On July 7, 2016, Judge Paul A. Magnuson of the United States District Court for the District of Minnesota granted Defendants’ Motions to Dismiss a shareholder class action that had been initiated following a 2013 holiday season data breach involving customers of Target Corporation (“Target,” or “the Company”). The data breach, which resulted in the release of information of approximately 70 million consumer credit and debit cards, made headlines as one of the biggest privacy hacks at the time. Initially disclosed to the public in December 2013, with an estimated 40 million credit and debit cards affected, Target subsequently revealed a little less than a month later that additional consumer data, including customers’ names, mailing addresses, phone numbers and email addresses, were also stolen, and increased its initial estimate to 110 million.
For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signal’s the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company, R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”), to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.