Regulators have started cracking down on data breach disclosures, with the U.S. Securities and Exchange Commission recently fining several financial advisory firms for failed cybersecurity measures that led to the exposure of thousands of customers’ private data. In recent weeks, multiple regulatory actions have focused on breach notifications, media statements and investor communications, which watchdogs have called deceptive.
For example, in August 2021, the SEC finalized charges against Cetera Financial Group Inc., which offers brokerage services and investment advice, alleging that lax cybersecurity controls at five of its business units allowed the data breach to occur. The SEC also found that Cetera had used misleading language in its breach disclosures, implying that the notices were sent out sooner after the breach was first discovered than they actually were.
In June 2019, Cetera reported that a data breach had compromised nearly 2,000 clients’ data over two months earlier when hackers gained access to the email accounts of two employees. However, a separate investigation conducted by the SEC found that cloud-based email accounts of over 60 employees had been infiltrated for more than three years, exposing the private information of at least 4,388 clients.
After disclosing the breach, Cetera offered a complimentary, two-year membership to an identity theft and credit monitoring service to clients who might have been affected. None of the compromised email accounts had been protected according to Cetera policies, the SEC determined. In exchange for settling these claims without admitting or denying these allegations, Cetera will pay a $300,000 penalty.
This settlement is one of three recent SEC actions against financial advisory firms; two other firms were also sanctioned for failing to protect customer data and properly respond to cybersecurity threats. The SEC said that all three firms had violated the “safeguards rule,” which requires broker-dealers and investment firms registered with the agency to have written policies and procedures in place to protect customer records.
Earlier in August of this year, educational publisher Pearson PLC and the SEC settled a charge for a 2018 data breach, with the company paying a penalty of $1 million. The SEC charged Pearson with misleading investors by denying the extent and even the existence of the breach, demonstrating a recent focus on incident communications.
The SEC found that in a 2019 annual report, Pearson had referred to a data security incident as a “hypothetical risk” despite knowing that a breach had already happened. Pearson did not accurately describe the breach in media statements and failed to patch the software vulnerability for six months, leaving hackers to exploit this weakness.
The United States is slowly catching up with higher standards for data privacy laws, particularly in comparison to the European Union, where the General Data Protection Regulation (GDPR) was designed to give individuals more control over their personal data. In the United States, lawmakers have proposed legislation to improve how companies report cybersecurity incidents. In recent months, mandatory reporting has moved to the forefront of discussion, since there is currently no federal law that requires companies to inform the federal government if they have been breached.
For example, the Cyber Incident Notification Act would require government agencies, federal contractors, and critical infrastructure groups — such as hospitals, utilities and financial services — to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. However, the 24-hour limit has become a major point of contention with industry groups, which argue that organizations need at least 72 hours to gather information before reporting a breach.
With nearly 4,000 confirmed data breaches targeting major corporations like Microsoft, Zoom, and Spotify in 2020, we can expect to see more regulations tightening the requirements for how companies address cybersecurity incidents and prevent future breaches from exposing customer information.