Insight Into Cybersecurity Regulations Is Critical for Today's Board Members
Recent regulatory developments make it clear that cybersecurity is a board-level issue, intimately tied to the stewardship and overall risk profile of an organization.
September 12, 2018 at 02:13 PM
5 minute read
Recent regulatory developments make it clear that cybersecurity is a board-level issue, intimately tied to the stewardship and overall risk profile of an organization.
|SEC Cybersecurity Disclosure Guidance
In 2011, the U.S. Securities and Exchange Commission issued guidance on cybersecurity incident disclosure. Earlier this year, on Feb. 26, the SEC updated its guidance to further emphasize the criticality of cybersecurity preparedness for public companies, advising corporate directors to consider “the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents.” The guidance also included reminders about applicable insider trading obligations related to disclosures of “material nonpublic information about cybersecurity risks or incidents.” While not explicitly calling for cybersecurity knowledge at the board level, the guidance does emphasize a growing list of cybersecurity topics directors must consider to effectively manage risk.
|General Data Protection Regulation (GDPR)
Another example of the increased focus on data protection and its implications for cybersecurity comes from the European Union (EU). Two years after its adoption, enforcement of the General Data Protection Regulation (GDPR) began on May 25, 2018. This means that many companies around the globe are now obligated to take additional steps to protect the data of their customers and employees. While this regulation is specific to companies dealing with personal data originating in the EU or European Economic Area (EEA), its extraterritorial reach is already transforming the cybersecurity posture of organizations worldwide.
GDPR stipulates principles not only for protecting commonly held personal data such as name, address and ID number, but, in fact, any unique identifier of a “natural person” (living human being) under the law. Depending on context, this may encompass geolocation, IP address and cookie information. Political, racial, sexual and genetic data points receive special protections under the regulation. Due to its breadth, companies are spending millions to comply by leveraging several variations of cybersecurity and privacy controls. Accordingly, it is important for a board to understand whether compliance money is being spent effectively and in a way that will help mitigate against the risks of being fined for GDPR noncompliance. Depending on the category and severity of a violation, penalties for noncompliance can be as significant as 20 million euros (close to $25 million in USD) or 4 percent of annual global turnover (revenue), whichever is higher.
Ultimately, the GDPR is principles-based rather than prescriptive, making it open for interpretation. There are six principles that must be followed when processing personal data, along with an underlying principle of accountability to demonstrate compliance. To prevent security breaches and lawfully process personal data, organizations must take into account the “state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk” when implementing safeguards to protect their personal data. Such language provides an opportunity for board members to offer guidance based upon experiences across multiple organizations to ensure that appropriate cybersecurity protections are adopted to meet ever-evolving threats.
|NIS Directive
Another cybersecurity regulatory development is the European Union's NIS Directive, which member states were required to implement as national legislation by May 9. Focused on critical industry sectors, rather than data types, the directive mandates heightened cybersecurity requirements for organizations in the energy, transport, water, health, finance and critical digital service sectors. This means that board members in such sectors must ensure that cybersecurity capabilities and practices meet these standards.
|Australian Data Breach Notification
Though not a holistic cybersecurity law, Australia recently implemented the Notifiable Data Breaches scheme, raising data breach notification requirements for companies that make $3 million (AUD) or more, as well as those in specific sectors, such as health care. This increases the impetus for Australian organizations to adopt cybersecurity measures to prevent data breaches, as well as to develop a plan for identifying, responding to, and reporting breaches when they occur.
|Canada's Breach of Security Safeguards Regulations
Earlier this year, Canada updated its existing Personal Information Protection and Electronic Documents Act (PIPEDA) to enhance breach reporting obligations. Where an organization experiences a personal data breach that is reasonably believed to pose a “real risk of significant harm” to individuals, it must notify the privacy commissioner and the individual “as soon as feasible.” This duty to inform requires that organizations provide information about the significance of the breach and recommended steps to mitigate harm. These new regulations go into effect on Nov. 1 and mean that boards should ensure that their organizations are able to adequately investigate and assess security incidents as part of a plan to report them, where appropriate.
|NACD Director's Handbook
One of the key realities of recent developments is that cybersecurity is no longer a suggestion—companies that do not protect personal data and make notifications in a timely manner are subject to substantial fines.
Appropriately, the National Association of Corporate Directors (NACD) released a Director's Handbook on “Cyber-Risk Oversight” just last year. In this 2017 document, one of the guiding principles states, “Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.” The remaining principles address the need to not merely understand cybersecurity as an IT risk, but to comprehend the legal implications of cyber risks, setting the expectation that cyber risk management frameworks are developed, and understanding the types of conversations related to cyber risks that should be happening at the board level.
Drew Bagley is vice president and counsel, privacy and cyber policy at CrowdStrike.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250