Practicing Law Securely — Current Developments

Cybersecurity initiatives by the SEC and FTC deserve attention. Organizations must put security measures in place to avoid non-compliance and data exposure.

19 October 2015

Recent initiatives by the SEC and the FTC on cybersecurity deserve attention.

On September 15, the Office of Compliance Inspections and Examinations (OCIE) of the SEC issued a Risk Alert “to provide additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls.” The OCIE’s examination of the securities industry will include “firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.”

Outside counsel for the securities industry can be expected to be included within the range of those concerns. In the OCIE audits, securities firms may need to provide “Sample documents or notices required of third-party vendors, such as those required prior to any significant changes to the third-party vendors’ systems, components, or services that could potentially have security impacts to the firm and the firm’s data containing [personally identifiable information].”

The Third Circuit Court of Appeals held that the Federal Trade Commission may sue on the theory that poor cybersecurity is an unfair or deceptive trade practice under the Federal Trade Commission Act of 1914. Federal Trade Commission v. Wyndham Worldwide Corporation, et al. Wyndham’s privacy policy, as stated on its website, included this statement:

We safeguard our Customers’ personally identifiable information by using industry standard practices. Although “guaranteed security” does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such [i]nformation consistent with all applicable laws and regulations. Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc.

Wyndham suffered three cybersecurity attacks with loss of data from over 600,000 accounts. The FTC alleged that despite the claims of the policy, “Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.” The FTC sought injunctive relief to stop the allegedly deceptive practices and unspecified damages. The complaint referenced at least $10.6 million in fraud losses, plus additional damages to customers to resolve fraudulent credit issues.

Whether or not this initiative by the FTC represents over-regulation, it indicates that cyberbreaches can result in significant exposure.

On the other side of the litigation front, several class actions have been filed against the United States Office of Personnel Management (OPM) and KeyPoint Government Solutions for the massive breach of personal information from OPM, including ones filed by Labaton Sucharow on behalf of all affected employees and one filed by Girard Gibbs on behalf of the American Federation of Government Employees. The breach compromised information affecting up to 18 million federal job applicants. The lawsuits do not specify the amount of monetary damages sought.

Organizations need to put the proper security measures in place now to avoid risking non-compliance and data exposure. Continue to look here for monthly posts on current developments.

Robert L. Blacksberg Esq.

Bob’s experience spans more than two decades of technology leadership for lawyers, following a law practice that included partnerships at two Philadelphia law firms. Bob is principal of Blacksberg Associates, LLC and leads engagements with law firms in strategic technology planning and implementation, creates and delivers CLE training programs, and works with leading technology vendors to explain, promote and train leading-edge technology products for lawyers. An author and speaker, Bob has appeared at the International Legal Technology Association (ILTA) conference and on ILTA Roadshows.