
Reproduced with permission from Corporate Accountability Report, 12 CARE 35, 09/05/2014.

Copyright 2014 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
CYBERSECURITY
Public Company Directors Beware:
The SEC Says You Are Responsible for Data Privacy and Protection
BY TRAVIS P. BRENNAN AND KATIE BEAUDIN
According to recent statements from an SEC commissioner, directors of companies with reporting obligations should play an active role in overseeing how their organizations use cybersecurity to protect personal or otherwise private customer information. Indeed, per Commissioner Luis Aguilar, "[e]ffective board oversight of management's efforts to address these issues is critical to protecting customer data and ensuring the adequacy of related public disclosures."[1] He added that cybersecurity is of particular concern because of the widespread and severe impact that cyber-attacks could have on the integrity of capital markets infrastructure and on public companies and investors.[2] Commissioner Aguilar did not direct his comments at any particular industry, but his words are inherently most relevant for organizations whose operations require the receipt and storage of individuals' personal or private information, such as those in the healthcare, retail, social media or e-commerce spaces.

Mr. Aguilar's recent comments follow the agency's 2011 issuance of disclosure guidance specific to data breach and security issues,[3] and its 2001 promulgation and later application of Regulation S-P's Safeguard Rule,[4] through which the SEC directly regulates financial services firms' compliance with data security obligations. These events provide important context for directors confronting whether their company is sufficiently addressing compliance.
New Regulatory Initiatives and Past Enforcement Efforts Provide Guidance For Compliance Measures
The SEC held a cybersecurity roundtable on March 26, 2014 to address how public companies should prepare for, and react to, data breaches. The gathering focused on the roles of directors and senior management in disclosing data breaches and mitigating the risk of future breaches. Panelists suggested having a cybersecurity expert accessible to the board and management who can assist in the preparation of a cyber incident response plan. Panelist Mary E. Galligan, director of cyber risk services at Deloitte & Touche LLP, stated that larger companies should consider having separate cyber risk committees on their boards to deal with these issues.[5] Panelists also noted that boards and managers should become aware of how data can leave their companies, and what kind of data is at risk.

[1] Luis Aguilar, Comm'r, U.S. Sec. & Exch. Comm'n, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U_JH3HPD-Uk.
[2] Id.
[3] U.S. Sec. & Exch. Comm'n, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[4] 17 C.F.R. § 248.30 (2000); U.S. Sec. & Exch. Comm'n, Proposed Rule, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information (March 4, 2008), available at http://www.sec.gov/rules/proposed/2008/34-57427.pdf.

Travis Brennan is a Shareholder in Stradling's business litigation and securities litigation practices. In addition to representing a variety of companies and their officers in complex legal disputes, Mr. Brennan counsels business decision makers regarding risk and compliance matters. Katie Beaudin is a student at the University of Notre Dame Law School and was a 2014 summer associate at Stradling.

