The last round of phase-in for interactive data is now just around the corner, with upcoming quarterly reports for companies below the large accelerated filer threshold now subject to XBRL reporting requirements. Over the last couple of years, the Staff of the Commission’s Division of Risk, Strategy and Financial Innovation (Risk Fin) has completed reviews of interactive data financial statement submissions and has published general observations about those reviews.
In the latest set of observations published June 15th, the Staff addresses a wide range of XBRL issues including negative values, extending elements when an existing US GAAP taxonomy element is appropriate, “axis” and “member” use, and tagging completeness in the context of using parenthetical amounts. All pretty techie stuff, but nonetheless worth checking out and reviewing XBRL practices accordingly.
No Sign of an Interactive Data Reprieve
There is no sign of any XBRL reprieve for smaller companies, or for the need to perform detailed tagging of financial statement notes for larger companies, so it remains full-steam ahead for interactive data implementation efforts, with heavy reliance placed on third-party service providers. Given the reliance on third parties, this upcoming quarter-end could present some challenges for companies, given that so many issuers are seeking to create interactive data files all at once, and many for the first time.
It is a good idea to build some extra time into the filing schedule to account for any potential delays in turning last-minute changes to financial statements and notes to financial statements, even if you are an experienced XBRL filer. Also, first-time XBRL filers should not overlook the requirement to post the interactive data files on the company’s website on the same calendar day that the interactive data files are submitted with the periodic report.
First-time XBRL filers can also take some comfort in the availability of a one-time, 30-day grace period to submit the interactive data files (as well as a 30-day grace period for the first detailed tagging of the financial statement notes by already phased-in filers), although avoiding having to be in a position to use the grace period is still the best bet.
The most common XBRL question that I receive is who uses the XBRL files that companies go to such great lengths to create? To this day, I still don’t have a good answer for that one.
More on “The Mentor Blog”
We continue to post new items daily on our blog – “The Mentor Blog” – for TheCorporateCounsel.net members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:
– Insider Trading Analysis of Sokol Charges
– When Should an Investment Relations Officer Just Quit?
– FASB and IASB Significantly Revise Lease Accounting Proposals
– SEC Extracts Fines, But Not Confessions
– Fourth Circuit Holds Partial Disclosures Must Relate to Misrepresentations to Satisfy Loss Causation
Starting today, due to an upgrade in our database, all individual logins and passwords for our various sites have been reset. Your new username will be the email address that was in an email that was sent to you on Friday. Your temporary password will be your five-digit billing zip code. Beginning today, on your first login, you will be asked to reset your password as part of a simple process.
Once you have reset your password, it will automatically carry over to each of the following websites (if you’re a member of them):
Our HQ is handling questions on this (not me – I don’t even have access to our database) and their phone lines are open for extended hours this week: 925.685.5111. They have posted FAQs regarding this change.
If you use our popular Romeo & Dye’s Section 16 Filer software, you will need to download a new version of the software starting today and will automatically be prompted to do so.
Why Were the SEC’s New Whistleblower Rules Published Late in the Federal Register?
A member recently asked why the SEC’s new whistleblower rules were seemingly delayed in being published in the Federal Register until June 13th – since the agency issued its adopting release back in May after the Commission blessed them at a May 25th open Commission meeting (note: link to Fed Reg version is not yet posted on the SEC’s site)? To get something published in the Federal Register, the Office of Management & Budget (OMB) must conduct a review and then the adopting release moves to the Federal Register people (Government Printing Office).
Even though there seemed to be a delay for the whistleblower rules, it’s not really anything to complain about because it just pushed out the effective date for the rules. In other words, a delay would never have any bearing on whether an approved set of rules were indeed final – there would not be a reprieve from the Governor…
Gun-Jumping: Did Groupon Break SEC Rules?
This Forbes article notes how the timing of a lengthy NY Times piece on Groupon – that included behind-the-scenes access for the reporter – came out just a few days before Groupon filed a Form S-1 with the SEC for an IPO.
I haven’t seen any other commentary on this fact pattern – probably because most realize that the playing field has changed a bit due to the ’33 Act reform that took place in ’05. You may recall the infamous interview with the Google founders in Playboy a few days before that company filed its Form S-1 back in ’04. At first, Google was determined to fight the SEC regarding gun-jumping allegations – but the company ultimately backed down and included the entire Playboy interview in Google’s IPO prospectus.
