Navigating the New Cybersecurity Rules: What Companies Need to Know

Public companies must report their cybersecurity risk management, governance and strategy on their annual filings for fiscal years ending on or after Dec. 15, 2023, to comply with the recently imposed Securities and Exchange Commission (SEC) rules.

In the U.S., almost all publicly traded companies with a focus on consumers and a large number of financial services corporations have experience in cybersecurity. This results from cybersecurity regulations being implemented by various federal agencies and all states. Specifically, the Safeguards Rule in Gramm-Leach-Bliley (GLB) requires the following types of  financial institutions to address cybersecurity to establish extensive measures:

 

  • Banks
  • Savings and loans
  • Insurance companies
  • Broker-dealers
  • Investment advisers

The SEC implemented a prior set of disclosure rules for reporting firms to give investors the necessary data to evaluate the impact of a cyberattack. Further, many other registered firms have enacted cyber procedures on their own initiative, based on responsible legal guidance.

As a result, following the introduction of the new law, financial services firms, consumer-oriented reporting firms and businesses that have independently implemented cyber policies shouldn’t have any significant implementation issues. However, those that haven’t will have a considerable undertaking to address these new requirements. Therefore, the 10K revisions will have an extensive impact on these companies.

The rule’s provisions will likely sanction those failing to comply with the change. This could involve letters of caution, fines and suspension.

 

Navigate the Cybersecurity Requirements by Taking Steps

Here are some steps to help your company navigate the new cybersecurity requirements:

Ensure a written information security policy (WISP) is in place. This creates a framework for cyber management and typically calls for creating and upkeeping a risk assessment manual and a written asset inventory.

The WISP also includes procedures addressing access controls, identity and access management, entitlement transparency, and other important topics listed below:

 

Access to Entitlement Transparency

Human Resources (HR) should be able to provide immediate access to your company’s entitlement transparency structure, including a complete listing of access by each employee to the firm’s system from initial employment to departure.

Upon employee advancement or transfer, the employee’s new superior, HR and an appropriate senior techie should reassess the employee’s access. This should be an established firm procedure and not a one-off. If an employee has been reprimanded in any way or has a questionable employment history, this should be maintained in their file.

 

Departure/Termination Procedures

Creating definitive procedures that can be immediately implemented upon termination plays a significant role in your company’s cybersecurity. These procedures should include immediate notification company-wide of an announced departure, especially if it’s a termination for cause.

Upon notification of an employee’s departure, immediately implement access restrictions. Upon departure, execute an immediate and complete access shutdown. It’s important to understand that current employee’s access to a former employee’s HR files is often a critical factor in illegal intrusions into the firm’s systems. In all of this, consider when a current or former employee is involved in a breach and what you would want to know about him/her to evaluate the situation properly.

 

Password Protection Policy

A strong password protection policy is mandatory for access security and should incorporate a requirement for multi-factor verification, including a user code and a password. The password should have eight alphanumeric characters with at least one symbol, should be changed every 90 days and not repeated for at least six months. Three errors in an attempted entry should suspend use for at least an hour and be reported to IT.


Data Loss Protection

One of WISP’s primary functions is to ensure that your company’s designated information requiring security is adequately protected in accordance with its degree of risk.

This review should be based on:

 

  • Guidance from National Institute of Standards and Technology (NIST) releases and guidelines
  • Relevant industry guidelines
  • Operational manuals
  • Data maps
  • Audits (internal and external)
  • Testing (internal and external)
  • Other appropriate mechanisms

 

Finally, determine if the company’s personal identifiable information (PII) and other designated data are being properly identified, maintained and protected within the firm’s systems.

 

Security Devices and Review

To accomplish compliant, sophisticated protection, the company should employ technology such as encryption, firewalls, intrusion detection and protection systems, as well as monitoring and auditing devices. One approach is to institute a defense-in-depth strategy using the devices above layered within the firm’s systems. This review’s determination is vital to your company and should be documented and maintained in the WISP Manual.

After an incident, the entire team should conduct follow-up reviews to make recommendations for corrective and remedial action, and it should then oversee and approve this action.

 

Training

In conjunction with legal, IT and outside IT forensic vendors, your company should develop cybersecurity training programs, including mock and tabletop sessions. Develop and provide regular cybersecurity awareness training for all personnel and regularly update this to reflect current risks.

The chief compliance officer (CCO), in conjunction with the chief information security officer (CISO), should conduct follow-up reviews. To establish an effective training program, they should work with legal and IT and outside legal and IT advisers.

