Regulators Tighten Scrutiny of Data Breach Disclosures by Companies
Companies must pay closer attention to what they say after hackers strike, lawyers warn, as regulators crack down on inaccurate disclosures and Congress debates mandatory reporting of cybersecurity breaches.
Several regulatory actions in recent weeks have focused on breach notifications, media statements and investor communications issued by companies after incidents that watchdogs say were deceptive.
On Monday, the U.S. Securities and Exchange Commission settled charges against five Cetera Financial Group Inc. business units, alleging lax security controls and misleading statements in the breach notifications the units sent to some clients. The Cetera units, which offer brokerage services and investment advice, must pay a $300,000 penalty.
Cetera didn’t immediately respond to a request for comment.
Quick, precise and clear updates are the gold standard in the event of a security breach, said Seth DuCharme, a partner at law firm Bracewell LLP who until March was the acting U.S. Attorney for the Eastern District of New York.
An Aug. 16 settlement between the SEC and London-based educational publisher Pearson PLC over a 2018 data breach shows how closely regulators are scrutinizing incident communications, according to Mr. DuCharme.
The SEC charged Pearson with misleading investors about the existence and extent of the breach, in which millions of student records were stolen. The SEC found that Pearson's 2019 semiannual report described a data security incident as a hypothetical risk when the company knew one had already occurred, that its media statements did not accurately describe the extent of the breach, and that it left the software vulnerability the hackers exploited unpatched for six months after being notified that a patch was available.
Pearson neither admitted nor denied the SEC’s findings as part of a settlement in which the company paid a $1 million penalty. A spokesman for Pearson said the company was pleased to resolve the matter with the SEC.
European data protection authorities have also become stricter about cybersecurity lapses resulting in data theft. Half of the Swedish privacy regulator’s decisions under the General Data Protection Regulation, for example, have involved cybersecurity issues, said Adolf Slama, an information technology adviser for the authority.
In the U.S., lawmakers have been exploring ways to improve how companies report cybersecurity incidents. On Wednesday, the House Homeland Security Committee will debate a draft bill sponsored by Rep. Yvette Clarke (D., N.Y.) that would compel critical infrastructure operators to report cybersecurity incidents.
In the Senate, a bill sponsored by Sen. Mark Warner (D., Va.) proposes requiring government agencies, contractors and critical infrastructure operators to report incidents within 24 hours of detecting an attack. The 24-hour limit, in particular, faces stiff opposition from industry groups, which say their members would need at least 72 hours to gather the required details.
How a company characterizes a cyberattack will also be important, said Amy Keller, a partner at law firm DiCello Levitt Gutzler LLP.
Boilerplate language can be ambiguous, Ms. Keller said. Early statements from companies, for example, often say they were the victim of a “sophisticated” attack. That description can harm consumers whose data was exposed, because they may assume a nation-state carried out the hack when an identity-theft gang was the more likely culprit.
“They allow consumers to have a certain amount of confidence that maybe this wasn’t such a big deal, or it was a state actor and the information is going to be used for espionage, not to open up accounts in my name or something,” Ms. Keller said. “That kind of corporate spin is very misleading.”
Write to James Rundle at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.