Introduction
According to Javelin Strategy & Research, in 2017, there were 16.7 million victims of identity fraud and $16.8 billion was stolen.1 Even more shockingly, “30 percent of U.S. consumers were notified of a data breach last year.”2 With another large company being hacked seemingly every week,3 the SEC is feeling the pressure to do what they can to mitigate this, and as a result, they are becoming increasingly more active in their efforts to identify and manage growing cybersecurity risks.
SEC Chairman Jay Clayton has said that, in addition to maintaining proper internal procedures for data security at the SEC, “[p]romoting effective cybersecurity practices by market participants is critical to . . . the SEC’s mission.”4 In response to the relatively recent concerns over cybersecurity, the SEC has incorporated more data protection considerations into their regular efforts to promote effective disclosure and oversight of the markets.5 On this front, the SEC has three primary means of enforcing cybersecurity compliance: (1) Regulation S-ID; (2) Regulation S-P; and (3) entity-specific guidance.6
Ensuring compliance with Regulation S-ID and Regulation S-P is of paramount concern for financial companies with stores of customers’ personal data. Additionally, the SEC must contend with companies that either hide or fail to notice data breaches. However, since this typically amounts to fraud, they have plenty of traditional tools at their disposal.
While the SEC has been issuing guidance to companies under its purview since 2011, they have only recently escalated their efforts with the respect to “broker-dealers, investment advisers, investment companies, credit rating agencies and other market participants registered with the SEC.”7 The intensified use of Regulation S-ID and Regulation S-P to keep market participants in line was recently demonstrated in the case of Voya Financial Advisers (“Voya”), with whom the SEC agreed to a $1 million settlement.8 In 2014, the SEC settled charges against Morgan Stanley for violations of Regulation S-P.9 In one of the biggest penalties of all time, Altaba paid $35 million in fines for failure to disclose a data breach.10
The Voya, Morgan Stanley, and Altaba cases highlight growing concerns about cybersecurity nationwide and foreshadow the tightening of corporate cybersecurity regulation. In a recent public statement, the SEC made clear that companies “must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.”11 If financial firms are going to avoid violations, they will need to strengthen their data protection programs and become much more familiar with Regulation S-ID and Regulation S-P.
Identity Theft Red Flags Rule
One of the newer ways that the SEC is attempting to control cybersecurity threats is by invoking Regulation S-ID, otherwise known as the “Identity Theft Red Flags Rule.” In late September of 2018, the SEC announced a settlement with Voya for violating the Identity Theft Red Flags Rule.12 According to the SEC’s order, “cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset.”13 This maneuver allowed the intruders to gain access to the personal information of 5,600 VFA customers.14
Voya is the investment advisory unit of Voya Financial (NYSE:VOYA). Voya Financial is an American financial services company that provides retirement services, investment management, employee benefits, and insurance to millions of people nationwide.15 With “approximately $541 billion in total AUM,” or assets under management, it’s safe to say that they are a big player in the financial services industry.16 As a financial services company, Voya controls not only millions of Americans’ personal wealth, but also their personal information, such as home addresses, email addresses, credit card numbers, and social security numbers.