Training should also discuss the appropriate handling of customer’s requests for username and password changes, wire transfers and identity verification—particularly those involving large money transfers to an overseas location or third parties. This should include sound practices regarding opening e-mail attachments and links, including using simulated phishing campaigns where the firm identifies and retests employees who failed the exercise.

 

Vendor Selection and Management

Vendors play an essential role in a company’s business and, as a result, have a significant involvement in cybersecurity. Vendors and employees are two major risk factors in cybersecurity breaches.

As such, have an established due diligence process for the selection of vendors, which should focus on cybersecurity awareness. As a part of your cybersecurity program, develop a strong vendor management plan. Finally, ensure all vendor contracts contain pertinent provisions and employ regular oversight practices.

 

Cyber-Insurance

Check your existing policies for their cyber insurance coverage. If appropriate, discuss with your insurer to address any areas requiring additional coverage. You don’t necessarily need to obtain a separate cybersecurity policy if you have proper coverage otherwise. Also, the employment of a WISP can significantly assist a firm in evaluating the need for and securing appropriate insurance.

 

Phishing

No U.S. business, small or large, can escape phishing attacks. These can result in the loss of substantial sums of money, often in six and seven figures, and valuable, susceptible company information. As a result, phishing problems can be reduced through training and testing, which includes demonstrations of various attacks experienced by peer firms. Although there’s no easy solution, regular and informed testing and training can effectively address this problem.

 

Testing

Regular testing is required of all WISPs and involves internal testing by firms and independent outside vendors. Most testing aims to ensure that key controls, systems and procedures of a WISP meet established standards.

One of the most important types of testing is third-party penetration testing. Penetration testing is an essential element in any cybersecurity program. It simulates an internal or external attack on a company’s computer network to detect its vulnerabilities and evaluate your firewall system’s effectiveness.

In conjunction with legal, compliance and a trusted outside vendor, IT should develop cybersecurity training and testing programs, including mock and tabletop sessions. These tests should be administered periodically (annually, quarterly and when necessary) by capable internal or outside technology experts and can be invaluable to your cybersecurity program.

 

Incident Response Plan

Lastly, a major element of a WISP is its Incident Response Plan, which provides a procedural structure for your company to respond to a cybersecurity incident expeditiously. The plan should contain specific policies and procedures for responding to a cyber incident with specific provisions.

 

The plan should require the firm to establish an incident response team (IRT) responsible for addressing all cyber incidents. Depending on the company and the cyber incident, the IRT can comprise members from IT, compliance, legal, HR and other relevant departments. Each member should be a seasoned officer sophisticated in the firm’s technical systems and operations.

 

Partner with Legal Experts for Assistance

A law firm with a sophisticated cybersecurity group can assist with all the undertakings described above and do so expeditiously and cost-effectively. Pastore LLC has a sophisticated group of seasoned counsel who can direct the development and completion of a WISP and be crucial players in effectively advising on any cyber incident.

 

This article is intended for informational purposes and does not constitute legal advice.

 

(Jack Hewitt is a securities lawyer and focuses on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and investment advisers. His work involves virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, market manipulation, net capital, short-selling, suitability, record retention, insider trading, cybersecurity and registration issues.)

SEC Proposes Two New Cybersecurity Regulations

What You Need to Know

 

Summary of New Proposed Rule 10

 

Proposed Rule 10 would require all Market Entities (everyone but small broker-dealers) – referred to in the Rule as Covered Entities – to adopt written policies and procedures to address cybersecurity risks.  These written policies and procedures must include the following:

  • Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments;
  • Controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
  • Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information or are otherwise permitted to access the Covered Entity’s information systems;
  • Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and
  • Measures to detect, respond to, and recover from a cybersecurity incident and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident.[1]

Proposed Rule 10 would also require immediate written electronic notice of a significant cybersecurity incident to the SEC and the filing of a new form SCIR.  The SCIR form would gather information about the significant cybersecurity incident and the Covered Entity’s efforts to respond to and recover from the incident.

Finally, the proposal would require Covered Entities to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year on Part II of proposed Form SCIR. A Covered Entity would need to file the form with the SEC and post it on its website. Covered Entities that are carrying or introducing broker-dealers would also need to provide the form to customers at account opening, when information on the form is updated, and annually.

Summary of Proposed Amendments to Regulation S-P

The second proposed rule would amend Regulation S-P covering almost all Market Entities to create additional protections for customer information and create a federal minimum standard for data breach regulations.  The proposed amendments would require covered institutions to adopt an incident response program as part of their written policies and procedures under the safeguards rule. The proposal would require an incident response program to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, include procedures to assess the nature and scope of any such incident, and contain and control such incidents. The proposal would also apply certain requirements related to incident response to covered institutions’ relationships with third-party service providers.

