Privacy & Information Security Law Blog

On May 21, 2024, staff of the U.S. Securities and Exchange Commission published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K. This blog entry provides highlights from the guidance.

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

As we previously reported, the U.S. Securities and Exchange Commission’s (“SEC”) new Form 8-K rules for reporting material cybersecurity incidents take effect today, December 18, for filers other than smaller reporting companies. The new rules require reporting to the SEC within four business days from the determination of materiality.

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation and its Chief Information Security Officer (“CISO”), Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The SEC’s complaint alleges that, from SolarWinds’ October 2018 initial public offering through its December 2020 8-K filing, the company was the target of a massive, nearly two-year long cyberattack, known as SUNBURST, and defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks. The SEC has alleged that SolarWinds (1) mislead investors by disclosing only generic and hypothetical risks when the company and Brown allegedly knew of specific deficiencies in SolarWinds’ cybersecurity practices; (2) issued public statements about its cybersecurity practices and risks that were allegedly at odds with its internal assessments; and (3) discussed internally in 2019 and 2020 questions regarding the company’s ability to protect its critical assets from cyberattacks; and (4) made an incomplete disclosure about the SUNBURST attack in the company’s Form 8-K filing on December 14, 2020. In addition, the SEC alleged that Timothy Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but did not resolve the issues or sufficiently raise them further within the company.

On July 25, 2023, Hunton published a client alert discussing the importance of cyber and directors and officers (“D&O”) liability insurance for companies and their executives to guard against cyber-related exposures. In today’s ever-changing threat landscape, all organizations are at risk of damaging cyber incidents and resulting investigations and lawsuits, underscoring the importance of utilizing all tools in a company’s risk mitigation toolkit, including insurance, to address these exposures. 

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted long-anticipated disclosure rules for public companies by a 3-2 party-line vote. The final rules apply both to U.S. domestic public companies, as well as any offshore company that qualifies as a “foreign private issuer” under SEC rules due to a strong nexus to the U.S. capital markets. The new rules are effective as soon as December 18, 2023, as detailed further below.

On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.

On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.

On January 25, 2023, Hunton Andrews Kurth’s retail industry team released its annual Retail Industry in Review publication, which provides an overview of key issues and trends that impacted the retail sector in the past year, as well as a preview of relevant legal issues retailers can expect to arise in 2023. This year’s publication highlights key topics including cyber insurance, cybersecurity and privacy accountability, M&A activity, regulation and litigation related to PFAS, labor organizing, developments in ESG disclosure and more.

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers. Morgan Stanley settled the SEC’s claims without agreeing to or denying the agency’s findings. 

On August 16, 2022, the Securities and Exchange Commission (“SEC”) charged 18 individuals and entities in relation to their involvement in a fraudulent hacking scheme. The scheme targeted and hacked 31 online retail brokerage accounts and forced them to make large purchases of certain stocks from two public microcap companies: Lotus Bio-Technology Development Corp. (“LBTD”) and Good Gaming, Inc. (“GMER”). The owners of the accounts that purchased the shares did not authorize the purchases. Both LBTD and GMER already were controlled in large blocks by fraudsters who repeatedly took steps to conceal their ownership. In doing so, the fraudsters artificially inflated the trading price and volume of the stocks and then sold the shares they had acquired at the inflated prices, generating approximately $1.3 million in proceeds and creating substantial profits.

On July 22, 2022, T-Mobile entered into an agreement to settle a class action lawsuit stemming from its 2021 data breach. The breach involved the personal information of 76.6 million U.S. residents and was T-Mobile’s fifth breach over a four year period. The proposed settlement will require T-Mobile to pay $500 million to settle customers’ claims and to bolster its cybersecurity practices.  

On March 9, 2022, the Biden Administration released its much-anticipated “Executive Order on Ensuring Responsible Development of Digital Assets” (“Executive Order”). The White House describes the Executive Order as the “first whole-of-government strategy” on digital assets and attempts to strike a balance between encouraging innovation and U.S. leadership in the digital asset space, while signaling an appetite to protect against a variety of stated risks through additional regulation and legislation.

On March 9, 2022, the Securities and Exchange Commission (“SEC”) held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. If adopted, the new rules would impose substantial new reporting obligations with respect to material cybersecurity incidents and cybersecurity risk management, strategy, and governance for both domestic and foreign private issuers subject to the reporting requirements under the Securities Exchange Act of 1934.

On February 9, 2022, the SEC proposed new cybersecurity compliance and disclosure rules for the investment management industry in a three to one vote. If adopted, the proposed rules would apply to registered investment advisers (“RIAs”), certain registered investment companies (“RICs”) and business development companies (“BDCs,” together with RICs, “registered funds”).  Notably, the proposal would require RIAs to notify the SEC on a confidential basis within 48 hours of discovering a significant cybersecurity incident. The proposed rules represent the first of several rule proposals on cybersecurity that SEC Chair Gensler has indicated are forthcoming from the agency.

