Cybersecurity continues to be “top-of-mind” for the Securities and Exchange Commission (SEC). That point could not have been made clearer than in the comments and remarks made during the annual “SEC Speaks” conference in Washington, D.C. on February 23 and 24. Read more for a full summary of the conference, including the SEC’s discussion of cybersecurity-related risk and incident disclosures, the Enforcement Division’s formation of a Cyber Unit in the fall of 2017, and the SEC’s increased emphasis on the need for insider trading policies that address the impact of cyber events.
Data is igniting a global, technological revolution. Increased collection, use, storage, and transfer of data have shifted the paradigm of innovation – and created a global security problem. Fortune 500 companies with large quantities of data, cities with vulnerable infrastructure, and every institution in between must manage that risk without encumbering progress or technological advancement. To do so, they turn to Aravind Swaminathan, Global Co-chair of Orrick’s internationally recognized Cyber, Privacy & Data Innovation team.
As a strategic cybersecurity advisor, Aravind collaborates with his clients to proactively plan for a crisis and develop strategies to protect their business and brand. He guides everyone from large public company financial institutions to start-up technology companies to critical infrastructure providers through incidents, and develops business- and brand-centric tactics to mitigate and manage risk. He has directed more than 150 cybersecurity and data breach investigations, including those with national security implications. With extensive trial and litigation experience, he also defends his clients when cyber, privacy, and payments issues lead to regulatory investigations by the SEC, DOJ, FTC, and state Attorneys General and other litigation, including class action litigation and shareholder derivative suits.
Aravind’s background as an Assistant United States Attorney in the Computer Hacking and Intellectual Property Section gives him a first-hand understanding of federal agencies that allows him to swiftly navigate the system, partner with investigators and find creative solutions for his clients. As a federal cybercrime prosecutor, Aravind investigated and prosecuted a broad array of cybercrime cases, including hacking, phishing, trade secrets theft, click fraud, cyber threats, and identity theft. Aravind also led the cybercrime outreach program, where he worked with members of the Department of Justice, state and federal regulators, law enforcement and other organizations on cybersecurity and related privacy issues.
Aravind is a sought-after speaker by Boards of Directors and industry professionals on cybersecurity issues, including threat landscapes, incident response plans, compliance, and brand/reputational risk management.
Cybersecurity and Privacy Matters
- Represented computer hardware manufacturer in security breach affecting credit card information, and ensuing state and federal investigations
- Represented information security professionals in litigation and investigations in connection with large data breaches
- Represented major contracting company in national security-related cybersecurity breach that compromised industrial control systems
- Represented enterprise software and information solutions company in breach of credit card and login/password information
- Represented IT management software company compromised by botnet that leveraged managed endpoints to mine for digital currency
- Represented digital currency security company in phishing attack directed at senior management that resulted in extortionate hacker threats
- Represented major city in connection with compromise of personal information of utility customers and citizens
- Represented industrial supply company in compromise of usernames and passwords for business to business customers
- Represented non-profit institutions in investigation of compromised Social Security information affecting their members and employees
- Directed cybersecurity assessments and planned remediation efforts for technology, financial services, and other companies
- Advised networking infrastructure company in developing technical global privacy compliance strategy
- Counseled companies in cybersecurity incident response planning, and facilitated tabletop exercises
- Advised boards of directors on corporate governance responsibilities relating to cybersecurity and data privacy
Privacy/Cybersecurity Class Action Litigation
- Represented major retailers in class action litigation alleging deceptive trade practices in connection with gift cards
- Represented payment processor in litigation with acquiring bank and ISO in connection with processing of credit card transactions
- Represented application and software company in spyware and consumer protection investigation by Washington State Attorney General
- Represented company in data breach class action litigation affecting tens of thousands of employees' Social Security numbers and tax information
- Represented numerous companies in class action litigation brought under the Telephone Consumer Protection Act
- Represented information solutions company against claims asserted under the Electronic Communications Privacy Act
- Served as General Counsel to Washington State Governor Jay Inslee's task force on drone legislation
- Served as member of City of Seattle Privacy Advisory Committee
White Collar and Investigation Matters
- Represented one of the nation's largest independent automobile dealerships in federal money laundering and tax investigation resulting in favorable non-prosecution agreement for individual company owners
- Represented individual in government procurement and false statements investigation and prosecution
- Represented healthcare provider in negligent homicide investigation
- Represented large healthcare provider and leading pharmaceutical company in separate false claims investigations by Washington State Attorney General
- Represented pharmacy chain in DEA diversion investigation
- Represented Japanese individuals in Department of Justice and Securities and Exchange Commission investigation arising out of cross-border healthcare receivables investment company
- Represented environmental technology solutions company in federal criminal grant fraud investigation, resulting in no charges brought
- Represented Hong Kong-based national in Foreign Corrupt Practices Act investigation
- Led internal investigation at public technology company into allegations of Wiretap Act and Washington State Recording Act violations
Posts by: Aravind Swaminathan
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade points to proactive steps that organizations should consider taking to mitigate post-breach litigation exposure.
This week, a high profile plaintiffs’ firm (Edelson) stated that “if done right,” the data breach class actions against Equifax should yield more than $1 billion in cash going directly to more than 143 million consumers (i.e., roughly $7 per person).
No defendant to date has paid anything close to $1 billion. In fact, the largest class settlements in breach cases hardly get close: Target Stores paid $10 million (cash reimbursement for actual losses) and The Home Depot paid $13 million (cash reimbursement for actual losses + credit monitoring). Will Equifax be different?
Part of the answer revolves around the increasingly debated role and importance of “consumer harm” in resolving data breach disputes.
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and Social Security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under the HIPAA and GLBA statutory regimes.
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new and complex data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization.
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out prescriptive, one-size-fits-all requirements, the final Rules align more closely with flexible federal financial-sector guidance, captured in the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items, and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the steps in the full post may help to prioritize and implement a work plan.
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D‑Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.
We at Trust Anchor have our ears to the ground. Here are some of the most important things we heard regulators, courts, and legislatures say about cybersecurity in 2016, and what they mean for you and your organization.
There is no such thing as compliance with the NIST Cybersecurity Framework (FTC). In September, the FTC dispelled a commonly held misconception regarding the NIST Framework: It “is not, and isn’t intended to be, a standard or checklist. . . . there’s really no such thing as ‘complying with the Framework.'” The Framework provides guidance on process. It does not prescribe the specific practices that must be implemented. Rather, the NIST Framework lays out a risk-based approach to assessment and mitigation that is “fully consistent” with the concept of “reasonableness” embedded in the FTC’s Section 5 enforcement record. Takeaway: Organizations should consider using the NIST Framework—or another framework—to guide their cybersecurity investments and program development. Use of the NIST Framework alone does not signal that an organization is secure.
States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.
Expanded Definition of “Personal Information”
Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017), joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.
For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS Rule”) and went into effect on October 21, 2016. The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base (“DIB Rule”) and went into effect on November 3, 2016.
We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.