In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. This fine is a reminder of two important things: first, that the SEC is going to be an increasingly active player in the cybersecurity space; and second, that companies are well-advised to audit their policies and procedures on a regular basis and train their employees on security protocols.
News of Note: A National Cybersecurity Intelligence Center is set to open in the fall in Colorado Springs. A public-private collaboration with a strong assist from the University of Colorado, it will focus on educating public officials and executives, provide support to organizations facing a cyber attack through a Rapid Response Center, and act as a research hub on cyber crimes through its Cyber Research, Education and Training Center.
Practice Tip of the Week: Line up your vendors before a breach! When your company has discovered that a breach has occurred, you then need to investigate how the breach occurred, fix it, and see what other vulnerabilities you might have. You will almost certainly want to hire an outside vendor with significant expertise to do this work. Likewise, sometimes you have to deal with the press; hiring an expert to manage your PR might be the wisest thing to do. When you’re in the middle of handling a data breach, the last think you want to be doing is adding days, even sometimes weeks, to locate, vet, and contract with a vendor. Take these actions now, while things are relatively calm, so that when a breach does happen your vendors are under contract, and just a phone call away from springing into action.