
InfoBytes Blog

Financial Services Law Insights and Observations


  • OFAC announces sanctions tied to drug trafficking

    Financial Crimes

    On November 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14059 against three individuals and nine entities for supplying certain drugs to U.S. markets through internet sales and a host of shell companies. OFAC noted that the sanctions would not have been possible without collaboration with the Drug Enforcement Administration and Homeland Security Investigations. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions or enforcement action, OFAC warned.

    Financial Crimes Department of Treasury OFAC SDN List OFAC Sanctions OFAC Designations Of Interest to Non-US Persons Drug Enforcement Administration Department of Homeland Security

  • OFAC sanctions individuals associated with al-Qa’ida

    Financial Crimes

    On November 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against two business associates of a previously sanctioned al-Qa’ida financial facilitator and external operations plotter. According to OFAC, the two designated individuals in the recent action conducted business activities to assist the previously designated individual for facilitating the international movement of individuals and finances in furtherance of al-Qa’ida’s objectives. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more” by one or more blocked persons are also blocked. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to secondary sanctions, OFAC warned, adding that foreign financial institutions that knowingly conduct or facilitate significant transactions to any of the sanctioned persons could also be subject to U.S. sanctions.

    Financial Crimes Department of Treasury OFAC SDN List OFAC Sanctions OFAC Designations Of Interest to Non-US Persons

  • States reach multi-million dollar CRA data breach settlement

    Privacy, Cyber Risk & Data Security

    On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitoring services to affected consumers.

    Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.

    Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.

    Privacy, Cyber Risk & Data Security Courts Data Breach Settlement State Issues State Attorney General Credit Reporting Agency

  • District Court says blockchain network’s token is a security

    Securities

    On November 7, the U.S. District Court for the District of New Hampshire ruled that digital tokens sold by a blockchain network qualify as securities under the Securities Act of 1933. The SEC sued the company in 2021, claiming that by issuing the tokens, the company conducted an unregistered offering of securities. The company countered that its tokens are not securities because they are not being offered as an investment opportunity on its platform, but rather are designed to be used by content creators and users. The company also argued that the tokens are not securities because they function as “an essential component” of the company’s blockchain and that investors acquired them for use on the company’s network, rather than with the intention of holding them as an investment. Further, the company claimed that it did not receive fair notice that its token offerings are subject to securities laws.

    In determining whether the tokens are securities, the court relied on the U.S. Supreme Court’s definition of an investment contract in SEC v. W.J. Howey Co., focusing on the issue of “whether the economic realities surrounding [the company’s] offerings of [the tokens] led investors to have a ‘reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others.’” According to the court, multiple statements made by the company led potential investors to reasonably expect the tokens to grow in value as the company continued to oversee the development of its network. “[P]otential investors would understand that [the company] was pitching a speculative value proposition for its digital token,” the court said, rejecting the company’s argument that it had informed some potential investors that the company was not offering its token as an investment. “[A] disclaimer cannot undo the objective economic realities of a transaction,” the court stated, adding that “[n]othing in the case law suggests that a token with both consumptive and speculative uses cannot be sold as an investment contract.” Additionally, the court explained that, while this may be the first instance where securities laws are being “used against an issuer of digital tokens that did not conduct an ICO, [the company] is in no position to claim that it did not receive fair notice that its conduct was unlawful.”

    Securities SEC Enforcement Courts Digital Assets Cryptocurrency Blockchain Securities Act

  • OFAC updates FAQs related to sanctioned virtual currency “mixer”

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published one new and three amended cyber-related FAQs related to sanctions issued in August against a virtual currency mixer accused of laundering more than $7 billion. As previously covered by InfoBytes, OFAC claimed the company “repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis.” Newly added FAQ 1095 clarifies that a designated “person” under Executive Order 13722 or 13694 is a “partnership, association, joint venture, corporation, group, subgroup, or other organization.” Amended FAQs 1076, 1078, and 1079 (i) explain how persons can complete transactions or withdraw virtual currency without violating U.S. sanctions regulations; (ii) clarify whether OFAC reporting obligations apply to “dusting” transactions (wherein “certain U.S. persons may have received unsolicited and nominal amounts of virtual currency or other virtual assets from [the sanctioned company’s] smart contracts”); and (iii) outline prohibitions resulting from the sanctions.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Anti-Money Laundering Digital Assets Virtual Currency

