October 7, 2016

Yahoo! Hack: How the Fortune 100 Discloses Data Breaches

Recently, Senator Mark Warner wrote this letter (also see this article) to the SEC asking the agency to investigate whether Yahoo! adequately informed investors about its massive data breach – this focuses even more attention on a hot topic: cybersecurity disclosure. This Debevoise memo reviews the disclosure practices of Fortune 100 companies for data security breaches.  Here are some of the key findings:

– Most Fortune 100 companies make initial disclosures about a cyber incident through their periodic reports, rather than on a current report Form 8-K.

– Periodic reports typically reflected the cybersecurity event in updated risk factors, sometimes by directly calling out the event and other times by revising risk factors in light of it, though without specific reference to the event.

– Disclosures were typically contained in the “risk factors” section of periodic filings.  When disclosures did appear elsewhere, they were usually made in the financial statement footnotes, in MD&A, or – occasionally – in the discussion of legal proceedings or the business.

Board & CEO Views: What Makes a Good GC?

Recently, KPMG published these survey results that reveal how CEOs & boards perceive what makes a good general counsel. The answers suggest that the job requires a lot more than just being the company’s chief lawyer. Here are the five attributes that characterize a top GC:

– Business leader providing insightful commercial advice to the other senior executives and the board, based on sound legal principles.

– Risk manager being constantly alert to – and vigilant against – an increasingly broad array of global threats to the company, and handling them accordingly.

– Technology champion leading the change in mindset – from technology as a stand-alone, isolated specialism to the all-pervasive reality of doing business in the digital age.

– Key communicator adeptly handling communications with key stakeholders such as the board and investors, as well as effectively communicating with regulators and internal teams.

– Builder of corporate culture setting a tone of trust at the top & building a risk-aware culture in which compliance is not seen as a straitjacket, but as a source of competitive advantage.

If a GC’s Profile Increases, A Greater Risk to Privilege?

The changing role of today’s GC increases the risk to the attorney-client privilege. This recent blog by McDermott Will’s Michael Peregrine & Bill Schuman notes that the emerging best practice of giving the general counsel greater organizational prominence may create attorney-client privilege issues. Here’s an excerpt:

Despite its organizational benefits, the transformation of the general counsel’s role carries with it a significant potential cost. The challenges of attempting to attach the protections of the attorney-client privilege to business advice provided by the general counsel have long been acknowledged.

These challenges become more consequential as the general counsel’s internal communications increasingly extend to operational or strategic considerations, and not just purely legal matters. And the stakes are even higher now that the Justice Department and other enforcers have said they will hold accountable more individuals, for whom the privilege may be unavailable.

John Jenkins