The proposed amendments would require covered institutions to notify affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The proposal would require a covered institution to provide the notice as soon as practicable, but not later than 30 days after a covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. A covered institution would not need to provide the notification if the covered institution determines that the sensitive customer information was not actually and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.

Additionally, the proposed amendments would enhance customer notification by:

  • Expanding the safeguards and disposal rules to cover “customer information,” a new defined term referring to a record containing “nonpublic personal information,” a term already in use for other components of Regulation S-P, about a customer of a financial institution. The proposed amendments would therefore apply both rules to both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from a third-party financial institution about customers of that financial institution;
  • Requiring covered institutions to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule;
  • Conforming Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the 2015 Fixing America’s Surface Transportation Act, which would provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are satisfied; and
  • Extending the safeguards rule to transfer agents registered with the Commission or another appropriate regulatory agency. In addition, the proposed amendments would extend the disposal rule from covering only transfer agents registered with the Commission to also transfer agents registered with another appropriate regulatory agency.

What You Need to Know Right Now

 

First – the proposed cybersecurity regulations are not yet final.  Market Entities have the opportunity to comment on the proposals.  This is a chance for Market Entities to influence the future of cybersecurity in the industry.  Some of the concerns raised by the SEC include conflict with state data breach laws.  Mark T. Uyeda, an SEC Commissioner, noted:

 

“lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”

 

These are just a few of the many topics that the SEC has opened for comments.  Numerous other issues exist.  The attorneys at Pastore LLC are highly skilled in both the financial sector and cybersecurity.  Pastore LLC can help you draft and file comments before the proposals become final.  Comments are due 60 days after the proposed rules appear in the Federal Register, which is expected to occur in the next 4 weeks.

 

Second – it is inevitable that some form of cybersecurity enhancement rules will be enacted in the near future.  Now is the time to start planning compliance.  The attorneys at Pastore LLC can assist you in formatting written policies and procedures.  Pastore LLC attorneys are creative and understand the overall data privacy, data breach and cybersecurity landscape.  Pastore LLC attorneys can work with internal compliance and legal departments to develop the best plan for a Market Entity’s needs.

 

Don’t wait!  Change is coming and Market Entities need to plan for the future regulations now.  Pastore LLC can help.

[1] Fact Sheet – Addressing Cybersecurity Risk to the U.S. Securities Markets.

SEC Proposes Change to Cybersecurity Reporting Requirements for Public Companies

With the threat of irrevocable reputational harm and damage to consumer trust brought on by data breaches to public companies, the United States Security and Exchange Commission (“SEC”) recently proposed new cybersecurity reporting requirements. In March, SEC Chair Gary Gensler noted these new amendments will, “strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”[1] If the proposed amendments pass, it would impose new requirements on board of directors, including management reporting, organization, and board composition.[2]

The proposals aim to promote incident disclosure and increase risk management, strategy, and governance disclosure of data breaches.[3] One amendment would require a company to notify shareholders and the SEC within four business days when a material cybersecurity incident occurs.[4] The SEC would also require standardized disclosure of a company’s cybersecurity risk management and strategy, management’s role in implementing cybersecurity policies, and the board of directors’ cybersecurity expertise.[5]

As the SEC signals the necessity of new disclosure policies, companies should assess their current cyber reporting practices and procedures. The proposals aim to bridge the gap between business executives and security executives to ensure cybersecurity is included in their everyday business conversations and reporting practices.[6] In preparation of these proposals, companies can educate their board on their policies and procedures regarding cyber security risks. It is no longer the sole job of the chief information security officer to translate technology risk to business risk.[7]

[1] SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, SEC (Mar. 9, 2022), https://www.sec.gov/news/press-release/2022-39

[2] Id.

[3]  Public Company Cybersecurity, Proposed Rules, https://www.sec.gov/files/33-11038-fact-sheet.pdf (last visited Sep. 22, 2022).

[4] Id.

[5] Id.

[6] Insight Report, World Economic Forum Global Cybersecurity Outlook (January 2022), https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf.

[7] Bob Ackerman, New SEC Cybersecurity Reporting Requirements: Three Things Companies Need To Do Now, Forbes (May 25, 2022) https://www.forbes.com/sites/forbesfinancecouncil/2022/05/25/new-sec-cybersecurity-reporting-requirements-three-things-companies-need-to-do-now/?sh=2d78e01e6f05.

