Summer months, a pandemic and an economic slow-down may make it hard to stay engaged with regulatory and career developments. In this issue of the Warburton Report we present several podcasts and training videos to help you more easily stay on top of developments in compliance & data governance, asset management and ESG trends.
The DOJ Fraud Section has issued its first compliance guidance since 2015. See, here. The guidance emphasizes the crucial role of leadership in compliance and the importance of the company’s commitment to compliance. Prosecutors review the company’s implementation and enforcement of compliance policies, including:
- Has the company performed a risk assessment and tailored their compliance program to their specific needs, risks, and challenges? (Section I)
- Is the company proactively addressing third-party risks? (Section I)
- What value does the company assign to compliance? (Section II)
- How much experience, resources and authority does the company grant compliance personnel? (Section II)
- What concrete actions have company leaders taken to demonstrate leadership in compliance and remediation? (Section II)
- Has the company re-evaluated its program following a compliance failure? (Section III)
New What’s Ethical podcasts on data analytics & family office trends
Data Privacy and Fintech
The Emergence of State Enforcement of Privacy Breaches
Around the country, states are enacting their own legislation governing use of data and privacy breaches. Among the leaders are California and NY.
On July 1, 2020, despite the COVID-19 pandemic, California began enforcement of the California Consumer Protection Act (CCPA). A quick 3-minute briefing about the CCPA is available from the National Law Review. See, here.
One of the initial CCPA lawsuits has been filed in California: Atkinson v. Minted Inc. The class action litigation, filed in a California federal court, claims that Minted failed to implement “reasonable security measures” and to properly encrypt certain personal information. As a result, hackers allegedly accessed the company’s database that contained customers’ names and login credentials, including unredacted and unencrypted account information. Some 73.2 million records were allegedly stolen and included passwords, names, and other information. The putative class seeks compensatory damages, punitive damages, and penalties. Under the statute, penalties can range from $100 to $750 for each violation. In a breach involving 73.2 million records, these penalties can be significant.
On March 21, 2020, the NY Shield Act’s data security requirements took effect. Like California’s CCPA, NY law requires businesses that own or license private information of state residents to employ “reasonable” security protections, including:
- reasonable administrative safeguards such as: designation of employees to coordinate the security program, identifying internal and external risks, assessing safeguards to control the risks identified, training of workforce, and selecting third-party vendors that maintain appropriate safeguards;
- reasonable technical safeguards such as: risk assessments of network, software design, information processing, transmission, and storage; measures to detect, prevent, and respond to system failures; and testing and monitoring of the effectiveness of key controls; and
- reasonable physical safeguards for storage and disposal of information, such as: risk assessments for storage and disposal; measures to detect, prevent, and respond to intrusions; and protections against unauthorized access to or use of private information.
Training – Contact us if you would like a complimentary copy of these videos to distribute.
Data Protection and Cybersecurity
Join this Global Cybersecurity Webinar on August 5. Beth Haddock is presenting on a panel about “Better Together: Compliance Meets Managed Services.”
Recent SEC Risk Alerts & Enforcement Cases
Increased Phishing during COVID-19: Ransomware Risk Alert
Patterns in Examination Deficiencies: Private Fund Alert
Discontinuation of LIBOR: LIBOR Alternative Preparation Alert
Breach of Duty of Due Diligence: SEC v. Temenos Advisory. The complaint alleged that Defendants George Taylor and his advisory firm, Temenos Advisory, put $19 million in investment capital into four risky private security offerings without performing due diligence or disclosing risks and prospects of the investments. The Defendants consented to entry of a permanent injunction prohibiting future violations of the Advisers Act and agreed to pay disgorgement, prejudgment interest, and penalties in excess of $2 million.
Advertising: In the Matter of Raymond J. Lucia Companies, Inc. On remand from the Supreme Court, the proceeding, which names as Respondents a registered investment adviser and its owner, centered on marketing efforts by Lucia and his company concerning his “Buckets of Money” investment program. At seminars, investors were shown a slide presentation with assets allocated to short-, medium-, and long-term buckets. Part of the strategy involved reallocating the investments. The approach was supposedly based upon historical backtests. However, the SEC alleged that the backtests were materially misleading and did not follow the buckets of money approach, and failed to disclose key issues regarding fees and other matters, in violation of Advisers Act Sections 206(1), 206(2) and 206(4). The Commission issued a cease and desist order, barred Lucia from the securities business for a period of years and issued a penalty.