The government appears to be increasing its enforcement efforts regarding cybersecurity risks. A three-judge panel of the U.S Court of Appeals for the Third Circuit recently held the FTC may bring a claim that a company’s allegedly inadequate data security practices constitute an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act, despite the absence of formal rulemaking.
In addition to the FTC, the SEC has signaled that it is closely monitoring public companies’ disclosures about their cybersecurity. Although the SEC’s last formal guidance on cybersecurity disclosure issues for public companies was in 2011, since then it has held a major roundtable on the issue, and has issued specific cybersecurity guidance to registered advisers following an examination sweep. The SEC’s enforcement division also has launched investigations following major breaches, focused on whether the companies adequately disclosed risks of a cyber attack, had proper internal controls, and provided adequate disclosure following the breach. Following one of those investigations, into the breach of Target Corporation in 2013, the SEC concluded its investigation without charges, according to Target’s August 25, 2015 10‑Q filing.
Although the SEC has yet to bring an enforcement action against a public company for sub-par cyber disclosures, the enforcement division did recently bring a major case against 32 individuals who illegally profited by over $100 million by hacking into news wires and stealing advance copies of companies’ earnings releases. This action highlights the varied ways that cyber vulnerabilities can be used to harm public companies and investors, and demonstrates the SEC’s resolve to investigate and bring enforcement cases in the cyber space.
The Bottom Line: Recently, SEC Commissioner Luis Aguilar declared that “cybersecurity is one of the defining issues of our time.” With the FTC and the SEC each seeking to expand their reach in this area, companies should focus extra attention on ensuring that their organizations maintain the most up-to-date defenses against cyber criminals, and that any public disclosures before or after a breach incident are fully accurate.
