The Securities and Exchange Commission (“SEC”) recently announced a $1 million settlement with Morgan Stanley Smith Barney LLC following a 2014 data breach in which an employee improperly downloaded information on about 730,000 customers to his personal server, which was subsequently breached by hackers. The SEC alleged that Morgan Stanley’s security program did not meet the requirements of the agency’s Safeguards Rule, which applies to investment advisers registered with the SEC, brokers, dealers, and other financial institutions subject to SEC jurisdiction. But just one year ago, the Federal Trade Commission (“FTC”) conducted a similar review based on the very same incident and announced that it would not pursue further action. This result illustrates the latest in a growing trend: When a data breach occurs, companies may face privacy or data security investigations by several enforcement agencies with disparate views and priorities. This article examines this trend and offers three practical steps to prepare.
Same Incident, Different Enforcement Results
The FTC’s review of Morgan Stanley focused on whether the company’s security was inadequate to a degree that would support a violation of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. The FTC has used this same approach to reach more than 60 settlements related to data security shortcomings, including recent targets such as Oracle, Wyndham Hotels and Resorts, and Snapchat. In Morgan Stanley’s case, the agency closed its review without further action, noting that Morgan Stanley “promptly fixed the problem when it came to the company’s attention” and that the agency was otherwise satisfied with the comprehensive data security program Morgan Stanley had implemented.
The SEC’s review of the same incident led to a much different result. The agency alleged that employee access to customer data via two internal web applications was not monitored or restricted based on legitimate business need. Furthermore, the SEC charged that the portals lacked effective authorization modules for more than ten years. The SEC asserted that these shortcomings constituted a violation of the agency’s Gramm-Leach-Bliley Safeguards Rule, leading to the $1 million settlement with Morgan Stanley.
Why the differing results? We can only speculate, but there are several potential reasons. First, two agencies enforcing two similar but different standards without much precedent creates an opportunity for a disparate result. While the FTC has been fairly prolific in this space, the agency has not built such a body of settlements that it is clear whether a particular data breach should lead to a significant settlement. The SEC has far fewer actions under its belt by comparison. Second, both standards are very flexible and generally open to a subjective determination that a breach, by definition, means a violation occurred. It is fairly easy for a regulator to determine why the breach occurred, identify some missing security element that might have prevented it, and allege that the lack of that specific security element violated general and flexible security standards that use legal terms like “reasonable” and “appropriate.”
Multi-Regulator Enforcement Trend: The “Pile On” Effect
The Morgan Stanley case also shows how a single data incident can result in multiple enforcement actions by different agencies, enforcing different requirements, with different expectations and points of emphasis. This phenomenon is not limited to the financial services sector. For example, in the health care sector, a 2011 data breach attributed to Accretive Health resulted in a 2012 settlement with the Minnesota Attorney General (asserting alleged violations of HIPAA and state law that resulted in a $2.5 million settlement), a 2013 settlement with the FTC (asserting violations of Section 5 of the FTC Act, which led to a twenty-year consent judgment with biennial security audits), and a 2016 settlement with the U.S. Department of Health and Human Services against Accretive Health’s client, North Memorial Health Care of Minnesota (alleging HIPAA violations and resulting in a $1.55 million settlement).
In the retail sector, the TJX Company’s 2008 breach led to a settlement with the FTC (asserting violations of Section 5 of the FTC Act, which led to a 20-year consent judgment with biennial security audits), a $10 million settlement with 41 state attorneys general (proceeding on a variety of legal theories), and private plaintiffs, including a $40.9 million settlement with Visa. From the tech sector, Google provides two examples: First, the controversy over its circumvention of Safari browser privacy settings, which lead to a $17 million settlement with 37 states and the District of Columbia and a $22.5 million settlement with the FTC; and second, Google’s inadvertent capture of unencrypted wifi payload data during its Street View project, which lead to a $7 million settlement with 38 states and the District of Columbia, a modest $25,000 fine from the FCC for “willfully and repeatedly violating” a directive to cooperate with the agency in the matter, and (much like Morgan Stanley) a favorable resolution with the FTC.
Even companies purporting to act in the consumer protection space are not immune: LifeLock, which offers a variety of identity theft monitoring solutions to consumers, was alleged not to have secured consumer data appropriately. It agreed to pay $100 million to consumers to settle FTC charges and paid an additional $12 million to the FTC and 35 states to settle deceptive advertising charges related to the nature of its identity theft protection services. The settlement was so significant that LifeLock reported a loss for the year, despite achieving its 43rd consecutive quarter of growth.
These examples show multi-agency action on the same incident. In a related but different trend, the same company may face inquiries into different incidents by different regulators over the same timeframe. For example, in 2014, Verizon successfully emerged without penalty from an FTC data security review of the encryption standard employed by its routers. Only two months earlier, however, Verizon settled with the FCC for $7.4 million following allegations that it impermissibly used customer personal information to tailor marketing campaigns without notice or consent. And just two months ago, Verizon found itself back under the FTC’s microscope (along with eight other companies), as the agency conducts a detailed review of the companies’ approach to the data security audits they conduct under PCI DSS, the well-known data security standard enforced in the payment card industry.
Practical Tips to Address the “Pile On” Effect
These examples illustrate a valuable lesson: Data breaches can reveal underlying gaps in data security that signal legal noncompliance, drawing the attention of multiple regulators acting in the privacy and data security space. What can companies do to mitigate the risk of falling prey to this trend?
1. Know your regulator. Some of these actions are taken on specific, regulatory grounds (e.g., the Office of Civil Rights enforcement of HIPAA, federal financial regulators’ enforcement of the Gramm-Leach-Bliley Act, FCC enforcement of its Customer Proprietary Network Information regulations) while others are pursued under general authority (e.g., FTC and state attorneys general pursuing unfair or deceptive trade practice charges). In order to ensure full compliance and anticipate all sources of possible questions, companies must know the full cast of regulators with actual or apparent authority to evaluate their data breach response.
2. Drive consistency. Follow-up by an enforcement agency can mean a protracted and expensive investigation and, potentially, a costly settlement with a monetary payment and/or robust corrective actions. When several regulators engage on the same incident, it is critical that the enforcement target maintains a consistent response to disparate lines of questioning. Failure to do so can result in escalation by regulators and higher costs for the target company. If more than one formal settlement must be undertaken, target companies should try to ensure that the corrective actions arising under each settlement are consistent, if not entirely duplicative, to help control costs and produce a homogenous compliance program.
3. Remediate now, remediate later. The best strategy is simply to be proactive about identifying security or compliance gaps and to work toward mitigation both before and after a data breach. It simply is not adequate to address the root cause of a data breach after the fact, or only after a regulator asks. Regulators expect companies to undertake regular reviews and testing to identify and address gaps and vulnerabilities to help avoid data breaches. Once a breach is reported, a regulator is likely to ask not only about mitigation, but also about the process in place to identity such risks and remediate them.
Taking immediate steps to identify and address security risks and implementation gaps is critical to minimize the risk of a data breach, minimize the risk of enforcement if you have a breach anyway, and minimize the impact of enforcement if it occurs. Being mindful of all of your relevant regulators and their expectations and approaches in this space is also important. The Wyrick Robbins Privacy and Data Security team assists clients with these and other privacy and data security compliance matters, including advising on breach readiness, breach response, regulatory requirements, and enforcement actions by privacy regulators.