This month, the Securities and Exchange Commission (SEC) announced new rules requiring companies that experience a cybersecurity attack to publicly disclose the impact of the attack within four days. Hotel companies whose securities are registered with the SEC should take note of these regulations and develop a robust incident response plan.
Bob Braun, senior member of JMBM’s Global Hospitality Group® and Co-Chair of the Firm’s Cybersecurity & Privacy Group, outlines the new regulations below.
Time is Short – Reporting your Data Breach
by Bob Braun, Hotel Lawyer
Over the past several years, hotel companies – including brands, managers and owners – have increasingly sought the benefit of access to public markets and, in doing so, have become subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act. As a result, these companies need to comply with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities and Exchange Commission recently adopted regulations which will have an impact on publicly traded hotel companies that suffer a data breach.
Breach Notifications for the Past 20 Years. Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.
The SEC Acts. Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities and Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations.
The rules were proposed last year and contested by trade organizations and businesses, which argued that four days is inadequate to identify the nature and scope of a breach, and that disclosure within that period would be as likely to spread inaccurate information as it would be to benefit consumers and shareholders.
In contrast, the SEC, in adopting the new regulation, cited the new rule as enhancing transparency into cyber threats after years of attacks against businesses by criminal gangs and, most significantly, groups backed by nation states. The SEC also saw this as an opportunity to address gaps in existing cybersecurity disclosures.
Gaps in Disclosure. Because there are a wide variety of laws and rules governing disclosure, there is little consistency in the timing or content of breach notifications. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all. Christopher Hetner, a former cybersecurity adviser at the SEC who provides guidance to the National Association of Corporate Directors, said, “The outcome of this rule will be to create more normalcy across disclosures.”
Arguments against the Regulation. The tight timeframe for disclosure raises concerns. The brief period for making incident disclosures could leave investors with information that isn’t accurate. The rules allow a company to update its incident disclosure with added information that was unavailable at first, but that also could create consumer and shareholder confusion.
The regulation is also unclear in defining how an incident would become material and how much detail will be required in public filings. This is a particular issue, since four days is unlikely to be adequate to collect and verify meaningful information about a security incident.
Third-Party Risks. The regulation also will require companies to create stronger reporting relationships with vendors. Over the past several years, the cyberattack risks arising in the information management supply chain have become a key concern, and unless vendors (and all of the parties in the vendors’ supply chain) cooperate promptly, a reporting company may be unable to meet the requirements of the new rule.
Annual Reporting. An issue that has not been widely reported is the requirement that companies must describe in their annual report what processes, if any, a company has in place to assess, identify and manage material risks from cybersecurity threats “in sufficient detail for a reasonable investor to understand those processes.” Combined with the SEC’s “plain language” mandate, this requirement alone might be a significant task.
Companies can deal with these new regulations by creating, implementing, testing and updating strong cybersecurity incident response plans. When a company has 96 hours to publicly report a cybersecurity incident, it cannot waste time trying to create a playbook to respond; the playbook must be in place and accurate. The necessary parties must have the “muscle memory” to know how to respond, not only to respond directly to the breach, but to comply with new and potentially burdensome regulations. The JMBM Global Hospitality Group® and Cybersecurity and Privacy Group work with hospitality clients to achieve these goals and prepare them for the challenges of an ever-changing cybersecurity landscape.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Further information about cybersecurity issues
If this article was of interest, you may also wish to read other articles by Bob Braun on “Data Technology, Privacy & Security,” which include the following:
Bob Braun is a Senior Member of JMBM’s Global Hospitality Group® and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. Bob has more than 20 years of experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager. Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun at 310.785.5331 or [email protected].