Pastore Cybersecurity Client Defeats Travelers Insurance in Connection with Refusal to Honor Insurance Policies

On June 3, 2022, Pastore LLC won an important motion against Travelers Insurance and several of its affiliates. Pastore LLC is representing a company that provides cybersecurity education that brought an action against its insurance provider for its failure to defend it in a regulatory action, as specified by its insurance policy. Pastore worked to cite in the insurance’s company’s parent corporation and subsidiary and amend the complaint to add claims against the new parties. Pastore was able to show the court that the new parties had participated in the wrongs against its client and should not be allowed to hide behind corporate shell games to avoid liability.

Connecticut’s Data Privacy Breach Notification Law Gets a Facelift

As of October 1, 2021, Connecticut’s Data Privacy Breach Notification Act’s (“Act”) Amendments (“Amendments”) are in effect.  P.A. No. 21-59.  The Amendments:

Expand the definition of “personal information;”
Create extraterritorial jurisdiction;
Remove the safe harbor provision while conducting an investigation;
Lower the notification period from ninety to sixty days;
Further detail notification methods and procedures; and
Create safe harbors for those in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPPA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

The new definition of personal information will require businesses to examine the types of data it stores and how it is stored.  The expanded definition of personal information now includes taxpayer identification numbers, IRS issued identity protection personal identification numbers, passport numbers, military identification numbers or any other commonly issued government identification numbers – in conjunction with the first name or initial and last name of the individual.

Businesses storing COVID-19 vaccination records will also need consider the new definition because it expands coverage to medical information.  The expanded definition now includes medical information regarding an individual’s medical history, conditions (mental or physical), treatment, diagnosis; identifiers used by Health Insurance companies and biometric data – in conjunction with the first name or initial and last name of the individual.

The Amendments also define a breach of security as including the disclosure of a username and password combination including an e-mail address or security question and answer that would provide online access to an account.  The Amendments require, in the event of a breach of login credentials, that (1) a notice informing the person whose information was breached to promptly change their credentials on other websites using the same credentials and (2) not to rely on an email account that was part of the breach to make such notice.

The Amendments remove the limitations that required that: (1) persons subject to the Act must conduct business in Connecticut and (2) that the information subject to the Act be maintained in the ordinary course of business.  Theoretically, any business that stores personal information of a Connecticut resident is now subject to the Act.

The Amendments remove the safe harbor provision allowing for an investigation after discovery of the breach before notification.  Companies now have only sixty-days from the discovery of the breach of security to notify Connecticut residents.   The Act also now includes an ongoing notification duty to Connecticut residents as well.

The notification of affected persons may be avoided if after an “appropriate investigation” the person covered by the Act determines that no harm will befall the individual whose personal information was either acquired or accessed.  However, the sixty-day notification period still applies and any “appropriate investigation” would need to be completed before the duty to notify is triggered.  Furthermore, the Act no longer requires that the information be both acquired and accessed.  Simple acquisition is enough as well as is a brief intrusion into unencrypted protected personal information stored on a secured network.

Finally, the Amendments create a safe harbor for persons in compliance with HITECH and HIPPA privacy and security standards so long as notice to the attorney general is provided.  Materials and information provided to the attorney general are exempt from public disclosure except when provided by the attorney general to third parties for the purpose of furthering an investigation.

The Amended Data Privacy Breach Notification Act is much more onerous to comply with and best practices include having a breach notification plan that can be used at a moment’s notice, creating an inventory of personal information stored by the entity and, encrypting all personal data.  Encrypting personal information remains the best way to comply with Act but the risk of non-compliance can be high since non-compliance is considered a Connecticut Unfair Trade Practices violation which can result in compensatory and punitive damages as well as attorney’s fees.

Federal Jury Rules Four Cryptocurrency products are not Securities

A recent decision in the United States District Court for the District of Connecticut appears to be the first of its kind in the nation. In the case Audet et al v. Garza et al, a federal jury recently weighed in on whether cryptocurrency products were considered securities.[1] The jury held that four digital-asset products linked to cryptocurrency were not securities.[2]

In the case, a class of customers brought an action against GAW Miners LLC (“GAW Miners”) and ZenMiner LLC (“ZenMiner”) for running a cryptocurrency Ponzi scheme.[3] When GAW Miners and ZenMiner were faced with demands from customers for the physical cryptocurrency mining equipment which they could not meet, GAW Miners and ZenMiner turned to Hashlets, Hashpoints, Paycoin and HashStakers (collectively the “Digital Assets”). [4]  These Digital Assets provided customers with a portion of the computing power without owning the physical hardware.[5] Moreover, the Digital Assets served as virtual wallets for the promissory notes and virtual currency of GAW Miners and ZenMiner.[6] The plaintiffs argued that these Digital Assets were investment contracts and therefore were unregulated securities.[7]

