GUEST BLOG: New SEC disclosure guidance about cyber security risks

GUEST BLOG FROM JIM BRASHEAR

I welcome Jim Brashear as a Guest Blogger with his blog concerning cyber security risks. Jim is Vice President, General Counsel and Corporate Secretary of Nasdaq-traded Zix Corporation, the market leader in email encryption services. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics. You may want to follow him on Twitter. I’m sure we will see more Guest Blogs from him in the future. 

New SEC disclosure guidance about cyber security risks

The SEC recently issued new disclosure guidance about cyber security risks. In summary, the SEC is directing public companies to review, on an ongoing basis, the adequacy of their disclosure relating to cyber security risks and cyber incidents. The disclosure guidance does not create new standards, but reminds public companies of existing disclosure requirements that may apply to cyber security risks and cyber incidents.

The bottom line is that this guidance should cause public companies, including their senior management and boards of directors, to give more attention to assessing cyber security as part of their enterprise risk assessments, because a discussion of cyber security risks and cyber incidents may become expected in public company financial disclosure. It should also prompt public companies to include these issues in their disclosure controls processes.

The SEC provides more specific guidance about disclosure in six areas of public company financial reports: Risk Factors, Management’s Discussion and Analysis (MD&A), Business Description, Legal Proceedings, Financial Statement Disclosure, and Disclosure Controls and Procedures.

On the latter point, public companies will need to assess and disclose conclusions about the impact of cyber security risks and cyber security incidents on the effectiveness of the organization's controls over financial disclosure, including whether there are any deficiencies that would render those controls ineffective. Additionally, public companies should supplement their disclosure controls checklists, so that their disclosure controls processes will include consideration of possible disclosure about cyber risks and cyber incidents.

Companies are not required to disclose any or all of the issues that are identified for consideration and discussion by their disclosure controls committees. In fact, the SEC recognizes that detailed disclosures of these issues could increase the cyber risks. The organization may have concerns about what personnel can be involved in IT security discussions or receive any report about those issues, based on individual security clearances, etc. The process might, therefore, require that those discussions occur in a smaller group.

The list of questions below is intended to (a) prompt a discussion in the disclosure committee of any meaningful changes in the company’s cyber risk profile and whether additional disclosure (or other action) is warranted, and (b) create a written record that management thoughtfully considered the principal data security and privacy risks facing the company in order to determine whether additional disclosure (or other action) is warranted.

1. Any significant change to the nature or level of cyber security risks facing the company or affecting the company’s services to customers [such as any meaningful increase in actual or threatened penetration attempts, spear phishing or other advanced persistent threats (APT), or denial of service (DOS) attacks]

2. Any significant cyber incident [such as malware embedded in any company system which may have exposed or compromised any of the company’s confidential or proprietary information, or the transmission or other exposure via the internet of unencrypted personal information of any customer, employee or other individual]

3. Any significant cyber security risk deficiency that was identified in any review or audit of the company’s information security or data privacy practices

4. Any significant change to the company’s expenses or capital costs of mitigating cyber security risks, such as an increase in cyber risk insurance premiums or services purchased to avoid system penetration

5. Any significant change in the company’s ability to promptly respond to, and promptly resume operations after, a cyber incident or damage or loss of power to the company’s principal data center or any other systems important to maintaining operations

GPS Data Will be Considered by the US Supreme Court

Today everybody carries GPS devices in their phones (and tablets), but few people consider that our personal privacy may be compromised as a result. In November the US Supreme Court will hear argument (US v. Jones) as to whether a drug suspect’s Constitutional right to privacy was violated when a GPS device was attached to his vehicle without a warrant. As a matter of fact, Roger L. Easton, the principal inventor of GPS technology, has joined the Electronic Frontier Foundation in urging the Supreme Court to require warrants before GPS tracking systems are used.

GPS data is retained by phone service providers and may become a larger part of litigation (and eDiscovery), since it allows litigants to establish a party’s location at specific times.

Our personal privacy may be at stake if the Supreme Court writes a broad opinion about how much personal privacy we can expect from GPS data, since our phones (and tablets) contain GPS devices.

