Copyright 2014 by
The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
CYBERSECURITY
Public Company Directors Beware:
The SEC Says You Are Responsible for Data Privacy and Protection
BY TRAVIS P. BRENNAN AND KATIE BEAUDIN
According to recent statements from an SEC commissioner, directors of companies with reporting obligations should play an active role in overseeing how their organizations use cybersecurity to protect personal or otherwise private customer information. Indeed, per Commissioner Luis Aguilar, "[e]ffective board oversight of management's efforts to address these issues is critical to protecting customer data and ensuring the adequacy of related public disclosures."[1] He added that cybersecurity is of particular concern because of the widespread and severe impact that cyber-attacks could have on the integrity of capital markets infrastructure and on public companies and investors.[2] Commissioner Aguilar did not direct his comments at any particular industry, but his words are inherently most relevant for organizations whose operations require the receipt and storage of individuals' personal or private information, such as those in the healthcare, retail, social media or e-commerce spaces.
Mr. Aguilar's recent comments follow the agency's 2011 issuance of disclosure guidance specific to data breach and security issues,[3] and its 2001 promulgation and later application of Regulation S-P's Safeguard Rule,[4] through which the SEC directly regulates financial services firms' compliance with data security obligations. These events provide important context for directors confronting whether their company is sufficiently addressing compliance.
New Regulatory Initiatives and Past Enforcement Efforts Provide Guidance For Compliance Measures
The SEC held a cybersecurity roundtable on March 26, 2014 to address how public companies should prepare for, and react to, data breaches. The gathering focused on the roles of directors and senior management in disclosing data breaches and mitigating the risk of future breaches. Panelists suggested having a cybersecurity expert accessible to the board and management who can assist in the preparation of a cyber incident re-
[1] Luis Aguilar, Comm'r, U.S. SEC. & EXCH. COMM'N, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U_JH3HPD-Uk.
[2] Id.
[3] U.S. SEC. & EXCH. COMM'N, CF Disclosure Guidance, Topic No. 2: Cybersecurity (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[4] 17 C.F.R. § 248.30 (2000); U.S. SEC. & EXCH. COMM'N, Proposed Rule, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information (March 4, 2008), available at http://www.sec.gov/rules/proposed/2008/34-57427.pdf.
Travis Brennan is a Shareholder in Stradling's business litigation and securities litigation practices. In addition to representing a variety of companies and their officers in complex legal disputes, Mr. Brennan counsels business decision makers regarding risk and compliance matters. Katie Beaudin is a student at the University of Notre Dame Law School and was a 2014 summer associate at Stradling.
COPYRIGHT 2014 BY THE BUREAU OF NATIONAL AFFAIRS, INC. ISSN 2330-6300
Corporate Law & Accountability Report