The plaintiffs asked Judge Michael Shea to rule as a matter of law that the Digital Assets were securities under the Howey test. [8] The Supreme Court in Howey stated an investment contract exists when “a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party.” [9] However, in an unusual decision, Judge Shea declined to rule as a matter of law that the Digital Assets were securities.[10] Instead, the judge left the issue of how to classify the Digital Assets for the jury.[11] Despite the SEC previously referring to one of the Digital Assets, Hashlets, as a security in a case against one of the former defendants in this case,[12] the jury ruled that the Digital Assets were not investment contracts, and therefore, they were not securities.[13]

The issue of how to define cryptocurrencies is an ongoing debate, and the federal jury’s ruling in this case does not settle it.

[1] Elise Hansen, Crypto Mining-Linked Products Weren’t Securities, Jury Finds, Law360 (Nov. 2, 2021), https://www.law360.com/articles/1436790/crypto-mining-linked-products-weren-t-securities-jury-finds.

[2] Id.

[3] HHR Wins Groundbreaking Jury Verdict in Crypto Fraud Trial, HHR (Nov. 3, 2021), https://www.hugheshubbard.com/news/hhr-wins-groundbreaking-jury-verdict-in-crypto-fraud-trial.

[4] Id.

[5] Hansen, supra note 1.

[6] Id.

[7] Id.

[8] Alison Frankel, In apparent first, Conn. class action jury finds crypto products are not securities, Reuters (Nov. 3, 2021), https://www.reuters.com/legal/transactional/apparent-first-conn-class-action-jury-finds-crypto-products-are-not-securities-2021-11-03/.

[9] SEC v. W. J. Howey Co., 328 U.S. 293, 298­–99 (1946).

[10] Id.

[11] Id.

[12] HRR, supra note 3.

[13] Hansen, supra note 1.

Cryptocurrencies: Security, Currency, or None of the Above?

As interest in cryptocurrencies (“crypto”) continues to rise, businesses and investors are left wondering what regulations they must follow. While crypto may contain the word “currency” in its name, it is unclear whether it truly is a currency. There has been a lot of debate over which category it belongs to for regulatory purposes.1 Is it a currency or a security? The SEC has yet to provide guidance on this rapidly developing market.

Simply put, a currency is a store of value, unit of account, and medium of exchange, while a security is a tradable financial asset that has monetary value.2 The Securities Act of 1933 (“the ‘33 Act”) provides a list of what qualifies as a security, and crypto is not included. However, the list contains investment contracts, which is the category the SEC has openly debated whether cryptocurrencies belong.3 The Supreme Court in Howey stated an investment contract exists when “a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party.”4

The determination of which category crypto belongs in is essential for investors as it implicates which governing body has the authority to regulate the market. If crypto is categorized as a currency, the SEC lacks jurisdiction. If it is considered a security, it falls squarely in the SEC’s jurisdiction and becomes subject to the agency’s strict reporting and trading regulations.

The SEC is not the only government agency that has failed to provide clear guidance on what category crypto belongs in. The IRS still refers businesses to its 2014 Notice where it opined on the topic.5 The 2014 Notice stated it is “aware that ‘virtual currency’” exists and referred to “Bitcoin” as a convertible virtual currency because it has an equivalent value in real currency. However, in the same notice, it stated that virtual currency could be held as a capital asset like stocks and bonds.

Something that tends to complicate the classification of crypto even more is the fact that it seems a specific cryptocurrency’s classification may change over time. This happened in the case of the token ether, the primary token for Ethereum.8 The then SEC Chairman decided it no longer met the Howey test and declared it not a security. Then SEC Chairman Clayton also stated that Bitcoin was not a security due to its decentralized nature.10

Even though the SEC has stated Bitcoin and ether are not securities, the question remains on what the status is of the numerous other cryptos. A recent action brought by the SEC against Ripple Labs, Inc. (“Ripple”) in the U.S. District Court for the Southern District of New York could significantly impact how crypto is regulated and categorized. The SEC argues that XRP, Ripple’s cryptocurrency, is an investment contract under the Howey test, and therefore by not registering it, Ripple sold XRP as an unregistered security.11 While the parties have entered into settlement discussions, it is still a case to watch for potential regulatory impacts on cryptos.

While it is still unclear whether cryptos are securities or currency for regulatory purposes, one thing is clear: the market is only continuing to grow, and the SEC and other government agencies are taking notice of the unregulated area. Common sense, sound legal advice, and diligence will help any business or investor navigate this market despite the uncertainty surrounding crypto.

