Companies must pay closer attention to what they say after hackers strike, lawyers warn, as regulators crack down on inaccurate disclosures and Congress debates mandatory reporting of cybersecurity breaches.
Several regulatory actions in recent weeks have focused on breach notifications, media statements and investor communications issued by companies after incidents that watchdogs say were deceptive.
On 30 August, the US Securities and Exchange Commission settled charges against five Cetera Financial Group business units alleging lax controls and misleading errors in breach notifications to some clients. The Cetera units, which offer brokerage services and investment advice, must pay a $300,000 penalty.
Cetera didn’t immediately respond to a request for comment.
Quick, precise and clear updates are the gold standard in the event of a security breach, said Seth DuCharme, a partner at law firm Bracewell who until March was the acting US Attorney for the Eastern District of New York.
A 16 August settlement between the SEC and London-based educational publisher Pearson over a 2018 data breach shows how closely regulators are scrutinising incident communications, according to DuCharme.
The SEC charged Pearson with misleading investors over the existence and extent of the breach, in which millions of student records were stolen. The SEC found that Pearson, in its 2019 semiannual report, referred to a data security incident as a hypothetical risk when it knew one had occurred; that it didn’t accurately describe the extent of the breach in media statements; and that it failed for six months to patch the software vulnerability the hackers exploited, even after being notified that a patch was available.
Pearson neither admitted nor denied the SEC’s findings as part of a settlement in which the company paid a $1m penalty. A spokesman for Pearson said the company was pleased to resolve the matter with the SEC.
European data protection authorities have also become stricter about cybersecurity lapses resulting in data theft. Half of the Swedish privacy regulator’s decisions under the General Data Protection Regulation, for example, have involved cybersecurity issues, said Adolf Slama, an information technology adviser for the authority.
In the US, lawmakers have been exploring ways to improve how companies report cybersecurity incidents. On Wednesday, the House Homeland Security Committee will debate a draft bill sponsored by Yvette Clarke that would compel critical infrastructure operators to report cybersecurity incidents.
In the Senate, a bill sponsored by Senator Mark Warner proposes requiring government agencies, contractors and critical infrastructure operators to report incidents within 24 hours of detecting an attack. The 24-hour limit, in particular, faces stiff opposition from industry groups, which say their members would need at least 72 hours to gather required details.
How a company characterises a cyberattack will also be important, said Amy Keller, a partner at law firm DiCello Levitt Gutzler.
Boilerplate language can be ambiguous, Keller said. Early statements from companies, for example, often say they were the victim of a “sophisticated” attack. This description can harm consumers whose data was exposed because they may assume a nation-state carried out the hack when an identity-stealing gang was more likely to blame.
“They allow consumers to have a certain amount of confidence that maybe this wasn’t such a big deal, or it was a state actor and the information is going to be used for espionage, not to open up accounts in my name or something,” Keller said. “That kind of corporate spin is very misleading.”
Write to James Rundle at [email protected]
This article was published by Dow Jones Newswires