Cybersecurity

Incident Response Experience

• FTX chapter 11 debtors in responding to a breach resulting in unauthorized transfers of hundreds of millions of dollars’ worth of crypto assets on the date of FTX’s bankruptcy filing, coordinating complex efforts to identify and secure billions of dollars’ worth of crypto assets that remained at risk following the breach, investigating the breach, and cooperating in related law enforcement and regulatory investigations.
• A multibillion-dollar public company experiencing a ransomware attack and data extortion (customer PII and financial information), including advising on communications with the Board of Directors and ransom negotiations, providing SEC disclosure advice, coordinating recovery and forensic review with outside experts, crafting and coordinating a communications plan with a PR firm, notifying over 50 thousand affected customers, assisting in responding to reporters, and coordinating insurance approvals.
• A Fortune 500 public company experiencing a ransomware attack and data extortion (company IP and data), including advising on risks of payment and law enforcement notifications, providing SEC disclosure advice, and assisting with guidance on recovery and forensic review.

• A Fortune 500, publicly-traded financial services firm acquiring a company that experienced a ransomware attack at signing. We advised on ransom negotiations, recovery, and forensic review in coordination with external forensics experts, and revisions to M&A agreements to allocate risk and cost, and require certain remedial measures. The deal successfully signed and closed.
• Scottrade with respect to the exposure of unencrypted files containing customers’ personal data, including on state privacy law issues and nationwide customer notification.
• Popular in responding to a criminal cyber breach of company systems, including on state privacy issues, nationwide customer notification, and coordinating with their prudential banking regulator.
• A technology company in responding to the cyber theft of its source code and attempted extortion, including notification to millions of customers, coordination with law enforcement, and conducting an internal investigation.
• A major, publicly-traded financial institution on responding to the data extortion of a vendor that, through the compromise, lost hundreds of thousands of bank customers’ sensitive personal data and voluminous SAR information. We provided SEC disclosure advice; assisted in drafting notice and updates to federal and state bank regulators and answering questions from the bank regulators; assisted in drafting notice and updates, and coordinating with, FinCEN regarding the loss of SAR data; drafted and coordinated notice to Attorneys General in many states; crafted and coordinated a communications plan with no assistance from a PR firm; notified over 400,000 bank customers; arranged for call centers and credit monitoring for customers; assisted in crafting call center and website communications; and assisted in coordinating with insurers and the affected vendor.
• A public company regarding a potential breach of its network by a hostile nation-state, including coordinating with federal law enforcement and intelligence agencies.
• Numerous companies and individuals victimized in cyber-fraud and phishing schemes, including coordination with federal and international law enforcement and of overseas litigation resulting in substantial recoveries for our clients. We have secured substantial and complete recoveries for clients, and recovered millions of dollars on numerous occasions. In one instance, as a result of our work, our client recovered almost the entirety of more than $20 million diverted by cybercriminals to Hong Kong.
• More than a dozen public companies in responding to SEC requests concerning the SolarWinds breach and related matters.
• A retailer in connection with a cybersecurity breach at its third-party e-commerce platform.
• A retailer regarding an ongoing breach of customer credit card information.

Preparedness, Data Privacy and Cyber Advisory Experience

• Regional, national and international financial institutions, and public and private corporations across industries on cyber governance responsibilities, including advice to boards of directors and senior management on incident response planning, disclosure controls and procedures, director duties related to cybersecurity risks, and the coordination and implementation of cybersecurity “tabletop exercises.”
• Numerous public companies and financial institutions on potential sanctions risks associated with paying ransom in connection with ransomware attacks.
• Several major financial institutions on the legality and legal risks associated with particular transfers they are asked to make for customers to facilitate the purchase of cryptocurrency to pay ransom. We advise on OFAC and FinCEN requirements (including MSB and SAR-filing issues).
• The Bank Policy Institute, a consortium of the nation’s leading banks, on the legal and regulatory implications of paying or facilitating the payment of ransom in response to ransomware attacks.
• The Bank Policy Institute, SIFMA, the American Bankers’ Association and the International Bankers’ Association in drafting a comment letter, on behalf of hundreds of financial institutions, regarding the notice of proposed rulemaking by the federal bank regulators concerning computer security incident notification requirements.
• Drafting amicus briefs for the U.S. Chamber of Commerce on behalf of Marriott in the Fourth Circuit and Alphabet in the U.S. Supreme Court concerning disclosures required by public companies regarding cybersecurity risks.
• A major real estate company and commercial landlord on the legal and regulatory implications of the installation of thermometer readers in commercial lobbies across multiple states in response to COVID-19. S&C is also advising this client on CCPA compliance and the use of biometric data in connection with this matter.
• A multinational mining, metals and petroleum company on privacy matters in connection with its investment in a company engaged in analyzing geolocation data.
• Multiple companies on use of customer information for data analytics purposes, including whether certain uses would comply with federal and state privacy and other laws.

Cybersecurity, Data Privacy and Class Action Litigation

• Airbnb in obtaining a preliminary injunction preventing the City of New York from implementing a new ordinance intended to collect personal data about the users of short-term rental platforms, which Airbnb argues is invalid under the Fourth Amendment of the U.S. Constitution. This case has significant implications, not just for Airbnb, but potentially for any business concerned about protecting the privacy of its users.
• A healthcare technology company whose computer system was hacked, and fraudulent health care benefit debit cards were issued as a result without necessary geographical, merchant or monetary restrictions. As a result, the client lost millions of dollars through fraudulent debit cards that were used like legitimate credit cards with virtually unlimited credit limits. We advised and represented the client in connection with successful settlement negotiations with its insurer despite numerous allegedly applicable policy exclusions.

For additional details on S&C’s litigation experience, please visit our litigation practice page.