(844) 627-8267 | Info@NationalCyberSecurity

SEC’s Oversight On Cybersecurity Requirements (Podcast)


In this episode of “Counsel That Cares,” privacy and
cybersecurity attorney Bess Hinson discusses the
shifting oversight by the U.S. Securities and Exchange Commission
(SEC) on cybersecurity requirements. This digital health
conversation focuses on the SEC’s proposed rule and provides
helpful steps companies can take to prepare.

Podcast Transcript

Morgan Ribeiro: Welcome to “Counsel That
Cares.” This is Morgan Ribeiro, the host of the podcast and a
director in the firm’s Healthcare Section. Today, we are
continuing our digital health series with a discussion on the
shifting oversight by the SEC on cybersecurity requirements. For
this conversation, I am joined by Bess Hinson, a partner in the
firm’s Data Strategy, Security and Privacy Practice. Welcome to
the show.

Bess Hinson: Thank you for having me, Morgan.
I’m happy to be here.

Morgan Ribeiro: Awesome. So before we get into
the meat of our discussion, which I think there’s a lot for us
to discuss and to describe to our listeners, can you just tell our
listeners first more about your practice and your background?

Bess Hinson: Absolutely. So I’m a privacy
and cybersecurity partner in Holland & Knight’s Atlanta
office, and the focus of my practice is cyber and data risk
management, as well as governance of those risks related to data,
breach readiness and response, crisis management, and I also handle
global data privacy compliance for various industries, including
the healthcare sector. In addition, I’ll oversee and coordinate
compliance assessment and implementation programs for clients as
they relate to HIPAA, the California Consumer Privacy Act and other
U.S. state privacy laws, the European Union’s General Data
Protection Regulation. And I also advise clients in various
industries on information governance, online advertising, consumer
policies, as well as website and mobile application policies and
vendor management. One of my specialties is really coaching clients
when they have a security incident or data breach, help them to
navigate investigations into those breaches, the notification
requirements and managing privacy class action risks.

Morgan Ribeiro: Excellent. That is super
helpful, and this is obviously a digital health related
conversation. And I know you mentioned in the description of your
practice that you do do a lot of work with healthcare organizations
or healthcare-related matters. What are you seeing as it relates to
cybersecurity with healthcare organizations, particularly providers
and payers?

Cybersecurity in the Healthcare Space

Bess Hinson: Sure. So first of all, I see
increased risk and frankly, significant vulnerabilities as it
relates to cyber attacks. Cybersecurity isn’t just an IT issue,
it is a patient safety issue, it’s an enterprise risk issue and
a strategic priority. The changes in the healthcare sector,
particularly as it relates to digital health, have integrated the
universal, nearly universal adoption of electronic records, and as
a result, that adoption makes healthcare a ripe target for
cybercriminals. The targeted data of cyber criminals includes
patients’ protected health information, or PHI, financial
information like credit card and bank account numbers, Social
Security numbers and also intellectual property related to medical
research and innovation. As our listeners may have heard in the
news, many healthcare systems have been targeted in ransomware
attacks or their third party service providers. And digital health
vendors have been caught up in ransomware attacks that immediately
go to the operations of the healthcare system or digital health
provider because when a ransomware attack occurs, typically the
cybercriminals encrypt all of the data on the systems that are
being used and then hold that data hostage, as well as hold your
access to all of your hardware and software hostage until you pay a
very large sum. And by large sum, I mean in the tens of millions of
dollars, so that is a huge risk, and because we are so dependent
upon various providers, many of our clients have recently expanded
their business into digital health, including telemedicine.
They’re partnering with new companies and organizations,
including hospitals and medical clinics. Everyone is
interconnected. And so cyber criminals access our IT networks and
systems, and that connectivity can be caught up in an attack such
that many different parties are impacted. The second concern that I
see an impact on healthcare organizations relates to just further
adoption of tech-enabled services, in part because the adoption of
those services exposes the healthcare industry to privacy claims
that extend beyond our traditional understanding of HIPAA. The
plaintiffs attorneys bar have become more and more active and have
developed quite novel claims in lawsuits. For instance, data
privacy lawsuits have just recently exploded in the digital health
and healthcare sectors due to the use of web trackers on
healthcare-related or digital health websites and mobile apps. You
know, most specifically, those lawsuits have focused on the use of
the meta pixel on a website or in an app or other platform
that’s being used. There have been lawsuits filed against
medical centers where they allege that the meta pixel is picking up
PHI about patients on these sites and these platforms, and then
sharing that with Facebook without patient permission, and
that’s a HIPAA violation. We’re also seeing just a lot of
activity by regulators. So we’re going to focus on the SEC
today, but I want to give you one other example. The Federal Trade
Commission recently entered into a settlement with a fertility
application known as Premom, and that settlement relates to sharing
of personal information that occurred when SDKs were installed in
the app. And those SDKs shared user data with Google, AppsFlyer,
some other providers. And as a result, the FTC alleged that the
parent company of Premom breached the health breach notification
rule and the FTC Act, resulting in a quite burdensome consent
decree as well as a $100,000 civil penalty.