Here’s an excerpt from the letter sent by SEC Chair Schapiro to Rep. Issa recently regarding more ’33 Act reform – the excerpt addresses this type of situation:
In April 2004, less than a week before Google initially filed its registration statement for its initial public offering, Google’s two founders were interviewed by Playboy magazine. Google informed the staff of the interview in August 2004 and advised the staff that the interview would appear in the September 2004 issue of Playboy, which was scheduled to hit newsstands after the offering period for Google’s innovative “Dutch auction” initial public offering closed.
Under the rules in effect at the time of this offering, the publication of an article such as this in connection with an initial public offering could raise concerns about inappropriate market conditioning and the potential need for a cooling-off period. For a variety of reasons, primarily based on (1) the timing of the release of the article after the completion of the offering period for the auction; and (2) Google filing the article as an exhibit to its registration statement (thereby including it as part of its offering materials), the staff determined that the publication of the article would not inappropriately condition the market for Google’s initial public offering.
As such, the staff did not impose any cooling-off period or otherwise delay the offering as a result of the article. Beyond this, it is important to note that, had the 2005 communications rules described above been in effect at the time, even if the Playboy article was published before Google’s offering period for the auction had closed, Google’s initial public offering would not have been delayed.
By contrast, another initial public offering in 2004 had a different result under the rules in existence at the time. Salesforce.com, Inc. had planned to go effective on its registration statement in May 2004 when an article appeared in The New York Times featuring an interview with the company’s CEO. The CEO had invited a reporter to follow him for a day during the road show for the offering, and the article, which was published during the road show, included substantial information about the offering. It appeared to the staff that the interview was granted – and the reporter was given access to the road show process – in an effort for Salesforce.com or its CEO to communicate with prospective investors through the article, which was not permitted under the rules at that time.
To address gun-jumping concerns, the staff imposed a cooling-off period. Under the communications rules adopted in 2005, this media coverage would not have required delay of the offering if certain filings, such as filing a copy of the article or its contents as a free-writing prospectus, were made.
Webcast: “The Latest Compensation Disclosures: A Proxy Season Post-Mortem”
Tune in tomorrow for the CompensationStandards.com webcast – “The Latest Compensation Disclosures: A Proxy Season Post-Mortem” – to hear Mark Borges of Compensia, Dave Lynn of CompensationStandards.com and Morrison & Foerster and Ron Mueller of Gibson Dunn analyze what was (and what was not) disclosed this proxy season.
I’ve got a quote in this interesting column in yesterday’s NY Times by Gretchen Morgenson in which she analyzes a fascinating report that compares CEO pay with a number of different metrics. For example: “24 companies where cash compensation last year amounted to 2 percent or more of the company’s net income from continuing operations.”
On Monday, the US Supreme Court dealt a final blow to the SEC’s theory that third parties may be held to a standard of primary liability under the SEC antifraud rules (called “implied representation”) for statements in a prospectus (we are posting memos in our “Securities Litigation” Practice Area). In a 5-4 decision in Janus Capital Group v. First Derivative Traders, the Court rejected a shareholder class-action lawsuit that argued that Janus Capital Group and a subsidiary should be held liable under the SEC antifraud rules for allegedly false statements in the prospectuses of subsidiary mutual funds.
The Court stated that the “maker of a statement” that violates SEC Rule 10b-5 “is the person or entity with ultimate responsibility over the statement . . . ” and that “One who prepares or publishes a statement on behalf of another is not its maker.” The Court reached this determination despite the close affiliation of the defendants to the mutual funds and their involvement in the preparation of the prospectuses.
Suzanne Rothwell notes that while private investors may be limited in their ability to recover directly from third parties, broker-dealers that distribute offerings later found to be fraudulent nonetheless remain vulnerable to an enforcement action by FINRA (as indicated in Regulatory Notice 10-22) for failure to comply with FINRA product suitability standards and, if the broker-dealer assisted in the preparation of the offering document, the FINRA advertising regulations. In addition to sanctions such as fines and suspensions, FINRA has authority to require that a broker/dealer or a broker make restitution to investors.
