According to a New York Times story this weekend, the Security Exchange Commission’s lawsuit against SolarWinds is driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches. It turns out that such boards and departments may not be the only ones following the SEC’s increased focus on cybersecurity and data breaches.

Criminal threat actor group, BlackCat, reportedly posted on its dark web leak site that its latest cyberattack victim failed to comply with the soon to apply SEC four-day rule for reporting data breaches. As reported by databreaches.net, the hackers also filed a report with the SEC. How these developments will shape corporate disclosures, incident response planning, and reporting is unknown.

On the one hand, the New York Times article suggests, the use of boilerplate language by public companies to describe cybersecurity risks may be insufficient where the company is aware of more specific risks. On the other hand, more specific disclosures about potential risks could expose companies to increased attacks (yes, the bad guys do their research). And, there is some question about whether a primary SEC objective would be served, namely whether the average investor would be able to grasp the impact of more granular reporting on the sheer number of vulnerabilities such organizations face.

Still others worry about a chilling effect. In the SEC’s fraud case against SolarWinds, the agency named the company’s CISO as well as the company. The NYT reminded readers that personal exposure for CISOs following a major data breach is not new. Whether these developments provide an incentive not to document vulnerabilities raises some concerns.

But there may not be a chilling effect at all. The potential for personal liability might push some CISOs to over disclose or at least diverge from the wishes of other executives to “paint a rosy or maybe rosier-than-aligned-with-reality picture.”

Of course, these are the kinds of reactions that might be expected following the SEC’s enforcement action – are our disclosures sufficient, we have to be careful about disclosing too much about our vulnerabilities, will the CISO share too much or not enough to avoid personal liability, etc. Reconciling these competing concerns will not be easy, particularly in the absence of clear agency guidance and the facts of a given situation. Further, they are concerns that should not be limited to public companies.

That challenge becomes intensely more complex when criminal threat actors unpredictably join the discussion. For anyone that has been through a significant security incident investigation, there are a myriad of decision points that have to be made along what often is a very short timeline. Each decision, particularly decisions dealing with communication and reporting, and even when well-intended, comes with multiple facets – report to whom, report when, what must be communicated, it is accurate, it is complete, what if facts change, what will the effects be, etc.

Now knowing that threat actors may be bold enough to report to relevant government agencies may change the calculus of these deliberations.

Facing these issues for the first time when your organization has been compromised and criminal threat actors are demanding millions in ransom while reporting to your primary government regulator(s) is not a good business strategy. No incident response plan will be perfect or prepare the organization for every curveball that will be thrown in a data breach matter, but actively planning for these situations can help. This includes aligning with the organization’s CISO on existing systems vulnerabilities, how best to communicate about them, and addressing potential business and personal exposure in an increasingly complex regulatory environment.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.