When implementing breach response policies and enterprise-level security measures, companies rely on regulatory guidance. Historically, when responding to security breaches and preparing breach remediation plans in advance, companies have looked to the guidance issued by the applicable governmental authority. Medical device manufacturers look to guidance from the FDA; financial institutions look to the FDIC, the Federal Reserve, and the OCC. Until two weeks ago, SEC enforcement actions for data breaches were not top of mind for most companies. That changed this month when the SEC announced it had settled with a public company in connection with a data breach that exposed sensitive customer information. The charges brought by the SEC did not concern the breach itself; rather, the SEC argued that the circumstances of the breach constituted a violation of Rule 13a-15 of the Exchange Act, which requires every issuer of a security registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures.
Under a conventional analysis, the affected company appears to have acted prudently and with good business judgment based on the information it had. When senior executives learned of a system design defect that could result in a security compromise, they took immediate action: they blocked external access to the vulnerable application, issued a press release, and filed a Form 8-K, as required by the SEC.
Notwithstanding the immediate response, the SEC still brought charges against the company. The charges rested on the fact that the vulnerability had been identified several months before the disclosure but was neither remedied nor reported to senior leadership. The SEC argued that this failure to report up the leadership chain was evidence that the related controls and procedures were deficient. Without admitting or denying the SEC's findings, the affected company agreed to a cease-and-desist order and paid a penalty nearing half a million dollars.
This settlement underscores the need for strong corporate governance to ensure that disclosures are complete and accurate. When drafting and adopting security and breach policies, public companies should put controls in place that guarantee comprehensive and timely reporting of security issues up the chain of leadership.