1. SEC Reckons With Crypto’s Currency And Security Conundrum, PYMNTS (Apr. 20, 2021).
2. Public Statement, Bill Hinman, Dir. Of Div. of Corp. Fin., SEC; Valerie Szczepanik, Senior Advisor for Digital Assets & Innovation, SEC, Statement on “Framework for ‘Investment Contract’ Analysis of Digital Assets” (Apr. 13, 2019).
3. Public Statement, Chair Gary Gensler, SEC, Remarks Before the Aspen Security Forum (Aug. 3, 2021).
4. SEC v. W. J. Howey Co., 328 U.S. 293, 298­–99 (1946).
5. I.R.S. Notice 2014-21, 2014-16 I.R.B. 938 (Apr. 14, 2014).
6. Id.
7. Id.
8. David Borsack & Cole Schotz, Cryptocurrencies And The Security And Exchange Commission, JDSUPPRA (Aug. 4, 2021).
9. Aaron Hankin, SEC’s Jay Clayton says Ether isn’t a security, reiterating the regulator’s stance, MarketWatch (Mar. 12, 2019).
10. Is Crypto A Commodity or Security?, SoFi (Apr. 27, 2021).
11. Press Release, SEC, SEC Charges Ripple and Two Executives with Conducting $1.3 Billion Unregistered Securities Offering (Dec. 22, 2020).

Working Remote Without Privacy Violations

COVID-19 revolutionized the need for remote work by employees.  And the trend toward working remote likely will continue after the outbreak is a distant memory. However, the privacy and cybersecurity implications surrounding these remote workers are often either unknown and/or ignored.  So now what?  With more of your employees working off-site, how do you protect your company against privacy violations of state, federal and international law?

The first step is to review your privacy policy.  Is it too lax?  Is it too strict?  Either extreme creates its own issues such as inefficiency for remote workers or potential data breaches.  The policy must contain clear penalties for violations.  Violations must be tracked and the penalties enforced for the privacy policy to fulfill its purpose.

The second step is to make sure that every employee, vendor and client, is aware of the privacy policy and where appropriate, commits to the privacy policy with either a physical or digital signature.  These acknowledgements must be stored and organized by privacy policy version. As the privacy policy is amended from time to time, it is important to determine whether an additional acknowledgement is required from your employees, vendors and clients.

The third step is to train employees on how to abide by the privacy policy.  A policy is useless if no one understands it or is unsure how to apply it to their employment duties. With remote workers, this becomes even more critical as data that may permissibly be left on a desk or sent in an email on a secure network, may not be appropriate in a remote working environment.  Remote workers need to use Virtual Private Networks (VPN) to access company systems.  Companies should verify that each remote worker is using a VPN while working remotely.

The final step requires taking a second look at your data, the processing of the data and specific business sector regulations such as the Graham-Leahy Bliley Act in the financial sector.  During this review it is important to identify new risks posed by remote workers.  One way of achieving this review is to either assign or hire a Chief Information Officer (CIO) to coordinate and stay abreast of the latest trends and developments.

Another aspect of cybersecurity and privacy that must be evaluated and implemented wherever possible is Privacy Enhancing Technology (PET).  These various technologies (there are five) allow for a greater use of data while removing all identifiable information and resisting attempts to reconstruct personal information by combining an anonymous data set with a data set that “decodes” the first set, such as Census data or voter registration databases.  More information on PET can be found here.

P&D attorneys can assist with all these recommendations with a cost effective and pragmatic approach.  Our attorneys routinely handle the most challenging privacy and cybersecurity issues and are ready and eager to help your company during these uncertain times.

When It Rains, It Pours: The Psychology that Makes Us More Vulnerable During a Crisis

I received the following email alert from a cybersecurity client of mine:

“6x increase in cyber attacks over the last 4 weeks.”

“Information about COVID-19 should only come from a legitamate source. Don’t trust unsolocited emails or open unknown links”

“Really?,” I thought to myself; “We’re on lock-down, stressed about family and friends, not to mention business and jobs, and I’m getting cybersecurity alerts?” Frankly, I usually ignore them when I’m not distracted, but who has time for this now? 

However, the more I thought about it, the more I realized that’s exactly what cybercriminals are thinking too and why people need to stay alert and resist the temptation to click on those compelling links.

The truth is, despite the fancy hardware and software solutions available, most cybersecurity breaches occur due to human error or phishing attacks. Unless you have relatively sophisticated automated solutions, the people IN your organization may represent your greatest internal threat.

