News & Insights


May 29, 2018

Data, Privacy & Security Practice Report – May 29, 2018

Senate Committee Convenes Hearing Regarding Cybersecurity Risks To The Financial Services Industry And Its Preparedness – On May 24, 2018, the U.S. Senate Committee on Banking, Housing, and Urban Affairs (the “Committee”) held a hearing entitled, “Cybersecurity: Risks to the Financial Services Industry and Its Preparedness.”  Witnesses from a wide range of financial sector organizations provided testimony on the threats faced by the financial sector, collaboration and information sharing between the private and government sectors, and public disclosure requirements.

Senator Mike Crapo (R-ID), Chairman of the Committee, opened the hearing by noting as follows: As our society increases its reliance on technology and becomes accustomed to immediate access to information and services from companies, the risk of – and the potential damage caused by – data breaches continually increases. Americans are becoming more aware of the amount of information, including personally identifiable information or PII, that is stored by companies and there is a growing realization that this information can be stolen or misused.”

Senator Sherrod Brown (D-OH), Ranking Member of the Committee, questioned the adequacy of the current baseline of protection for consumer PII and public disclosure of breaches and whether additional controls should be added to the market governing how PII is used by the financial sector. Witness were in general agreement that more needed to be done – and is being done – across the board to address these issues.

Senators Mike Rounds (R-SD) and Heidi Heitkamp (D-ND) discussed the idea of a financial sector “umbrella” or “iron dome” of cyber readiness to serve as a means to deter threats. Senator Rounds offered the Department of Defense Science Board’s February 2017 Task Force on Cyber Deterrence report regarding cyber threats to critical infrastructure that explains an across-the-board need to identify where attacks are originating – whether by individuals, criminal organizations, or other nations. Senator Mark Warner (D-VA) suggested individuals with a security clearance be in place at every large and mid-size institution to facilitate better information sharing between the intelligence community and the financial sector. Witnesses were in agreement that increased collaboration and information sharing between the private sector and the government sector would greatly assist with cyber readiness and resiliency. Senator Catherine Cortez Masto (D-NV) asked for viewpoints on information sharing legislation, noting that she is interested in crafting legislation to promote real-time information sharing among financial institutions. While witnesses also agreed that real-time information sharing is critical, the financial industry generally does not share threats in real time due to confidentiality agreements and privacy requirements. Witnesses further discussed that privacy requirements are invaluable but also prevent industry participants from sharing information that could further protect consumers.

Senator Jack Reed (D-RI) discussed his legislation, S. 536, the Cybersecurity Disclosure Act of 2017, which would direct the Securities and Exchange Commission (“SEC”) to require a registered issuer to disclose in its annual filings whether any member of its governing body possesses cybersecurity expertise. The witnesses agreed that more disclosure should be expected from the financial sector, and that cybersecurity experts are critical to bridging the gap between the technological world and the business world. Senator Doug Jones (D-AL) questioned whether organizations should be rated on their level of cybersecurity risks and how to get this information to investors or into the marketplace. Senator Warner further discussed the lack of requirements to disclose a data breach on an SEC filing and noted that he intends to address this going forward. Witnesses offered that, while many disclosures are required in filings, existing requirements could be augmented and more standards are needed in the industry to assess the cybersecurity risks of financial institutions.

Similar hearings are expected in the near future. Indeed, Chairman Crapo stated that “[t]he collection and use of PII will be a major focus of the Banking Committee moving forward, as there is broad-based interest on the Committee in examining th[e topic].”

Reporter, Julie Crawford, Washington, D.C., +1 202 661 7814,

UK Government Has Six Months To Rewrite Investigatory Powers Act 2016 – The English High Court has held that Part 4 of the Investigatory Powers Act 2016 (the “IPA 2016”)  is incompatible with EU law in the area of criminal justice. Dubbed the “snooper’s charter” by its critics, the IPA 2016 has faced heavy opposition from both inside and outside Parliament. Indeed, it was following a case initiated by members of Parliament (Brexit Secretary, David Davis, and Deputy Labour Leader, Tom Watson) that the European Court of Justice declared that the powers afforded to the UK government under the IPA 2016 to order “general and indiscriminate retention” of emails were illegal in December 2016, less than a month after the IPA 2016 passed into law. Since then, human rights and privacy groups have waged war against the IPA 2016, describing it as “a surveillance law that is more suited to a dictatorship than a democracy” and calling on the public to donate to a crowdfunding campaign to bring the judicial review claim.