Morgan Ribeiro: I think to your point too, I
mean just going back to your, I think kind of earlier on in your
comments around these healthcare organizations, I mean, these are
crippling events not only for a provider, particularly if
you’re a sole community provider or one of the few providers in
your community. I mean, if something, an event like this happens,
one, not being able to provide the care, I mean, if your systems
are shut down or locked down, which can often happen in these
ransomware attacks, but then also the financial impact, I mean, to
be able to pay that amount of money, it’s a big deal. And so I
think, you know, obviously a lot of what I think the counseling
that you do is sort of that front end of how do you even avoid
these situations from happening in the first place. And it’s a
lot I mean, I think it’s a, it’s a constant evolution and
learning curve, and it feels like just right when you feel like
you’ve kind of trained up your team, there’s another sort
of element to these cybersecurity issues. So as you mentioned
today, we’re really looking at the SEC’s oversight on
cybersecurity, and Gary Gensler, who is the chair of the SEC, has
given numerous speeches in recent years calling for greater
oversight of publicly traded companies, in particular, and their
cybersecurity efforts. And then in March of last year, in 2022, the
SEC issued proposed rule amendments that would mandate certain
cybersecurity disclosures for public companies. So the finalized
rule amendments, we’re expecting that in April of this year,
2023, we’re still waiting on that. That could happen any day
now, but can you tell us more about the proposed rule?

A Look Inside the SEC’s Proposed Rule

Bess Hinson: Absolutely. So the SEC has
proposed just a broad suite of new cybersecurity rules for public
companies, as well as other specialized covered entities under the
SEC’s, their purview and oversight powers. So if adopted, these
new requirements would impose significant new costs and enforcement
risks for public companies. SEC wants businesses to have a mature
framework for cyber risk. They want businesses, including
healthcare organizations, to plan for periodic updates of their
cybersecurity programs, including performing regular cybersecurity
risk assessments and disclosing cyber incidents to the SEC and
other authorities within an incredibly short time frame, as soon as
four days, right, which is really nothing when you’re in the
midst of trying to investigate and determine the impact of a cyber
attack. So also, the rule would require organizations to include
updated disclosures in Forms 10-K and 10-Q and disclosures related
to their risk oversight policies and procedures. And the reason why
that’s so important is a lot of organizations have some written
policies and procedures, but they may not be all that detailed or
they may be in the process of being developed, right, but here
you’re going to be required to actually detail precisely what
type of program, including written policies and procedures you
have. And, you know, there’s a question in my mind of, these
are public disclosures, are cyber threat actors going to go through
them and begin to understand the maturity of the programs and
develop their target list accordingly? So there’s a lot to
consider.


Morgan Ribeiro: So I still find it surprising
we don’t have a federal breach notification law right now. So
it’s only state by state. Can you tell us what is the proposed
rule’s minimum standards for breach notifications?

