How to shield your company from cyber enforcement

Evan Bundschuh, partner and commercial lines head at GB&A | Oct. 7, 2016
Regulators and regulations are getting more stringent. You need a living, breathing and constantly evolving governance framework, but insurance is also critical


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

A lot has changed in the world of cyber regulation. September 2015 saw the widely reported SEC administrative proceeding against RT Jones for violating the “Safeguard Rule” in failing to establish and implement written cyber protection policies. Next was Morgan Stanley. And this past March the Consumer Financial Protection Bureau (CFPB) brought a pre-emptive action against a company that hadn’t even had a breach.

At this stage, it’s safe to assume the list of regulators and their security requirements will continue to grow and fines and penalties will become more severe. In fact, just last week the New York Department of Financial Services (DFS) proposed new cyber guidelines for financial institutions.

In order to protect themselves, organizations need to develop cyber frameworks and internal security environments that are living, breathing and constantly evolving, both to adequately protect against outside threats and in order to meet the increasing demands of regulators. They must also ensure their cyber insurance policies provide sufficient coverage for regulatory proceedings and associated penalties.

When controls fail and security incidents occur, it goes without saying that investigations and fines are close behind. A review of the FTC’s cyber enforcement actions demonstrates that regulatory enforcement is not limited solely to Fortune 500 companies – there are many “smaller” companies included on that list. The most common causes of enforcement actions revolve around:

  • Security failures, and failure to protect employee data: The most commonly referenced violations included: misleading statements and misrepresentations regarding the adequacy or extent of security measures taken, failure to properly secure data, security vulnerabilities related to mobile applications, failing to encrypt data and/or employ SSL, and failure to adopt written policies.
  • Deceptive privacy practices and unauthorized collection of information: The most commonly cited wrongful actions related to privacy policies include improper use of cookies to track or gather information, blatant disregard of published policies, privacy policies that did not adequately reflect actual usage, and inadequate software descriptions, among others. In terms of data acquisition/usage and violations involving deceptive practices related to that information, violations tended to revolve around: deceptive collection of information and misrepresentations, including collection of information without disclosing the intent or scope of collection, deceptive “opt-in” practices, and improper usage of software or software “extensions.”
  • Failure to abide by foreign and cross-border privacy rules: Cross-border and foreign cyber regulation appears to be a growing area of interest for the FTC. Since the FTC’s initial action against American Apparel in May of 2014, the agency immediately followed with enforcement against an additional 14 companies, with violations against another 15 companies a few months later. Most of those actions were for violations of the US-EU Safe Harbor rule.