Under the Identity Theft Red Flags Rule, certain financial companies are required to have in place a written identity theft program that enables them to detect the occurrence of “red flags” and respond appropriately.17 While Voya settled without admitting or denying the charges, an SEC press release announced that “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”18
The Identity Theft Red Flags Rule was designed to secure confidential customer information and protect customers from identity theft.19 More specifically, it requires financial institutions and creditors to “develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.”20 The Identity Theft Red Flags Rule came into the SEC’s purview on May 20th, 2013 as the implementation of several provisions in the Dodd-Frank Wall Street Reform and Consumer Protection Act.21 Before Voya, the Identity Theft Red Flags Rule had never been used before.22 After Voya, Robert A. Cohen, chief of the SEC enforcement division’s cyber unit, warned that “[t]his case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models.”23
Safeguard Rule
The Identity Theft Red Flags Rule, also known as Regulation S-ID, is not the only way that the SEC is empowered to combat identity theft. Additionally, there is Regulation S-P, sometimes called the “Safeguards Rule.”24 The Safeguards Rule was promulgated under the Gramm-Leach-Bliley Act and came into force in 2000.25 It requires that financial institutions “provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless . . . the consumer has not elected to opt out of the disclosure.”26 The Safeguards Rule further requires the every broker-dealer or investment advisor that’s registered with the SEC to establish “written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”27
Two years before the Voya settlement, in 2016, Morgan Stanley (NYSE:MS) had also agreed to a settlement of $1 million with the SEC.28 At issue were the unauthorized transfers of personal data from 730,000 accounts over the period from 2011 to 2014.29 An employee of Morgan Stanley downloaded personal information from these accounts to his personal server.30 It’s unclear what he planned to do with it, but his personal server was then hacked by a third party who began to sell the information online.31
That the employee was able to get ahold of the information in the first place demonstrated grossly inadequate policies and procedures. According to the SEC press release announcing the settlement, Morgan Stanley “did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.”32 Additionally, Morgan Stanley did not “audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.”33
According to John Reed Stark, who runs a digital compliance firm, the Safeguards Rule is the cornerstone of the SEC’s cybersecurity platform.34 Just as the Internal Controls Provision of the Securities Exchange Act is something like a “standard minimum charge” in accounting-related enforcement actions, the Safeguards Rule is one of the SEC’s most easily accessible policing tools.35 And just like the accounting standards established for Sarbanes-Oxley, some experts suggest that there may soon be similar regulations for cybersecurity controls that require individual officers or directors to sign off and assume responsibility.36
Reporting Breaches
The Identity Theft Red Flags Rule and the Safeguards Rule are useful for policing the companies’ policies and procedures, but another major problem for the SEC is the nondisclosure of the breaches once they occur. Earlier this year, Altaba, which was formerly known as Yahoo! Inc. paid a $35 million penalty to the SEC for failing to disclose “one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”37 On top of that, they also settled a class action with private litigants for $47 million.38 Instead of using the Identity Theft Red Flags Rule or the Safeguards Rule, the SEC was able to charge them under Section 17 of the Securities Act of 1933.39 Section 17 is the key enforcement provision of the act and prohibits fraud and misrepresentations in the offer or sale of securities.40
Unlike in the Altaba case, the Morgan Stanley breach was self-reported to the SEC upon discovery.41 However, this is unfortunately not the standard course of events for data breaches.42 The situation that unfolded with Altaba is much more common. While there have been 4,732 cyberattacks on American businesses since 2011, only 106 companies have reported these incidents to the SEC.43
It’s important to note that public companies have an obligation to disclose information to their investors if it is material.44 In practice, this means that the information would be considered significant to a reasonable investor in their decision-making.45 Given the magnitude of the most recent breaches and the public relations effects, data breaches are almost always material. If these laws have been in place for a while now, why do so few public companies report breaches?
One could hypothesize that the companies are just trying to save their own skins, especially if upper management was directly or indirectly involved. Additionally, it seems only logical that a company would want to suppress information that could sink their stock price or worry investors. However, Craig Newman, a partner with Patterson Belknap Webb & Tyler in New York, suggested in March that it has a lot to do with companies’ desire to cooperate with law enforcement.46 Sometimes, going public with the information can risk the criminal investigation itself, but the company also owes a duty to its shareholders and the law. This tension can make it very difficult for companies to know what to do.
To combat this, the SEC published an update to a 2011 cybersecurity statement explaining that public companies “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”47 Importantly, this applies only to publicly traded companies. Additionally, the SEC’s statement is not legally binding.48 However, we can be sure that going against the SEC’s interpretations of the law is asking for a lawsuit.