If you’re a fan of “The Office,” this video is hilarious. It reengineers the standard opening of the show as if it was an old-fashioned sitcom…
SEC Continues Work on Section 13(d) & (g) Modernization Project
Last week, the SEC re-adopted changes to Rules 13d-3 and 16a-1 to preserve the application of the existing beneficial ownership rules to security-based swaps after July 16th, the effective date of new Section 13(o) that was created under Section 766 of Dodd-Frank. Thus, security-based swaps will remain subject to these rules following the July 16th effective date. As noted in the re-adopting release, the SEC continues to work on its modernization project for Section 13(d) and (g) – and as noted in this press release, the SEC will be “taking a series of actions in the coming weeks to clarify the requirements that will apply to security-based swap transactions as of July 16 – the effective date of Title VII of the Dodd-Frank Wall Street Reform and Consumer Protection Act – and to provide appropriate temporary relief.” This relief began to happen on Wednesday as noted in this press release.
Last Call: Early Bird Discount for our “Say-on-Pay Intensive” Pair of Conferences
There is only one week left for the early bird discount for our annual package of executive pay conferences to be held on November 1st-2nd in San Francisco and by video webcast: “Tackling Your 2012 Compensation Disclosures: 6th Annual Proxy Disclosure Conference” and “The Say-on-Pay Workshop Conference: 8th Annual Executive Compensation Conference.” Save by registering by Friday, June 24th at our early-bird discount rates. Note this early-bird discount will not be extended.
As you can see from our agendas, this year’s pair of Conferences (for one low price) will be workshop-oriented more than ever before in an effort to provide the practical guidance that you need in the new say-on-pay world that we live in:
1. November 1st’s “Tackling Your 2012 Compensation Disclosures: 6th Annual Proxy Disclosure Conference” includes:
– Say-on-Pay Disclosures: The Proxy Advisors Speak
– Say-on-Pay: The Executive Summary
– Drafting CD&A in a Say-on-Pay World
– The In-House Perspective: Changing Your Processes for ‘Say-on-Pay’
– Getting the Vote In: The Proxy Solicitors Speak
– Handling the New Golden Parachute Requirement
– The Latest SEC Actions: Compensation Advisors, Clawbacks, Pay Disparity & Pay-for-Performance
– Dealing with the Complexities of Perks
– Conducting – and Disclosing – Pay Risk Assessments
– Say-on-Frequency & Other Form 8-K Challenges
– How to Handle the ‘Non-Compensation’ Proxy Disclosure Items
2. November 2nd’s “The Say-on-Pay Workshop: 8th Annual Executive Compensation Conference” includes:
– SEC Chair Mary Schapiro’s Keynote (via pre-taped video)
– Say-on-Pay Shareholder Engagement: The Investors Speak
– Say-on-Pay: The Proxy Advisors Speak
– How to Work with ISS & Glass Lewis: Navigating the Say-on-Pay Minefield
– Putting Your Best Foot Forward: How to Ensure Your Pay Practices Pass
– Say-on-Pay: Director (and HR Head) Perspectives
– Failed Say-on-Pay? Lessons Learned from the Front
– Say-on-Pay: Best Ideas for Putting It All Together
Last week, a sixth company that failed to garner majority support for their say-on-pay was sued – Hercules Offshore in a district court in Texas (here’s the complaint). We continue to post pleadings from these cases in CompensationStandards.com’s “Say-on-Pay” Practice Area.
Yesterday, I traded tweets with someone regarding the probability that all companies that fail to earn majority support will be sued. I’m not convinced that will happen since these cases are brought in such diverse venues and by different plaintiff’s firms. Does anyone know of any guiding hand behind the scenes of these six lawsuits?
It’s also interesting to note that I haven’t seen a single law firm memo yet about these say-on-pay lawsuits even though it appears they are the talk of the town whenever I am out and about. Let me know if you see one…
Let the Wild Rumpus Begin! Competing Bills to Upsize ’34 Act Registration Threshold
Yesterday, I blogged about a new House bill (HR 2167) that would raise the ’34 Act registration threshold to 1000 shareholders (from 500) and exclude employees and accredited investors. In doing so, I neglected to mention another recent House bill (H.R. 1965) that would raise the threshold to 2000 shareholders and also raise the deregistration threshold from 300 to 1200 shareholders. As noted in Jim Hamilton’s blog, there also is a Senate companion bill (S 556) for this one.
For a view questioning the wisdom of raising the threshold, check out Suzanne Rothwell’s entry yesterday on “The Mentor Blog.”
