As cybersecurity regulatory frameworks mature, the move has been toward risk-adjusted security requirements rather than prescriptive controls mandated by a legislature or administrative agency. This makes sense, of course, for two primary reasons.
So far 2018 has been a whirlwind of cyber regulatory activity, from the commencement of GDPR to new state-law data breach requirements to the New York State Department of Financial Services first compliance self-certification deadline. The complexity of the cyber legal landscape is only increasing, and in an effort to keep our clients ahead of the regulatory curve, the HSE Privacy and Data Security team has been on the road, spreading the word about cyber regulatory risk.
On April 24, 2018 the Securities and Exchange Commission (“SEC”) announced a settlement with Altaba, Inc., formerly Yahoo! Inc., for misleading investors by failing to disclose a data breach in which Russian hackers stole data for hundreds of millions of Yahoo accounts. This settlement and penalty, the first by the SEC following a data breach, comes in the wake of recent SEC guidance on cybersecurity risks and disclosures.
On March 14, 2018, the Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) announced parallel criminal and civil charges against Jun Ying, the former Chief Information Officer of Equifax’s United States Information Systems, for selling his shares of Equifax stock before Equifax publicly announced that it had suffered an immense data breach. These charges come in the wake of recent SEC guidance on ensuring corporate insiders do not trade in securities while in possession of material nonpublic information about cybersecurity incidents.
Adding to the chorus (or cacophony) of regulatory voices on the cybersecurity front, the SEC has recently issued new interpretive guidance concerning cybersecurity-related disclosures that public companies are required to make under federal securities laws.