While companies see high risks from external threat actors, such as unsophisticated hackers (59%), cyber criminals (57%), and social engineers (44%), the greatest danger, cited by 9 out of 10 firms, lies with untrained general (non-IT) staff. In addition, more than half see data sharing with partners and vendors as their main IT vulnerability. Nonetheless, less than a fifth of firms have made significant progress in training staff and partners on cybersecurity awareness (ESI ThoughtLab/WSJ Pro Cybersecurity, 2018).

And this was before COVID hit us between the eyes. Let’s take a quick look at the psychology at play that makes us even more vulnerable during a crisis.
The Neuroscience of Crisis

As humans, we are prewired for crisis. 

Whether you think of this brain system as the “reptilian brain,” attributed to Paul MacLean and his Triune Theory (Sagan, 1977), or the fight-flight reaction of the sympathetic nervous system (System 1) which is our immediate, emotional reaction (Kahneman, 2011), it is clear that our brain protects us in times of danger. 

This system, which is buried deep in the interior of the human brain, is both evolutionarily older and more immediate than simple cognitive thought; it is pre-cognitive. When the danger is ambiguous, System 2 thinking (which, in contrast with System 1 is slower, more deliberative and more logical) is nice; go through your options, take your time, don’t rush. 

But when there is a perception of crisis, the need to ACT is immediate. 

The fight-flight response makes us want to DO something, and now! From an evolutionary point of view, in times of danger, those who acted first were often safer than those who took their time.

The COVID-19 pandemic is, of course, a crisis. 

Have people noticed how much more tired they are these days, even though we aren’t even leaving the house? It’s because crisis mode requires more energy. During a crisis, the thoughtful, reflective parts of our brain shut down. In other circumstances, we might hover over a suspicious link, while we process whether it seems risky or not. 

But that requires fully functional frontal lobes, or executive functioning, which need time and undivided attention to work properly. In crisis mode, frontal lobe functioning is significantly diminished, or may go offline altogether, in favor of a quick (albeit less considered) action or reaction. 

To make matters worse, cybercriminals know this: They know what emotional buttons to push to make you afraid (just click the link) or try to help (just click the link), or maybe even register your opinion (just click the link). 

But if you do click that unfamiliar or disguised link, you may have just let criminals into your personal computer and, by default, into your company’s IT system. 

Wait, consider, relax. Let System 2 kick in before you commit yourself, your computer, and your company to whatever those “black hat” cybercriminals have in mind.

Motivation During a Crisis

After the fear comes a desire to help. 

This is one of the ways that cybercriminals trick well-meaning people. Whether it’s a donation, or a message of support, or some other activity to help, we are again motivated in ways that leave us open to online criminal behavior. 

McClelland’s Social Motive Theory suggests there are three primary social motives: Achievement, Affiliation, and Power (McClelland, 1987). 

We all have the capacity for all three, and genetics and socialization as well as cognitive choice determine which motive wins the day in a given situation. In times of individual crisis, needs for achievement (e.g., successful social distancing) or needs for power (e.g., controlling the situation) may come to the fore. 

But in a social crisis, many of us are “hard-wired” to help, triggering a need for affiliation. 

That desire to help may cause people to act impulsively in what they believe is a pro-social, affiliative manner. Just click the link to make your donation, just click the link to show your support, and on and on, the cybercriminals never stop trying. Like the very best advertisers, they are clever about pushing your emotional (non-cognitive, pre-cognitive) buttons to get you to act in ways that benefit them.

I am assuming everyone reading this has the best of motives. Those very motives make you susceptible to the manipulation of cybercriminals. 

If your current impulse is to put this away, turn to something else, then you have experienced exactly what cybercriminals are counting on. 

Information fatigue, too much bad news, or just a desire to put some positive energy back out into the world, may all leave you vulnerable. 

Don’t click suspicious links, or even links that look well-meaning, without doing some simple checks and reviews first. 

  • Hover over a link and see if the URL is the same as whom the email purports to be from. 
  • Don’t provide any information, on any social media, whether at work or elsewhere, that can be used against you. 
  • Hackers are clever and unscrupulous so check and double-check links that looks suspicious in any way. 
  • Do a bit of research before you agree to anything and certainly before sending money or private information.
What’s Your Story?

Narrative is the final pillar in this little tripartite approach to cybercrime. I have come to believe that personality is a story we tell ourselves (and the world) about ourselves (Bruner, 1985). 

This story comprises our identity, it is who we think we are and often these beliefs about who we are dictate how we behave in the world and how we process information. 