SEC Enforcement Director Receives Delegated Power to Immunize Witnesses
A few days ago, the SEC Commissioners gave delegated authority to the agency’s Enforcement Director to immunize witnesses. I’m not certain that immunization happens all that often at the SEC – since these are just civil cases – and in conjunction with 18 U.S.C. sections 6002 and 6004, I think this essentially allows Rob Khuzami to immunize any witness who is “pleading the Fifth” in an SEC investigation, thereby disallowing them to continue to assert the Fifth Amendment with the caveat that their testimony can’t be used against them in any criminal case.
Because he can, Senator Vitter temporarily blocked the nominations of Luis Aguilar and Dan Gallagher yesterday during a Senate Banking Committee hearing because he doesn’t like the pace of recovery for victims of Allen Stanford’s fraud. Strike that. I’m not sure it was “during” the hearing because Senator Vitter didn’t bother to show up to it, as noted in this Reuters article.
Yes, a single senator can hold up a nomination – but just temporarily as the Senate Banking Committee can still advance the nominations to the full Senate (so is that really a “hold”?). Doesn’t this make for some great gaming (last year, one Senator put an extraordinary “blanket hold” on at least 70 nominations)? I’m not sure what parliamentary procedure allows a nomination to be blocked when the Senator doesn’t even attend the hearing, but that surely compounds the waste of time that insincere holds are…
House Bill: Upsizing the 500 Shareholder ’34 Act Registration Threshold
During the past few months, I’ve blogged several times about the SEC’s upcoming capital-raising reform efforts, particularly in the area of pre-IPOs. Perhaps that’s not good enough for Congress as this Fortune article tells of a bill in the House that would boost the number of shareholders that trigger registration to 1000 shareholders, up from 500 – and would exclude exempt employees and accredited investors from counting towards the threshold. The bill was introduced yesterday and has six sponsors from both sides of the aisle. There is no corresponding Senate bill at this time.
Webcast: “Deals: The Latest Delaware Developments”
Tune in tomorrow for the DealLawyers.com webcast – “Deals: The Latest Delaware Developments” – to hear Rick Alexander of Morris Nichols, Stephen Bigler of Richards, Layton & Finger and Kevin Shannon of Potter Anderson discuss all the latest from the Delaware courts and legislature.
We’re very excited to announce the addition of Suzanne Rothwell to our editor staff. Suzanne brings a wealth of experience to our team. She recently retired from Skadden Arps after a decade of service here in DC. Previously, she served for 20 years in increasingly responsible positions with FINRA, including Associate Director and Chief Counsel of the Corporate Financing Department. At Nasdaq, she served as Special Counsel on the PORTAL Market and the development of trade reporting for debt securities. You’ll be seeing Suzanne on this blog – and our other blogs – as well as other parts of our sites.
The On-Going IPO Pricing Discussion: The Issuer’s Responsibility
And here’s a blog from Suzanne:
There has been quite a bit of commentary on the pricing of the LinkedIn IPO, which went public at $45 a share and closed at $94 on the first day of trading (including this entry in our “Mentor Blog”). The stock has traded as high as $122.69 and has since declined to close on June 7th at $77.82. One columnist questioned whether the underwriters of the LinkedIn IPO severely and intentionally underpriced the public offering in order to benefit customers who then immediately sold the stock to lock in the profit. (“Was LinkedIn Scammed?,” Joe Nocera, NY Times).
Another view was that possibly the IPO price for LinkedIn was too high as it resulted in a valuation of $8 billion for a company that made only $15.4 million in 2010. (“Why LinkedIn’s Price May Have Been Right,” Andrew Ross Sorkin, NY Times). Mr. Sorkin correctly points to the inherent conflict of IPO underwriters in meeting the interests of the company they are taking public and of their customers. He states that this is an “untenable position” and asks for a conversation on developing a better method. These statements reflect an on-going disagreement expressed over many years about the IPO pricing process.
The underwriters’ balancing of interests of the issuer and the need to price in some relation to the intrinsic value of the company in the interests of their customers has worked effectively for many years except when the underwriters have decided to game the distribution process or the aftermarket. In my experience, the regulation of IPO pricing is a difficult matter and it is better that the regulators limit their involvement to oversight for possible manipulation of the distribution process and the aftermarket as well as ensuring appropriate disclosures. FINRA’s predecessor, NASD, requested comment in 2003 on recommendations of the NYSE/NASD IPO Advisory Committee on three possible alternative approaches to promote transparency in pricing offerings, including whether to use an auction system–which is an oft-mentioned alternative.
