In their second article for Corporate Board Member, Bass, Berry & Sims attorneys Joe Crace and Margaret Dodson continued their discussion on high-profile cyber breaches and the liability directors and officers of affected corporations could face, especially given recent interpretive guidance released by the SEC and proposed legislation on data breach notification standards. This second article was a follow-up to the earlier article, “Is Data Breach Liability Inching Toward the Board Room,” that was published on June 11.

After Yahoo! reached a settlement in a federal securities fraud action filed by shareholders as a result of its data breaches, the SEC announced that Yahoo! paid $35 million to settle claims that it failed to promptly disclose these massive data breaches in its public filings. This marked the first time the SEC brought an enforcement action alleging that a company’s failure to quickly disclose a data breach violated federal securities laws, and the SEC claimed that Yahoo!’s investors were blindsided by the breach and public companies must disclose these incidents to investors. 

Yahoo!’s settlement with the SEC could indicate that the agency plans to boost its enforcement efforts on cyber breach disclosures, especially coupled with SEC guidance issued on February 21, 2018, that companies, through their directors and officers, must “establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material [cybersecurity] events.” The guidance also stressed that insiders who trade on material, nonpublic information concerning cybersecurity risks or events violate the general antifraud provisions of federal securities laws as well as insider trading rules. 

Additionally, boardrooms should be aware of the Data Security and Breach Notification Act, legislation introduced in November 2017 that would impact D&O liability for data breaches. This legislation aims to simplify consumer notification standards for companies that are data breach victims and to require companies to promptly notify consumers if their information was involved. It is likely the result of last year’s hearing with current and former Yahoo! and Equifax executives, which established that companies should embrace additional protections to secure consumer information. With this in mind, companies should look out for the Data Security and Breach Notification Act and any other related legislation seeking to establish federal D&O penalties to solve a perceived lack of accountability for data breaches.

The full article, “Familiarize Yourself with SEC Guidance on Data Breach Disclosures,” was published by Corporate Board Member on June 20, 2018, and is available online.