Articles Posted in Boards of Directors

The SEC warns public companies that lax cybersecurity practices could violate rules governing internal accounting controls, and offers nine scams as cautionary tales.

The SEC has become increasingly active when it comes to cybersecurity. Last month, it issued an investigative report about Business Email Compromises (BECs) involving nine public companies that lost nearly $100 million when they wired funds to thieves impersonating corporate executives or vendors. While the SEC did not take action against the companies, it noted that policies and procedures that allowed the thefts, accomplished by the simple means of email and wire transfers, could leave a company in violation of accounting rules requiring that public companies safeguard corporate assets. The report makes a strong case that all companies, not just the boards of public companies, need to be aware of and protect against scams of this sort.

The Commission considered whether the victimized companies complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions require certain issuers to devise and maintain a system of internal accounting controls that provide reasonable assurances that management authorizes corporate transactions and access to company assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the report stated.

The Commission chose to issue the report as guidance and declined to bring charges against the companies. While these companies dodged a second bullet, all companies should take this opportunity to benefit from the SEC’s analysis, and how important it is that board members understand the multiple aspects of cybersecurity, cyber risk, and related compliance.

Some directors may still assume that a cybersecurity breach is one that involves hackers infiltrating a company’s computer systems and stealing customer data. With this preconception, an enterprise will focus on hardware, software, firewalls and other technical solutions, which can lull management into thinking that increasing the data security budget is enough to address security threats. But almost all breaches have a human element. The losses cited in the SEC report were based on “social engineering,” which we’ve written about: exploiting human weakness, not technological failures. The only things “hacked” were the targeted employee’s sense of suspicion, which should have been higher, and the company’s lax internal controls. So how should companies respond, and what do board members and top executives need to do to avoid problems?

One of the great frustrations in contemplating a data security program is that there is no such thing as a one-size-fits-all solution.  There is no law or regulation that specifies the exact steps a company needs to take in order to achieve data security.  While there are some regulatory and industry-recognized compliance programs – like the health law requirements under HIPAA and the data security standards established by the Payment Card Industry – these provide compliance guidelines, not actual data security.  And these compliance guidelines themselves emphasize that each firm must establish security standards which meet the requirements of its own business operations.

The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company.  Every company has different information requirements and standards as to the information it collects, how it retains that information and how it uses it.  Consequently, data security can only be achieved by understanding what a particular firm does, not what is common or typical in an industry.

Assessment Defines Approach

Another factor is that while it is common to look at data security as a technical issue, technical compliance addresses only part of the goal; any review of data breaches will show that individuals – the human factor – are the most common source of insecurity.  This is not just due to the possibility of an employee clicking on the wrong website or responding to the wrong email; human error can start at the point that a data security plan, and its technical components, are contemplated.  Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the security challenges.


I’m attending the Arthur J. Gallagher Risk Management Roundtable on September 12 and 13 at the Intercontinental Hotel in New Orleans, where Alex Ricardo of Beazley and I will be speaking on Cybersecurity in the Hospitality Industry tomorrow morning.  I’ll be leading a discussion of the unique privacy and security issues facing hotels, managers and owners, the legal issues facing hotels, director and officer concerns, and the importance of preparing for the inevitable breach.

Cybersecurity is one of the biggest issues facing hotels – barely a day goes by without the report of another hotel chain being targeted, and for good reason; hotels have many of the openings that hackers look for, including multiple systems, wide access to WiFi (with limited or no security), valuable data, large numbers of employees and vendors with access to hotel systems, and customers that, unwittingly, can aid in carrying out a breach.

If you are interested in a copy of my presentation, you can reach me at



This article, written by Michael A. Gold, Partner at Jeffer Mangels Butler & Mitchell, was originally published by Bloomberg BNA Corporate Governance Report on October 7, 2013 and articulates the responsibility that corporate boards must own in order to protect the electronic assets of their organization. Read Cyber Risk and the Board of Directors –Closing the Gap.

The term ‘corporate assets’ may conjure up thoughts of mechanical equipment, financial instruments, computer hardware, and even personnel. Often overlooked in this terminology are an organization’s digital information assets, which may include high-value trade secrets, sensitive digital correspondence, business strategy information, or the financial and personally identifiable information of consumers.