On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative. Led by the Department of Justice (“DOJ”) Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will seek to “utilize the False Claims Act (“FCA”) to pursue cybersecurity related fraud by government contractors and grant recipients.”

On September 14, 2021, the Securities and Exchange Commission (“SEC”) announced that analytics firm, App Annie Inc., and its co-founder and former CEO and Chairman Bertrand Schmitt, agreed to pay approximately $10 million to settle securities fraud charges for engaging in deceptive practices and making material misrepresentations about “alternative data” sold by the company. Notably, this is the SEC’s first enforcement action charging an alternative data provider with securities fraud.

On August 30, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that it had settled three administrative cases involving a total of eight registered broker-dealers and investment advisers for failures in their cybersecurity policies and procedures. These failures led to email account takeovers that exposed personal information of thousands of customers at each firm. The cases are In the Matter of Cetera Advisor Networks LLC, Release No. 34-92800; In the Matter of Cambridge Investment Research, Inc., Release No. 34-92806; and In the Matter of KMS Financial Services, Inc., Release No. 34-92807, August 30, 2021.

On August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

On June 15, 2021, the SEC announced it settled charges against real estate services company First American Financial Corporation (“First American”) for alleged violation of Rule 13a-15(a) of the Exchange Act. The SEC charged First American with failure to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning a software vulnerability that led to a cybersecurity incident was filed with the Commission.

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”).

In part 2 of an S4x20 video on Cybersecurity Law and Governance, Lisa Sotto, Chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, addresses the U.S. Securities and Exchange Commission’s (“SEC’s”) expectations of public companies with respect to robust and timely disclosures of cyber incidents and risks. Despite being inactive in the early years of cybersecurity incidents, the SEC is now quite active in pursing appropriate cybersecurity disclosure, and the agency formed a cyber unit in 2018. In this video, Sotto highlights the uptick in enforcement ...

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently announced the publication of a report entitled “Cybersecurity and Resiliency Observations.” The report summarizes the observations gleaned from OCIE’s cybersecurity examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.

In addition to Facebook’s record-breaking Federal Trade Commission penalty and settlement order, on July 24, 2019, the Securities and Exchange Commission announced charges against Facebook for inadequate and misleading disclosures over its privacy practices. Facebook, without admitting or denying the SEC’s allegations, has agreed to the entry of a final judgment ordering a fine of $100 million.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a white paper on Organizational Accountability’s Existence in U.S. Regulatory Compliance and its Relevance for a Federal Data Privacy Law (the “White Paper”).

On July 9, 2019, the UK Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 (approximately $124 million) for infringements of the EU General Data Protection Regulation (“GDPR”). The ICO’s announcement followed Marriott’s notification of the proposed fine to the U.S. Securities and Exchange Commission (“SEC”).

On September 26, 2018, the SEC announced a settlement with Voya Financial Advisers, Inc. (“Voya”), a registered investment advisor and broker-dealer, for violating Regulation S-ID, also known as the “Identity Theft Red Flags Rule,” as well as Regulation S-P, the “Safeguards Rule.” Together, Regulations S-ID and S-P are designed to require covered entities to help protect customers from the risk of identity theft and to safeguard confidential customer information. The settlement represents the first SEC enforcement action brought under Regulation S-ID.

On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised.

On March 7, 2018, Hunton & Williams LLP hosted a webinar with partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon on the Securities and Exchange Commission’s (“SEC’s”) recently released cybersecurity guidance. For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk.

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) published long-awaited cybersecurity interpretive guidance (the “Guidance”). The Guidance marks the first time that the five SEC commissioners, as opposed to agency staff, have provided guidance to U.S. public companies with regard to their cybersecurity disclosure and compliance obligations.

On August 7, 2017, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert examining the cybersecurity policies and procedures of 75 broker-dealers, investment advisers and investment companies (collectively, the “firms”). The Risk Alert builds on OCIE’s 2014 Cybersecurity Initiative, a prior cybersecurity examination of the firms, and notes that while OCIE “observed increased cybersecurity preparedness” among the firms since 2014, it “also observed areas where compliance and oversight could be improved.”

In 2017, over $1.3 billion has been raised by start-ups through Initial Coin Offerings (“ICOs”), a relatively new form of financing technique in which a company (typically one operating in the digital currency space) seeking to raise seed money makes a “token” available for sale, and the token gives the purchaser some future right in the business or other benefit. Amidst much anticipation, on July 25, 2017, the Securities and Exchange Commission (“SEC”) released a Report of Investigation (“Report”) under Section 21(a) of the Securities Exchange Act of 1934 ...

On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.

On December 21, 2016, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined 12 financial institutions a total of $14.4 million for improper storage of electronic broker-dealer and customer records. Federal securities law and FINRA rules require that business-related electronic records be kept in “write once, read many” (“WORM”) format, which prevents alteration or destruction. FINRA found that the 12 sanctioned firms had failed to store such records in WORM format, in many cases for extended periods of time.

