As businesses collect increasing amounts of data on their customers and other consumers, sophisticated adversaries, recognizing the value of this information, have stepped up efforts to steal it. For publicly traded companies, the risk of intrusion goes beyond the costs and reputational damage resulting from a major breach: the SEC is increasingly willing to pursue enforcement actions against companies that fail to disclose not appropriately investor cyber attacks. And through its security disclosure requirements, the SEC has set a trap for the unwary who fall prey to data thieves.
Simply put, the SEC requires state-owned companies to accurately disclose the risks they face in cybersecurity and the handling of personal information. The trap? The SEC views as inaccurate a disclosure that characterizes a security breach as a mere possibility if the company has indeed suffered a material security breach.
The SEC’s security breach disclosure guidelines leave many unanswered questions about when and to what extent companies should disclose cyber attacks. The SEC has not made it clear whether state-owned companies must file additional information in the event of a credit card data breach. As a result, companies already dealing with the fallout from a cybersecurity incident do not know how to meet their legal obligations to investors and government.
As part of its SOE reporting system, the SEC has issued various guidelines over the past decade regarding the types of reporting obligations that exist regarding cybersecurity risks, policies, and breaches. In 2011, as the exfiltration of customer data began to become the problem it is today, the SEC’s Division of Corporation Finance issued guidance suggesting that publicly traded companies should, under certain circumstances, disclose cybersecurity risks and related incidents. The SEC then deepened its advice in 2018 when it issued interpretive guidance on public companies’ cybersecurity disclosure obligations.
Basically, the SEC asked “state-owned companies [to] take all necessary measures to inform investors of significant cybersecurity risks and incidents in a timely manner. This means that SOEs not only need to timely disclose material cybersecurity breaches, but they should also disclose the simple risk of a cybersecurity incident if a breach would have a significant impact on functions, operations, profitability. or the performance of the company.
To date, the SEC guidelines have largely focused on annual and quarterly reports using Forms 10-K and 10-Q, but the SEC has been silent on using Form 8-K to make similar disclosures. . In other words, the SEC may find that a public company has made material inaccuracies or omissions in its annual or quarterly disclosures if a company fails to accurately and timely disclose cybersecurity incidents to investors; but the SEC has not made it clear if or when a disclosure of Form 8-K is required as a result of a cybersecurity breach.
And the SEC has stepped up its cybersecurity disclosure requirement. In 2019, the SEC reached a $ 100 million settlement with Facebook for failing to properly disclose the company’s discovery of the misuse of user information associated with the Cambridge Analytica scandal. When Facebook discovered that user data had been hijacked in 2015, the company only disclosed that information in March 2018. In the meantime, investor disclosures in Facebook’s public documents simply referred to the possibility that “user data may being inappropriately accessed, used or disclosed âwithout revealing that such an incident had in fact already occurred. The SEC viewed this as a significant omission, which Facebook exacerbated in statements it made to the media following the publication of the Cambridge Analytica scandal. Announced on the same day as Facebook’s much larger $ 5 billion settlement with the FTC, the critical SEC fine – and in all other contexts – has been somewhat lost in coverage of the FTC deal .
But the SEC has not abandoned enforcement of the matter. Pearson plc, a London publisher of educational materials related to schools and universities, just learned a similar lesson when it struck a million dollar deal with the SEC in August 2021. As with Facebook, the SEC has determined that Pearson had failed to disclose actual knowledge of a data breach, that Pearson misrepresented the preventative cybersecurity measures it had in place, and that Pearson made misleading statements to the media about the magnitude and the scope of the intrusion. Here again, the SEC opposed a state-owned company revealing the hypothetical risk of a data privacy incident without revealing that a data breach had actually occurred.
According to the SEC, â[t]he materiality of cybersecurity risks or incidents depends on their nature, extent and potential magnitude, in particular with respect to any compromised information or the activity and scope of the company’s operations. . . . This includes damage to a company’s reputation, financial performance, and relationships with customers and suppliers, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal government authorities and non-US authorities. This, combined with SEC enforcement action against Facebook and Pearson, indicates that companies must provide specific information on Form 10-K following a cybersecurity incident. In both cases, the SEC took issue with what each company said or did not say in various annual reports. None of the enforcement actions indicated that the target companies should have published additional information via Form 8-K.
Indeed, in 2018, SEC Commissioner Robert J. Jackson Jr. conducted an analysis of data breaches disclosed and reported in 2017. Of 82 material breaches involving public companies that year, only four companies reported. filed a Form 8-K disclosing the violation to investors. As Commissioner Jackson said, “In 2017, companies that experienced data breaches chose not to file 8-K more than 97% of the time.”
The question of whether to file a Form 8-K involves a number of complex considerations, which further compound the uncertainty faced by executives of public companies. At the outset, organizations need to carefully consider whether the cybersecurity breach itself is material; but this consideration and the associated disclosure obligations also trigger other competing considerations.
Many states each have separate disclosure and reporting rules for cybersecurity incidents; and these disclosure obligations generally apply to time limits other than the four business day rule usually applicable to Form 8-K disclosures. Additionally, the SEC maintains strict rules against insider trading on material non-public information, which may well include a material cybersecurity breach. On top of all this, companies with serious cybersecurity incidents are often busy remedying the breach itself, which typically involves identifying and shutting down any existing vulnerabilities or exploitation, sorting out data exfiltration. ongoing, inform affected customers and institute costly and invasive cybersecurity audits. Indeed, if a Form 8-K disclosure is required within four business days of a triggering event, how should a SOE disclose a data breach if determining the nature and extent of the breach takes? more than four working days?
As the scale of cybersecurity breaches continues to grow dramatically, state-owned companies face unique pressures when facing the consequences of a data breach. While the SEC has provided some useful data points on how state-owned companies should disclose cybersecurity incidents using annual and quarterly reporting mechanisms, the SEC has been patently silent on the release of Form 8 disclosures. -K as a result of serious data breaches. This creates significant uncertainty for businesses, which is multiplied by the other obligations these businesses face when a data breach is discovered. The SEC would do well to fill this important gap in its regulatory guidance.
A data breach triggers a myriad of legal obligations and can lead to significant and costly consequences for the business concerned. Initially, companies must identify the source of the vulnerability and fix the vulnerabilities; But affected businesses must simultaneously identify the legal obligations triggered by the breach, while planning in advance for regulatory actions, litigation, and investigations of vendors and business partners, including banks and payment card issuers.
Both Pearson and Facebook’s enforcement actions identified a secondary issue that is fundamental to properly responding to a data breach: In both cases, the SEC also found that not every company had a effective mechanism for communicating information about data incidents to those responsible for making public disclosures. In other words, the SEC found additional misconduct because incident response teams and regulatory disclosure teams failed to communicate adequately. These enforcement actions should serve as a lesson for businesses affected by data breaches: While addressing the immediate consequences of a breach is paramount, management should ensure that all relevant internal groups remain informed of developments. related to incidents. This ensures that other in-house specialists bring their experience to help the affected business meet its obligations to customers, suppliers and investors.
From the first moment a data breach is identified, an affected business should immediately seek legal counsel to help them overcome the pitfalls created by a cybersecurity incident, including how best to handle required disclosures. Brownstein Hyatt Farber Schreck attorneys have considerable experience dealing with all aspects of cybersecurity breaches, including Congressional investigations, actions of state attorneys general, private litigation, PCI investigations, and the reputational damage control. Our experienced team of legal professionals are ready to assist you when the need arises.