Bess Hinson: Sure. So the SEC is proposing to
amend Form 8-K to require all registrants to disclose information
about a material — and I say material in quotes, because it
is a defined term in these proposed rules — cybersecurity
incident within four business days after the registrant determines
that it has experienced a material cybersecurity incident. So there
might be some wiggle room in that, companies need a little bit of
time to determine if it’s going to have a material impact on
the business, but four days is very short, and when you compare
that to current reporting requirements, such as in our state breach
notification laws, you know, in that set of statutes, really notice
to individuals is required within about 30 days, 45 days. The same
is true for regulators, although some regulators require notice
within 14 days. And then, you know, under HIPAA, your notice to OCR
is no later than 60 calendar days. So we’re going to, for
healthcare organizations, we’re going from sort of a 60
calendar day requirement down to four business days, so that is a
significant change, and it requires organizations to think very
carefully about their incident response plan and also the timeline
for escalation of discovery of the incident to leadership and also
to legal so that decisions can be made within that short four
business day timeline about whether or not, you know, a Form 8-K
needs to be filed.

Morgan Ribeiro: OK, and then some of the
requirements reflect what some industries already consider best
practices, but it certainly has more bite to it because it’s
enforceable now. Can you tell us more about what you know about the
enforceability of this and how does that actually play out when we
talk about enforcement?

Bess Hinson: Sure. So to start, understand
these new requirements would greatly increase the SEC’s
management of regulated entities approach to cybersecurity and
system integrity. The SEC’s oversight of that has really just
been developing in recent years, and current SEC regulation is
really targeted at certain risks, such as protecting customer
information under Regulation S-P, or preventing identity theft
under Regulation S-ID, and it’s focused on select market
participants of significant market importance, such as entities
covered by regulation SCI. So these proposed rules really bring
under the umbrella, right, of the SEC’s focus. Everyone, just a
much larger portion of public companies in that the SEC is now
dictating the precise elements required for a comprehensive
cybersecurity program. And for the first time SEC mandated incident
response reporting requirements. So just to give you some context
here, it was only in 2022 that the SEC really took steps to begin
to protect investors from significant cyber incidents at public
companies. To start, in May of 2022, the SEC nearly doubled the
size of its Enforcement Division’s Cyber and Crypto Assets
Unit. You know, we’ve not really seen the full impact of that
newly sort of strengthened unit, but we’re starting to see
signs of their activity. For instance, over the past year, the
unit has brought enforcement actions against several SEC regulated
entities for failing to maintain adequate cybersecurity controls
and failing to disclose cyber-related risks as well as cyber
incidents. And part of the violations that the SEC has alleged
against these companies include failure to adopt written policies
and procedures that protect customer records and information. So
SEC is very focused on this concept of written policies and
procedures that are thoughtfully created and tailored to the
business holding that information. A few other examples of
enforcement actions. We’ve seen many more charges, fines and
settlements from the SEC in recent years related to cyber. For
instance, in July of 2022, the SEC charged JPMorgan Securities and
UBS Financial Services and TradeStation Securities for deficiencies
in their cybersecurity programs, and ultimately the penalties
ranged from $425,000 to $1.2 million. Then in September 2022, the
SEC ordered Morgan Stanley to pay $35 million for failing to
appropriately protect the records and information of customers,
including their personal information. And another trend that has
arisen that I think is frankly somewhat alarming, and yeah, I think
we want to be concerned about this as we are engaging and hiring
information security professionals in the C-suite and understand
the risk they are taking on professionally. For instance,
SolarWinds, who had a massive data breach several years ago, but
they recently disclosed that the SEC notified top executives of
legal action related to that data breach. And one of the executives
to receive that notice was the chief information security officer.
And this might have been, I believe, is the first time a CISO has
ever received one of these, just not customary that a CISO would be
held accountable for decisions that were made, right, at a public
company. So that’s an indication that the SEC is really focused
on who you have in leadership over your information security
program. Who’s going to the bucks, who the buck stops
with. When we think about information security and this SolarWinds
sort of notice follows behind a criminal sentencing of Uber’s
former chief security officer related to his involvement in a cover
up of a 2016 cyber attack at the company, and that conviction was
unprecedented and also caused alarm in the cybersecurity world. So
I think those actions really underscore just how seriously the SEC
is taking this.


Morgan Ribeiro: Kind of piggybacking on that,
company boards are also bracing for new SEC cybersecurity
regulations. The rule would also require an annual report on
corporate boards, cybersecurity expertise. So who’s sitting on
the board that has this area of expertise? Can you talk more about
the role of boards and cybersecurity, and how they should go about
identifying those with this area of expertise?

