Over the past years, hotel companies – including brands, managers and owners – have increasingly sought the benefit of access to public markets and, in doing so, have become subject to the registration and disclosure requirements of the United States Securities Act and the Securities Exchange Act. As a result, these companies need to comply with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities and Exchange Commission recently adopted regulations which will have an impact on publicly traded hotel companies that suffer a data breach.
Breach Notifications for the Past 20 Years. Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.
The SEC Acts. Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities and Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations.
The rules were proposed last year and contested by trade organizations and businesses, which argued that four days is inadequate to identify the nature and scope of a breach, and that the rule would be as likely to produce inaccurate disclosures as it would be to benefit consumers and shareholders.
In contrast, the SEC, in adopting the new regulation, cited the new rule as enhancing transparency into cyber threats after years of attacks against businesses by criminal gangs and, most significantly, groups backed by nation states. The SEC also saw this as an opportunity to address gaps in existing cybersecurity disclosures.
Gaps in Disclosure. Because there is a wide variety of laws and rules governing disclosure, there is little consistency in the timing or content of breach notifications. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all. Christopher Hetner, a former cybersecurity adviser at the SEC who is at the National Association of Corporate Directors, said, “The outcome of this rule will be to create more normalcy across disclosures.”
Arguments against the Regulation. The tight timeframe for disclosure raises concerns. The brief period for making incident disclosures could leave investors with information that isn’t accurate. The rules allow a company to update its incident disclosure with added information that was unavailable at first, but that also could create consumer and shareholder confusion.
The regulation is also unclear in defining how an incident would become material and how much detail will be required in public filings. This is a particular issue, since four days is unlikely to be adequate to collect and verify meaningful information about a security incident.
Third Party Risks. The regulation will also require companies to create stronger reporting relationships with vendors. Over the past several years, the cyberattack risks arising in the information-management supply chain have become a key concern, and unless vendors (and all of the parties in the vendors’ own supply chains) cooperate promptly, a reporting company may be unable to meet the requirements of the new rule.
Annual Reporting. An issue that has not been widely reported is the requirement that companies must describe in their annual report what processes, if any, they have in place to assess, identify and manage material risks from cybersecurity threats “in sufficient detail for a reasonable investor to understand those processes.” Combined with the SEC’s “plain language” mandate, this requirement alone might be a significant task.
Companies can deal with these new regulations by creating, implementing, testing and updating strong cybersecurity incident response plans. When a company has 96 hours to publicly report a cybersecurity incident, it cannot waste time trying to create a playbook to respond; the playbook must be in place and accurate, and the necessary parties must have the “muscle memory” to know how to respond, not only directly to the breach, but also to comply with new and potentially burdensome regulations.