What was not mentioned in the discussions of the LinkedIn IPO pricing was the responsibilities of the LinkedIn board of directors for that pricing, since the general view is that the issuer will accept the pricing determinations of the underwriters. However, this is where a new FINRA rule will likely make changes. Instead of proposing rules to adopt any of the alternative pricing methods, FINRA recently implemented new FINRA Rule 5131, which (among other things) requires that underwriters provide the IPO issuer’s pricing committee or board of directors with a regular report of indications of interest in order to assist the issuer to make an informed decision as to the pricing of the offering. As stated by the NASD in 2003, “. . . greater participation by issuers in pricing and allocation decisions would better ensure that those decisions are consistent with the fiduciary duty of directors and management, and would provide management with more information to evaluate the underwriter’s performance.” Clearly, it was FINRA’s intention to enhance the corporate governance responsibilities of issuers in the setting of the IPO price for the company.
We shall see whether the new rule, which became effective at the end of May, will have an impact on IPO pricing. In any event, any future discussions of the IPO pricing issue will have to take into account the fact that the issuer’s board of directors was part of an informed decision on the final pricing determination.
Supreme Court Rules Loss Causation Need Not Be Proven at Class Certification Stage
In the midst of my computer meltdown last week, the US Supreme Court held that securities fraud plaintiffs need not prove loss causation at the class certification stage in Erica P. John Fund v. Halliburton. We have been posting memos on this decision in our “Securities Litigation” Practice Area.
We’ve now had four more companies file Form 8-Ks reporting failed say-on-pay votes: Nabors Industries (43%); Tutor Perini (49%); Cadiz (38%); and BioMed Realty Trust (46%). I keep maintaining our list of Form 8-Ks for failed SOPs in CompensationStandards.com’s “Say-on-Pay” Practice Area.
SEC Brings “Blue Ribbon” Enforcement Proceeding Against “Crowdsourcing” Offering
With thanks – and permission to blog – from the ABA’s State Regulation of Securities Committee:
This recent press release announces the SEC’s entry into a cease and desist order with two individuals who attempted to raise $300 million via a website, a Facebook page and a Twitter account, to finance a company which would purchase the Pabst Brewing Company. While the respondents purportedly raised over $200 million in pledges from more than 5 million pledgors, they never collected any monies. A unique feature of the offering was the respondents’ promise that investors would not only receive a certificate of ownership in the acquisition company, but beer of a value equal to the amount invested (at least the SEC didn’t allege that the beer was a “security,” too – note, however, the old “whiskey warehouse receipt” cases).
One interesting point not mentioned in the press release – but raised in the actual Order – is that the SEC describes the offering as being effected “via crowdsourcing” (see paragraphs 3 and 5). Query whether this is the first enforcement proceeding by any securities regulator against a “crowdsource” offering? In any event, it sounds like the respondents never consulted with a reputable securities (or any?) attorney before commencing their offering; I would hope that any member of our Committee would have dissuaded them from attempting this venture in the chosen manner.
Here is a pun related to this case that I received: “I understand that the SEC went after the respondents when they heard that this offering was brewing on the Internet. Unfortunately for the SEC staff, they were only able to bottle up the respondents with their cease-and-desist order, the Justice Department decided the case wasn’t worth throwing them in the can with a criminal action.”
And another member noted: My foggy memory thinks that the Boston Beer Company tried to do something that was the then-equivalent of that back in the (maybe?) early 1990s when it was organized. I think they had “solicitation” language on their labels or something goofy like that…
Senator Grassley: How Does the SEC Treat Enforcement Referrals from Fellow Agencies?
As noted in this Reuters article, Senator Grassley’s recent investigation of SAC Capital Advisors is not really about the private investment firm but rather is a look into how the SEC treats referrals from other agencies. Here’s a letter from Grassley to reporters about how he believes that this response from the SEC into questions about how the SEC handled a referral from FINRA about suspicious trades by SAC Capital.
There are two Congressional hearings this week related to the SEC. Tomorrow, the Senate Banking Committee takes up the Commissioner nominations of Luis Aguilar and Dan Gallagher.
