A large publicly traded internet media company agreed to pay a $35 Million fine and cooperate with investigators for failing to disclose, in a timely manner, a hacker breach of more than 500 million client accounts. The SEC charges that the respondent waited nearly 2 years before disclosing the breach, during which time it filed misleading annual reports and Forms 10-K and 10-Q. Additionally, the SEC accuses the company of filing a stock purchase agreement (as part of a Form 8-K) that included misrepresentations about security breaches, thereby leading to a $350 Million reduction in the purchase price. A senior SEC official advised: “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
OUR TAKE: When it comes to cybersecurity incidents, time is not on your side. Because of the potential harm to clients and investors, it is better to provide immediate disclosure that will be followed up with additional information rather than waiting and thereby compounding the potential harm. Hacked firms must move quickly to investigate, assess, and remediate the harm to minimize damages.
A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach. According to the Settlement Agreement, the respondent lost the data of 1.27 million customers across the country when hackers exploited a security gap created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend against charges that a firm acted negligently.