Data breaches may be nothing new, but they are certainly evolving into bigger and more notorious infractions. While the data breaches of yesterday may have involved accidental disclosure or disgruntled former employees, the data breaches of today are often carried out by outsiders and by highly organized and sophisticated criminal groups. And hackers aren’t just after credit card information; they are often seeking proprietary information. In short: trade secrets, watch out.
And it’s not just trade secrets that are at risk; fiduciaries of public companies, or any entity regulated by the SEC, have a duty to protect the valuable assets of the company and may need to disclose material events regarding data breaches under certain circumstances. Victim companies facing the theft of valuable customer information or company assets in a data breach may also find themselves in difficult conversations regarding corporate duties and SEC disclosures.
With large-scale, high-profile data breaches becoming more common in recent years (think the infamous Target data breach during last year’s Christmas shopping season), the SEC has made clear that data privacy is a priority inspection area. A recently reported hedge fund attack presents an interesting situation that arises at the intersection of lost trade secret data and the regulatory oversight of regulated entities.
Late last month, BAE Systems Applied Intelligence reported a successful—and rare—criminal attack on an unnamed U.S.-based hedge fund that cost the hedge fund millions of dollars over the two-month span of the attack. The hack began with a successful phishing email sent to a member of the hedge fund’s staff. Once the attack commenced, the hackers lifted information about what trades were being made and when they were being made, before sending the details of the trades to external servers. Additionally, the hackers added slight time delays to the hedge fund’s trades, which could have provided an outsider time to make the same trade, thus gaining a trading advantage.
While the identity of the hackers is still unknown, the attack occurred in January 2013, and was brought to the attention of the hedge fund’s board soon after. Although a BAE representative was unable to confirm whether or not the hedge fund had reported the attack to the SEC or the FBI, the attack undoubtedly placed the hedge fund in a difficult situation.
In one sense, the hedge fund was the victim of a cyber attack on its confidential trading information. Viewed that way, the fund is a “victim” that would seek help from law enforcement officials to identify (and prosecute) those who stole its trade secrets in the form of trading decisions. On the other hand, such thefts raise concerns that other regulatory agencies might investigate the fund itself – looking for potentially deficient protocols or antiquated security systems. This dilemma is particularly relevant to public companies and mutual funds, which face even more stringent SEC disclosure requirements than hedge funds. And the fiduciaries of all of these organizations face important decisions about how to handle such attacks. Data breaches have become a much more high-profile issue – both inside and outside of businesses of all sorts.