On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach. At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities. Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision-making processes and substantive views.
Robert Cohen, Chief of the Cyber Unit of the U.S. Securities and Exchange Commission (“SEC”), which launched in September 2017, identified three enforcement priorities for the new Unit, which were also discussed in detail in our recent memorandum: (1) initial coin offerings—or “ICOs”—and cryptocurrencies; (2) trading-related cybercrime, such as account takeovers and hacking in furtherance of insider trading; and (3) cybersecurity, including enforcement of SEC rules regulating the systems and information of certain regulated entities as well as public company disclosures of certain cyber risks and incidents. In discussing these priorities, which mirror the Unit’s enforcement actions and other public statements about the Cyber Unit’s priorities since it launched, Cohen emphasized that the SEC’s touchstone when evaluating cybersecurity safeguards is reasonableness. He added that the SEC will not view a cyber incident as necessarily meaning that a rules violation has occurred—but also noted that a rules violation can occur absent a cyber incident. Finally, Cohen recommended engaging the SEC early in the event of a cyber incident, and noted that the SEC works closely with partners such as the FBI when investigating a breach.
Scott Ferber, Counsel for Cyber Investigations at the National Security Division in the U.S. Department of Justice (“DOJ”), also emphasized cooperation and coordination with law enforcement following a breach. Ferber encouraged companies to consider the advanced capabilities of the government when deciding whether and when to disclose a data breach, particularly when breaches result from sophisticated state actors. Ferber explained that the government has provided assistance and non-public information to company counsel in certain circumstances.
Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the U.S. Federal Trade Commission (“FTC”), addressed the FTC’s cyber enforcement priorities, including health data, financial data, Internet-connected devices, and issues surrounding children’s data.[1] In commenting on ways to successfully manage a data breach involving consumer information, Mithal echoed the emphasis on cooperation. She opined that attorneys can “over-lawyer” responses to subpoenas and other inquiries following breaches, cautioning that too-narrow responses can deprive companies of the opportunity to fully tell their “stories” that might be persuasive to the regulators.
Matthew Noyes, Cyber Policy Advisor at the U.S. Secret Service, identified an important benefit of contacting law enforcement or regulators in the immediate aftermath of a cyber incident. He explained that when financial frauds, such as social engineering scams, result in money being sent to a fraudulent account or recipient, the stolen money can potentially be clawed back by law enforcement later than the victim might assume is possible. Early outreach is critical, however, because the window in which law enforcement may be able to act could be a matter of hours.
Finally, several panelists suggested specific resources for large and small businesses looking to improve their cybersecurity practices and develop incident response plans. Two such resources were the DOJ’s Cybersecurity Unit’s Best Practices for Victim Response and Reporting of Cyber Incidents (2015), which identifies core principles to consider before and after a cyber intrusion, and FINRA’s Report on Cybersecurity Practices (2015), for financial services organizations looking to plan their response to a cyber incident.
On the whole, regulators and law enforcement officials encouraged cooperation with their agencies during cyber investigations, underscored their commitment to policing inadequate cyber practices and disclosures, and identified resources for both small and large organizations seeking to improve their cyber-incident preparedness and responses.
[1] Recent research concerning children’s toys and Internet-connected devices was presented at the FTC’s PrivacyCon in February 2018. See e.g., McReynolds, et al., Toys that Listen: A Study of Parents, Children, and Internet-Connected Toys (2017), https://www.ftc.gov/system/files/documents/public_comments/2017/11/00038-141895.pdf.