On January 30, 2019, the Office of the New York Attorney General (“NY AG”) and the Office of the Florida Attorney General (“Florida AG”) announced settlements with Devumi LLC and its offshoot companies (“Devumi”), which sold fake social media engagement, such as followers, likes and views, on various social media platforms. According to the NY AG, such social media engagement is fake in that “it purports to reflect the activity and authentic favor of actual people on the platform, when in fact the activity was not generated by actual people and/or does not reflect genuine interest.”

These settlements are the first in the United States to find that selling fake social media engagement constitutes illegal deception and that using stolen social media identities to engage in online activity is illegal. The NY AG emphasized that the New York settlement sends a “clear message that anyone profiting off of deception and impersonation is breaking the law and will be held accountable.”

Uncertainty regarding the compatibility of blockchain technology and the European Union’s General Data Protection Regulation (GDPR) has often been highlighted as a potential obstacle to the development and widespread implementation of blockchain systems involving personal data.

To address tensions between blockchain technology and the GDPR, Commission Nationale de l’Informatique et

In September 2018, the Securities and Exchange Commission (“SEC”) announced that broker-dealer and investment adviser Voya Financial Advisors Inc. (“VFA”) agreed to pay $1,000,000 to settle charges related to alleged failures in its cybersecurity policies and procedures relating to a data breach that compromised the personal information of 5,600 customers.

The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements.

By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (training and monitoring), and 500.15 (encryption of nonpublic information).

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without data breach notification laws. As of July 2018, Alabama will be the

State financial regulators in Colorado and Vermont recently adopted cybersecurity rules that apply to broker-dealers and investment advisers regulated by those states as well as certain other “securities professionals” in Vermont.

The broad definition of “securities professional” in Vermont’s regulation (“any person providing investment-related services in Vermont”) could include entities that do not generally consider themselves to be regulated by Vermont’s financial regulator.

Colorado’s and Vermont’s cybersecurity rules require covered entities to implement certain practices including: authentication practices for employee access (which could include multi-factor or two-factor authentication), procedures for authenticating client instructions received via electronic communication, and an annual cybersecurity risk assessment. Notably, Vermont’s regulation also requires that covered entities maintain cybersecurity insurance and provide identity restoration services in the event of a breach.

In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of