Page 50 - Sheppard Mullin Eye on Privacy 2018 Year in Review

The guidance also focuses on the need for companies to develop disclosure controls and procedures, to allow them to responsibly discern the impact that cybersecurity risks or events may have on the company and determine whether they are material to investors. It also emphasizes the Commission’s view that directors, officers and other persons in positions of high-level responsibility need to be informed about the cybersecurity risks and incidents that a company encounters.
PUTTING IT INTO PRACTICE: The new guidance does not so much break new ground as re-emphasize and reinforce existing principles. Indeed, SEC Commissioner Kara Stein criticized it for not going far enough to respond to cybersecurity risks and the need for public companies to disclose them. However, if you work for a public company facing cybersecurity risk, or you advise one, the new guidance contains useful principles and examples to consider in determining what information your company should disclose, when to do so, and how to avoid allegations of insider trading on cybersecurity information that is not yet public. The document also signals growing vigilance by the SEC in policing public company behavior relating to cybersecurity.
Privacy, Data Security, and Your Board – Day One
Posted on February 26, 2018
This week we are focusing on how to talk to boards about privacy and data security issues. Typically, a starting point for lawyers is convincing those in a corporation why a board should care about privacy and data security, or convincing a board member why she should care. There are several reasons, but a few that have resonated the most when we talk to board members are these: regulators require or expect board oversight, and board members can face potential liability for oversight failures. Board members generally have a fiduciary duty of care, which requires them to be informed by asking the right questions and requesting the right information. How can board members best manage these responsibilities? They can consult with counsel and other experts, when needed, and take sufficient time during meetings to discuss and understand the company’s approach to data privacy and security and consider alternative courses of action, if necessary.
PUTTING IT INTO PRACTICE: Companies should keep in mind that board members are getting a lot of advice about privacy and data security, and will often ask many questions to ensure that they are living up to their duty of care. Are you ready to respond to and address those questions?