The FinTech Revolution: How Data Breaches Can Result in Regulatory Enforcement Actions
This is the fifth installment in a series of articles. For more background on this topic, please read our first article in the series, An Introduction to Financial Technology; our second article, The FinTech Revolution: Enforcement Actions Brought against FinTech Companies and Their Implications; our third article, The FinTech Revolution: The Impact of Blockchain Technology on Regulatory Enforcement; and our fourth article, The FinTech Revolution: Complying with Anti-Money Laundering Laws to Avoid Regulatory Enforcement Actions.
As news reports of corporate data breaches have become commonplace, companies must be proactive in preventing security breaches and prepared to take appropriate action in the event one occurs. This mantra is particularly true for FinTech companies that, by the very nature of their business, regularly collect customers’ personally identifiable information (“PII”) and other sensitive data. A failure to adequately protect this information, or to disclose the occurrence of a data breach, exposes companies to the very real possibility of government enforcement action.
We have noted previously that a FinTech company that falsely represents its data security practices is subject to an enforcement action by the Consumer Financial Protection Bureau for violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act.[1] In addition, FinTech companies that sell securities—whether publicly or in a private placement—must comply with applicable securities regulations when it comes to data breaches and their attendant disclosure.
Disclosure Requirements under the Securities Exchange Act
Section 10(b) of the Securities Exchange Act of 1934—the antifraud provision of the Exchange Act—and the Securities and Exchange Commission (“SEC”) Rule promulgated under this section, Rule 10b-5, broadly prohibit fraud in connection with the sale of securities.[2] Rule 10b-5 specifically forbids using any “device, scheme, or artifice to defraud,” making any misstatement or omission of a “material fact,” or engaging in “any act, practice or course of business which operates … as a fraud or deceit upon any person,” in connection with the sale of any securities. Any company engaged in the sale of securities, whether public or private, is subject to this rule.[3]
A FinTech company that sells securities must disclose material information about cybersecurity risks and cyber incidents to prevent a misleading statement or omission about a material fact. For example, if a company expects to incur substantial costs as a result of a data breach that would be material for its financial condition or results of operations, it would need to disclose the breach and the risk of its adverse impact on the company’s financial position to avoid misleading investors about the company’s future financial performance.
Importantly, there is no bright-line rule for when information is considered “material,” such that it must be disclosed. Based on case law guidance, information is considered material if there is a substantial likelihood that a reasonable investor would view the information as important in making an investment decision, or if the information would significantly alter the “total mix” of the information available about a security.[4] In 2011, the SEC issued guidance on “disclosure obligations related to cybersecurity risks and cyber incidents.” Although it principally applied to public company disclosure obligations, this guidance also offers useful best-practices information for private entities involved in the sale of securities. In particular, the guidance provides general examples of what might constitute a material fact in certain circumstances, such as when the risk of cyber incidents is “among the most significant factors that make an investment in the company speculative or risky.”[5] Again, the analysis is fact-specific and can be subjective.
Earlier this year, the SEC published additional guidance to further assist public companies in preparing SEC filings about cybersecurity risks and incidents.[6] Besides reinforcing the 2011 guidance, the recent publication emphasized, among other things, the importance of implementing a framework of policies and procedures to address cybersecurity risks and incidents, and the obligations of public companies and their insiders to “refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”[7]
The 2018 guidance also provided a helpful framework for analyzing the materiality of cyber incidents and risk. In determining disclosure obligations regarding cybersecurity risks and incidents, companies should generally “weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.”[8] The SEC also clarified that the materiality of cybersecurity risks or incidents depends upon their “nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations,” as well as “the range of harm that such incidents could cause,” which could include “harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions.”[9]
The SEC made it clear that it does not expect companies to disclose “specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” However, when a company becomes aware of a cybersecurity incident or risk that would be material to its investors, the SEC expects it to make appropriate disclosures prior to the offer and sale of securities.[10] Although the SEC understands that a company may require time to “discern the implications of a cybersecurity incident,” the SEC guidance makes it clear that “an ongoing internal or external investigation … would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”[11]
Penalties for Failure to Comply with Rule 10b-5
The penalties for failure to comply with Rule 10b-5 are onerous. Companies or individuals that engage in a “willful” violation of Rule 10b-5 are subject to criminal prosecution by the U.S. Department of Justice. A resulting conviction carries with it a fine of up to $25 million for companies, and a period of incarceration of up to 20 years and a fine of up to five million dollars for individuals.[12] In addition to seeking disgorgement of ill-gotten gains, the SEC also has the authority to impose a range of civil monetary penalties for “each act or omission” resulting in a violation of the securities laws, of up to $775,000 per act or omission by a company and up to $160,000 per act or omission by an individual.[13] Importantly, each investor to whom a misleading statement or report was made constitutes a separate “act or omission.” The amount of the maximum fine the SEC may seek to impose is thus multiplied by the number of separate acts or omissions that have occurred, thereby exposing companies to substantial fines.
FinTech companies that fail to take seriously the proliferation of threats to data privacy and security operate at their own peril. In addition to taking steps to implement comprehensive data protection systems and policies, companies must be aware of their obligations to disclose material cyber risks and data breaches. FinTech companies should consult further with legal counsel to understand these obligations, so that they are fully equipped to confront risks to their data protection systems, to respond appropriately to the possibility of a data breach, and to avoid the risk of failure to comply with applicable laws and regulations.
1. See In re Dwolla, Inc., File No. 2016-CFPB-0007 (Mar. 2, 2016).
2. See 15 U.S.C. § 78j; 17 C.F.R. § 240.10b-5.
3. See, e.g., SEC v. Stiefel Laboratories, Inc., Case No. 1:11-cv-24438 (S.D. Fla. Dec. 12, 2011) (private company).
4. Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 43 (2011).
5. Division of Corporation Finance, SEC, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
6. Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 26, 2018), available at sec.gov/rules/interp/2018/33-10459.pdf.
7. Id. at 7.
8. Id. at 10–11.
9. Id. at 11.
10. See id.
11. Id. at 12.
12. 15 U.S.C. § 78ff.
13. 15 U.S.C. §§ 77h-1(g), 78u-2(b), 80a-9(d), 80b-3(i).
©2018 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.