Corporate Law & Accountability Report, ISSN 2330-6300
On June 10, 2014, the SEC again affirmed its intent to play a role in monitoring cybersecurity measures, with a clear emphasis on directors' obligations. In a speech at a "Cyber Risk and the Boardroom" conference at the New York Stock Exchange, Commissioner Aguilar explained how public companies should be preparing for and responding to the increasingly frequent and complex threats to the safety and security of the data they hold.[6] Aguilar stressed that "[e]ffective board oversight of management's efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets."[7] Mr. Aguilar echoed the comments of panelists at the cybersecurity roundtable about the need for cybersecurity experts to advise boards and for establishing cyber risk management teams to provide regular reports to board members.
These public comments already have spurred new regulatory action. The roundtable led to the SEC's Office of Compliance Inspections and Examinations' (OCIE) decision to examine the cybersecurity policies and procedures of more than 50 registered broker-dealers and investment advisors.[8] For other public companies, however, there will be broader developments, both in regulation and enforcement, that are worth close attention. In anticipating those further developments, guidance can be drawn from previous enforcement efforts involving the Safeguard Rule and the SEC's disclosure guidance specific to data security.
The Safeguard Rule, promulgated via the authority to regulate the financial industry's protection of personal, nonpublic information under § 504 of the Gramm-Leach-Bliley Act, became effective on Nov. 13, 2000.[9] The Rule requires registered brokers, dealers, investment companies and investment advisers to maintain policies and procedures that address the protection of customer information. These policies and procedures must: (i) ensure the security and confidentiality of customer information; (ii) protect against any anticipated threats to the security or integrity of customer information; and (iii) protect against unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to any customer. The Rule, however, provides little if any practical guidance on what companies must do to achieve these goals or to meet regulatory expectations.
In 2008, the SEC proposed amendments to Regulation S-P that were never adopted, but provide more specific guidance on what the SEC thinks is important for data security policies and procedures.[10] The proposed amendments expanded requirements to include details about what policies and procedures must encompass, including administrative, technical and physical safeguards for protecting personal information and for responding to unauthorized access to, or use of, personal information. The amendments also stressed that policies must be proportionate to company size and complexity, the nature and scope of operations, and the sensitivity of any personal information at issue.
Although a board member has yet to be sanctioned under the Safeguard Rule, high-level managers have, and application of the rule offers some lessons. Enforcement action has shown that both companies and their top-level executives can face sanctions in the form of monetary penalties, public censure, industry bars or injunctive relief if they fail to establish protocols for addressing known threats to data security, even if the threat is non-specific, such as general deficiencies concerning user passwords, or if they fail to ensure an adequate response to an actual data breach.[11] Even if policies to protect records are in place, firms and individuals still face sanction if they do not anticipate and address specific cyber threats, such as computer viruses.[12]

This enforcement activity, in addition to the SEC's public statements, should inform directors' assessments of the adequacy and particularity of company disclosures about the risk of data breaches, actual data breaches, data security policy and any need for changes to such policy.[13]
The SEC's Disclosure Guidance on Data Security and Its Subsequent Comments on Public Filings Highlight Specific Areas That Companies Should Address
In 2011, the SEC expanded its data privacy and security focus to include all public companies, not just financial services firms, by issuing disclosure guidance specific to cybersecurity.[14] That guidance focused on expanding the areas of disclosure when companies face data breach issues. The guidance directs companies to highlight cybersecurity breaches and risks in the following standard reporting obligations: (1) risk factors; (2) management's discussion and analysis of financial condition and results of operations (MD&A); (3) description of business; (4) legal proceedings; (5) financial statement disclosures; and (6) disclosure controls and procedures. Risk factors that companies are obligated to disclose include aspects of their business or operations that give rise to material cybersecurity risks and descriptions of cyber insurance. Registrants also should assess potential costs associated with an attack and disclose whether an attack led them to materially increase cybersecurity protection expenditures.