Last month’s case is the first part of the legal challenge brought by the human rights group, Liberty, which argues that indiscriminately retaining data under the IPA 2016 violates the UK public’s right to privacy. The case focused on Part 4 which allows the UK government to order private communications companies to store data relating to who their customers call, text, and email, from where, when, and how often, and their internet browsing history. The information can then be accessed by public bodies, such as the police and regulators.

The Court held that, in the area of criminal justice, Part 4 was incompatible with EU law because: (1) it authorises the UK government to issue retention notices with no prior independent checks, such as review by a court or other body, and for the purpose of investigating crime that is not “serious crime”; and (2) subsequent access to any retained data was similarly not subject to any independent authorisation and not limited to the purpose of combating “serious crime.”  The Court decided not to make an order for disapplication, but instead granted a declaration that the relevant sections of the IPA 2016 must be amended by 1 November 2018. The Court declined to rule on whether retaining data for the purposes of protecting health, in tax matters, the regulation of financial services and markets, and for financial stability were lawful, on the grounds that the UK government has already announced plans to amend this part of the legislation. Other parts of Liberty’s challenge which concern provisions of the IPA 2016 relating to hacking, bulk warrants, and bulk personal data, remain to be determined at a later date.

The judgment can be found here.

Reporter, Jessica Trevellick, London, +44 20 7551 7505,

SEC Chairman Encourages ICO Issuers To Contact Agency – On May 22, at a conference of the Financial Industry Regulatory Authority (“FINRA”), U.S. Securities and Exchange Commission (“SEC” or the “Agency”) Chairman Jay Clayton urged digital token issuers to contact the SEC to look into whether their initial coin offerings (“ICO”) are subject to regulation by the Agency.

Since Chairman Clayton undertook his leadership role at the SEC, the Agency has given particular attention to cryptocurrencies and has released several warnings on the topic through statements, an investigative report, and bulletins. According to the Chairman, ICOs should be registered with the SEC and meet certain disclosure regulations. Chairman Clayton articulated at the recent FINRA conference, and in several other instances in his role as Chairman, that he believes the sale of cryptocurrencies triggers these requirements because it represents the sale of a security intended to create a profit for the purchaser. Accordingly, Chairman Clayton indicated that preemptively approaching the SEC prior to a company’s ICO is the best method for ensuring compliance with any applicable SEC guidelines for issuing securities.

In his recent remarks, Chairman Clayton also recollected that a key observation from his first year as Chairman was related to the number of ICOs and the volume of ICO issuers that sought to sell cryptocurrencies without registering them with the SEC. According to the Chairman, this could allow those companies to raise substantial funds without providing the protections to investors that typically accompany an SEC registration.

Unless there is more clarity on cryptocurrency offerings provided by Congress or a guiding court decision, Chairman Clayton stated that the SEC plans to handle ICOs on an individual basis, looking to the particular “facts and circumstances” to determine whether each is subject to SEC regulation.

Reporter, Wintta M. Woldemariam, Washington, D.C., +1 202 626 5502,

Also in The News

The K&S FinTech and Beyond Summit – The K&S FinTech and Beyond Summit will be held on the afternoon of June 14, 2018, at the Palace Hotel in San Francisco.  The Summit is titled “The Regulation of Payments, Cryptocurrencies and the Blockchain,” and will include a dialogue between business, legal, and regulatory stakeholders to examine the opportunities and challenges recent developments in these sectors are presenting to regulatory compliance and product innovation.  Additional details about the upcoming Summit can be found here.