At a recent meeting of the Twin Cities Chapter of the Society for Corporate Governance, Dorsey’s Bob Cattanach shared details on California’s Consumer Privacy Act – or as he called it, “the single most difficult cyber development in the US over the last decade.”
With the legislation set to become effective next January, Bob & other litigators are predicting a surge in class actions for companies that do business in that state. That’s because the provision that allows consumers to recover up to $750 in damages per incident makes it much easier to show that the breach caused injury (and as this Womble Bond Dickinson chart says, a pending amendment may even allow consumers to sue for violations other than data breaches). So plaintiffs’ firms are lining up – and there’s reason to think twice about automatically treating any cyber incident as a “breach,” before you’re certain that breach notification & disclosure requirements have been triggered.
Bob noted that practicing mock breach scenarios under your “incident response plan” is now all the more important. With so much more soon to be at stake, you will need to anticipate, in advance, the challenges of assessing your many overlapping disclosure obligations, and the likely lack of sufficient & reliable information on which to base decisions within increasingly short time periods.
Cyber Breach Disclosure: 90% of Incidents Aren’t “Material”?
One of the many things that makes cyber breach disclosure a tricky issue is that the market can get info from notices that are required by state law, even if a company doesn’t disclose the incident in a press release or 8-K. Last summer, I blogged that SEC Commissioner Rob Jackson was concerned that this creates an opportunity for “arbitrage” – and market overreactions.
Disclosure of cyber incidents seems to be trending up, but it’s still rare. That’s according to this WSJ article, which says that Rob is still focused on the issue – and that he thinks companies might benefit from a bright-line disclosure rule. According to his latest research, 10% of known cyber incidents were disclosed in SEC filings in 2018. That compares to 3% in 2017, before the SEC issued its disclosure guidance.
Consistent with those findings, this Audit Analytics blog reports that 121 breaches were disclosed in SEC filings last year – compared to the thousands of breaches & “incidents” identified in Verizon’s latest “Data Breach Investigations Report.” Audit Analytics also found that it takes companies a little over a month to discover a breach and another 4-6 weeks to report it – i.e. 2-5 months between the time of the initial breach and the time of disclosure – and companies vary widely in the level of detail they disclose about the breach.
Meanwhile, this blog says that the SEC’s Enforcement Division remains focused on cybersecurity controls & inadequate disclosure. Relevant factors for investigations include “how the information was accessed, whether there were sufficient walls in place, when the company knew about the intrusion, what the company did in response to the intrusion, and when the company came forward.”
Cybersecurity: When the Threat Comes From Inside
A significant number of cybersecurity incidents & breaches are the result of “privilege misuse” by employees and independent contractors, according to Verizon’s 11th annual “Data Breach Investigations Report.” It also says that “miscellaneous errors” are the second-most common cause of breaches! Hacks can happen if an employee or director is using a personal email account to send confidential documents, or faxing information to an unconfirmed number.
This “Insider Threat Report” – also from Verizon – suggests ways to minimize these internal risks through internal controls. The report’s sample fact patterns could serve as “table top exercises” to help you simulate all of the issues that arise when a data breach happens – including the need to make disclosure & insider trading decisions. Note that Verizon recommends limiting employee access to sensitive data (pg. 9), which is a step some companies are also taking to prevent insider trading. Also see this blog about how law firms can help clients address the risk of internal threats.
– Liz Dunshee