Annual Corporate Governance & Executive Compensation Survey

2019 Corporate Governance & Executive Compensation Survey

Issue link: https://digital.shearman.com/i/1162884


Shearman & Sterling LLP
Cybersecurity – Preparing for the Changing Landscape

GDPR and the Increasing Importance of Data Security and Privacy

In May 2018, the General Data Protection Regulation (GDPR) took effect in the European Union. The GDPR's reach is broad: it applies to companies operating in the European Union and to companies elsewhere that collect personal data from people residing in the European Union. Not only does the GDPR require companies to implement appropriate technical and organizational measures to protect personal data and, in specified circumstances, to appoint a data protection officer, it also establishes a 72-hour framework for notifying the supervisory authority of a personal data breach. Failure to comply with either the GDPR's ongoing obligations or its incident response requirements can result in significant monetary sanctions.

The experience with the GDPR, together with the growing scrutiny of how social media companies in the United States collect, store and monetize the personal data they gather, has amplified calls for similar protective legislation in the United States. Legislators, advocates and consumers are seeking national-level regulation of the information that companies collect from consumers, including who owns it, what control consumers retain over it once they share it and what responsibilities companies have to safeguard it. In the absence of federal action, California enacted the California Consumer Privacy Act in 2018, which some have called a precursor to a U.S. version of the GDPR. The California legislation is narrower in scope than the GDPR: it does not prescribe information protection requirements or address cross-border data transfers. It does, however, represent a first step toward a more comprehensive data privacy and information security regulatory framework in the United States.

Most directors are already aware of the critical importance of protecting personal data and customer information. Headlines about companies reporting the theft of personally identifiable information through an information security vulnerability have become the norm. Directors should focus on the information their companies collect from customers, how that information is used and how much transparency the company provides to consumers about that use. Given the microscope placed on social media companies and other information collectors, both consumers and regulators are intensely focused on privacy issues. As a result, board oversight of how a company handles these functions is becoming increasingly important.

Cybersecurity is a Financial Reporting Matter

In October 2018, the SEC issued a report on an investigation it had conducted into nine public companies that were victims of cyber-related fraud.1 The incidents described in the report were single-event business email compromises, not headline-grabbing cybersecurity incidents in which the personal data of millions of customers is released on the dark web or ransomware attacks that shut down large public companies or metropolitan cities. The report focused on the intersection of financial reporting and cybersecurity, and made clear that the SEC wants to make "issuers and other market participants aware that cybersecurity risks should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws." More specifically, the report stated that "all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations." The SEC's position, as stated in the report, reinforces the view that cybersecurity is an enterprise-wide risk management issue, but it also adds a new layer of attention.

Although none of the nine cases described in the report resulted in an enforcement action, the report is a warning to the boards and management of public companies that the integrity of the financial reporting infrastructure will be another area of focus if and when the SEC calls following a cybersecurity event. A cybersecurity incident can result not only in remediation costs, loss of business and reputational damage; a company weathering a cybersecurity event may also face an SEC enforcement investigation into whether it failed to maintain adequate internal accounting controls.

1 See SEC, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements (SEC Release No. 84429) (October 16, 2018).