And then on Thursday, the House Transportation Committee is holding a hearing entitled “The SEC’s $500 Million Fleecing of America” regarding the SEC leasing a building after it was directed to hire many more Staffers under Dodd-Frank – and then Congress reversed ship on the SEC’s budget (and is now blaming the SEC for thinking it was staffing up). This briefing memo relies heavily on the SEC Inspector General report about the lease that has been mentioned in the mass media lately. Note that it’s pretty rare that this House Committee gets involved with SEC affairs…
In the wake of the SEC’s new whistleblower rules, we are posting dozens of memos analyzing them in our “Whistleblowers” Practice Area. We also are addressing some questions on the new rules in our “Q&A Forum,” including this one:
Question #6531: As a result of the SEC adopting final rules implementing the whistleblower provisions of Dodd-Frank, does anyone find it necessary or prudent to amend an issuer’s Whistleblower Policy accordingly? Because the final rules will not be effective until probably later this summer, figure it isn’t too early to start thinking about this.
Steve Pearlman of Seyfarth Shaw noted: I’m not aware of any publicly available. But my knee-jerk is that the potential down-sides of amending a whistleblower policy to take changes in the legal landscape into consideration are not readily apparent and likely well outweighed by the advantages. For example, it generally would be unreasonable for an employee to argue that a change in the policy amounts to an admission that the prior policy was ineffective or not legally sufficient and thus yields liability. Plus, it is worth noting that subsequent remedial measures generally are not appropriate evidence of liability.
Caveat: any revision to the policy needs to be carefully crafted so that it does not inadvertently invite or condone any sort of retaliation or otherwise run afoul of the new law (or any other laws for that matter).
Which In-House Department Should Handle Whistleblower Complaints?
In this podcast, Steve Pearlman of Seyfarth Shaw describes how companies are grappling with who handles whistleblower complaints under the new Dodd-Frank framework adopted recently by the SEC, including:
– Historically, which departments within a company handled whistleblower complaints?
– Is that changing and how?
– Can you give a specific example of how a company may create a hybrid model involving multiple departments?
– What factors should companies consider to determine what is the best model for them?
Delaware: Strine Nominated as New Chancellor; Glasscock as New Vice Chancellor
Yesterday’s breaking news that I blogged on the DealLawyers.com Blog: Delaware Chancery Court VC Leo Strine tapped as the new Chancellor and Sam Glasscock, a long-time court master, nominated for Strine’s VC slot. They now need to be confirmed by the Delaware State Senate. Here’s articles from:
While my computer recovers from a meltdown, here is a guest blog courtesy of Jim Brashear, General Counsel, Zix Corporation:
Spate of Data Security Incidents
The news media recently have reported many high-profile breaches of corporate data security. These incidents should prompt securities lawyers to focus on the potential materiality of public companies’ risks concerning data security, data privacy and data breaches and the necessary disclosures when those risks are material.
Most of the recent data breach reports have focused on incidents in which consumers’ personal information was exposed. In perhaps the most egregious example, Sony Corporation experienced multiple instances of hackers breaching several of its databases, potentially exposing the personal information of more than 100 million users, some of it in unencrypted plain text files. In another recent example, hackers targeting marketing services company Epsilon accessed email addresses for customers of dozens of major consumer brands.
Other data breaches indicate that hackers were looking for trade secrets or other valuable corporate information. Earlier this year, hackers targeted five multinational oil companies, apparently seeking proprietary data about global oil discoveries. Data security firm RSA was hacked, putting at risk the SecurID token security used by the firm’s clients. That incident apparently allowed hackers to attempt to penetrate networks at Lockheed. Moreover, Google reported this month that hackers accessed personal email accounts of senior White House officials, which was likely an attempt to penetrate sensitive U.S. Administration systems.
Confidential information is not only at risk on companies’ own internal networks. Companies and government agencies are increasingly storing confidential data with third party “cloud” services providers. A recent Trend Micro survey reportedly shows that nearly half of IT executives have reported a security lapse or issue with their cloud services provider in the last year. There are also indications that law firms are becoming targets for hackers, because those firms hold confidential data of many clients and may use relatively less-sophisticated data security procedures – potentially making them a weak link in the cybersecurity chain. The same may be true of other corporate advisors and business partners. So, companies evaluating data security risks need to consider “Who else has our confidential data and where is it?”
Potential Materiality of Data Security
Why are data breaches potentially material? As the Inside Investor Relations blog points out, “hackers can bring down your networks – and your stock price.” A data breach can remove a competitive advantage, through the loss of proprietary information. A data breach can seriously impair a company’s brand and reputation. If consumers or business partners lose confidence in the ability of a company to protect information, they may move their data and business elsewhere.
