Customer information has become an increasingly valuable business asset.  And, the volume and detail of other available information about consumers has increased along with it, well beyond mere customer names and addresses to preferences, purchasing history, and online activity.  This means that when a business is sold, customer information is often sold along with it.  But careful diligence is required in handling this intangible asset, and the recent settlement in the RadioShack bankruptcy case is instructive.

First CAN-SPAM Jury Conviction

On January 12, 2007, Jeffrey Brett Goodin became the first person convicted by a jury of violating the CAN-SPAM Act of 2003. Using several compromised Earthlink accounts, Goodin perpetrated a phishing scheme by sending thousands of e-mails to America Online Users and requesting personal and credit card information. He and others then used that information to make unauthorized charges on his victims’ credit cards. Goodin is scheduled to be sentenced in the Central District on June 11. He faces up to 101 years in prison.

Repurposing old laws to challenge new technologies has become the new normal in the privacy space. Plaintiffs continue to bring a kaleidoscope of privacy claims against companies in the tech age, reviving laws like the California Invasion of Privacy Act of 1994 (“CIPA”), Video Privacy Protection Act (“VPPA”), Telephone Consumer Protection Act (“TCPA”), Pennsylvania Wiretapping and Electronic Surveillance Control Act, and Arizona Telephone, Utility, and Communication Service Records Act.

In September 2018, the Securities and Exchange Commission (“SEC”) announced that broker-dealer and investment adviser Voya Financial Advisors Inc. (“VFA”) agreed to pay $1,000,000 to settle charges related to alleged failures in its cybersecurity policies and procedures relating to a data breach that compromised the personal information of 5,600 customers.

The dream of hack-proof communication just got a little closer to reality. On August 16, 2016, China launched the world’s first “quantum satellite,” a project the Chinese government hopes will enable it to build a communication system incapable of being hacked. Such a system, if perfected, would allow for encrypted communications between any two devices with absolute certainty that the encryption could not be broken, and with a built-in mechanism for alerting the sender/receiver if someone tried.

Results from the SEC’s First Round of Cybersecurity Examinations. On February 3, 2015, the OCIE published a risk alert summarizing its findings from its examinations of over 100 registered investment advisers and broker-dealers. The examinations were conducted as part of the OCIE’s cybersecurity examination initiative, announced in April 2014, to assess cybersecurity preparedness in the securities industry and gather information on common practices and trends among registered firms. The OCIE interviewed key personnel and reviewed documents at 49 registered investment advisers and 57 registered broker-dealers. The OCIE’s findings focused on how registered investment advisers and broker-dealers:

  • Identify cybersecurity risks;
  • Establish cybersecurity policies, procedures and oversight processes;
  • Protect their networks and information;
  • Identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors; and
  • Detect and handle unauthorized activities and other cyber-attacks.