On December 27, 2016, the Securities and Exchange Commission (“SEC”) announced charges against three Chinese traders who allegedly made almost $3 million in illegal profits by fraudulently trading on nonpublic information that had been hacked from two New York-based law firms. This is the first action in which the SEC has brought charges in connection with an incident involving hacking into a law firm’s computer network.

Recently, Aegerion Pharmaceuticals announced that it will enter into several settlements and plead guilty to two misdemeanors in connection with alleged violations of HIPAA, drug marketing regulations and securities laws. The criminal charges stem from the company’s marketing of a cholesterol drug called Juxtapid. Aegerion allegedly failed to comply with risk evaluation and management strategies and marketed Juxtapid (which is labeled with a warning about liver toxicity) without proper directions for use. 

• How are the company’s cyber risks communicated to the board, by whom and with what frequency?
• Has the board evaluated and approved the company’s cybersecurity strategy?
• How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
• How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
• When did the board last discuss whether the company’s disclosure of cyber risk and cyber incident is consistent with SEC guidance?

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.

Hunton & Williams LLP partners Lisa J. Sotto, Scott H. Kimpel and Matthew P. Bosher recently published an article in Westlaw Journal’s Securities Litigation & Regulation entitled SEC Cybersecurity Investigations: A How-to Guide. The article details the U.S. Securities and Exchange Commission’s (“SEC’s”) role in cybersecurity regulation and enforcement, and offers best practice tips for navigating the investigative process. In the article, the authors note that the threat of an SEC enforcement investigation must be considered an integral part of cybersecurity ...

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released a Risk Alert, entitled Cybersecurity Examination Sweep Summary, summarizing observations from the recent round of cybersecurity examinations of registered broker-dealers and investment advisers under the Cybersecurity Examination Initiative. Conducted by the SEC Office of Compliance Inspections and Examinations (“OCIE”) from 2013 through April 2014, the examinations inspected the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers through interviews and document reviews. The examinations evaluated the institutions’ practices in key areas such as risk management, cybersecurity governance, network security, information protection, vendor management and incident detection.

Cyber incidents have become more common — and more severe — in recent years. Like other federal agencies, the Securities and Exchange Commission (“Commission”) has recently been analyzing the applicability of its existing regulations relating to cybersecurity risks. The Commission’s efforts are focused on maintaining the integrity of market systems, protecting customer data and the disclosure of material information. We provide an overview of recent developments in public company cybersecurity disclosure of particular interest to public companies.

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

Triple-S Management Corporation reported in the 8-K it recently filed with the U.S. Securities and Exchange Commission that its health insurance subsidiary, Triple-S Salud, Inc. (“Triple S”), which is Puerto Rico’s largest health insurer, will be fined $6.8 million for a data breach that occurred in September 2013. The civil monetary penalty, which is being levied by the Puerto Rico Health Insurance Administration, will be the largest fine ever imposed following a breach of protected health information.

On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules that require broker-dealers, mutual funds, investment advisers and certain other regulated entities to adopt programs designed to detect “red flags” and prevent identity theft. These rules implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, that amended the Fair Credit Reporting Act (“FCRA”) to direct the SEC and the CFTC to adopt rules requiring regulated entities to address risks of identity theft. The 2003 amendments to the FCRA required other regulatory authorities to issue identity theft red flags rules, but did not authorize or require the SEC or the CFTC to issue their own rules.

On April 2, 2013, the Securities and Exchange Commission issued a report regarding the investigation of a prominent public company and its CEO over disclosures made on the CEO’s personal social media page. The Commission did not bring enforcement charges in this case, but the report set forth the Commission’s view that, under certain circumstances, issuer-sponsored social media can be a permissible channel of dissemination of information under Regulation FD.

Adopted in 2000, Regulation FD generally prohibits public companies and personnel acting on their behalf from ...

As reported in The Washington Post, large financial institutions are increasingly disclosing cyber attacks, and potential vulnerability to cyber threats, in their annual reports filed with the Securities and Exchange Commission. Numerous banks disclosed such attacks in their 2012 reports, even in cases where the ongoing threat of the attacks did not result in any material harm to the institution. For example:

On October 13, 2011, the Securities and Exchange Commission Division of Corporation Finance issued disclosure guidance (“Guidance”) regarding cybersecurity matters and cyber incidents. While the Guidance does not change existing disclosure requirements, it does add specificity to existing requirements. In some respects, that specificity is helpful, but the Guidance fails to take into account the uncertainty that inevitably accompanies efforts to assess and disclose cybersecurity matters and incidents.

Read a detailed summary of the Guidance and analysis regarding ...

On April 7, 2011, the Securities and Exchange Commission announced a settlement involving three former brokerage firm executives charged with “failing to protect confidential information about their customers.”  According to the announcement, “this is the first time that the SEC has assessed financial penalties against individuals charged solely with violations of Regulation S-P.”  Regulation S-P mandates that financial firms safeguard their customers’ confidential information and prevent its release to unaffiliated third parties without authorization.

As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).  Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC "shall not be compelled to disclose" certain information it obtains pursuant to the '34 Act when conducting surveillance, risk assessments or other regulatory and oversight activities.