For example, as a psychologist (not to mention a human being), I think of myself as a helpful person. I try to be kind and considerate. I don’t like to walk past beggars without giving them something (yes, yes, I know that would cause me to lose points on the WAIS IQ test but there you go, despite my cognition telling me this could be a trick, he or she will just buy cigarettes and beer, I often give in anyway). 

Cybercriminals will use these ideal images we have of ourselves to manipulate our thoughts, emotions, and purse-strings. 

  • I am good, so I give to the sick and needy. 
  • I love children, so I’ll give to those orphaned by COVID. 
  • I support healthy behaviors, so I’ll do most anything to protect my health. 
  • I’m a good parent, so I will click the link that shows me 10 ways to protect my family from infection. 

Your personal narrative is the core of your personal identity. We sometimes value it more than life itself (think of martyrs). 

If a clever cybercriminal hacks your social media, understands what makes you “tick,” that information can be used against you in a cybercrime.

The threats are real and so are the psychological levers cybercriminals pull to manipulate your fear. 

We are all overwhelmed, trying our best to hang in there, and help each other where we can. Don’t let your best intentions, and fatigue, allow you to be manipulated to behave unsafely online. COVID is real, and so is cybercrime. We must be alert to both.

Written by: Dr. Mark Sirkin, CEO at Sirkin Advisors

References

Bruner, J. (1986). Actual minds, possible worlds. Cambridge, MA: Harvard University Press.

ESI ThoughtLabs/WSJ Pro Cybersecurity (2018). The cybersecurity imperative: Managing cyber risks in a world of rapid digital change. New York: Author.

Kahneman, D. (2011). Thinking, fast and slow. New York: Farrar, Straus and Giroux.

McClelland, D. (1987). Human motivation. New York: University of Cambridge.

Sagan, C. (1977). The dragons of Eden. New York: Penguin Random House.

 

Connecticut’s New Insurance Data Security Law: The Costs and Benefits of Compliance

An important section of the recent budget bill adopted by the state of Connecticut demonstrates that regulatory fever has become contagious, at least as far as data security is concerned. Section 230 of the recently adopted bill sets forth a comprehensive set of cybersecurity regulations for the state’s insurers, requiring them to comport with guidelines modeled after those developed by New York State’s Department of Financial Services (DFS).1 Connecticut insurers will now have to develop a “comprehensive written information security program,” evaluate the efficacy of that program “not less than annually,” and periodically aver to the state’s Insurance Commissioner that the law’s provisions are being followed.2 In addition, the law requires that insurers establish strict cybersecurity regulations for third parties and develop “incident response plan[s]” to recover in the wake of a cyberattack.3

The data security law also establishes a comprehensive enforcement regime to investigate and punish noncompliance. Under the provisions of Section 230, the state’s Insurance Commissioner has a broad investigative power to verify compliance with the new regulations.4 Furthermore, the Commissioner retains the power to punish recalcitrant insurers by revoking business licenses and issuing fines of up to fifty thousand dollars (provided that the offending firms have not shown themselves to be exempt in an evidentiary hearing).5 The law does contain some exceptions, however. For a one-year period between 2020 and 2021, insurers with fewer than twenty employees will be exempt from the law’s requirements, and from 2021 on insurers with fewer than ten employees will be exempt.6 Moreover, those firms already compliant with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (a federal statute)7 are exempted from the Connecticut law if they can certify their compliance to state regulators.8 Nevertheless, compliance figures to be costly for Connecticut insurers.

As discussed on this blog previously, however, the cost of a cyberattack can often far outstrip the cost of compliance with cybersecurity regulations. This goes double for insurance companies, especially because such firms often possess “high-value consumer information, such as sensitive personal information, health information and payment card information.”9 Thanks to the creation of cybersecurity insurance, insurers are often left holding the bill in the wake of a devastating cyberattack elsewhere. Because they have presumably processed numerous such claims, they should know better than anyone else the true cost of a data breach. The aid of knowledgeable legal professionals and a healthy dose of common sense are all that stand in the way of cost-saving compliance with Connecticut’s new cybersecurity regulations.

 

  1. https://www.natlawreview.com/article/connecticut-budget-includes-insurance-data-security-law
  2. https://www.cga.ct.gov/2019/act/pa/pdf/2019PA-00117-R00HB-07424-PA.pdf
  3. Ibid
  4. Ibid
  5. Ibid
  6. Ibid
  7. Better known as HIPAA
  8. https://www.cga.ct.gov/2019/act/pa/pdf/2019PA-00117-R00HB-07424-PA.pdf
  9. https://www.stradley.com/-/media/files/publications/2017/05/landon—cyber-attacks-targeting-insurers.pdf