This post was originally published on March 2, 2018.
The U.S. Securities and Exchange Commission (SEC) recently updated guidance for public companies to adopt a more straightforward approach when disclosing information on cyber attacks, data breaches, or any material security risks or weaknesses.
The SEC's interpretive guidance is an update to information released in 2011 and is a reminder to companies to account for these security risk and incident considerations when preparing documents to file the with securities regulator. The SEC says companies need to disclose the following:
- Material Risks: Items are considered "material" and necessary to disclose if a reasonable investor would consider the information important in making an investment decision.
- Not Just Data Breaches: Companies should inform investors about cybersecurity risks and incidents in a timely fashion, even if they may not yet have been the target of a cyber attack.
- Items that Impact Investors: They don't have to disclose details that might compromise cybersecurity efforts (such as technical specifics about their infrastructure), but they do need to disclose cybersecurity risks and incidents that may impact investors—financial, legal, or reputational consequences.
The SEC also stated that companies should consider the following cybersecurity risk factors in disclosure:
- Previous cybersecurity incidents (including severity and frequency)
- Probability of another cybersecurity incident
- Preventative actions taken to reduce cybersecurity risks and the associated costs
- Potential costs of a cybersecurity incident and costs associated with maintaining cybersecurity protections
- Potential for reputational harm
- Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies
- Cybersecurity incident costs from litigation, regulatory investigation, or remediation costs
"This action by the SEC is a positive step towards creating further accountability and needed transparency in the wake of headlining breaches these days," said Michael Bruemmer, vice president of Experian Data Breach Resolution. "Companies should start from the assumption that they will be attacked and have a comprehensive incident response plan in place.
That plan needs to include a consumer notification process, especially when sensitive data such as Social Security numbers and financial information is corrupted. Regulation or industry standards, like what the SEC is doing, helps all stakeholders from experiencing material damage and ensuring transparency from company officers."
The new update is a timely cue for companies as 70% of company executives said their company had multiple data breaches last year according to "The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?," sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute.
The same survey also found that 66% of companies had not scheduled time to update or review their data breach plan, despite more than half of those companies (56%) reporting that they experienced a breach.
What Else Are Companies Required to Do after a Data Breach?
Currently, 48 states, including the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws in place that require companies to send data breach notifications to consumers when their personally identifiable information may have been compromised. (Alabama and South Dakota are the two states that currently don't have any laws on the books related to data breach notifications.)
Consumers should be aware of their rights under the Fair Credit Reporting Act and the data breach notification laws by state.
Typically, the state laws have conditions around who must comply and what information must be shared with consumers, such as:
- Businesses (public and private) including government entities
- Definition of "personal information" involved such as name, Social Security number, Driver's license or State ID and account numbers
- What constituted a breach or unauthorized acquisition of data
- Requirements for sending notices to consumers such as timing, the method of notice, and who must be notified
- Potential exemptions over whether the information was encrypted
New Guidelines for International Companies
The European Union (EU) agreed to a new set of data protection regulations, known as the General Data Protection Regulation (GDPR). It goes into effect on May 25, 2018, and the purpose, according to the European Commission, is to give control of personal data back to consumers and unify data protection regulations across the EU.
This new framework lays out guidelines for businesses on how to manage their data assets moving forward. The main themes from the GDPR concern consumer consent and making sure that companies do not use confusing language when they are asking for permission to use your data.
Additional Data Subject Rights were created and they address the following:
- Breach Notification: Under the GDPR, breach notification is mandatory and companies must notify individuals impacted in a data breach within 72 hours of first having become aware of it.
- Data Control: Consumers must have the right to access their personal data free of charge, in an electronic format.
- Data Erasure: Also known as ‘the right to be forgotten,' this lets a person revoke their consent and the organization must recall data they've shared, and erase any related data.
- Data Portability: Consumers must have the ability to access any personal data concerning them, and it must be provided in a 'commonly used and machine-readable format'.
- Privacy by Design: Data protection must be part of the design of systems from the onset, rather than be added at a later date.
- Data Protection Officers (DPO): A DPO has the responsibility for data protection compliance for the business. Under the new GDPR guidelines, a DPO appointment is mandatory if the business is a public authority or when the core business activities consist of data processing operations that require regular monitoring of data subjects on a large scale and if they are handling large-scale processing of sensitive data such as health, religion, race, sexual orientation along with personal data relating to criminal convictions and crimes.
What to Do If You're the Victim of a Data Breach
For consumers, getting caught up in a data breach can start a long journey of trying to protect their identities and personal information that can last years. If you are a data breach victim, here are some resources to help recover and protect yourself from additional damage: