Time is Short – Reporting your Data Breach

Companies that are subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act face the challenge of complying with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities Exchange Commission recently adopted regulations which will have an impact on publicly traded companies that suffer a data breach. Because the SEC’s standards for disclosure often set a standard for private companies as well, the regulations are likely to have an impact on other companies.

Breach Notifications for the Past 20 Years.  Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.

The SEC Acts.  Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations.

The rules were proposed last year and contested by trade organizations and businesses, arguing that four days is inadequate to identify the nature and scope of a breach, and would be as likely to disclose inaccurate information as it would to benefit consumers and shareholders.

In contrast, the SEC, in adopting the new regulation, cited the new rule as enhancing transparency into cyber threats after years of attacks against businesses by criminal gangs and, most significantly, groups backed by nation states. The SEC also saw this as an opportunity to address gaps in existing cybersecurity disclosures.

Gaps in Disclosure.  Because there are a wide variety of laws and rules governing disclosure, there is little consistency in the timing or content of breach notifications. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all. Christopher Hetner, a former cybersecurity adviser at the SEC who provides guidance to the National Association of Corporate Directors, said, “The outcome of this rule will be to create more normalcy across disclosures.”

Arguments against the Regulation.  The tight timeframe for disclosure raises concerns. The brief period for making incident disclosures could leave investors with information that isn’t accurate. The rules allow a company to update its incident disclosure with added information that was unavailable at first, but that also could create consumer and shareholder confusion.

The regulation is also unclear in defining how an incident would become material and how much detail will be required in public filings. This is a particular issue, since four days is unlikely to be adequate to collect and verify meaningful information about a security incident.

Third Party Risks.  The regulation also will require companies to create stronger reporting relationships with vendors.  Over the past several years, the cyberattack risks raised in the supply chain of information management has become key, and unless vendors (and all of the parties in the vendors’ supply chain) cooperate promptly, a reporting company may be unable to meet the requirements of the new rule.

Annual Reporting.  An issue that has not been widely reported is the requirement that companies must describe in their annual report what processes, if any, a company has in place to assess, identify and manage material risks from cybersecurity threats “in sufficient detail for a reasonable investor to understand those processes.” Combined with the SEC’s “plain language” mandate, this requirement alone might be a significant task.

Companies can deal with these new regulations by creating, implementing, testing and updating strong cybersecurity incident response plans. When a company has 96 hours to report publicly a cybersecurity incident, it cannot waste time trying to create a playbook to respond; the playbook must be in place and accurate. The necessary parties must have the “muscle memory” to know how to respond, not only to respond directly to the breach, but to comply with new and potentially burdensome regulations. The JMBM Cybersecurity and Privacy Group works with hospitality clients to achieve these goals and prepare them for the challenges of an ever-changing cybersecurity landscape.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels’ clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.