer or two individuals of comparable responsibilities “through any reasonable means.”

Compliance is required by May 1, 2022.

To view the final rule, click here.

A new bill introduced by the Senate (S. 2666), the “Sanction and Stop Ransomware Act of 2021”, would require a strict 24-hour limit for reporting ransomware payments for businesses with more than 50 employees. The bipartisan bill, put forward by leaders of the Senate Homeland Security and Governmental Affairs Committee, also focuses on critical infrastructure, non-profit organizations, state/local government agencies, regulation of cryptocurrency exchanges, and more.

Specifically, a Federal agency or covered entity that discovers “a ransomware operation that compromises, is reasonably likely to compromise, or otherwise materially affects the performance of a critical function by a Federal agency or covered entity” must report the discovery within 24 hours.  Additionally, a federal agency or covered entity that issues a ransomware payment must submit details of the payment, including the method of payment, the amount, and the recipient.  Reporting shall be done through an established system to the Cybersecurity and Infrastructure Security Agency (CISA). Failure to report risks being subpoenaed and referred to the Department of Justice (DOJ).

Several industry groups have opposed the bill, stating that the 24-hour window is not feasible, and that a 72-hour window is more realistic. (Incidentally, a 72-hour data breach notification is included in the European privacy law, the General Data Protection Regulation (GDPR), which is one of the strictest and comprehensive global privacy laws in the world, and after which the California privacy law (“CCPA”) was modeled.)  Some agencies, including CISA itself, have also spoken out against subpoena power, and would prefer to impose fines instead.

Other legislative proposals, which may be ultimately merged with this one, introduce different measures. For instance, the Cyber Incident Notification Act, introduced by the Senate in July 2021, establishes a similar 24-hour reporting window for any business that supports a national security function.

Other enforcement terms would include barring federal government contractors from the Federal Contracting Schedule if they fail to comply, or penalties of up to 0.5% of gross annual revenue. (GDPR allows fines of up to €10 million or 2% of the company’s global annual revenue, whichever is higher.)

A 24-hour window for reporting ransomware payments could be difficult for covered entities to comply.  Reporting a breach, much less a payment, within 72 hours can be difficult, as sufficient time is needed to determine the nature, scope, and degree of the breach itself. However, this legislation, however, it turns out, underscores the need for companies to have well established incident response plan and reporting procedures in place to act swiftly and decisively in the event of a suspected breach or ransomware attack.

To view the language of the legislation, click here.

Background

Yesterday, on September 22, 2021, the California Privacy Protection Agency (“CPPA”) — the new privacy regulatory agency created by the California Privacy Rights Act of 2020 (“CPRA” or “CCPA 2.0”) — issued an invitation for public comment on its proposed rulemaking.  Such comments “will assist the Agency in developing new regulations, determining whether changes to existing regulations are necessary, and achieving the law’s regulatory objectives in the most effective manner.” Thus, the CPPA invites stakeholders to propose specific language for new regulations or changes to existing ones.

This invitation for comments is not a proposed rulemaking, but an invitation for comment generally as a part of the agency’s preliminary rulemaking activities. Stakeholders will have additional opportunities to comment on any specific proposed rulemaking actions that may be issued in the future.

Topic Areas for Comment

The CPPA’s invitation includes several pages of specific questions, each categorized under the following topic areas:

  1. Processing that Presents a Significant Risk to Consumers’ Privacy or Security: Cybersecurity Audits and Risk Assessments Performed by Businesses
  2. Automated Decisionmaking
  3. Audits Performed by the Agency (CPPA)
  4. Consumers’ Right to Delete, Right to Correct, and Right to Know
  5. Consumers’ Rights to Opt Out of the Selling or Sharing of Their Personal Information and to Limit the Use and Disclosure of their Sensitive Personal Information
  6. Consumers’ Rights to Limit the Use and Disclosure of Sensitive Personal Information
  7. Information to Be Provided In Response to a Consumer Request to Know (Specific Pieces of Information)
  8. Definitions and Categories
  9. Additional Comments
How to Submit Comments

Interested parties must submit comments by Monday, November 8, 2021.  Comments may be submitted via mail or via email to regulations@cppa.ca.gov as specified in the invitation.

To view the invitation for comment and the specific questions listed in the categories above, please click here.

Background

On August 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms in three actions for cybersecurity failures in their policies and procedures that exposed the personal information of thousands of customers at each firm. These firms included: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).  All were registered with the SEC as broker dealers, investment advisory firms, or both. These failures violated Regulation S-P, also known as the Safeguards Rule.

SEC Prioritizes Cybersecurity

This action occurred in the midst of repeated indications from the SEC that cybersecurity is a top priority for them.  On September 14, 2021, SEC Chair Gary Gensler told a Senate Committee that:

“Today’s investors are looking for consistent, comparable, and decision-useful disclosures around climate risk, human capital, and cybersecurity. I’ve asked staff to develop proposals for the Commission’s consideration on these potential disclosures. These proposals will be informed by economic analysis and will be put out to public comment, so that we can have robust public discussion as to what information matters most to investors in these areas.

Companies and investors alike would benefit from clear rules of the road. I believe the SEC should step in when there’s this level of demand for information relevant to investors’ investment decisions.”

Details of Incidents

Alleged details of the incidents are contained in the three orders:

  • Cetera Entities Order. Between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera Entities’ personnel were taken over by unauthorized third parties, exposing personally identifying information (PII) of at least 4,388 customers and clients. None of the accounts were protected in a manner consistent with the Cetera Entities’ policies. The order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.
  • Cambridge Order. Between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, exposing PII of at least 2,177 customers and clients. The order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
  • KMS Order. Between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, exposing the PII of approximately 4,900 KMS customers and clients.  The order finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.

In the SEC’s press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, stated:

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

SEC Findings

The Commission’s orders find that each firm violated Rule 30(a) of Regulation S-P.  The orders also find that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients. Without admitting or denying the findings, each firm has agreed to cease and desist from future violations of these provisions, to be censured, and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.

Lessons Learned

As the SEC continues to prioritize cybersecurity and issue enforcement actions, regulated entities should be taking the time and effort to assess the maturity of their cybersecurity governance and their compliance with the requirements of Regulation S-P. This means:

  • Understanding the information that the entity (and its vendors) process and who has access this data;
  • Protecting data through administrative, physical, technical and other safeguards;
  • Conducting risk assessments to identify those systems and assets warranting enhanced protections;
  • Implementing and testing incident detection and response capabilities and processes; and
  • Assigning clear responsibility for maintenance, periodic review, and updates with respect to the entity’s cybersecurity governance program as well as the information included in initial, annual, and revised privacy notices required to be provided under Regulation S-P.

To view the order against the Cetera Entities, click here.

To view the order against Cambridge, click here.

To view the order against KMS, click here.