Conclusion
While we can’t prevent all data breaches, companies should be taking cybersecurity much more seriously. While the Identity Theft Red Flags Rule and the Safeguards Rule apply primarily to financial institutions with vast stores of customer information, all companies should be taking notice of the SEC’s fervor. As cyber security becomes more mainstream, more industries will be affected. Additionally, even these financial-focused rules may touch companies in unexpected ways. The Safeguards Rule, for example, doesn’t apply just to traditional financial institutions, but also to untraditional ones like auto dealerships that receive customer information from financial institutions.49
There are several things that companies can do to bolster their cybersecurity systems. First, they should be regularly auditing and the effectiveness of their systems and monitoring their employees’ access to sensitive information. They can also engage experts to conduct what’s known as “penetration testing,” whereby the consultants attempt to hack into the company and discover vulnerabilities.50 Lastly, companies need to be prepared to quickly disclose any material cybersecurity incidents that do occur to their shareholders and the SEC.
On October 16th, the SEC revealed an investigation of nine unidentified, publicly-listed companies in a variety of industries for failure to maintain proper cybersecurity.51 Combined, employees were defrauded of almost $100 million.52 The failures to disclose frauds aren’t going to stop unless companies are proactive about preventing the fraud in the first place with adequate monitoring systems. As one law firm partner noted, “[t]his is the shot across the bow, a warning for everyone.”53
Facts + Statistics: Identity Theft and Cybercrime,Ins. Info. Inst., https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime (last visited Nov. 2, 2018). ↩
Id. ↩
See Russel Brandom, Facebook Hacker Accessed Personal Details for 29 Million Accounts,Verge (Oct. 12, 2018, 12:48 PM), https://www.theverge.com/2018/10/12/17968302/facebook-hacker-personal-details-29-million-accounts. ↩
Jay Clayton, Statement on Cybersecurity,U.S. Sec. & Exchange Comm’n (Sept. 20, 2017), https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20. ↩
See id. ↩
Id. ↩
Id. ↩
See Craig A. Newman, The S.E.C. Dusts Off a Never-Used Cyber Enforcement Tool,N.Y. Times (Oct. 8, 2018), https://www.nytimes.com/2018/10/08/business/dealbook/voya-sec-cyber.html?rref=collection%2Fsectioncollection%2Fbusiness. ↩
See Jonathan Stempel, Morgan Stanley Pays $1 Million SEC Fine over Stolen Customer Data,Reuters (Jun. 8, 2016, 1:11 PM), https://www.reuters.com/article/us-morgan-stanley-sec/morgan-stanley-pays-1-million-sec-fine-over-stolen-customer-data-idUSKCN0YU27J. ↩
See Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million,U.S. Sec. & Exchange Comm’n (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71. ↩
Id. ↩
Newman, supra note 8. ↩
SEC Charges Firm with Deficient Cybersecurity Procedures,U.S. Sec. & Exchange Comm’n (Sep. 26, 2018), https://www.sec.gov/news/press-release/2018-213. ↩
Id. ↩
See Company Profile,Voya Fin., http://corporate.voya.com/company-overview/company-profile (last visited Nov. 2, 2018). ↩
Why Voya?,Voya Financial, http://investors.voya.com/why-voya/default.aspx (last visited Nov. 2, 2018). ↩
See SEC Fines Broker-Dealer $1 Million in First Enforcement Action Under Identity Theft Rule,Hunton Andrews Kurth (Oct. 5, 2018), https://www.huntonprivacyblog.com/2018/10/05/sec-fines-broker-dealer-1-million-first-enforcement-action-identity-theft-rule. ↩
