Over the last few years, the creation of new cybersecurity regulations has been robust, but actual enforcement has been tepid. This is understandable in any new regulatory regime, especially one where the standards are vague, the conduct is evolving, and therefore, there is considerable uncertainty on the part of the regulated as to what is required. In addition, companies that experience data breaches are often the victims of a crime (rather than the perpetrators), so regulators don’t want to be seen as piling on and further punishing victims. But, after years of conducting cybersecurity exams, speaking on panels, issuing guidance, encouraging best practices, and publicly warning companies, there are signs that 2019 was a transition year, and 2020 is likely to be a time when cybersecurity enforcement leans more towards the stick side of the equation. There are several explanations for this development.
First, there is a sense among regulators that companies have now had sufficient time (and warnings) to understand what reasonable cybersecurity measures looks like, and to implement them. For example, the final sets of DFS Cyber Rules relating to vendor management have been effective since March 2019, and companies will certify compliance with all of the DFS Cyber Rules for the first time in February 2020.
Second, successful attacks are putting significant funds into the hands of cybercriminals, which not only incentivize more attacks, but also allow the criminals to invest in better tools and talent to further their illegal trade.
Third, there is growing consensus as to which security measures are essential to protecting the confidential data of customers, employees, and partners, and to limiting the potential ripple effects that a cybersecurity incident can have on entire business ecosystems.
Finally, after conducting cybersecurity exams of hundreds of companies and investigating dozens of breaches, the regulators are better able to differentiate (a) companies that made reasonable efforts to protect their data but were nonetheless breached (and therefore should not face any enforcement action) from (b) companies that fell far below the reasonable standard in their preparation for, and/or response to, the cyber-attack.
Some of the signs that the days of mostly-carrot cyber enforcement may be coming to an end include:
- The New York DFS has hired a former federal cyber prosecutor to head its cyber enforcement group.
- FINRA recently sent a notice to regulated entities warning them about business email compromise scams (BECs), and reminding them that under SEC Reg. S-P, they are required to have policies and procedures that address the protection of customer information and records. The SEC provided a similar warning late last year that cyber incidents may lead to enforcement action.
- The CFTC recently fined a futures commission merchant $1.5M for failure to have adequate employee training for cybersecurity in connection with a breach that resulted from a phishing email.
- The California AG’s office issued its much-anticipated guidance on the CCPA on October 10, 2019, and stressed that businesses should not consider the period between the CCPA’s effectiveness on January 1, 2020 and the start of enforcement on July 1, 2020 as any type of safe harbor.
As we have discussed here, the New York Shield Act, which includes substantive cybersecurity requirements, came into effect on October 23, 2019. But the New York AG didn’t wait for the Shield Act to step up cyber enforcement. She recently filed a suit against Dunkin’ Donuts using the AG’s general consumer protection powers. The Complaint alleges failures of Dunkin to undertake appropriate actions to investigate, notify, and remediate in the aftermath of a series of brute force attacks targeted at Dunkin’s customer accounts and used primarily to steal from customers’ DD cards, which are Dunkin-specific stored value cards. The AG’s causes of action include Fraudulent Business Conduct, Deceptive Business Practices, and False Advertising, for misrepresenting to consumers that it provided reasonable safeguards to protect their personal information, as well as violations of the General Business Law for failing to meet its breach notification obligations. The Dunkin case serves as a reminder to companies of ways they can reduce their cybersecurity enforcement risk, including:
- Avoiding overly positive and unqualified statements in privacy policies and other public statements about cybersecurity measures;
- Developing a realistic incident response plan and following it during an actual incident;
- Conducting regular assessments and updates of cybersecurity capabilities and infrastructure;
- Remediating vulnerabilities promptly after an incident;
- Complying with breach notification obligations; and
- Ensuring the accuracy and proper characterization of incidents in notifications to customers and regulators.
But the Dunkin case is also a sign that, even in the absence of cybersecurity-specific regulations, with growing political and consumer pressure to do more to protect personal data, cybersecurity enforcement appears to be on the rise.