Cloud Computing - Ancient Technology Solution with a New Name

Use of remote computers has been around since at least 1964, but the current marketing buzz called Cloud Computing might make you think there’s something new. However, Cloud Computing is merely the newest label for the 1964 remote computing service called "Time-Sharing" at Dartmouth College, which used a General Electric 235 computer (and dumb terminals, the Teletype 33/34). Since 1964 the same idea of using remote computing as "Time-Sharing" has had a number of labels, including:

ASP – Application Service Provider
SaaS – Software as a Service
PaaS – Platform as a Service

A recent legal conference included a panel discussion about Cloud legal issues; however, not once did the panel refer to any of these prior names, and in fact the panel members acted as if the technology and legal issues involved in Cloud Computing were something new. In fact the technology and legal issues are really very old news!

What is different about Cloud Computing is that all the Internet powerhouse players offer Cloud Computing services including IBM, Microsoft, Amazon, Google, Salesforce, and many more.

Are Privacy Policies Being Enforced?

My eCommerce Times column for October is entitled “Shore Up Your Privacy Policy Before Disaster Strikes” and I encourage you to read it. Actually it was published the same day as my blog noting that more than 7.5 million children under 13 are on Facebook. Since the Federal Trade Commission regulates Internet privacy in the US, and particularly enforces the 1998 Children’s Online Privacy Protection Act, it’s only a matter of time before we can expect some action.

Facebook’s latest user statistics are that more than 75% of Facebook users are outside the US. So it seems likely that the EU, Japan, Canada, and many other countries will inquire about what Facebook intends to do about children using Facebook!

More than 7.5 Million Facebook Users are Younger than 13

The June 2011 issue of Consumer Reports included an article reporting that Facebook has more than 7.5 million children as users, which apparently violates the 1998 Children’s Online Privacy Protection Act (COPPA), which precludes children under 13 from using such websites and, in particular, from joining Facebook. The Consumer Reports article stated that:

  • Of the 20 million minors who actively used Facebook in the past year, 7.5 million—or more than one-third—were younger than 13 and not supposed to be able to use the site.
  • Among young users, more than 5 million were 10 and under, and their accounts were largely unsupervised by their parents.
  • One million children were harassed, threatened, or subjected to other forms of cyberbullying on the site in the past year.

These figures reinforce the fact that it is impossible to know who is actually using Internet websites, as highlighted by one of my favorite New Yorker cartoons from 1993, in which two dogs are sitting in front of a computer and one dog says to the other, “On the Internet nobody knows you’re a dog.”

COPPA was enacted to protect children under 13, but if children under 13 lie about their age what is Facebook (or any other site) to do? This is a most perplexing problem and hopefully we can solve this problem to protect children.

FCC $8 Billion Plan to Expand Broadband

The FCC plans to spend $8 billion to expand broadband service to more than 18 million citizens in rural America who lack high speed Internet access. In a speech, Julius Genachowski (FCC chairman) called access to broadband “a necessity”:

“Broadband has gone from being a luxury to being a necessity for full participation in our economy and society,” Mr. Genachowski said. “This plan will bring enormous benefits to individual consumers, our national economy and our global competitiveness.”

Walter B. McCormick Jr. (President and Chief Executive of USTelecom, a broadband industry trade association) said: “We applaud Chairman Genachowski for his commitment to connecting all Americans to high-speed broadband.”

When more details are revealed we will learn whether this new plan will truly help citizens in rural America. Since the National Broadband Plan has been under way for many years, it is not entirely clear why more Americans do not already have high speed Internet access.


Privacy Concerns over Chinese Ownership of Yahoo!

A report in the Financial Times that Alibaba might take over Yahoo! has raised privacy fears. A recent comment by Jack Ma (Alibaba founder and former Google employee) about the prospect that Alibaba was interested in Yahoo! set off privacy group alarms, as reported by the Financial Times:

“Lawmakers should oppose a deal where the data of Americans come under the control of a foreign company with links to the Chinese government,” said Jeff Chester, head of the Center for Digital Democracy. “Instead of stealthfully spying on Google users, which Chinese officials have been alleged to have done, an Alibaba takeover of Yahoo would sanction the surveillance of millions of Americans.”

Ironically, Yahoo! uses Microsoft's Bing these days for its search engine, so this privacy concern is much larger than it seems on the surface. As well, Alibaba is the most popular search engine in China, and with Google's departure it seems that Alibaba is as strong as ever, notwithstanding that Bing has entered the Chinese search engine market.

This will be of great interest to follow for the search engine wars and privacy concerns!