Information Security

Routine SEC examinations of investment advisers and investment companies this year will include scrutiny of these entities’ cybersecurity policies, an SEC official told attendees Thursday at a national agency-hosted compliance seminar.

The SEC’s Regulation S-P, which implements the federal Gramm-Leach-Bliley Act, requires brokers, dealers, investment companies, and registered investment advisers to “adopt policies and

Despite studies indicating that data security is a top concern for executives and corporate boards — a development we previously blogged about here — barely half of employees are familiar with their company’s information security policies, according to a survey by Forrester Research.  The report explains, “only 56 percent of information workers in North America and Europe say that they are aware of their organisation’s current security policies.” 

This lack of awareness and employee training undoubtedly contributes to the ongoing problem of data breaches, many of which are caused by employee carelessness.  According to the same Forrester study, 31% of data breaches are attributable to simple loss or theft, such as employees losing laptops or USB drives; another 27% are caused by employees inadvertently misusing corporate assets.  A Ponemon Institute survey of 49 U.S. companies similarly found that negligent insiders were the root cause of 39% of data breaches studied. 

The Forrester report and similar surveys have found other surprisingly common data security weaknesses:Continue Reading Surveys Reveal Surprisingly Common Data Security Shortcomings

By Brian Ryoo

The Federal Trade Commission (“FTC”) reached separate settlements with two companies it had accused of exposing sensitive personal information through peer-to-peer (“P2P”) file-sharing software installed on their corporate networks.  The complaints filed against the companies alleged that the companies failed to have in place adequate information security policies and procedures, risk assessment protocols, employee training, or other internal compliance measures.Continue Reading FTC Settles P2P-Related Data Breach Charges Alleging Failure to Provide Appropriate Security

Yesterday Senator John McCain (R-AZ) introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT Act). The bill’s cosponsors include Senators Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC).
Continue Reading Republican Senators Introduce SECURE IT Act

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue.

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks–and incidents–have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups.

Continue Reading SEC’s Division of Corporation Finance Issues Guidance on Disclosing Cybersecurity Risks

For the fifth consecutive session of Congress, Sen. Dianne Feinstein (D-CA) has introduced legislation that would establish a federal data breach notification standard.  Sen. Feinstein’s legislation — the Data Breach Notification Act of 2011 (S. 1408) — is one of a number of breach notice proposals circulating on Capitol Hill that would preempt state breach notice laws and replace them with a federal standard.  In the Senate alone, Sens. Jay Rockefeller (D-WV) and Mark Pryor (D-AR) have introduced the Data Security and Breach Notification Act of 2011 (S. 1207), and Sen. Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2011 (S. 1151). 

We have heard from several sources that Sen. Rockefeller, Chairman of the Senate Committee on Commerce, Science & Transportation, is planning to markup S. 1207 in the near future.  And last week, the House Subcommittee on Commerce, Manufacturing, and Trade marked up and voted to report the SAFE Data Act (H.R. 2577) (introduced by Rep. Mary Bono Mack (R-CA)) to the full House Energy & Commerce Committee. 

Unlike many of the breach bills that are circulating, Senator Feinstein’s bill is limited to breach notification obligations and does not include information security requirements.  Generally, S. 1408 is much more similar to the breach notice provisions of S. 1151 (Leahy) than S. 1207 (Rockfeller/Pryor) or H.R. 2577 (Bono Mack).Continue Reading Feinstein Introduces Breach Notice Bill; Senate Committee May Consider Breach Notice Proposals Shortly