Race to the Top – States Push to Broaden Breach Reporting Requirements

Facebook just reported a massive data breach impacting over 50 million user accounts. And while most investment advisers are not likely to experience a breach of that scale, what is likely is that a cyber incident will occur at some point. Consequently, state regulators continue to expand the protections they require for their residents through increasingly strict data breach reporting requirements, in some cases coming very close to the international requirements imposed by the European Union’s General Data Protection Regulation (GDPR).

During a panel discussion, “State of the Data Breach: Legislative Changes and the Impact of GDPR,” at the recent CSS compliance conference in San Diego, Andrew Hartnett, Officer at Greensfelder, Hemker & Gale, P.C., Ronan Brennan, Chief Product Officer at CSS, and E.J. Yerzak, Director of Cyber IT Services at CSS brought attendees on a legislative journey of all that has changed in 2018 on the breach reporting front – from Alabama and South Dakota becoming the 49th and 50th states to enact data breach laws to various states including Colorado and California amending theirs. Cynthia LaRose, Chair of the Privacy and Data Security Practices at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C., supplemented the discussion with some helpful materials about GDPR myths and misconceptions compared to the reality of the regulation.

Mr. Brennan highlighted the operational challenges firms face in complying with GDPR, such as mapping a comprehensive inventory of data and data flows as well as the importance of vendor management.

The session concluded with Mr. Hartnett reminding attendees that despite all of the changes we have seen recently in data breach laws in 2018, at the end of the day what is really important is not to memorize the nuances of all 50 state breach laws and GDPR but rather to focus on improving our cybersecurity programs (policies, procedures, testing, and training) from the outset to hopefully avoid a breach from occurring in the first place. Lining up legal and forensics support in advance to assist with the breach investigation and reporting can help firms to save their energy and efforts for maintaining an effective cybersecurity program throughout the year.


For more information on the CSS Shield cybersecurity solution, or to set up a demo, click here.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Do You Feel Confident Your Password Hasn’t Been Hacked?

As a cybersecurity consultant, I am often asked if some of the threats we industry practitioners talk about are overstated. Hyped up fear as a sales tactic. The simple answer is no. The fear is not overstated, and the risks all too real – which helps to explain why cyber remains a top priority for … Continued

SEC’s New Committee Begins Review of Form CRS Filings

The SEC’s Divisional Standards of Conduct Implementation Committee launched its review of Form CRS from a cross section of RIAs and BDs to assess compliance with the content and format requirements. Initial observations from the Committee have identified examples of relationship summaries that may lack certain disclosures or could be clearer or otherwise improved. The … Continued

Proposed Amendment to 13F – What This Really Means?

The SEC released a proposed amendment to Form 13F on July 10 to update the reporting threshold for institutional investment managers and make other targeted changes. The threshold has not been adjusted since the Commission adopted Form 13F over 40 years ago. New Proposed Reporting Threshold: The proposal would raise the reporting threshold to $3.5 … Continued