  • OFAC sanctions individuals connected to DPRK

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against two individuals for engaging in activities related to transportation and procurement activities on behalf of the Democratic People’s Republic of Korea (DPRK). According to OFAC, these individuals acted on behalf of an entity previously designated by OFAC for operating in the transportation industry in the DPRK economy (covered by InfoBytes here). OFAC also noted that the designation is a part of continuing efforts by the U.S. to limit DPRK’s ability to advance its unlawful weapons of mass destruction and ballistic missile programs, and follows numerous recent DPRK ballistic missile launches. As a result, all property, and interests in property of the designated persons that are in the U.S. or in the possession or control of U.S. persons, must be blocked and reported to OFAC. OFAC regulations generally prohibit all dealings by U.S. persons or within the U.S. (including transactions transiting the U.S.) that involve any property or interests in property of blocked or designated persons. OFAC further warned that engaging in certain transactions with the designated individuals and entities entails risk of designation. Additionally, OFAC warned that a foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the designated individuals or entities could be subject to U.S. correspondent or payable-through account sanctions.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List North Korea

  • OFAC announces sanctions involving Burma’s military regime

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14014 against an individual and an entity that facilitate weapons purchases for Burma’s military regime. According to OFAC, the designation is in conjunction with newly issued European Union sanctions. OFAC also noted that “Burma’s military regime has continued to oppress and deny the will of the people to chart an inclusive, democratic future for their country,” and that the sanctions are not targeted toward the people of Burma but at “those who profit from the oppressive actions of the regime by operating in the defense sectors of Burma’s economy and by enabling Burma’s military connections to foreign militaries.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or if otherwise exempt.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations SDN List Burma

  • District Court preliminarily approves $2.35 million settlement for card data breach

    Privacy, Cyber Risk & Data Security

    On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits were filed alleging violations of numerous state laws that were eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect for cash payments, and request credit monitoring services.

    The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”

    Privacy, Cyber Risk & Data Security Courts Data Breach Consumer Protection Class Action Settlement State Issues California

  • District Court: Unclear when networking site became aware of data scraping

    Privacy, Cyber Risk & Data Security

    On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.

    As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.

    In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of URL data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scraping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.

    Privacy, Cyber Risk & Data Security Courts Data Scraping Consumer Protection Computer Fraud and Abuse Act State Issues California Appellate Ninth Circuit

  • SBA seeks to end SBLC moratorium

    Agency Rule-Making & Guidance

    On November 7, SBA published a proposed rule in the Federal Register seeking to lift the moratorium on licensing new small business lending companies (SBLCs) and adding a new type of entity called a “Mission-Based SBLC.” The moratorium was imposed in 1982, after the agency lacked adequate resources to effectively service and supervise additional SBLCs participating in SBA’s 7(a) loan program beyond the 14 it was authorized to approve. According to SBA, while the majority of 7(a) lenders are federally-regulated depository institutions, “SBLCs are regulated, supervised, and examined solely by SBA” and “are subject to specific regulations regarding formation, capitalization, and enforcement actions.” SBA explained that there are capital market gaps in certain markets that “continue to struggle to obtain financing on non-predatory terms.” The proposed rule seeks to lift the licensing moratorium and further create the Mission-Based SBLC to help bridge the financing gap. Mission-Based SBLCs will be nonprofit entities that will help SBA meet the needs of underserved communities and increase opportunities for access to capital in precisely targeted capital market gaps. Comments on the proposed rule are due January 6, 2023.

    Agency Rule-Making & Guidance Federal Issues SBA Fintech Small Business Lending
