In between sessions at ATAP? Need to fill an awkward lull in the conversation at Happy Hour? We’ve got you covered. Take 3-5 minutes and get the latest Digital Privacy Recap from the Digital Executive Protection experts.
Summer 2023 Digital Privacy Recap
Despite what the calendar may say, this summer has been anything but ‘slow.’ Our corporate partners have been reflecting on (and adjusting to) the official adoption of SEC rules on Cybersecurity Risk Management, the intricacies of ‘working condition fringe benefits’ provided under IRS § 1.132-5, and the new adequacy decision for transferring data between the EU and US, dubbed the Data Privacy Framework. Below we break down the latest on each, and how it may shape internal discussions within private and publicly traded companies.
On July 26th, the SEC issued a final rule requiring all public company registrants to provide timely disclosures (“four business days”) for “material cybersecurity incidents.” Disclosures are to be made via amendment to Form 8-K, and an exclusion from the “four business day” rule can apply if the US Attorney General “determines immediate disclosure would pose a substantial risk to national security or public safety.” This is a substantial change from the previous “interpretative” guidance given by the SEC back in 2018 (and 2011 before that). On June 26th we published an article discussing one of the items in the originally proposed guidelines, which called for a requirement to disclose the cybersecurity expertise of the Board of Directors. While the newly passed rule removed this requirement, the demand for expertise at the strategic level will likely persist for several reasons. First: issues pertaining to cybersecurity, data privacy, and data regulation affect virtually every department within an organization. Second: understanding the flow of data is more important now than ever; the US, from a legal perspective, follows a sectoral model of data privacy, while the European Union follows a ‘comprehensive’ model under GDPR. The costs to the company and shareholders of a lack of understanding and compliance are not insignificant. Third: this framework for publicly traded companies may serve as the foundation on which private companies follow suit, especially those who have filed an S-1 in the past 30 days, or those considering doing so in the near future. Looking for more on the topic? Sign up for Blue Ocean Digital’s webinar on Aug 22nd.
Executive Compensation Committee Update
‘Operating efficiency’ is almost always a top priority for enterprise program managers, and we find this especially true during uncertain and volatile macroeconomic conditions. For our ‘cost-conscious warriors’, we oftentimes discuss the benefits afforded to executive security programs under IRS § 1.132-5; specifically, ‘Working Condition Fringe Benefits’. Under §132(d), the term ‘working condition fringe’ means any property or services provided to an employee of the employer to the extent that, if the employee paid for such property or services, such payment would be allowable as a deduction under section 162 or 167. Being able to identify proactive, professional, ‘force-multiplier’ partners is both rare and paramount in today’s risk-management environment. Once identified, be sure to research and utilize programs like §132 before engaging with your Executive Compensation Committee. The benefits of digital and physical protection programs may be excluded from gross income and wages as a fringe benefit, thus reducing overall visible costs to shareholders. When it comes to SEC disclosure of “reportable vs. non-reportable” spend, we strongly advise our partners to lean on internal counsel and accounting teams, as well as industry best practices and peer groups.
Lastly, and for all our partners with an international footprint, the month of July also brought final guidance on the ‘reciprocal’ nature of privacy protections between the US and EU. For those unfamiliar, this decision provides a legal framework for the “adequacy” of data protections afforded to citizens of both the US and member nations of the EU. Programs like Safe Harbor were called into question following the information divulged by former NSA employee Edward Snowden. That program was replaced by the Privacy Shield, which was in turn called into question by the international community (before giving way to the DPF). In the latest announcement, the EU issued its final decision that the US provides “adequate” protection of privacy, making it lawful for firms to send personal data from the EU to the US. On the US side, the US Attorney General found that intelligence services in the EU provide sufficient privacy protections for Americans. Regardless of personal beliefs, we continue to recommend end-to-end encryption for all personal data transfers, restricting administrative privileges and applying controls such as ‘need-to-know’, timely updates to personal and corporate software, and the use of multi-factor authentication.
By Tom Aldrich
Tom joined 360 Privacy in 2022 after having worked at Goldman Sachs as a private wealth advisor. He came to Goldman from the US Army, where he served as a Green Beret from 2010-2018 and functioned as both a communications and intelligence subject matter expert. He deployed overseas four times during his tenure with 3rd Special Forces Group, where he was responsible for tactical and strategic targeting and digital exploitation. Tom is a Certified Ethical Hacker and obtained his CIPP/US Certification from the International Association of Privacy Professionals.