Enforcement Actions
US regulators fine security companies for cyber, data and privacy breaches
December 18, 2024
US regulators have doled out some hefty fines to security companies for cyber and data security failures and privacy breaches.
Fines from the Federal Trade Commission (FTC), FINRA, and the New York State Department of Financial Services (NYDFS) reflect regulators’ concerns globally about cyber risk and the threat to financial services firms posed by third-party vendors.
The biggest penalty for a financial services firm was a $10 million settlement with the Intercontinental Exchange (ICE) for failing to disclose a hack to the SEC. Almost all the fines handed to financial services firms were for actual breaches that led to customer data losses and, in the case of Equiniti Trust Company, the net loss of about $4 million in client funds.
Meanwhile, the Securities and Exchange Commission (SEC) has taken innovative steps to hold companies accountable for breaches and misleading statements about security policies, systems and controls.
SolarWinds hack
The SEC fined four companies in October, charging them “with making materially misleading disclosures regarding cybersecurity risks and intrusions” related to the SolarWinds Orion hack in 2021. Unisys, Avaya, and Check Point learned in 2020, and Mimecast in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorisation, but each negligently minimised its cybersecurity incident in its public disclosures, the SEC said.
“The SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents,” Sanjay Wadhwa, acting director of the SEC’s division of enforcement, said in a statement.
Unisys attracted the biggest fine, $4 million. The SEC order found the company “described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data”.
Another Swiss Army tool
In June, the SEC fined RR Donnelley & Sons, a marketing and communications company in Chicago, $2.1 million for insufficient cybersecurity controls. The company “failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021, and December 23, 2021, which culminated in encryption of computers, exfiltration of data, and business service disruptions”, the SEC said.
SEC commissioners Hester Peirce and Mark Uyeda noted the SEC’s novel use of the Exchange Act Section 13(b)(2)(B)’s internal accounting controls provision in the Donnelley case.
“Eliding the distinction between administrative controls and accounting controls has utility for the commission. As this proceeding illustrates, a broad interpretation of Section 13(b)(2)(B) to cover computer systems gives the commission a hook to regulate public companies’ cybersecurity practices. Any departure from what the commission deems to be appropriate cybersecurity policies could be deemed an internal accounting controls violation,” they said.
However, Peirce and Uyeda’s comments included a note of caution about the SEC’s use of 13(b)(2)(B) as a “Swiss Army knife” statute to “compel issuers to adopt policies and procedures the commission believes prudent”.
“The commission’s assurances in connection with the recent cyber-disclosure rulemaking ring untrue if the commission plans to dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool.
“Also concerning is the commission’s decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack,” they added.
The US District Court for the Southern District of New York (SDNY) dismissed the SEC’s internal accounting controls claim against SolarWinds in July. In 2023 the SEC brought a claim against SolarWinds and its chief information security officer, Timothy Brown, seeking to hold them accountable for the large-scale hack in 2020.
The court dismissed most of the claims and charges against Brown, but allowed claims about the company’s security statement to proceed. The SEC claimed SolarWinds’ statements about access controls and password protections were materially misleading to investors.
Health data breaches
The FTC has acted against several healthcare providers for serious failings related to biometric and sensitive health data. Monument, an addiction treatment company in New York, disclosed users’ personal health data without consent to third-party advertising platforms, including Meta and Google, after it promised to keep sensitive information confidential. The breach cost the company $2.5 million.
Verkada, a California security camera company, failed to use appropriate information security practices to protect consumers’ personal information, which enabled a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics. Verkada paid a $2.95 million fine and was ordered to develop and implement a comprehensive information security programme.
“This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Brian Boynton, principal deputy assistant attorney general of the Department of Justice’s civil division, in a statement.