Wednesday, November 8th, 2023
The Federal Trade Commission (FTC) announced on October 27th that it has expanded the scope of its financial data security rule, which will now require nonbank financial institutions – like vehicle dealers and mortgage brokers – to report data breaches. This new amendment to the FTC Safeguards Rule imposes similar reporting requirements to those already applicable to banks.
Specifically, the amendment will require nonbank financial institutions to report to the FTC any data breach affecting 500 or more consumers’ data. The rule gives financial institutions 30 days to report the breach; however, the FTC encourages reporting as soon as possible. Importantly, the reporting requirement applies only to breaches of unencrypted data, underscoring the importance of implementing sound cybersecurity protocols like end-to-end encryption of data.
In his statement announcing the amended rules, Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, emphasized the importance of corporate transparency and rapid disclosure of incidents, even before the 30-day timeline when possible. The new requirements will take effect in approximately six months, according to the FTC.
This new reporting requirement places a significant new burden on affected financial institutions, as reporting an incident to the FTC will trigger an investigation into the company’s cybersecurity practices and compliance with the Safeguards Rule. Failure to report an incident will put the offending company into the far more precarious position of being the subject of not only an FTC investigation, but also an enforcement action accompanied by hefty fines and the potential for criminal penalties.
In light of the massive financial and reputational risk posed by increasingly active threat actors and the government’s corresponding regulation of corporate cybersecurity, it has never been more important for companies to develop and implement robust cybersecurity and data privacy policies. It is equally crucial to consult with experienced legal counsel for assistance developing these proactive policies and, when necessary, responding to cyber incidents.
If you have any questions about this update, please reach out to John Danyluk at email@example.com.
Monday, November 6th, 2023
The Securities and Exchange Commission (SEC) announced charges against SolarWinds Corp. and its chief information security officer (CISO), accusing the publicly traded company of misleading investors as to its vulnerability to cyberattacks. SolarWinds is accused of defrauding investors by overstating its cybersecurity practices, while failing to implement appropriate internal digital safeguards and ignoring red flags for years before announcing that it was the victim of a two-year-long cyberattack in December 2020.
This landmark lawsuit represents the first time in an SEC cyber case that the commission has alleged that an organization intended to deceive investors. Perhaps even more alarming for information security executives performing an increasingly difficult corporate function, it is the first time in an SEC cyber case that the commission has brought action against an individual.
The SEC alleged that SolarWinds and CISO Timothy Brown, who is individually named in the lawsuit, knew as early as 2018 that software the company sold to the federal government was, in the words of one company engineer quoted in the complaint, “not very secure.” According to the complaint, SolarWinds’ poor security practices were not a secret within the company, prompting several employees to express their concerns.
According to the director of the SEC’s enforcement division, “[r]ather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
The SEC’s aggressive enforcement of the massive SolarWinds breach reflects the tremendous impact that a breach can have on a company’s value and stock price. Further, by placing the company’s CISO squarely in the SEC’s crosshairs, CISOs and other cyber executives are now on notice that they may be held personally responsible for security and disclosure failures. On the heels of the criminal sentencing of former Uber CSO Joseph Sullivan for his role in the company’s 2016 data breach, these executives are predicted to become increasingly risk-averse and to choose self-preservation over corporate profits by proactively reporting vulnerabilities and breaches. The government’s willingness to go after individual employees means that those employees have even greater motivation to become whistleblowers and report perceived cybersecurity failures within the company, thereby protecting themselves while potentially securing a sizable relator settlement under the False Claims Act.
If you have any questions concerning your company’s cybersecurity, please reach out to John Danyluk at firstname.lastname@example.org.