Senators Ask SEC for Guidance on Information Security Risk Disclosure
While my computer recovers from a meltdown, here is a guest blog courtesy of Jim Brashear, General Counsel, Zix Corporation:
Spate of Data Security Incidents
The news media recently have reported many high-profile breaches of corporate data security. These incidents should prompt securities lawyers to focus on the potential materiality of public companies' risks concerning data security, data privacy and data breaches and the necessary disclosures when those risks are material.
Most of the recent data breach reports have focused on incidents in which consumers' personal information was exposed. In perhaps the most egregious example, Sony Corporation experienced multiple instances of hackers breaching several of its databases, potentially exposing the personal information of more than 100 million users, some of it in unencrypted plain text files. In another recent example, hackers targeting marketing services company Epsilon accessed email addresses for customers of dozens of major consumer brands.
Other data breaches indicate that hackers were looking for trade secrets or other valuable corporate information. Earlier this year, hackers targeted five multinational oil companies, apparently seeking proprietary data about global oil discoveries. Data security firm RSA was hacked, putting at risk the SecurID token security used by the firm's clients. That incident apparently allowed hackers to attempt to penetrate networks at Lockheed. Moreover, Google reported this month that hackers accessed personal email accounts of senior White House officials, which was likely an attempt to penetrate sensitive U.S. Administration systems.
Confidential information is not only at risk on companies' own internal networks. Companies and government agencies are increasingly storing confidential data with third party "cloud" services providers. A recent Trend Micro survey reportedly shows that nearly half of IT executives have reported a security lapse or issue with their cloud services provider in the last year. There are also indications that law firms are becoming targets for hackers, because those firms hold confidential data of many clients and may use relatively less-sophisticated data security procedures - potentially making them a weak link in the cybersecurity chain. The same may be true of other corporate advisors and business partners. So, companies evaluating data security risks need to consider "Who else has our confidential data and where is it?"
Potential Materiality of Data Security
Why are data breaches potentially material? As the Inside Investor Relations blog points out, "hackers can bring down your networks - and your stock price." A data breach can remove an competitive advantage, through the loss of proprietary information. A data breach can seriously impair a company's brand and reputation. If consumers or business partners lose confidence in the ability of a company to protect information, they may move their data and business elsewhere.
A data privacy breach can expose companies to significant disclosure and remediation costs, averaging over $7 million per incident and over $200 per individual whose personal data is compromised. A data breach can subject companies to fines and penalties, such as the $4.3 million HIPAA fine imposed on Cignet Healthcare. Last month, the White House issued its U.S. cybersecurity legislative proposal, which promotes a federal standard for data breach notification to individuals.
Letter Seeks SEC Guidance on Cybersecurity Disclosure
In a May 11th letter to SEC Chair Mary Schapiro, five Democrat members of the Senate Committee on Commerce, Science & Transportation asked the SEC to "issue guidance regarding disclosure of information security risk, including material network breaches." The letter opines that "Federal securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share." [Original emphasis]
The letter cites a 2009 survey by Hiscox which concluded that 38% of Fortune 500 companies made a "significant oversight" by not mentioning privacy or data security exposures in their public filings. The letter criticizes the lack of disclosure about steps being taken by companies to reduce those risk exposures.
One might expect the SEC Staff to be particularly sensitive to the adverse impacts of a data breach that exposes consumers' personal information. After all, the SEC's own employees were recently affected by a data breach when the Department of the Interior's National Business Center sent out SEC employees' social security numbers and other payroll information in unencrypted emails. In response to the Senators' request, an SEC spokesperson reportedly said "companies do have a disclosure obligation when it comes to events such as cyber security or cyber vulnerabilities just like any other events that face a company in the normal course of business."
[News coverage did not disclose the identity of the of the contractor whose software failed to encrypt the Interior Department's email, but we can confirm that it was not Zix Corporation, which provides automated email encryption for SEC staff.]
Considerations in Improving Cybersecurity Disclosure
In light of the potential materiality of these issues, forward-thinking securities counsel have already been advising clients about the need to include in their public disclosure discussions about material data security, privacy and data breach risks. See, for example, the client advisory by Sullivan & Worcester, which provides several examples of SEC rules applicable to data security, privacy and data breach risk disclosure. We expect that more firms will begin advising public company clients to focus on the potential materiality of their risks concerning data security, data privacy and data breaches and to craft necessary disclosures when those risks are material.
Last year, the SEC Staff issued interpretive guidance regarding disclosure related to climate change. Based on the approach taken in that guidance, the SEC Staff may now suggest that companies must consider in their disclosure:
- The impacts of compliance with privacy and data security legislation and regulation, including federal, state, foreign and international rules,
- The indirect consequences of data privacy regulations or business trends (e.g., the implications of Do Not Track on web marketing),
- The impacts of mitigating data security, privacy and data breach risks, such as systems costs and training,
- The potential impacts of data breaches on the company's business,
- The steps that the company is taking to identify and mitigate those risks.