FINRA Prioritizes Cryptocurrency Regulation in 2018

Last week, I posted a blog about the SEC’s increased focus on cryptocurrency and ICOs in the coming year.  It looks like that scrutiny will not be limited to the SEC.  In its 2018 Annual Regulatory and Examination Priorities Letter, the Financial Industry Regulatory Authority (FINRA) confirmed that Initial Coin Offerings (ICOs) and cryptocurrencies will be among its priorities.  FINRA is not a government agency but a self-regulatory organization (SRO), like NASDAQ or the New York Stock Exchange, which is “dedicated to investor protection and market integrity through effective and efficient regulation of broker-dealers.”  And while FINRA is not a government regulator like the SEC, it still writes and enforces rules that govern the activities of broker-dealers.  In the priorities letter, FINRA vows to “closely monitor developments in this area, including the role firms and registered representatives may play in effecting transactions in such assets and ICOs.”

The increased attention is noteworthy, but FINRA’s concern with cryptocurrency is hardly new.  Until now, FINRA had restricted its efforts to cautioning investors about the perils of cryptocurrencies and ICOs, most recently in an alert warning of cryptocurrency-based scams.  Given the market’s enthusiasm for cryptocurrency, the organization’s decision to make it an examination priority is not surprising.

This follows an international trend of increased government regulation of cryptocurrency.  Chinese officials have announced plans to limit cryptocurrency trading, and South Korea made a similar announcement last month.  So far, India has only issued warnings about the possible risks of trading in cryptocurrency, likening it to a Ponzi scheme.  Needless to say, this is a very active and volatile industry that regulators are trying to better understand and monitor.  Many speculate that the prospect of increased government regulation is to blame for the recent 20% plunge in Cboe bitcoin futures.  True or not, one thing is certain for 2018: regulators and other government agencies will be paying close attention to this industry.

SEC Cyber Unit Increases Efforts to Regulate Cryptocurrency

Based on how 2017 ended, entities and individuals in the cryptocurrency markets should expect increased scrutiny from the United States Securities and Exchange Commission (“SEC”) in 2018.  The SEC’s Cyber Unit commenced its first action on December 1, 2017, filing a complaint against defendants PlexCorps and individuals Dominic Lacroix and Sabrina Paradis-Royer.  The SEC’s suit was an emergency stop action, seeking to prevent the Defendants from “further misappropriating investor funds illegally raised through the fraudulent and unregistered offer and sale of securities” called “PlexCoin” or “PlexCoin Tokens” in a purported “Initial Coin Offering” or “ICO.”  On Monday, December 4, 2017, the SEC announced that it successfully obtained an emergency asset freeze to halt the defendants’ ICO.

An ICO, according to Investopedia, is “[a]n unregulated means by which funds are raised for a new cryptocurrency venture” and which “is used by startups to bypass the rigorous and regulated capital-raising process required by venture capitalists or banks.”

The Cyber Unit was announced on September 25, 2017, as a new initiative to “build on [the SEC’s] Enforcement Division’s ongoing efforts to address cyber-based threats and protect retail investors.”  The Cyber Unit was created to “focus on targeting cyber-related misconduct and the establishment of a retail strategy task force that will implement initiatives that directly affect retail investors…”

The Cyber Unit’s first complaint and emergency asset freeze came less than three months into its existence.  But the SEC had, for months before the Cyber Unit’s creation, expressed concern with ICOs, taking the position that the virtual coins, or tokens, offered in an ICO may, “depending on the facts and circumstances” of the ICO, be securities that are “subject to the federal securities laws.”  The Cyber Unit’s first action coincides with a surge in cryptocurrency’s acceptance.

Later in December, the SEC suspended trading in shares of The Crypto Co., a California digital currency-oriented tech firm that had seen a major stock price surge in the previous month.  The reason given for the suspension was the SEC’s “concerns regarding the accuracy and adequacy of information in the marketplace…”  Considering this industry is in its infancy and dramatic stock swings appear to be commonplace, it would not be surprising to see similar actions taken by the SEC in the coming year.

Given the Cyber Unit’s first action against PlexCorps, and the suspension of trading in The Crypto Co., it seems obvious that ICOs and cryptocurrency in general can no longer be considered “unregulated.”

The SEC Gets Hacked: What Now?

It was recently revealed that the Securities and Exchange Commission’s (“SEC”) EDGAR database, which is used by public companies to file official documents, was breached.  According to the SEC, trading off of that hacked information may have reaped millions of dollars for the hackers.  While discovering a hack is always startling for a private company, it is downright embarrassing for a government agency that purports to monitor cybersecurity.  As a result, the hack may have long-term impacts on the SEC’s role as a cybersecurity regulator and any litigation it may bring on this topic.

We have recently blogged about statements made by officials at the SEC concerning its plans to police this area.  The statements have been somewhat inconsistent.  At times, the SEC has indicated that it would bring enforcement actions against public companies for failures to make accurate cybersecurity disclosures.  At other times, officials have indicated they would take a more hands-off, company-friendly approach.

How will the SEC respond in the wake of its own data breach?  Currently, there remains a mishmash of rules and regulations governing cybersecurity and data breaches, and no clear leader of the enforcement charge.  No federal regulator has yet stepped forward to firmly take the reins, although the Federal Communications Commission has filed some litigation, and at least one court has affirmed the Federal Trade Commission’s power to impose liability on companies that fail to implement reasonable security measures.  In light of the current breach, the SEC could be gun shy about taking the lead.  However, in time, we expect that the SEC will use this breach as the impetus for playing a bigger role, i.e., claiming that it understands this area better than any other public agency.  As any target of an SEC investigation can attest, the SEC feels strongly about its cybersecurity mission.

But, and it is a big but, the SEC’s credibility has undoubtedly been undermined by this breach, which may impact the SEC’s ability to pursue defendants going forward.  Targeted defendants may point to the SEC’s own data breach to bolster their defense.  What better guiding point to set the standard of care in this area than the SEC itself?  Usually, one of the most difficult aspects of litigating against a government agency is putting that agency on trial.  However, that problem decreases significantly when the government agency sues someone for the exact same wrong that it itself suffered.  Expect interesting evidentiary and discovery challenges as parties try to attack the SEC with this breach.

A Review of the OMB Guidelines Issued to Federal Agencies for Reporting Requirements to Congress That Redefined What Constitutes a “Major” Cybersecurity Incident

With the growing threat of cyberattacks, we thought it would be worthwhile to discuss a late 2016 change in reporting requirements for federal agencies that have suffered a data breach.  The Office of Management and Budget’s (OMB) Memorandum 17-05, issued November 4, 2016, significantly redefined what constitutes a “major” cybersecurity incident that would require federal agencies to notify Congress under the Federal Information Security Modernization Act of 2014 (FISMA).  Agencies are required to notify appropriate Congressional Committees of a “Major Incident” no later than seven days after the date on which the agency determines that it has a “reasonable basis” to conclude that a “Major Incident” has occurred.

Previously, OMB Memorandum 16-03, issued on October 30, 2015, defined a “Major Incident” as one which:

1) Involves information that is classified or otherwise protected under certain categories; and

2) Is not recoverable or not reasonably recoverable within a specified amount of time or is recoverable only with supplemental resources; or

3) Has a high or medium functional impact to the mission of an agency; or

4) Involves exfiltration, modification, deletion or unauthorized access to either:

a) 10,000 or more records or users; or

b) any record of special importance.

The 2015 Guidelines enumerated a number of “factors” which would contribute to the determination of whether a breach would constitute a “Major Incident”.  However, this only led to confusion and uncertainty as to when an incident should properly be classified as “Major.”

In an apparent attempt to reduce the level of uncertainty, the 2016 Guidelines now define a “Major Incident” as:

Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. 

OMB did not provide guidance as to how an agency should determine whether an incident is likely to “result in demonstrable harm.”  However, the new Guidelines encourage agencies to reference the Department of Homeland Security’s United States Computer Emergency Readiness Team’s (DHS US-CERT) National Cybersecurity Incident Scoring System (NCISS), and other U.S. government publications, which use the following factors:

  • Functional Impact;
  • Observed Activity;
  • Location of Observed Activity on the network;
  • Actor Characterization;
  • Information Impact: the type of information lost, compromised, or corrupted;
  • Recoverability;
  • Cross-Sector Dependency; and
  • Potential Impact.

The new Guidelines also provide that an incident will be considered “Major” when there is the “unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals’ PII . . ..”  While there is some uncertainty, the 100,000 threshold is apparently to be considered in conjunction with the “demonstrable harm” analysis, rather than as a stand-alone test, to determine if an incident is “Major.”

There are a few interesting takeaways from the 2016 Guidelines.  First, it is interesting that OMB concluded that it was necessary to revise the 2015 guidelines, as Memorandum 16-03 had been released only a year earlier.  Second, the new Guidelines increased the threshold for affected user records from 10,000 to 100,000.  OMB likely recognized that some breaches could affect thousands of records, and the smaller threshold might have triggered reporting to Congress for incidents that truly were not “Major.”  Finally, in an effort to clarify the standards for a “Major Incident,” the new Guidelines rely on an undefined term – “demonstrable harm” – and a list of factors, just like the earlier Guidelines.  That is some indication that there is no clear and easy way to determine whether a data breach is “Major.”  Hopefully, these changes will provide some clarity for federal agencies and their employees in the long run, but we are left to wait and see if that will be the case.

Two Court Rulings Show Coverage Difficulties for “Fake President” Fraud

A few weeks back, the Insurance Recovery report posted a blog about the difficulty obtaining insurance coverage for “fake president” fraud, which is also known as business e-mail compromise, or social engineering fraud.   Two courts have recently reached opposite holdings on this exact topic, which highlight the difficulty policyholders face when they have been victimized by Fake President Fraud.

The policyholder-favorable ruling came from a federal district court in New York, where the judge found coverage for this type of fraud under a crime policy issued by Federal Insurance Company.  Medidata Solutions, Inc. v. Federal Ins. Co., Case No. 15-CV-907 (S.D.N.Y. July 21, 2017), Docket No. 32.  The case was typical of fake president fraud.  In 2014, a fraudster imitating the president of Medidata Solutions, Inc. directed an employee in the accounts payable department to wire money overseas for a company acquisition.  The e-mail carried the president’s e-mail address and picture, and copied a fake attorney.  The employee performed some degree of due diligence, corresponding with the fake attorney by e-mail and phone before wiring the money.  Nonetheless, that employee ultimately wired $4.8 million to a fraudulent account.  Fortunately, the company discovered the fraud before a request to wire another $4.8 million was completed.  Medidata sought coverage under its Federal Insurance Company crime policy, but Federal denied the claim.  Medidata filed suit in February 2015.

The scope of coverage under the policy turned on a computer fraud provision in the crime policy that covered losses resulting from the “fraudulent entry” or change of data in the policyholder’s computer system.  The question then arose: was this a fraudulent entry?  Some courts had previously determined that fake president fraud does not result in a fraudulent entry or act because the company employee voluntarily makes those changes (although at the direction of a fraudulent actor).  Here, though, Judge Andrew Carter Jr. disagreed, holding that the entry was indeed fraudulent because the fraudster used computer code to alter a series of e-mail messages so that they appeared to originate from the company’s president.  In that regard, Judge Carter followed the decision in Universal American Corp. v. National Union Fire Ins. Co. of Pittsburgh, Pa., which found such entries to be fraudulent because they violated the integrity of the computer system.  To Judge Carter, it seemed implausible that one would ever find coverage under the narrow view other courts have taken, because it would require the fraudster to break into the computer system and wire the money himself.

But then yesterday, a Michigan District Court reached the exact opposite ruling in American Tooling Center Inc. v. Travelers Casualty and Surety Co., Case No. 5:16-cv-12108, 2017 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017).  There, the fraudster sent e-mails posing as a vendor of the Michigan-based company, asking that payments due under a contract between the parties be forwarded to it.  The company sent the money, only to discover that the money was lost forever.  American Tooling Center sought coverage under its Travelers crime policy on the ground that the loss constituted computer fraud, but Travelers denied the claim, arguing that there was not a “direct loss” that was “directly caused by” the use of a computer.

The relevant policy definition defined computer fraud as the use of “any computer” to “fraudulently cause” a “direct loss” by money transfer.  American Tooling and Travelers obviously disagreed about those terms, but the Judge found in favor of Travelers because the term “direct loss” was synonymous with an immediate loss, and there were intervening steps between the fraudulent e-mails and the wiring of money.  In short, the Michigan court would require the exact thing – a fraudster hacking into the computer and sending the money directly – that the New York court found implausible.

What are the major takeaways from these rulings?  First, it is always critical to carefully review the language in insurance policies.  The American Tooling Center court distinguished the ruling in Medidata by contrasting the policy language, because the Medidata policy did not include the term “direct loss” in its definition of fraud.  To many people, that would be a minor distinction.  But to the Michigan court it meant the difference between coverage and no coverage.  We believe that the Medidata court reached the proper holding, that the Michigan court should have followed suit, and that Judge Carter was right that requiring the fraudster himself to perform the transfer before computer fraud coverage applies is too draconian.  And because rulings on this subject have come down all over the place, policyholders that frequently conduct transfers via computer should consider contacting insurance professionals, be it an attorney to interpret the policy, or a broker to determine whether there might be a policy endorsement available specifically aimed at this type of event.

The Remedy for the New Cyber Threat Posing Major Coverage Problems: “Fake President” E-mails

In the last few weeks, we have seen yet another widespread ransomware attack that hit nearly one hundred companies around the world.  It reminded me of a recent request from a client, made just after news broke of the WannaCry ransomware attacks, to review its insurance portfolio to confirm that it was covered for ransomware attack.   The client had that coverage, but I noticed that there was a gaping hole in the policy for another type of common attack that goes by a variety of names – business e-mail compromise, social engineering fraud, and fake president fraud.  What is critical for companies to understand, and few do, is that they must purchase a specific endorsement to obtain this kind of coverage.

These types of attacks are as much identity fraud as they are a cyberattack.  In these kinds of cases, an impostor will pose as a high ranking executive at a company, and command a lower level employee via email to wire money to a client or vendor account.  The employee, so diligently trained to follow orders, will then complete the transaction, unwittingly transferring company funds into a fake account.  After all, what employee would question the company’s CEO, CFO, President, or other superior?

This crime poses significant challenges from a coverage perspective.  The act does not fit cleanly within the typical first party coverages included in cyber policies – it isn’t a data breach, in which information is stolen or compromised and needs to be repaired, and it isn’t a ransomware attack, in which a company has its business shut down.  These types of attacks also aren’t covered by modern crime policies because the action taken – the wiring of money by an employee – is voluntary.  There is no extortion, and, in the insurer’s view, no money is stolen; it is handed over.

Courts recently confronted with these situations have routinely denied coverage.  One example can be seen in Aqua Star (USA) Corp. v. Travelers Cas. & Sur. Co. of Am., No. C14-1368RSL, 2016 U.S. Dist. LEXIS 88985 (W.D. Wash. July 8, 2016).  There, a hacker impersonating a vendor of the policyholder directed an employee to change the bank account for future payments to that vendor.  The employee dutifully did so, and the policyholder lost over $700,000 when money was wired to the fraudster’s account.  The crime policy covered computer fraud, but contained an exclusion for “loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System.”  Travelers denied coverage because the employee had authorization to input the new bank information to the account, and the District Court agreed, finding that the loss – the transfer of money to the new account – indirectly resulted from the inputting of the new bank information.

In Taylor & Lieberman v. Fed. Ins. Co., 2017 U.S. App. LEXIS 4205 (9th Cir. Mar. 9, 2017), the Ninth Circuit was faced with a similar situation.  There, an accounting firm handled payments and transfers for its clients.  An impostor took control of a client’s e-mail account and sent multiple wire payment instructions to the accounting firm.  The employee wired the money, and did not discover the fraud until the third request to wire money.  The accounting firm sought coverage under its crime policy, which provided coverage for “direct loss sustained by an Insured.”  The Court denied coverage because it determined the accounting firm was seeking recovery for third party losses – those of its clients – and not its own.  That the company might have to indemnify that client for the fraudulent payments was immaterial.

Fortunately, not all cases end with an insurer victory.  But the uncertainty of these results raises the question: how do you insure for these attacks?  The answer is a policy endorsement targeted at these types of attacks.  It is usually added to a company’s crime policy, and will include language such as “the Company will reimburse the Insured for Loss sustained by the Insured Person as a direct or indirect result of Business E-mail Compromise.”  The policy will then define Business E-mail Compromise, and within that definition it should include reference to coverage for voluntary actions of the insured (who is wiring money under false pretenses).  The policy limits for these endorsements tend to be lower than those of the policy to which they are attached, but any coverage an insured can obtain for this kind of fraud is better than none.

There are a few important takeaways on this issue.  First, check your insurance policies for language that may suggest coverage in this area, and read the language closely.  You will want to make sure your company is covered when money is sent by employees as a result of fraud.  If you do not see such language, ask your broker to get you options to add this endorsement to one of your policies.  Second, confirm that the policy endorsement you obtain is broad enough to subsume the acts you are seeking to cover.  The worst case scenario would be purchasing an endorsement that fails to cover the fraudulent actions for which you are hoping to obtain insurance.  Finally, train your employees for these types of situations.  A simple 30 minute training on how to identify tells that reveal these schemes may help your company avoid hundreds of thousands of dollars in losses by avoiding this situation altogether.
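The “tells” that training should teach employees to spot are largely visible in the message headers themselves: an executive’s display name on an address that is not theirs, a Reply-To that routes answers to a different domain, a lookalike of the company’s own domain, or a free webmail sender, combined with wire instructions wrapped in urgency and secrecy.  The following is an added example, not code from this post or from any of the courts or insurers discussed above; the company domain (example.com), the executive list, the heuristics and thresholds, and both sample messages are constructed assumptions for illustration, not real data.

```python
"""Header-based triage for "fake president" / business e-mail compromise.

Added example; the company domain, executive names, heuristics and the
two sample messages below are all constructed assumptions.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                           # assumption: the insured's own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}        # assumption: names a fraudster would impersonate
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
WIRE_WORDS = ("wire", "transfer", "payment")
PRESSURE_WORDS = ("urgent", "today", "confidential", "do not discuss", "immediately")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(domain):
    # Undo the most common homoglyph substitutions (rn->m, vv->w, 0->o, 1->l).
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(bad, good)
    return d


def is_lookalike(domain, target=COMPANY_DOMAIN):
    """True if `domain` is not `target` but is a homoglyph or near-miss of it."""
    if not domain or domain == target:
        return False
    if _normalize(domain) == target:
        return True
    # Fallback: string similarity (threshold 0.8 is an assumed tuning value).
    return difflib.SequenceMatcher(None, domain, target).ratio() >= 0.8


def triage(raw_message):
    """Return {"hold": bool, "findings": [...]} for one RFC 5322 message.

    "hold" means: a wire/payment request whose sender identity shows at least
    one impersonation tell, so the request must be verified out of band
    (a phone call to a known number, never a reply to the e-mail).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)

    # Tell 1: an executive's display name on an address that is not theirs.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append("executive display name on foreign address: %s" % from_addr)

    # Tell 2: replies silently routed to a different domain than the sender's.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain: %s" % reply_domain)

    # Tell 3: sender or reply domain is a lookalike of the company's domain.
    for d in (from_domain, reply_domain):
        if is_lookalike(d):
            findings.append("lookalike of %s: %s" % (COMPANY_DOMAIN, d))

    # Tell 4: executive business routed through free webmail.
    for d in (from_domain, reply_domain):
        if d in FREEMAIL:
            findings.append("free webmail domain: %s" % d)

    # Tell 5: a wire request dressed in urgency or secrecy.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    wire_request = any(w in text for w in WIRE_WORDS)
    if wire_request and any(p in text for p in PRESSURE_WORDS):
        findings.append("wire request with urgency/secrecy language")

    identity_tells = [f for f in findings if not f.startswith("wire request")]
    return {"hold": bool(wire_request and identity_tells), "findings": findings}


# Constructed sample messages (not real correspondence).
FAKE_PRESIDENT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.ceo@gmail.com>
To: ap@example.com
Subject: Urgent wire for acquisition - confidential
Content-Type: text/plain; charset=us-ascii

Please wire $4,800,000 today to the account our counsel will send you. Keep this confidential.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 vendor schedule
Content-Type: text/plain; charset=us-ascii

Attached is the approved vendor schedule for Q3 for your records.
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_PRESIDENT), ("legit", LEGITIMATE)):
        print(label, triage(raw))
```

The rule encoded in `triage` is deliberately simple: the wire request alone is not the problem, and a single header oddity alone is not the problem; it is the combination that should stop the payment until the instruction is confirmed through a channel the e-mail did not supply.  A real deployment would add SPF/DKIM/DMARC results and the sender’s history to the identity checks; this block only shows the header tells a trained employee can see without tooling.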

The Ninth Circuit Holds that California’s Anti-Hacking Law, Penal Code Section 502, does not Proscribe Unauthorized “Access” to a Database; Rather, the Section Prohibits Unauthorized Use, Copying, or Manipulation of Information in the Database

California’s Computer Data Access And Fraud Act, Cal. Pen. Code, § 502 (“CDAFA”) is a state law analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”).  Both are aimed at fighting unauthorized intrusions into electronic data (for a primer on these statutes, see “Strategies For Businesses Protecting Electronic Data Within California” here).  (See Craigslist Inc. v. 3Taps Inc. (N.D. Cal. 2013) 942 F.Supp.2d 962, 968 [identifying the CDAFA as a state law corollary to the federal statute].)

However, at least according to one federal court, there is a significant difference between the California and federal statute.  (United States v. Christensen (9th Cir. 2016) 828 F.3d 763, 789.)  By way of background, the CFAA requires that a defendant access a protected computer “without authorization.”  (18 U.S.C. § 1030(a)(5)(A)-(C); see also LVRC Holdings LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127, 1133.)  Thus, the focus of a purported violation of the CFAA is whether an alleged hacker has accessed a computer without authorization or has exceeded a specific authorized access.  The CFAA is not applicable to a person who is authorized to access a computer or parts of the computer but who, in so doing, misuses or misappropriates information.  (United States v. Nosal, (9th Cir. 2012) 676 F.3d 854, 863-864.)

Section 502(c) of the CDAFA lists a number of violations with the following language as a precondition:  “[k]nowingly accesses and without permission . . . .”  Thus, the section provides that a person who commits, inter alia, any of the following acts is guilty of a public offense:

(1)       [k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data;

(2)       [k]nowingly accesses and without permission takes, copies, or makes use of any data from computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;

(4)       [k]nowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network;  . . .

(Emphasis added.)

In United States v. Christensen, supra, 828 F.3d 763, concerning particular identity theft jury instructions, the criminal defendant relied upon United States v. Nosal, supra, 676 F.3d at p. 864, and claimed that a section 502(c)(2) violation requires that use of a computer or database be “unauthorized.”  The defendant asserted error because the trial court did not so instruct the jury.  However, the court of appeals rejected the argument.

The federal court ruled that “access,” as used throughout California’s section 502(c), in contrast to the federal CFAA, does not require “unauthorized” access to a computer, but merely requires knowing access.  (Id. at p. 789.)  According to the court, what makes access unlawful under section 502(c)(2), is that an alleged hacker “without permission takes, copies or makes use of” data on the computer.  (Ibid.)  “A plain reading of the statute demonstrates that its focus is on unauthorized taking or use of information.”  (Ibid.; emphasis added.)  It does not criminalize unauthorized access to a computer, database or data.  In sum, the court held:  “We conclude that the term ‘access’ as defined in the California statute includes logging into a database with a valid password and subsequently taking, copying or using the information in the database improperly.”  (Ibid.)

There is currently a split of authority in the California courts on the issue which Christensen addressed.  Christensen itself acknowledged this split.  (Ibid.)  On the one hand, there is Chrisman v. City of Los Angeles (2007) 155 Cal.App.4th 29, 34-35, in which the Court of Appeal held that unauthorized “access” meant “breaking into a computer.”  On the other hand, there is Gilbert v. City of Sunnyvale (2005) 130 Cal.App.4th 1264, 1281, in which the Court of Appeal emphasized that “[k]nowingly accessing and without permission making use of any data from a computer system” is a crime under section 502.  The Gilbert court did not discuss unauthorized access to a computer or database.

Christensen rejected Chrisman and ruled consistently with Gilbert.  It seems that the Christensen holding (as well as Gilbert) is the more textually grounded ruling.  The statutory phrase in section 502 “without permission” modifies the taking or use of information in a database and not the initial access of the computer or database itself.  How the California Supreme Court may resolve the issue, if and when presented, remains to be seen.

*This blog post was assisted by Gabriella S. Perez, a 3rd year student at Loyola Law School

SEC Urges Investment Firms to Better Prepare for Ransomware Attacks

On May 17, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert urging broker-dealers, investment advisers and investment companies to safeguard themselves against ransomware in light of the recent global “WannaCry” ransomware attack that impacted entities in over one hundred countries, including Britain’s health system and major companies such as FedEx and Telefónica.

The OCIE examined 75 SEC registered firms to assess “industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.”  The OCIE focused on these firms’ cyber-risk assessment, penetration testing, and system maintenance, and found that:

  • 5% of the broker-dealers and 26% of advisers and funds did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and potential business consequences;
  • 5% of broker-dealers and 57% of investment advisers and funds did not conduct penetration tests and vulnerability scans on critical information systems;
  • 10% of the broker-dealers and 4% of investment advisers and funds had not updated a number of critical and high-risk patches to maintain the integrity and security of their information systems even though these firms had a process in place for regular system maintenance.

Given that the WannaCry ransomware attack might have been conducted by way of a breach via Microsoft Remote Desktop Protocol (RDP) or Windows Server Message Block version 1 (SMBv1), the alert encouraged firms to evaluate whether the applicable Microsoft patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.  The OCIE alert also directed firms to review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT Alert TA17-132A, about actions firms might consider in reaction to the latest ransomware incident.

The OCIE’s risk alert and examination of 75 SEC registered firms underscores the fact that the SEC is making cybersecurity and cybersecurity practices (and thus cybersecurity disclosures) undertaken by public companies one of its primary focuses.  As Nossaman reported in its May 11, 2017 blog, “because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit” for the SEC.

Settlement in Home Depot Class Action Provides Data Security Corporate Governance Framework for Companies

The latest settlement in Home Depot’s data breach litigation provides a data security framework for corporate governance that may be used by other companies as a template.  Based on claims arising from a massive data breach in 2014 involving 56 million credit cards, Home Depot Inc. recently settled both a shareholder derivative action and a class action filed by financial institutions.  Both settlements were filed and approved by the U.S. District Court for the Northern District of Georgia.  As part of a third settlement of a direct consumer class action in 2016, Home Depot had already agreed to set up a $19.5 million fund to reimburse its affected consumers, and to hire a chief information security officer (CISO).

The recent settlement in In re: The Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 15-cv-02999 provided nine corporate governance provisions that focus on corporate reform in data security, and were designed to improve Home Depot’s ability to prevent and respond to future attacks.  Home Depot and its board of directors agreed to:

(i) document the duties and responsibilities of the newly-hired CISO;

(ii) periodically conduct tabletop cyber exercises to validate Home Depot’s processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas;

(iii) monitor and periodically assess key indicators of compromise on computer network endpoints;

(iv) maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;

(v) maintain an executive-level committee focused on the Company’s data security;

(vi) receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;

(vii) maintain an incident response team and an incident response plan;

(viii) maintain membership in at least one information sharing program; and

(ix) retain their own IT, data and security experts and consultants as they deem necessary.

The Home Depot shareholder derivative settlement agreement offers a valuable example of cybersecurity-focused corporate governance practices to all companies, including consumer-facing retailers, for implementing data breach protections and conducting post-breach remedial actions.  Additionally, companies should consider using tools such as Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA), which are designed to assess privacy and security frameworks and are also useful in identifying risks and implementing the processes necessary to meet regulatory and business expectations.