Litigating Privacy, Data Breach and Cybersecurity Issues in 2014: The SEC View on Disclosure Obligations

Transcription

1 Litigating Privacy, Data Breach and Cybersecurity Issues in 2014: The SEC View on Disclosure Obligations American Bar Association Section of Litigation Annual Conference 2014 Spring Program Scottsdale, Arizona Richard H. Herold Snell & Wilmer Phoenix, Arizona

2 Disclosure of Material Information Information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information available. Basic v. Levinson, 485 U.S. 224 (1988) 2

3 Division of Corporate Finance of the SEC Seeks to ensure that investors are provided with material information in order to make informed investment decisions, both when a company initially offers its securities to the public and on an ongoing basis as it continues to give information to the marketplace. Through the Division s filing review process, we selectively review filings made under the Securities Act of 1933 and Securities Exchange Act of 1934 both to monitor and to enhance compliance with disclosure and accounting requirements. In the course of a review, the staff may issue comments to a company to elicit better compliance with applicable disclosure requirements. In response to those comments, a company may revise its financial statements or amend its disclosure to provide additional or enhanced information, or may undertake to revise its financial statements or other disclosures in future filings. This comment process deters fraud and facilitates investor access to information necessary to make informed investment decisions, thus enhancing the efficiency of the capital markets. 3

4 Securities & Exchange Commission Rules Addressed Specifically to Cybersecurity None 4

5 Division of Corporation Finance Disclosure Guidance: Topic No. 2 (Cybersecurity), October 13, 2011 The primary adverse consequences of concern to the SEC: Remediation costs Increased cybersecurity protection costs Lost revenues Litigation Reputational damage 5

6 CF Disclosure Guidance: Topic No. 2 Registrants should consider the probability of cyber incidents and the quantitative and qualitative magnitude of those risks Appropriate disclosures may include: Discussion of aspects of the registrant s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses. 6

7 CF Disclosure Guidance: Topic No. 2 Appropriate disclosures may include: Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of costs and other consequences; Risks related to cyber incidents that may remain undetected for an extended period; and Description of relevant insurance coverage. 7

8 Not Required by the CF Guidance No. 2 [F]ederal securities laws do not require disclosure that itself could compromise a registrant s cybersecurity. There is some tension between disclosure guidance and permissible self-protection allowing registrants to withhold some detail. 8

9 Corporation Finance Cybersecurity Comments Since companies have received comments about cybersecurity disclosures in SEC filings since the 2011 Guidance Fortune 500 and beyond 9

10 Cybersecurity Litigation Risks 1. SEC Enforcement Actions 2. Securities Class Actions 3. Derivative Lawsuits 10

11 One Example: Target s December 19, 2013 Data Breach & Resulting 8-K SEC Filing we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network we have a program to detect and respond to data security incidents the techniques used to obtain unauthorized access change frequently hardware, software or applications we develop or procure from third parties may contain defects all incidents we experienced were insignificant until Q4 13 the breach we experienced was significant and went undetected for several weeks we experienced weaker than expected U.S. Segment sales immediately following the announcement of the 2013 data breach we are currently facing more than 80 civil lawsuits filed on behalf of guests, payment card issuing banks and shareholders state and federal agencies, including State Attorneys General, the Federal Trade Commission, and the Securities and Exchange Commission, are investigating which may have an adverse effect Worse yet: we re not sure how bad it is, and it could get worse Target s Form 8-K, February 26,

12 Questions? Richard H. Herold Snell & Wilmer