This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, chief information security officers, chief information officers, chief technology officers, corporate counsel, internet and tech practitioners, and in-house counsel.
Colorado recently adopted a new law expanding companies’ obligations in the event of a cybersecurity incident, and establishing new data security and disposal obligations. Recent announcements by the SEC likewise emphasize important responsive points for both companies and their personnel in the wake of an incident.
Five key takeaways from these developments are highlighted below. In brief, proactively updating company policies, remediation plans, and disclosure and trading practices before a cybersecurity incident arises can go a long way towards efficiently working through a situation when it arises.
Colorado’s new breach and data security provisions
Colorado’s new law, which goes into effect on Sept. 1, 2018, contains several provisions that warrant proactive attention by companies and their personnel.
1. Update cybersecurity incident response procedures and ensure key stakeholders are well informed and prepared in advance
The new Colorado breach provisions impose quick response timelines on entities that identify a potential incident. Specifically, the provisions require that “covered entities” (any type of business or agency that maintains, owns, or licenses “personal information” about Colorado residents) must “conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused” when it becomes aware that a security breach “may have occurred.”
Entities then must notify all affected Colorado residents within 30 days of the date of determination that a security breach occurred, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Entities also must notify the Colorado Attorney General if the incident is reasonably believed to affect 500 or more Colorado residents, and must tell credit reporting agencies about incidents reasonably believed to affect 1,000 or more Colorado residents.
Numerous types of organizations that interact with Colorado residents may constitute “covered entities,” since “personal information” comprises a broad swath of data — including:
- a Colorado resident’s first name or first initial and last name in combination with other unencrypted, unredacted, or otherwise usable information (e.g., passport, driver’s license, military, student, or other identification numbers);
- medication information;
- biometric information; or
- other information that would permit a third party to access an individual’s user account (e.g., username plus security questions or password).
Moreover, the notifications must contain specific information:
- The date (or date range) of the breach;
- A description of the personal information that was acquired or is believed to have been acquired;
- Contact information for an individual’s further inquiries;
- Contact information for consumer reporting agencies;
- Contact information for the FTC; and
- A statement that the individual may obtain information about fraud alerts and security freezes from the FTC or credit reporting agencies.
As a result of these rigorous obligations, and the likelihood that events will continue to move quickly after public notice of a cybersecurity incident, entities covered by the Colorado provisions should proactively review existing incident response plans to ensure efficient identification of potential issues, prompt involvement of necessary players (including counsel), and timely notification in compliance with Colorado’s (and, of course, other domestic or foreign jurisdictions’) notice timeline and content requirements.
2. Update current data protection and destruction policies and practices
Two additional provisions of Colorado’s new law may necessitate updates to pre-existing data management policies and practices.
First, Colorado requires “covered entities” with “personal identifying information” — a subset of “personal information” — to implement certain security procedures. “Personal identifying information” includes:
- a social security number;
- a personal identification number;
- a password;
- a pass code;
- an official state or government-issued driver’s license or identification card number;
- a government passport number;
- biometric data;
- an employer, student, or military identification number.
Specifically, entities must “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the … information and the nature and size of the business.” Covered entities must also ensure that third parties reasonably protect personal identifying information that is disclosed to them.
Second, covered entities located in Colorado — even if they are headquartered, or conduct their primary operations, elsewhere — must create a written policy for the destruction or disposal of documentation containing “personal identifying information,” including a requirement that such information be destroyed when it is “no longer needed.”
Due to these new data handling requirements, entities and their personnel are well advised to reassess their data protection and destruction standards and practices to ensure that they keep pace with current industry and technological standards, as well as ensure the practices are attuned to the nature and size of the business as it evolves over time. Moreover, contracts with third-party providers should be revisited to ensure that vendors also take reasonable steps to protect information received from covered entities.
3. Review (and if needed, increase) insurance coverages for investigating and litigating potential incidents
Colorado’s Attorney General has the authority to bring an action to ensure compliance with, and recover direct economic damages resulting from, violations of any of the above provisions. Yet since these provisions were added to the Colorado Consumer Protection Act, which allows recovery of treble damages and attorneys’ fees, it also seems likely that enterprising plaintiffs’ attorneys would soon attempt to fashion private claims for alleged violations of the requirements. As a result, reviewing whether the entity and personnel have sufficient insurance coverage to cover the requisite internal or regulatory investigations, as well as litigation, in the event of an incident may be another wise precautionary step.