A data privacy breach can expose companies to significant disclosure and remediation costs, averaging over $7 million per incident and over $200 per individual whose personal data is compromised. A data breach can subject companies to fines and penalties, such as the $4.3 million HIPAA fine imposed on Cignet Healthcare. Last month, the White House issued its U.S. cybersecurity legislative proposal, which promotes a federal standard for data breach notification to individuals.
Letter Seeks SEC Guidance on Cybersecurity Disclosure
In a May 11th letter to SEC Chair Mary Schapiro, five Democrat members of the Senate Committee on Commerce, Science & Transportation asked the SEC to “issue guidance regarding disclosure of information security risk, including material network breaches.” The letter opines that “Federal securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share.” [Original emphasis]
The letter cites a 2009 survey by Hiscox which concluded that 38% of Fortune 500 companies made a “significant oversight” by not mentioning privacy or data security exposures in their public filings. The letter criticizes the lack of disclosure about steps being taken by companies to reduce those risk exposures.
One might expect the SEC Staff to be particularly sensitive to the adverse impacts of a data breach that exposes consumers’ personal information. After all, the SEC’s own employees were recently affected by a data breach when the Department of the Interior’s National Business Center sent out SEC employees’ social security numbers and other payroll information in unencrypted emails. In response to the Senators’ request, an SEC spokesperson reportedly said “companies do have a disclosure obligation when it comes to events such as cyber security or cyber vulnerabilities just like any other events that face a company in the normal course of business.”
[News coverage did not disclose the identity of the contractor whose software failed to encrypt the Interior Department’s email, but we can confirm that it was not Zix Corporation, which provides automated email encryption for SEC staff.]
Considerations in Improving Cybersecurity Disclosure
In light of the potential materiality of these issues, forward-thinking securities counsel have already been advising clients about the need to include in their public disclosure discussions about material data security, privacy and data breach risks. See, for example, the client advisory by Sullivan & Worcester, which provides several examples of SEC rules applicable to data security, privacy and data breach risk disclosure. We expect that more firms will begin advising public company clients to focus on the potential materiality of their risks concerning data security, data privacy and data breaches and to craft necessary disclosures when those risks are material.
Last year, the SEC Staff issued interpretive guidance regarding disclosure related to climate change. Based on the approach taken in that guidance, the SEC Staff may now suggest that companies must consider in their disclosure:
– The impacts of compliance with privacy and data security legislation and regulation, including federal, state, foreign and international rules,
– The indirect consequences of data privacy regulations or business trends (e.g., the implications of Do Not Track on web marketing),
– The impacts of mitigating data security, privacy and data breach risks, such as systems costs and training,
– The potential impacts of data breaches on the company’s business,
– The steps that the company is taking to identify and mitigate those risks.
Last year, I blogged about the results of a biannual government-wide “Federal Human Capital Survey” as it pertained to the SEC. Now, a new government-wide survey is out – and here is the SEC’s 2010 Federal Employee Viewpoint Survey. Overall, the SEC did not fare well compared to the other 36 federal agencies included in the survey – coming in 35th on Job Satisfaction; 33rd on Talent Management; 33rd on Results-Oriented Performance Culture and 26th on Leadership & Knowledge Management.
There are a lot of interesting items in this new Survey – enough to dribble out blogs for weeks – but I take it all with a grain of salt. Case in point: in the “Private Sector Comparison” on page 16, 86% of the respondents in the private sector replied that they like the work they do. That’s certainly not the case when I talk to people. Talk someone out of going to law school today!
Webcast: “Yes, It’s Time to Update Your Insider Trading Policy”
Tune in tomorrow for the webcast – “Yes, It’s Time to Update Your Insider Trading Policy” – to hear Alan Dye of Hogan Lovells and Section16.net, Sean Dempsey of Sealed Air, Keith Higgins of Ropes & Gray, Isobel Jones of Del Monte Foods and Dave Lynn of TheCorporateCounsel.net and Morrison & Foerster provide practical guidance on revisiting your insider trading policy, as well as your insider trading training program for officers, employees and directors.
Trading Blackouts: Not Taken Seriously in Australia?
I recently received this from a member:
I pass this item on just for its “that’s unbelievable” factor. The Australian government has asked a private sector advisory group to look into assorted matters that they think detract from the integrity of their market. One item is director trading during black-out periods. See Section 2.4 of this report, which indicates that there is a lot of trading by directors during blackout periods in that country, some approved by the CEO and some not – directors just ignoring the blackout period. Can you imagine that happening in the US? Just hang out a sign that says “Sue me, please.”