Thursday, May 26, 2022

A Cautionary Tale About Secondary Use

Twitter has agreed to pay a $150,000,000 fine (13% of revenue) to settle FTC allegations that it enticed consumers into sharing personal information under false pretenses.

Twitter began asking people to provide emails and phone numbers in 2013, explaining that the information would help them reset accounts or enable two-factor authentication. However, over the years, the company used those email addresses and phone numbers as identifiers, sharing them with media agencies and ad networks to create audiences for online advertising. The Federal Trade Commission viewed this as a "bait-and-switch" tactic in violation of Section 5 of the FTC Act.

When companies tell consumers they need data for certain reasons, and later use it for other reasons, it's called "secondary use," and it's frowned upon by regulators around the globe. Regulators insist on "purpose limitation," meaning that companies should only use personal data for the purposes that were described to the consumer at or before the time the data was collected or used. A new purpose that is very closely related to the original purpose might be acceptable, but it's a gray area that requires careful legal judgment.

This is a good reminder that companies' consumer privacy disclosures should describe *every* likely use of personal data, *before* the data is collected or used.

If additional uses are later identified but are not closely related to the original purposes disclosed to consumers, companies must notify consumers of the new use (or ask for permission, depending upon the type of data and the jurisdiction) before using the data for the additional purpose.

image of the Federal Trade Commission Building

Thursday, March 10, 2022

The SEC wants companies to disclose data incidents almost immediately

Sometimes the life of an in-house cybersecurity lawyer is stressful. The SEC is not making it any easier.

Yesterday, the US Securities and Exchange Commission proposed a new rule amendment that would require publicly-held companies to file an 8-K to (publicly) disclose a material data incident within four business days of determining it is material.

What would companies be required to disclose?

The proposal calls for the following information to be included in the Current Report on Form 8-K:

  1. When the incident was discovered and whether it is ongoing;
  2. A brief description of the nature and scope of the incident;
  3. Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  4. The effect of the incident on the registrant’s operations; and
  5. Whether the registrant has remediated or is currently remediating the incident.
  6. ...in an Interactive Data File (XBRL).

That's a lot of detail to collect, confirm, and craft into a coherent report in just four days.

This would dramatically accelerate the reporting timeline for most US companies. State data breach notification laws often give companies 30 or 45 days after discovery of a breach to notify authorities and affected individuals. The SEC notes that "it took on average 44 days for companies to discover breaches, and then in addition, it took an average of 53 days and a median of 37 days for companies to disclose a breach after its discovery." In the wake of a serious breach, most companies would be focused on detecting the compromise; isolating the threat; ejecting the malicious actor or code; protecting their customers, employees, and property; and mitigating risk. Reporting is not usually the most immediate consideration. Unlike most state breach notification laws, however, the proposed rule makes no allowance for delay, even if law enforcement requests a delay in reporting.

What if a company doesn't know those things within four days?

In the days and weeks following an incident, the "facts" tend to evolve and become more clear. Companies rarely are able to describe with great accuracy the nature and effect of a serious, sophisticated cyberattack within four days. The proposed rule calls for updates to be included in the next quarterly report (on Form 10-Q) or annual report (on Form 10-K)...unless the update is so substantial that the original Form 8-K is inaccurate, in which case an amended Form 8-K must be filed.

What is considered a "cybersecurity incident"?

The term is defined as “an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” The term probably covers privacy violations as well as incidents that do not constitute a "breach" under most state data breach notification laws. Examples from the SEC are:
  • An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant’s security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data;
  • An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
  • An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant;
  • An incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or
  • An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.

If a series of incidents collectively become material, they too would be required to be disclosed.

Other risk and risk management disclosures are also proposed.

The proposal also calls for regular reporting about a company's policies and procedures to identify and manage cybersecurity risks, the board's oversight of cybersecurity risk, and executive management’s role in cybersecurity risk, policies and procedures.

You can read the entire proposal yourself here, and consider submitting a comment.

_______


Press release: https://www.sec.gov/news/press-release/2022-39

Fact sheet: https://www.sec.gov/files/33-11038-fact-sheet.pdf