In the last few posts, we discussed the NYS Department of Financial Services (“DFS”) and its enforcement efforts. Specifically, NY DFS has been going after entities for failure to report prior breaches.
For example, DFS announced a $3 million penalty against National Securities Corporation (“NSC”) concerning such a failure. The DFS announcement specifically cited that NSC failed to report prior breaches: “The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation.” See: https://dfs.ny.gov/reports_and_publications/press_releases/pr202104141
Along the same lines, the SEC announced on August 16, 2021 that it settled charges against Pearson plc (“Pearson”), a London-based educational publishing and services company, for failure to disclose a cybersecurity breach. In addition, the SEC stated that Pearson misled investors about the theft of millions of records and that it had inadequate disclosure controls and procedures. As with the above-referenced DFS action, the breach occurred a few years earlier (2018); the SEC viewed the failure to disclose as misleading and cited a civil penalty of $1 million. See: https://www.sec.gov/enforce/33-10963-s . This follows a prior SEC enforcement action against another company for failure to timely disclose a cybersecurity vulnerability, which resulted in a half million dollar penalty.
As the cited SEC enforcement action, together with the aforementioned DFS enforcement actions, demonstrates, an entity can be subject to multi-million dollar penalties simply for not reporting breaches. In sum, it is critical that an entity properly assess suspected breaches to determine whether they are reportable to the relevant agency. As they say, the cover-up is worse than the crime!