The Securities and Exchange Commission has been cracking down on companies who fail to disclose data breaches. With the recent Equifax breach, many are wondering how much more scrutiny companies will face.
The Intuit data breach is a recent case of the FTC investigating a company for its lack of disclosure. Intuit was fined $16 million in total, and it must pay $5 million in restitution to affected consumers.
As authorities clamp down on false disclosures and Congress debates obligatory reporting of cybersecurity breaches, attorneys warn that companies must pay greater attention to what they say when hackers attack.
In recent weeks, many regulatory proceedings have focused on misleading breach notifications, media comments, and investor communications made by firms after security incidents, according to watchdogs.
The Securities and Exchange Commission announced a settlement with five Cetera Financial Group Inc. business divisions on Monday, alleging inadequate controls and deceptive inaccuracies in breach notifications to certain customers. A $300,000 penalty must be paid by the Cetera entities, which provide brokerage services and financial advice.
Cetera did not reply to a request for comment right away.
In the case of a security breach, quick, accurate, and unambiguous updates are the gold standard, according to Seth DuCharme, a partner at law firm Bracewell LLP and the interim U.S. Attorney for the Eastern District of New York until March.
According to Mr. DuCharme, the SEC’s August 16 settlement with London-based educational publisher Pearson PLC over a 2018 data breach demonstrates how carefully authorities are examining incident communications.
Pearson was accused by the SEC of deceiving investors about the existence and scope of the data breach, which resulted in the theft of millions of student records. Pearson referred to a data security incident as a hypothetical risk in its 2019 semiannual report, didn’t accurately describe the scope of the breach in media statements, and failed to patch the software vulnerability hackers exploited for six months after being notified a patch was available, according to the SEC.
Pearson agreed to pay a $1 million penalty but did not acknowledge or deny the SEC’s allegations as part of the settlement. Pearson’s spokesperson said that the firm was delighted to reach an agreement with the SEC.
Cybersecurity failures resulting in data theft have also become a priority for European data protection authorities. According to Adolf Slama, a Swedish privacy regulator’s information technology advisor, half of the authority’s judgments under the General Data Protection Regulation have included cybersecurity concerns.
Tuesday, March 21, 2019
Pearson discovers that a hacker exploited an unpatched vulnerability to obtain millions of rows of data about school administrators, teachers, and students. Pearson fixes the problem, establishes an incident-response team, and hires an outside investigator.
May 7, 2019
Pearson prepares a statement to use in case of questions from the media.
July 19, 2019
Pearson informs consumers that there has been a data breach.
July 26, 2019
Pearson files a regular financial form with the Securities and Exchange Commission (SEC) that cites the hypothetical risk of a data-privacy event, using the same broad risk-disclosure wording as previous similar forms.
July 31, 2019
Following a media inquiry, Pearson makes a public statement regarding the hack. Pearson provides the reporter with the statement from May, which doesn’t say how serious the incident was.
Later that same day
Pearson issues a statement on its website regarding the incident, citing “unauthorized access” to data that “may” contain specific sensitive components. It doesn’t say whether or not the intruder stole information, or how much or what type of information was taken.
August 1, 2019
Pearson’s stock drops by 3.3 percent.
Legislators in the United States have been looking at measures to improve how businesses disclose cybersecurity incidents. On Wednesday, the House Homeland Security Committee will discuss a draft bill introduced by Rep. Yvette Clarke (D., NY) that would require critical infrastructure operators to disclose cybersecurity events.
Sen. Mark Warner (D-Va.) has introduced legislation in the Senate that would require federal agencies, contractors, and critical infrastructure operators to disclose incidents within 24 hours of detection. Industry organizations, in particular, are opposed to the 24-hour requirement, claiming that their members would need at least 72 hours to collect the necessary information.
According to Amy Keller, a partner at legal firm DiCello Levitt Gutzler LLP, how a business defines a cyberattack will be crucial.
Ms. Keller said that boilerplate wording may be confusing. Companies’ first announcements, for example, often claim that they were the victims of a “sophisticated” attack. This description may harm customers whose data has been compromised, because they may believe the attack was carried out by a nation-state when, in reality, an identity-theft gang is more likely to be responsible.
“They give customers comfort that maybe this wasn’t such a huge issue, or maybe it was a state actor, and the information is going to be used for espionage, not to create accounts in my name or something,” Ms. Keller said. “That kind of corporate propaganda is very deceptive.”
James Rundle can be reached at [email protected]
Copyright 2021 Dow Jones & Company, Inc. All Rights Reserved.