Updates to Chapter 11

Enforcement by Federal Agencies Other than the FTC

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

11.2 Consumer Financial Protection Bureau

With the exception of the Dwolla and Equifax enforcement actions described in the book, the CFPB has been a no-show on cybersecurity. However, on August 11, 2022, the Bureau issued a circular in which it reiterated that inadequate security for the sensitive consumer information collected, processed, maintained, or stored by “covered persons” and “service providers” subject to the Consumer Financial Protection Act (CFPA) can violate the Act’s prohibition of unfair acts or practices, 12 U.S.C. 5536(a)(1)(B). In particular, the circular called out three sets of data security practices: multi-factor authentication, adequate password management, and timely software updates: “Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.” As relevant precedent for how it would view inadequate procedures in these three areas, the CFPB cited enforcement actions of the Federal Trade Commission, signaling that it would follow the FTC’s common law of data security.

[New subchapter:] 11.6.3 HIPAA Safe Harbor Rule

Public Law 116-321 became law on Jan. 5, 2021 and is codified at 42 U.S.C. § 17941. Sometimes referred to as the HIPAA Safe Harbor Act, it provides that the Secretary of HHS, when making determinations relating to (1) imposing HIPAA fines under 42 U.S.C. § 1320d-5 and 42 U.S.C. § 1320d-6, (2) decreasing the length and extent of an audit under 42 U.S.C. § 17940, or (3) other remedies otherwise agreed to by the Secretary, shall consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place. Such practices may mitigate fines under 1320d-5; result in the early, favorable termination of an audit; and mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule.

The term “recognized security practices” is defined as the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, 15 U.S.C. § 272(c)(15) (most specifically the NIST framework for critical infrastructure, but perhaps referring to additional NIST products); the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, 26 U.S.C. § 501; and “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” The section also states that “Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule,” apparently meaning that the regulated entity gets to pick and choose among applicable standards and guidelines. Like other safe harbor provisions, this one seems to be intended to shift the focus of any enforcement action from the specific cybersecurity failing that resulted in a breach to the broader cybersecurity posture of the regulated entity. Facing an enforcement action for an admitted breach or an audit, the regulated entity may argue that, overall, it had a very good program that just missed this one attack and therefore it should get a break on fines or other remedies.

[New subchapter:] 11.6.4 HIPAA Enforcement after MD Anderson

In March 2022, HHS announced what may be its first cybersecurity settlement since MD Anderson. The matter began in January 2015, when the U.S. Department of Veterans Affairs reported a breach of unsecured protected health information (PHI) involving a telehealth program managed by a VA business associate called, after a subsequent merger, Peachstate. In August 2016, OCR initiated a compliance review of the company to determine its compliance with the Privacy and Security Rules related to the breach. The review, expanded to encompass the merged entity, found potential violations of the Security Rule. Notably, HHS did not assert a violation of the Privacy Rule, suggesting that it had accepted the ruling of the Fifth Circuit that a breach is not a disclosure in violation of the Privacy Rule. Peachstate settled, agreeing to pay $25,000 and to implement a corrective action plan similar to those imposed pre-MD Anderson.

11.7.1 Enforcement Actions Against Regulated Entities in the Financial Markets

Cetera, etc. (2021)

In August 2021, the Securities and Exchange Commission sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm. All eight firms were Commission-registered as broker-dealers, investment advisory firms, or both. The SEC's orders against each of the firms found that they had violated Rule 30(a) of Regulation S-P, aka the Safeguards Rule. One set of respondents was also found to have violated Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder (17 C.F.R. § 275.206(4)-7). As always, the agency’s orders should be read closely to discern what kinds of failures it will focus on in an enforcement action. In these cases, they included failure to adopt sufficiently robust written policies and procedures to safeguard records and information of brokerage customers and advisory clients; failure to use multi-factor authentication to protect employee and customer accounts; failure to adopt a customized incident response policy; and use of misleading language in breach notice letters.

11.7.2 SEC Enforcement Actions Against Publicly Traded Companies

In June 2021, the SEC entered into an Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, In the Matter of First American Financial Corporation, File No. 3-20367 (June 14, 2021). The matter began in May 2019 when a cybersecurity journalist notified First American that its application for sharing document images related to title and escrow transactions had a vulnerability exposing over 800 million document images dating back to 2003, including images containing sensitive personal data such as Social Security numbers and financial information. In response, First American issued a statement for inclusion in the journalist’s report and furnished a Form 8-K to the Commission. However, First American’s senior executives responsible for the press statement and Form 8-K were not informed that the company’s information security personnel had identified the vulnerability several months earlier, in a January 2019 manual penetration test of the relevant application, or that the company had failed to remediate the vulnerability in accordance with its policies.

This indicated that First American had not maintained disclosure controls and procedures designed to ensure that senior management had the relevant information about the January 2019 Report prior to issuing the company’s disclosures about the vulnerability. Exchange Act Rule 13a-15(a), 17 C.F.R. § 240.13a-15, requires issuers of registered securities to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission’s rules and forms. The respondent agreed to cease and desist from committing any future violations of Exchange Act Rule 13a-15 and to pay a civil money penalty in the amount of $487,616.

Whereas the SEC focused in the First American case on the company’s failure to ensure that senior management were aware of the vulnerability, a case settled in August 2021 suggests that the Commission will come down much harder on a company when senior management did know of a breach and nevertheless filed a 6-K that spoke only hypothetically of the risk of breaches and, when contacted by the media, made statements that understated the nature and scope of the incident and overstated the company’s data protections. Order Instituting Cease-and-Desist Proceedings, Pursuant to Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, In the Matter of Pearson plc, File No. 3-20462. For example, the company stated to the media that the breach may have included dates of birth and email addresses, when, in fact, it knew that such records were stolen. And it said that it had had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. This, the SEC found, violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. The company agreed to pay a civil money penalty in the amount of $1,000,000.

The SEC’s heightened interest in cybersecurity disclosure was confirmed in June 2021, when the staff of the SEC initiated an investigation regarding the compromise of software made by the SolarWinds Corp. As part of this investigation, the staff issued a letter to public companies they thought might have been affected by the SolarWinds vulnerability, asking them to provide information to the staff on a voluntary basis. The SEC offered amnesty to companies for disclosure of matters within the scope of the inquiry. According to Reuters, the SEC sent letters to “hundreds of companies, including many in the technology, finance and energy sectors.” It seems there could be two separate questions in such an inquiry involving a supply chain attack: (1) did the company install the compromised version of the SolarWinds product and, if so, did it report and disclose that fact, and (2) did the company experience a data breach as a result of the SolarWinds vulnerability and, if so, did it report and disclose the breach? As to the first question, it would be quite remarkable if every company were expected to report every time it learned it was using a vulnerable third-party product. Moreover, it would seem to be unwise to require companies to disclose use of a vulnerable product before the vulnerability could be patched or the reliance otherwise mitigated. And if a vulnerability has been found and patched before it could be exploited, why make a disclosure that could be misleading? Answers await further clarification from the SEC on the disclosure obligations of public companies regarding vulnerabilities in third-party software or services they use. But the foundational point is that companies need to have a sound policy (and follow it) for identifying cyber risks and cyber incidents and then deciding which deserve to be disclosed. For that, it is worth returning to the SEC’s 2018 guidance:

Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company's business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

Last updated: August 31, 2022.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.