Article
The SEC Is Paying Close Attention to Whether and How Public Companies Disclose a Data Breach
Beyond the Breach series
12 Mar 2020
Keep up with the latest legal and industry insights, news, and events from MoFo
This article in our “Beyond the Breach” series was authored by Jina Choi, a partner in Morrison & Foerster’s Privacy + Data Security Group.
When giving advice to general counsel and in-house teams about dealing with a data breach, I’m always reminded of a quote attributed to President Eisenhower, a five-star general and Supreme Commander of the Allied Troops during World War II: “Plans are worthless, but planning is everything.”
In the wake of a crisis, even the best laid plans cannot foresee every situation. But the knowledge gained in formulating what to do in such an emergency will be invaluable.
I love checklists and many in-house counsel I work with depend on them. After suffering a data breach or similar cybersecurity incident, senior management at public companies will likely have a long list of things to do.
Determining whether the incident was material, and drafting a subsequent disclosure regarding it as part of a filing with the U.S. Securities and Exchange Commission (SEC), should most certainly be on that list.
That determination is necessary because the SEC, through recently issued guidance and
two enforcement actions against large issuers, has made it clear that the agency expects in-house counsel to seriously evaluate the materiality of their public companies’ cybersecurity incidents, and to disclose material events in a timely fashion.
The SEC’s 2018 Guidance: The Materiality of Cybersecurity Risks and Incidents
In February 2018, the SEC issued guidance for public companies on the disclosure of cybersecurity risks and incidents.
The SEC did not mince words. It began by stating that SEC staff “monitor[s] cybersecurity disclosures carefully.” It said that public companies “should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements” and in periodic and current reports. Moreover, it made it clear that an ongoing internal or external investigation into an incident is not, on its own, a basis for avoiding disclosure of that incident if it is material.
When considering the materiality of cybersecurity risks and incidents, the SEC noted that public companies may wish to consider:
- The importance of any compromised information;
- The impact of an incident on a company’s operations;
- The nature, extent, and potential magnitude of a risk or incident, “particularly as [it] relates to any compromised information or the business and scope of company operations;” and
- The range of harm a risk or incident could cause, such as reputational, legal, or financial harm.
According to the SEC, companies may need to disclose material cybersecurity risks and incidents, and their impact on companies’ operations, when companies report on their risk factors, their MD&A of Financial Condition and Results of Operations, their description of business, their legal proceedings, their financial statement disclosures, and the extent of their boards of directors’ role in the risk oversight of their companies.
Importantly, the SEC expects public companies to put into place disclosure controls and procedures (DCPs) that can help them determine the impact that cybersecurity risks and incidents may have on their companies, as well as a protocol for determining the materiality of the risks and incidents.
Finally, the SEC warned public companies about insider trading in connection with cybersecurity risks and threats that are undisclosed at the time of a trade, as well as selectively disclosing material nonpublic information about such risks and incidents.
Delayed Disclosures and DCPs
Soon after publishing this guidance, the SEC brought an enforcement action against an issuer alleging that the company misled investors by failing to disclose a data breach in which hackers stole personal data connected to hundreds of millions of user accounts.
According to the SEC, although the company knew about the breach soon after it occurred, the company allegedly waited more than two years before publicly disclosing it. The SEC’s position was that during those two years the company’s SEC filings misled investors because those filings spoke of the risk of a breach—not that one had already occurred.
The SEC also alleged that the company had failed to maintain DCPs that would have ensured that reports from the company’s information security team about cybersecurity risks and incidents were, properly and timely, reviewed for potential disclosure.
The company settled this action for an eight-figure amount without admitting or denying the SEC’s findings.
Misuse of Data and Hypothetical Risk
More than a year later, the SEC brought an action against another issuer for allegedly misleading investors and delaying disclosure about a third party misusing the company’s user data.
In this case, a third party had gained access to, and misused, the company’s user data. The SEC alleged that for two years after finding this out, the company described in its SEC filings the misuse of personal data as a potential risk. According to the SEC’s allegations, at the time each of these filings was made, the company knew the misuse had occurred.
The company’s presentation of a real incident as a hypothetical one was, according to the SEC, misleading. Like the company involved in the first enforcement action described above, the SEC also alleged that this company lacked the proper DCPs to assess whether it was making accurate disclosures about risks and incidents of data breaches in its SEC filings.
The company settled its action for a nine-figure amount without admitting or denying the SEC’s findings.
Takeaways for In-House Counsel
Taken together, the SEC’s 2018 guidance and the two enforcement actions I discussed reflect the SEC’s view that public companies have an obligation to, timely and adequately, disclose to their investors cybersecurity risks and incidents that could materially impact their operations. These obligations should be on in-house counsels’ list as they plan for such incidents.
To fulfill this obligation, it is incumbent upon in-house counsel at public companies to put into place, and frequently test, cybersecurity risk management and DCPs that ensure that information about cybersecurity risks and incidents is identified, collected, and reported to senior management. This will allow the appropriate personnel to promptly determine whether such risks and incidents should be publicly disclosed.
These controls and procedures should address both assessing risks and incidents, and responding to them. A close working relationship between a company’s information security team and its in-house legal team will be a key part of these policies and procedures. The exercise of developing DCPs will serve general counsel and senior management well in the wake of a data breach or cybersecurity incident.
The SEC has not suggested that every cybersecurity risk or incident is material, and thus, must be publicly disclosed. But the agency has made it clear that it expects public companies to make good faith efforts to determine whether particular risks or incidents are material as soon as they are known to exist, and to promptly disclose them if the companies determine them to be so.