by Douglas Brent, Attorney at Stoll Keenon Ogden PLLC
Yogi Berra’s epigrams are all over the news today as Americans reflect on his amazing baseball career and his unforgettable imprint on our language. The Yogi-ism in our title came straight to mind after reading an announcement from the United States Securities and Exchange Commission, issued on the same day the great catcher passed away.
That’s because once again we’re seeing an American business breached by hackers, then besieged by federal regulators critical of its data privacy protection and breach response plans.
We discussed this a few weeks ago after a federal appeals court in Philadelphia upheld the Federal Trade Commission’s authority to pursue regulatory enforcement actions against the victim of a major cyber-attack. A few days later we wrote about the U.S. Department of Health and Human Services pursuing an Indiana medical practice over a breach of protected health information.
Now it’s the SEC’s turn to make an example of a regulated entity. On September 22, the agency announced that R.T. Jones, a St. Louis-based investment adviser, has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients. The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P (the “safeguards rule”) under the Securities Act of 1933. The firm agreed to be censured and pay a $75,000 penalty.
Check Your Protection Plan
As Yogi might say, when it comes to cybersecurity preparedness, 90 percent of the game is half mental. So whatever your business, if you handle personally identifiable information, credit cards or any other form of electronic payments, especially for consumers, it is critical to review your cybersecurity and privacy policies in light of your actual business practices. A member of SKO’s Privacy and Information Security practice can advise in this effort by helping identify the sector-specific regulatory requirements that apply to your own cyber-hygiene.
Cyber intrusions may seem inevitable. But, with proper legal planning, the fallout does not have to include being hauled before a regulatory agency.