[5] Transcript, U.S. Sec. & Exch. Comm'n, Cybersecurity Roundtable at 38 (Mar. 26, 2014), available at http://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.
[6] Luis Aguilar, Comm'r, U.S. Sec. & Exch. Comm'n, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U_JH3HPD-Uk.
[7] Id.
[8] Risk Alert, OCIE Cybersecurity Initiative (Apr. 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.
[9] 17 C.F.R. § 248.30 (2000).
[10] U.S. Sec. & Exch. Comm'n, Proposed Rule, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information (March 4, 2008), available at http://www.sec.gov/rules/proposed/2008/34-57427.pdf.
[11] LPL Financial Corp., Exchange Act Release No. 58515, Investment Advisers Act Release No. 2775 (Sept. 11, 2008); Marc A. Ellis, Exchange Act Release No. 64220 (Apr. 7, 2011).
[12] Commonwealth Equity Servs., Exchange Act Release No. 60733, Investment Advisers Act Release No. 2929 (Sept. 29, 2009).
[13] The OCIE's new initiative following the March 2014 roundtable provides some similarly useful detail. For example, the OCIE released a sample list of requests for information it intends to use, including identification of risks and cybersecurity governance, procedures for protecting firm networks and information, and detection of unauthorized activity. Proposed requests range from "[p]lease indicate whether the Firm makes use of encryption" to "[h]ow does the Firm identify relevant best practices regarding cybersecurity for its business model?"
Since the 2011 guidance, the SEC has released more than 50 comments on company filings, including those on Forms 10-K, 8-K, 10-Q and 20-F, asking that companies broaden the information provided in their filings as related to disclosure of recent data breaches.[15] These disclosures require: (1) an acknowledgement of past breaches, regardless of materiality; (2) a reference to the potential for future breaches; and (3) a statement outlining efforts to mitigate or insure against the risk of greater threats. The SEC has asked large companies like Amazon and The New York Times Co. to amend their disclosures by expanding on current measures being taken to mitigate risk after a data breach and to acknowledge the possibility of additional breaches in the future.[16]
The mere specter of enforcement action focusing on data security-related disclosure deficiencies has encouraged significant and detailed disclosures in at least one more high-profile instance. After a November 2013 data breach, Target Corp. devoted an entire portion of its 2013 annual Form 10-K report to discussing details of a significant data breach, the amount of expenses incurred in investigating the breach and the resulting litigation.[17] It continued to disclose resulting costs and pending litigation in its May 2014 Form 10-Q filing.[18] Although there has been no enforcement action related to the breach, Target has admitted that it ignored early signs of the security breach by not following up on some criminal activity within its networks before the breach.
Here's What to Do
So what to derive from all of this activity?
Key action items for boards of directors whose organizations receive and store individuals' private and personal information in the ordinary course of business should include at least the following:
(a) adding data privacy and security to the board's agendas for annual or semi-annual risk assessments;
(b) assigning more-frequent data security oversight to a sub-committee and adding such oversight as a line item to that committee's charter;
(c) adding data security background or expertise to the list of criteria used to evaluate board nominees;
(d) engaging an expert consultant to conduct a risk assessment and report results to the board or the relevant committee; and
(e) developing and maintaining adequate policies and procedures to safeguard data and take prompt action when a breach is detected.
It is also critical that companies with reporting obligations disclose data breaches and related risks in a timely manner and in sufficient detail. In the event a data breach occurs, directors and senior management must be prepared to act in accordance with their policies, disclose the breach and then amend the policies if necessary to prevent further breaches. To further minimize disclosure-related exposure, boards also must ensure that each material step taken to protect data is documented in board minutes and other company records.

Finally, and more generally, in light of the SEC's onus on directors, companies should not delay in making data security a regular component of risk management and the reporting process. The SEC's recent public discussion of the issue is not academic or unmoored from the agency's current work on the ground. The SEC's public comments often reflect concerns arising from ongoing investigations in this area, some of which will give rise to new enforcement action.
[14] U.S. Sec. & Exch. Comm'n, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[15] Letter from Mary Jo White, Chairman, U.S. Sec. & Exch. Comm'n, to John D. Rockefeller IV, Chairman, U.S. Senate Comm. on Commerce, Sci. & Transp. (May 1, 2013), available at http://op.bna.com/pl.nsf/r?Open=dapn-97qfyd.
[16] See Letter from William H. Thompson, Accounting Branch Chief, U.S. Sec. & Exch. Comm'n, to Shelly Reynolds, Vice Pres. & Worldwide Controller, Amazon.com Inc. (Mar. 12, 2012), available at http://www.sec.gov/Archives/edgar/data/1018724/000000000012012577/filename1.pdf; see also Letter from Linda Cvrkel, Branch Chief, U.S. Sec. & Exch. Comm'n, to James M. Follo, Chief Fin. Officer, The N.Y. Times Co. (Dec. 5, 2013), available at http://www.sec.gov/Archives/edgar/data/71691/000000000013066300/filename1.pdf.
[17] Target Corp., Annual Report (Form 10-K), at 5 (Mar. 13, 2014).
[18] Target Corp., Quarterly Report (Form 10-Q) (May 29, 2014).