The Role of Corporate Boards and Cybersecurity

Bess Hinson: So the proposed rule is dictating
that public company boards have a board member with cybersecurity
expertise. And the reason this is so interesting to me is for over
a decade now, we have had a shortage of cybersecurity professionals
in the United States and throughout the world. Now, that’s due
in part to the fact that this is a relatively new field, and
schools and universities only in recent years have begun to develop
programs and certificates and degrees in cybersecurity and
information security and related fields. But I think that public
boards are really going to struggle to identify those experienced
professionals, and it’s going to be incumbent upon them to find
those individuals and then develop sort of the appropriate
committees to exercise oversight. Now, that’s not to discredit
the work boards have been doing to really learn and become educated
about cyber risks and their work and liaising with existing
security officers within their organizations, but I think boards
historically have really struggled to understand the threat
landscape. It’s a fast-moving and evolving area and involves a
lot of very new and recent technology that is a lot to keep up
with, and I think boards sometimes will look for scapegoats right
after a major incident as opposed to saying, OK, this was really a
part of our oversight responsibility at the organization. But, you
know, we do see some signs that boards are starting to incorporate
at least one cyber expert, so that’s good. And many of the very
largest publicly traded companies do now have a former CISO or
chief technology officer or government official on their board to
help fill in those gaps. And I do think CISOs themselves have
gotten better at communicating the threat landscape to their boards
just through regular reporting opportunities so that boards and the
C-suite can just be prepared for incidents and increased scrutiny
that may come from the SEC and other regulators.


Morgan Ribeiro: And so I know there may not be
any hard data on this, but just your sense of sort of the current
landscape, are most companies prepared for these changes?

Bess Hinson: Yeah, that, that’s a great
question. You know, in some ways, the maturity of a cybersecurity
program, one, it’s never mature enough. We are always having to
reassess new threats, new vulnerabilities that exist and software
that is used almost universally by organizations as we wait for
certain tech companies and software developers to issue a patch.
Threat actors are working to exploit those vulnerabilities and
issues before they can be fixed. And so I think that cybersecurity
programs are certainly top of mind for general counsel and legal
departments, and are also becoming more top of mind for other
members of the C-suite, particularly when they have the luxury of
resources to support such a program. I still worry that there are
some organizations that are in growth mode. And there might be
corners that are being cut, which frankly can create significant
risk and diminished value for the business. You know, as the
company grows and looks to continue to invest or raise funds for
their growth. But I do want to comment on the healthcare industry.
I do think that the healthcare sector may be at an advantage
because for so long they have been required to address HIPAA
security standards and have built out programs that speak to and
comply with HIPAA compliance security program. But it’s
important for healthcare organizations to understand that the HIPAA
security program alone is not enough, given what the SEC is
dictating. The SEC is wanting you to develop and have in place a
mature security program that applies not only to HIPAA-covered
information, but all of the other personal information that the
business is collecting, as well as your entire IT network, software
platforms and just digital systems that are supporting your
business operations.


Morgan Ribeiro: So I guess just more generally,
you’ve talked about the healthcare entities and kind of their
position, and this is all under the assumption that this rule goes
into effect. It seems like things are heading in that direction or
at least we will have an answer to that soon, but what steps can
companies take now to prepare, assuming that this all does go into
effect?

What Steps Can Companies Take to Prepare?