Corporate directors have a duty to protect all organizational assets. While it is often assumed that cybersecurity threats are only a problem for high-tech companies, the truth is that the potential for a data breach poses a significant risk for any company that stores any of its data electronically. Threats to a company’s sensitive digital information include cyber-attacks, hacking, phishing, and ransomware scams, to name a few.

“Corporate boards can be timid about engaging cyber risk because the nature of these risks has no real parallel in the experience of most corporate directors.”

– Michael A. Gold

Due to the seemingly massive volume of information and the lack of time or personnel, cybersecurity fatigue besets many corporate boards. Corporate directors may focus their efforts on other priorities that are more closely related to their areas of expertise, believing that cybersecurity is being managed by the corporate information technology department.

It’s a common misconception among many organizational leaders that the corporate IT department is responsible for managing a company’s cybersecurity shield. Often, the truth is that IT departments are, in general, not experts in cybersecurity; in fact, many of the directives given to IT professionals run counter to good cybersecurity practice, favoring speed of access, simplified password protocols, or rushing to get a product or service to market quickly.


Also covered in this article is the role that corporate directors play in addressing cybersecurity risks, preparing for the possibility of a cyber-attack, and responding to data breaches, should one occur. Possible legal implications for the board and its members, as well as reports from Lockton Companies, a major insurance broker regarding the “increasing trend in D&O Claims filed as a result of data breach events, and lack of adequate disclosure surrounding such events,” are included.

Reproduced with permission from Corporate Governance Report, 16 CGR 120, 10/07/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033)

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. He is also a co-author of Bloomberg BNA’s Corporate Practice Series Portfolio 86, Records Retention for Enterprise Knowledge Management, which is available for purchase at  Contact Mike at or +1 310.201.3529.


On February 10, 2011, the California Supreme Court held in Pineda v. Williams Sonoma that ZIP codes are considered “personal identification information” under the Song-Beverly Credit Card Act, California Civil Code § 1747 et seq. (the “Act”). As previously discussed in our January and March 2009 client alerts, the Act is intended to protect consumer privacy rights by restricting the type of information retailers can request from consumers in connection with credit card transactions. At the same time, the Act also makes it difficult for retailers to collect information from their customers that could help them offer services and goods on a competitive basis.


The Act provides in part that retailers shall NOT do any of the following:

1. Request or require the cardholder to write any personal identification information on the credit card transaction form as a condition to accepting the credit card as payment in full or in part for goods or services.

2. Request or require the cardholder to provide personal identification information, which company personnel then write or otherwise record on the credit card transaction form, as a condition to accepting the credit card as payment.

3. Use a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder in any credit card transaction.

See Cal. Civ. Code § 1747.08(a).

Under the Act, personal identification information is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that ZIP codes did not fall within the definition of personal identification information.

This ruling allowed retailers to request ZIP code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.), and the customer is not required to give this information in order to consummate the transaction.

The trial court in Pineda applied Party City’s logic, and concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected this reasoning and relied on the Act’s protective purpose and expansive language, holding that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed misgivings about Williams-Sonoma’s “reverse append” practices and the potential for retailers to circumvent the Act by collecting indirectly what they cannot legally collect directly. In rejecting Party City, the Supreme Court pointed out that Williams-Sonoma had the following intention in requesting plaintiff’s ZIP code:

“[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. [Williams-Sonoma] uses its database to market products to customers and also sell the information it has compiled to other businesses.”

Although the Supreme Court may have had this particular fact-pattern in mind in overturning Party City, the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.”

Penalties for Violation

The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. In addition, more than a dozen national retail chains operating in California have been hit with lawsuits since the Pineda decision, setting off a flurry of litigation with most of the lawsuits being filed in San Francisco or Los Angeles courts.

Future Questions

One potential question that Pineda raises is whether ZIP codes are the end of the line or whether other “non-traditional” forms of personal identification information, such as email addresses and/or IP addresses, could be treated as personal identification information for purposes of the Act. In light of the court’s decision in Pineda, it seems possible that plaintiffs and consumer advocacy groups may wish to revisit the Symantec holding (discussed in our March 2009 Client Alert) in order to try to eliminate the “online” vs. “offline” distinction between retailers.

Suggested Actions

JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the aforementioned requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.