Cybersecurity is a team sport and many people within a business must work together to help effectively manage their businesses’ cyber risk. In-house counsel plays a critical role in this process. A recent Law360 article (subscription required) identified the following key things they can do:
Develop, implement, and table-top test an incident response plan
In my latest article in Ethical Boardroom article, I explain some of the not-so-obvious reasons why you need an experienced cyber attorney on your team: Why you need a cyber attorney (Spring 2018)
Here are other Ethical Boardroom (@EthicalBoard) articles that I have written or contributed to that are also available for free:
“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Richard R. Best, SEC – Atlanta Division
For years many in the cybersecurity/data breach space have been saying that somebody is going to have to go to jail before corporate decision-makers begin to take cybersecurity as seriously as they should. Many thought the Department of Justice’s focus on individual accountability through the “Yates Memo” may be the vehicle but that has not yet happened.
With the Equifax breach and revelations that three executives had sold stock in the company before the breach was announced publicly, we saw an outcry against what was believed to be insider trading and calls for the executives to face jail time:
Thirty-six U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.
The lawmakers signed a letter asking the U.S. Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission to look into about $1.8 million in stock sales by three executives between July 29 – the day Equifax said it learned that its systems were hacked in mid-May – and when they made it public last week.
“If that happened, somebody needs to go to jail,” Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”
Criminal Charges Filed Against Former CIO of Equifax Unit
For one former Equifax executive, however, his actions were not quite so innocent and may now give rise to the closest chance yet of someone actually getting jail time as a consequence of a data breach:
The criminal charges were filed in federal court by the United States Department of Justice and the United States Securities and Exchange Commission is also pursuing claims against Ying.
The basis for the charges are the allegations that Ying,
learned of the potential Equifax data breach,
texted a colleague stating that it “Sounds bad. We may be the one breached.”,
If these allegations are true, this certainly sounds like insider trading. As stated by Richard R. Best, Regional Director of the Atlanta Regional Office of the SEC, “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”
Best’s sentiments were echoed by David J. LeValley, Special Agent in Charge of FBI Atlanta: “By prosecuting cases like this, the FBI and the U.S. Securities and Exchange Commission are sending a strong message to company insiders that they must follow the same rules that govern regular investors. Otherwise, they face the severe consequences for failing to do so.”
Severe consequences can mean many things. What everyone is really wanting to know is whether Ying actually serve any jail time. If he does, this case will be a game-changer that moves the needle of data breach consequences significantly upward. We will not know the answer to that question until he is convicted (or enters a plea agreement) and sentenced. Some articles state that Ying is facing up to 25 years in jail on the charges. Neither the SEC nor DOJ press releases state how long of a sentence is being sought.
As far as real-life insider trading cases where people have actually been sentenced to jail go, a Wall Street Journal post from 2014 discussing the longest insider trading sentences has the top 5 longest sentences ranging from 12 years down to 7 years. Comparing the amount of money involved in those cases to the $117,000 in losses that Ying avoided makes this cases relatively small. I doubt we will see anything approaching those sentences.
If the question, however, is not how much jail time will Ying get but whether he will get any jail time, I think both the SEC and DOJ have been looking for the right poster child to make an example out of and Ying may have drawn the short straw. Let’s see …
______________________
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.
As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.
My practice has been divided into three distinct areas over the last several years:
Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
Reactively, by leading companies through the cyber incident response and data breach response process (e.g., as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.
For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.
This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.
But in the last quarter of 2017, this has changed.
The trend that I have observed developing over the last Quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm for helping them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.
What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.
I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.
______________________
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Countdown to GDPR Compliance is a complimentary webinar that I will be moderating on Thursday, December 7, 2017, at 12:00 PM Central. This is the second webinar in a three-part series sponsored by Mackrell International and will focus on Compliance for Non-EU Companies. You don’t want to miss it!
Moderator: Shawn Tuma
Presenter: Marta Stephanian, Ten Holter/Noordam
Presenter: Henrik Nilsson, Wesslau Söderqvist Advokatbyrå
COUNTDOWN TO GDPR COMPLIANCE: Compliance for Non-EU Companies
Sponsored by Mackrell International
Thursday, December 7, 2017 @ 12:00 PM CT LINK for more information
Register via email: GDPR@hogefenton.com
I hope you are able to attend the webinars and find the information helpful in your business. As always, please let me know if you have any questions or if I can help you.
In my latest article in Ethical Boardroom article, I explain some of the not-so-obvious reasons why you need an experienced cyber attorney on your team: 
As it turned out, however, the sale of stock by those Equifax executives 
In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.