Bess Hinson: Sure. So I think it’s very
important for companies to take a step back and really think
critically about what regulations apply to them and the varying
reporting standards and responsibilities they have. So now I was
just talking about the HIPAA Security and Privacy Compliance
program versus your overall security compliance program, and the
HIPAA standard, for instance, reporting out on a data breach.
You’re going to be concerned about that 60-day deadline, but
the SEC standard is going to be four days. So you need your
policies to speak to both requirements and the revamping or the
modification of existing policies so that everyone knows what to do
when there is an incident to report. That’s going to take
a lot of work. And we’re already into 2023. These rules are
likely to go into effect soon. I’m not sure all businesses have
budgeted for these changes. So now is the time to really think
carefully about what budget is needed going into the next year so
that to the extent you are not in compliance, you are ready to
really kick off that process in January, if you can’t do so
sooner. I think it’s important to review if you haven’t
done so already, just your current information security
preparedness and any cybersecurity assessments that have been
conducted recently, whether those assessments are against the ISO
standard or NIST standard, and see what gaps exist, what medium
risk gaps exist, or high-level risk gaps exist, where can you put
those risks and gaps on your roadmap so that you can remediate
those issues sooner rather than later. Businesses have information
technology policies, disaster recovery plans, business continuity
plans. How confident are you in the level of detail in those plans,
and how confident are you that your teams can execute on those
plans? I mean, if you are not operational tomorrow because all of
your devices and systems are locked up due to a ransomware attack,
how long is it going to take you for your teams to restore all of
those systems, recover your data backups and be back to business?
Because every day that your systems are locked up, you’re not
doing business, you’re losing money. You know, I think it’s
really important to ensure that internal teams that have
responsibility for these public disclosures, for incident response,
know how to communicate effectively, right? You’ve designated a
point person within different stakeholders in the company who will
communicate among teams because the SEC is likely to take action if
a company fails to report a breach in a timely manner. It’s
just a very bright line in these proposed rules. Testing of
policies and procedures is key. If your C-suite has not gone
through tabletop exercise, which is when we pretend there’s
been a cyber attack and your executives are forced to make
decisions very quickly, you know, think about holding one of those
with your outside counsel or another consultant being involved.
And, you know, I think that businesses can also just begin to
strategize, perhaps with their internal communications teams or PR
teams around and go, “OK, if we had to file a disclosure about
a material cybersecurity incident, what type of other language
would we use externally, how would we respond to media inquiries
and requests related to that disclosure,” so that you’re
prepared. Again, with that four-day time window, no one is going to
have a lot of time to sit around sort of drafting PR comms
responses. So it’s important to just go ahead and have some
template language ready.


Morgan Ribeiro: All of those are very good
tips. And I know, just kind of wrapping things up in terms of the
proposed rule, the comment period has ended and we expect it to be
finalized this summer. And so at this point, we’re just kind of
in a wait and see mode. But companies should prepare and, you know,
take a lot of the advice that you just provided. Anything else in
terms of timing and next steps that you can provide?

Next Steps and Closing Comments

Bess Hinson: Yes. So the proposed rule would
require companies to provide updates on previously reported
cybersecurity incidents. So if you’re not sure what
cybersecurity incidents you’ve had in the past or you don’t
have a method to record those incidents and the details, you go
ahead and institute that process because that is going to be a
piece of these new reporting requirements. I also think, you know,
figure out who you’re going to consult with in terms of legal
counsel, either internally or externally, when preparing those
disclosures so you know that they are ready to help you on a short
timetable. I think that’s significant. I also think that
organizations should consider the fact that the SEC’s recent
moves really reflect an understanding at the SEC that massive data
breaches can affect a company’s stock price or value. So you
may want to think back to the Colonial Pipeline attack, right, when
we were all lining up for gas and it wasn’t available. I mean,
those are systemic attacks that just don’t impact those
companies. You know, the same is true in a healthcare organization.
You think about a hospital. If a hospital serves a particular
community and has the only ER within 60 miles, 120 miles, and they
then are subject to a ransomware attack and cannot operate or
access medical records, they’re having to turn patients away.
And so these events have impacts that stretch beyond this idea of
just reporting a breach or issuing a notice to affected persons
because data was impacted. You know, these events impact the
ability for basic services to be provided, which can really have a
devastating effect on a business’s value and frankly, just
on human life.


Morgan Ribeiro: Absolutely. Well, thank you for
that. And any wrap up comments before we close out?

Bess Hinson: No, it’s been a pleasure to
speak with you, Morgan, and I hope that our listeners have gained
some insights and I hope they know that we, at Holland &
Knight, are here for them. If they ever have any questions,
we’d be happy to assist.

Morgan Ribeiro: Yeah. I mean, it truly, really
is, as we talked about earlier, an evolving landscape. I know
it’s a lot to keep up with, and I think, you know, having
resources like you to be able to just kind of break it down and
really define it in a step-by-step way of how to prepare, and then
if an incident does happen, you know how to respond to those, you
know, and keep up with both the federal level policy and oversight,
as well as the state by state applicable law. Appreciate your time
today and look forward to further conversations.

Bess Hinson: Sounds good. Thank you,
Morgan.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