SEC Charges Firm with Deficient Cybersecurity Procedures, supra note 13. ↩
See id. ↩
See Regulation S-ID: Identity Theft Red Flags, 17 C.F.R. §§ 248.201-248.202 (2013). ↩
See SEC Release No. 34-69359 (Apr. 10, 2013), Identity Theft Red Flag Rules, 78 Fed. Reg. 23,638 (Apr. 19, 2013). ↩
Newman, supra note 8. ↩
Ryan W. Neal, Voya Pays $1 Million to Settle SEC Charges over Cybersecurity Breach,InvestmentNews (Sep. 26, 2018, 2:31 PM), https://www.investmentnews.com/article/20180926/FREE/180929934/voya-pays-1-million-to-settle-sec-charges-over-cybersecurity-breach. ↩
See SEC Fines Broker-Dealer $1 Million in First Enforcement Action Under Identity Theft Rule, supra note 17. ↩
See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, 17 C.F.R. §§ 248.1-248.100 (2000). ↩
Id. ↩
US SEC Highlights Focus on Cybersecurity in Enforcement Action for Safeguards Rule Violations,Mayer Brown (Jul. 13, 2016), https://www.mayerbrown.com/US-SEC-Highlights-Focus-on-Cybersecurity-in-Enforcement-Action-for-Safeguards-Rule-Violations-07-13-2016/. ↩
See Stempel, supra note 9. ↩
Id. ↩
US SEC Highlights Focus on Cybersecurity in Enforcement Action for Safeguards Rule Violations, supra note 27. ↩
See id. ↩
SEC: Morgan Stanley Failed to Safeguard Customer Data,U.S. Sec. & Exchange Comm’n (Jun. 8, 2016), https://www.sec.gov/news/pressrelease/2016-112.html. ↩
Id. ↩
John Reed Stark, 8 Critical Lessons From Morgan Stanley Cybersecurity Case,Law360 (Jun. 24, 2016, 11:54 AM), https://www.law360.com/articles/810323/8-critical-lessons-from-morgan-stanley-cybersecurity-case. ↩
Id. ↩
See White and Williams LLP, Trick or Treat: Does the SEC’s October Report Signal a New Shift in Cybersecurity Enforcement?,Law360 (Oct. 29, 2018), https://www.jdsupra.com/legalnews/trick-or-treat-does-the-sec-s-october-32432/. ↩
Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, supra note 10. ↩
Zack Whittaker, Altaba to Settle Lawsuits Relating to Yahoo Data Breach for $47 Million,TechCrunch, https://techhttps://techcrunch.com/2018/09/17/altaba-to-settle-lawsuits-relating-to-yahoo-data-breach-for-47-million/ (last visited Nov. 2, 2018). ↩
Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, supra note 10. ↩
See Section 17(a) of the Securities Act of 1933: Unanswered Questions,Keker, Van Nest & Peters (Jul. 8, 2013), https://www.keker.com/news/news-items/Section-17-a-of-the-Securities-Act-of-1933-Unanswered-Questions-. ↩
See US SEC Highlights Focus on Cybersecurity in Enforcement Action for Safeguards Rule Violations, supra note 27. ↩
See Craig A. Newman, When to Report a Cyberattack? For Companies, That’s Still a Dilemma,N.Y. Times (Mar. 5, 2018), https://www.nytimes.com/2018/03/05/business/dealbook/sec-cybersecurity-guidance.html?module=inline. ↩
Id. ↩
See 17C.F.R. § 240.10b-5. ↩
See Basic, Inc. v. Levinson, 485 U.S. 224 (1988). ↩
See Newman, supra note 42. ↩
Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166 (issued Feb. 26, 2018) (to be codified at 17 C.F.R. pts. 229, 249). ↩
See id. ↩
See Tony Argiz and Phil Villegas, Complying With the Safeguards Rule of the Gramm-Leach-Bliley Act, MBAF Certified Pub. Acct. & Advisors (Feb. 1, 2004), https://mbafcpa.com/advisories/complying-with-the-safeguards-rule-of-the-grammleachbliley-ac/. ↩
Stark, supra note 34. ↩
See Tom Zanki, SEC Looks Set to Bring New Wave of Cyber-Fraud Cases,Law360 (Oct. 25, 2018, 9:24 PM), https://www.law360.com/cybersecurity-privacy/articles/1095614/sec-looks-set-to-bring-new-wave-of-cyber-fraud-cases. ↩
See id. ↩
Id. ↩