Addressing recent SEC enforcement activity
Recent announcements by the SEC this year highlight two additional considerations for entities and their personnel facing possible data security breaches.
4. Remain attuned to potential SEC/investor disclosures
Public companies, as well as private companies that may be providing disclosures to existing or prospective investors, should also consider their potential obligations to disclose a data security incident to the investing public and in SEC filings. Thus, in conjunction with implementing the items highlighted above, entities and their personnel should also ensure a comprehensive company-wide process that provides relevant cybersecurity information to disclosure decision-makers on a timely basis.
Earlier this year, the SEC released guidance on cybersecurity disclosures for public companies that updated the SEC’s prior 2011 guidance. This guidance reminded issuers that cybersecurity matters may impact entities’ public disclosures in multiple ways, including the management discussion and analysis, risk factor, legal proceeding, and business and operation disclosures in public filings. Incidents may also impact a company’s financial statement items.
The SEC’s recent guidance also encourages companies “to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly.” Companies should examine their disclosure controls and procedures to ensure that relevant information about cybersecurity risks and incidents is timely reported “up the corporate ladder” to officers and directors who make disclosure decisions and certifications.
Hammering these recommendations home, earlier this year the SEC also announced that the company formerly known as Yahoo! had agreed to pay a $35 million civil penalty to resolve claims that it failed to appropriately and timely disclose a 2014 data breach involving hundreds of millions of its user accounts. This announcement marked the first SEC public enforcement action and fine based on allegations that a public company misled investors by failing to disclose a cybersecurity attack.
The SEC recognized that its case was unique. In a contemporaneous press release, the SEC stated: “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
Even without SEC enforcement action, however, multiple other entities have faced public-relations concerns and private litigation after suffering incidents and perceived disclosure missteps.
5. Minimize individual liability risks
Companies and their personnel should consider appropriate preventative steps designed to help avoid misuses of material nonpublic information in the event of a cybersecurity incident. Designing and implementing strict policies to ensure a clear, deliberate, and coordinated disclosure of incidents to the public are crucial, since the situation after a breach can be chaotic.
Likewise, adopting policies that allow for the imposition of trading blackouts when special circumstances arise may help reduce improper trading by employees. Indeed, personnel who trade their company’s securities solely pursuant to a properly adopted Rule 10b5-1 plan provide themselves with very important safeguards in the event of an unexpected situation.
The SEC’s recent cybersecurity guidance addressed insider trading and selective disclosure considerations in the event of a cybersecurity incident. The SEC reminded entities and their personnel that information about a cybersecurity incident — particularly in the early stages of the situation — might constitute material, nonpublic information.
The SEC thus cautioned entities and their personnel against making selective disclosure of material, nonpublic information related to cybersecurity risks to investment professionals or other investors before such information is made public, in violation of Regulation FD.
Moreover, the SEC’s guidance encourages companies to update insider trading policies to account for, and prevent trading on, material, nonpublic information related to cybersecurity risks and incidents. Specifically, companies should consider whether it may be appropriate to implement restrictions on insider trading while companies are investigating potentially significant cybersecurity incidents and determining facts, ramifications, and materiality of such incidents. Entities and individuals should also consider ways to avoid the appearance of improper trading during the period following an incident and prior to public disclosure of that incident.
Again, recent SEC enforcement activity highlights the very real risks in this area. Specifically, the SEC and DOJ filed parallel criminal and civil actions against two different former Equifax employees who allegedly traded in the company’s securities after the company suffered its recent cybersecurity breach, but before the incident was publicized.
In one, the authorities alleged that the company’s chief information officer for the U.S. business unit was part of the team working on a project related to the breach, in the course of which he allegedly deduced that the company had suffered a breach and, days later, exercised and sold certain of his stock options before Equifax publicly announced the incident. Several months later, civil and criminal authorities alleged a generally similar fact pattern against a former Equifax software developer.
These recent developments in the Colorado and SEC regulatory cybersecurity landscape provide helpful reminders to entities and their personnel of the additional focus that cybersecurity issues warrant. These takeaways operate in conjunction with other preventative steps that companies can take to help avoid issues in the first instance.
Brian Neil Hoffman is of counsel with Holland & Hart LLP. A former SEC enforcement attorney, Brian defends clients in government and SRO investigations and litigates shareholder disputes. He can be reached at email@example.com.