“Emerging SEC guidance and enforcement regarding data privacy and breach disclosures”
InsideCounsel 06/25/15 Joseph D. Masterson
For many companies — especially in the defense, critical infrastructure, retail, financial, or healthcare industries — cyber risks have been top-of-mind for directors and key officers for the past several years. What may not be fully appreciated, however, is that nearly all companies and their directors and officers are at increasing risk. Regulatory enforcement actions from an array of federal and state agencies and private lawsuits from customers, shareholders, and others are increasing rapidly, claiming that the officers and directors were insufficiently focused on preventing a breach or mitigating its consequences, including breaches involving suppliers and other third parties.
SEC Historical Approach
For at least the last five years, beginning with CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 31, 2011), the Securities and Exchange Commission (SEC) has applied general securities law principles to explicitly encourage or require public companies to adopt and apply best practices for preventing, detecting, and responding to data security incidents. That cybersecurity guidance references risk factor disclosure requirements, financial statement and MD&A requirements, required disclosures of material pending legal proceedings, and required evaluations of the effectiveness of disclosure controls and procedures, among other principles. It also encourages thoughtful consideration and discussion of cybersecurity protection costs, remediation costs, insurance costs, litigation costs, reputational damage, and the potential for lost revenues.
Within two years after that guidance was published, SEC comment letters increasingly encouraged or required public companies to enhance disclosures about cyber risks and incidents. Robust disclosure about these matters became the norm. An SEC cybersecurity roundtable was held with great fanfare in 2014 to discuss the challenges to public companies, broker-dealers and investment advisers, and the role that the SEC should play to protect investors and others. A similar cybersecurity conference was hosted by the Securities Industry and Financial Markets Association in early 2015. This emphasis has resulted in cybersecurity becoming one of the top corporate governance, disclosure, and risk management issues among large U.S. companies.
Current SEC Enforcement Trends
In addition to improving securities industry awareness, an extensive SEC cybersecurity enforcement effort is now underway. Publicly available settlement agreements have been forced upon a growing number of SEC-registered broker-dealers, investment advisers, and investment companies that are subject to controls-related compliance requirements. The very public OCIE Cybersecurity Initiative (announced April 15, 2014) and the Cybersecurity Examination Sweep Summary (published February 3, 2015) emphasize that these financial entities should expect increased SEC scrutiny of the security and confidentiality of customer records and information. The Regulation Systems Compliance and Integrity rule also requires securities exchanges and clearing agencies (among others) to have systems in place to prevent and detect cyber attacks. Enforcement actions are expected.
The SEC is now broadening this effort to include possible enforcement actions against a much wider range of companies. In a series of public statements, SEC officials have emphasized the risks that cyber attacks pose for the capital markets, public companies, and investors, and have indicated that the agency will investigate and take enforcement action whenever it considers that appropriate. Several statutes and regulations, including the Foreign Corrupt Practices Act of 1977, Exchange Act Section 13(b)(2), and SEC Regulations S-K 307 and 308, could provide the legal basis of an SEC enforcement action against a public company that has inadequate cyber controls. Those provisions require publicly traded companies to maintain systems of internal control over financial reporting and effective disclosure controls with respect to other public disclosures. Other legal theories may also be possible. Although no SEC actions of this type have yet been publicly disclosed, they are increasingly likely.
Even if the SEC does not undertake enforcement actions against a particular company and its officers and directors following a cyber incident, other federal and state regulators and class action plaintiffs often do so. Enforcement actions have been completed and publicly announced by the Office for Civil Rights (primarily relating to protected health information), the Federal Trade Commission (primarily involving payment card information and deceptive privacy policies or personal information), and attorneys general in several states, and many more are believed to be pending. High-profile consumer and securities class action lawsuits, such as the suits against Barnes & Noble Inc., eBay Inc., Wyndham Worldwide Corporation, and Target Corporation, have become increasingly common. The expected increase in SEC enforcement will likely encourage even more consumer and shareholder lawsuits.
The impacts of increased cyber-related lawsuits and enforcement actions are not limited to the brokers, investment companies, and public companies themselves. Key private third-party suppliers, customers, and vendors — especially if they interact electronically with SEC-regulated financial entities or public companies or deal with sensitive information — are finding that those companies increasingly insist upon rigorous cyber security, breach detection, compliance, disclosure, and insurance to protect the integrated enterprise. In this way, "best practices" are swiftly becoming a practical necessity for even private companies that may be third- or fourth-tier suppliers to public companies and others sensitive about cyber attacks, and for other businesses that aspire to become their suppliers.
So what is a company to do? The cyber security framework developed by the National Institute of Standards and Technology (NIST) in 2013 is a good starting point. The next article in this series will discuss steps that directors should take to ensure that the board and management are equipped to respond efficiently and effectively to a data breach at the company or a third party.