Lack of pro-active defenses throwing companies into legal trouble post-breach regardless if data stolen or not. The Securities and Exchange Commission is the latest federal agency turning up the heat on companies whose lax cybersecurity has contributed to breaches of user data.
The SEC’s action, along with those last month at the Federal Trade Commission and in federal courts, is starting to sketch out a pattern of dwindling tolerance for negligence by companies in protecting their computer systems. Last week, the SEC announced a settlement with St. Louis-based R.T. Jones Capital Equities Management, which lost the personally identifiable information (PII) of approximately 100,000 people.
The more interesting twist is that the firm was charged even though several cybersecurity-consulting firms hired by R.T. Jones could not determine the extent of the breach or whether PII had been accessed or compromised. And to date, none of the victims have reported any financial harm as a result of the attack.