14 Los Angeles Lawyer September 2014

RICH

ARD

EW

ING

DATA BREACHES INVOLVING the personal information of consumershave recently appeared prominently in headlines. In California, for exam-ple, it is estimated that over 2.5 million residents were put at risk bydata breaches in 2012, including five major breaches that each affectedthe personal information of 100,000 or more people.1 California busi-nesses, which must give notice when a data breach results in unau-thorized access to the unencrypted personal information of consumers,are under siege. As recently highlighted by an SEC roundtable, cyber-security—including the issue of whether and how to disclose a breach—is receiving considerable scrutiny from legislators and regulators.

Disclosure of cybersecurity problems by public companies, forexample, presents an interesting confluence of policy considerationsfor which there is still no consensus. On the one hand, investors maybe interested in whether and to what extent a corporation may be bur-dened by cybersecurity expenses—whether they be the cost of build-ing defenses or the losses arising from a breach. On the other hand,detailed discussion of the value of vulnerable assets or the reasons fortheir vulnerability may attract predators.

So far, the SEC has been taking a measured approach to thecybersecurity disclosure issue. In October 2011, the staff of the SEC’sDivision of Corporate Finance published written guidance.2 Theguidance followed a May 2011 letter from five senators to then-SECChair Mary Schapiro requesting that the commission “develop andpublish interpretative guidance clarifying existing disclosure require-ments pertaining to information security risk, including materialinformation [about] security breaches involving intellectual propertyor trade secrets.”3 Although the guidance does not create any new ruleor regulation, it does respond to the senators’ request by offering theviews of the corporate finance staff on how public companies mayassess what disclosures should be provided about cybersecurity mat-ters. The staff discussed the need to disclose risks that have materi-alized into breaches and risks of future incidents.4

In the October 2011 guidance, the staff notes that while no exist-ing rules or regulations explicitly refer to the need for cybersecuritydisclosure, a number of existing SEC requirements are broad enoughto potentially encompass the issue. In particular, the staff opines thatvarious provisions of the SEC’s Regulation S-K5 could touch on theneed for cybersecurity disclosures in a company’s periodic reports filedwith the SEC. For example, citing Item 503(c) of Regulation S-K, thestaff suggests that a company may consider disclosing “the risk of cyberincidents if these issues are among the most significant factors that makean investment in the company speculative or risky.” In addition, cit-ing Item 303 of Regulation S-K, the staff indicates that a company maywant to address cybersecurity matters in the section of its periodic fil-ings devoted to “Management’s Discussion and Analysis of FinancialCondition and results of Operations.” The section covers knownincidents or risks of possible incidents that reach the level of a “mate-rial event, trend, or uncertainty that is reasonably likely to have a mate-rial effect on [a company’s] results of operations, liquidity, or finan-cial condition or would cause reported financial information not to

be necessarily indicative of future operating results or financial con-dition.” The staff also notes Item 103 of Regulation of S-K, whichrequires a brief description of material pending legal proceedings.6

Apart from the technical discussion of which existing rules and reg-ulations might be implicated by cybersecurity issues, the CorporateFinance staff made three general observations. First, the guidancerecognizes that an assessment of whether and to what extent cyber-security disclosures should be made in light of each company’s “spe-cific facts and circumstances.” There is no one-size-fits-all analysis.Second, the staff states that “we are mindful of potential concerns thatdetailed disclosures could compromise cybersecurity issues—for exam-ple, by providing a ‘roadmap’ for those who seek to infiltrate a [com-pany’s] network security” and, therefore, “we emphasize that disclo-sures of that nature are not required under the federal securities

practice tips BY HOWARD M. PRIVETTE, D. SCOTT CARLTON, AND SARAH KELLY-KILGORE

The SEC Guidance on Cybersecurity Measures for Public Companies

Howard M. Privette is a partner, and D. Scott Carlton and Sarah Kelly-Kilgoreare associates, in the Los Angeles office of Paul Hastings LLP, where they focuson securities litigation and enforcement matters for U.S. and global clients.

laws.” Third, in a related point, the staffexplains that while companies “should providedisclosure tailored to their particular circum-stances and avoid generic ‘boilerplate’ dis-closure, we reiterate that the federal securitieslaws do not require disclosure that itself wouldcompromise a [company’s] cybersecurity.”7

On this last point, the staff recommendsthat while companies should not make a dis-closure that would compromise cybersecurity,they “should provide sufficient disclosure toallow investors to appreciate the nature of therisks faced by the particular [company] in amanner that would not have that conse-quence.” The guidance does not explain howto do so. The tension between the risk ofdisclosure and the risk of nondisclosure mayhelp explain the SEC’s approach to cyberse-curity after the guidance was published, whichgenerally has been to evaluate the issue on acase-by-case basis.

SEC Practice after the Guidance

According to SEC Chair Mary Jo White, in the18 months following publication of the guid-ance, the Corporate Finance staff issued com-ments addressing cybersecurity matters toapproximately 50 public companies of vary-ing size and in a wide variety of industries.8

Many comments focus on disclosure of pastincidents.

For example, in a case in which a companystated that it “continue[s] to face increasingcyber security threats,” the staff requestedthat the company provide it information onwhether the company had experienced any“breaches, hacker attacks, unauthorized accessand misuse, computer viruses and other cyber-security risks and events in the past and, if so,what consideration you have given to dis-closing such events in your risk factors.”9 Ina similar case, the staff asked for informationabout whether a company had experiencedany security breaches or attacks, even if theyhad not resulted in an adverse effect. Thestaff indicated that if the company had expe-rienced such incidents, it should considermaking investors aware.10

In a somewhat different vein, the staff hasexpressed doubt when companies claim thataccess to their computer systems by unautho-rized users is unlikely. For example, in com-menting on a foreign company’s registrationstatement containing such an assertion, thestaff requested that “[g]iven the risks associ-ated with cybersecurity breaches,” the com-pany should “please consider revising” thisassertion and, “[f]urthermore, tell us whatconsideration you gave to including risk fac-tor disclosure.”11

Some have questioned whether more shouldbe done. In April 2013, Senator John D.Rockefeller IV wrote to White to urge that shemake cybersecurity one of her highest priori-

ties.12 Rockefeller explained that he“applauded” the October 2011 guidance “asan important first step in the right direction,”and noted that “it certainly made a positiveimpact on disclosures.” However, he opinedthat public company “disclosures are generallystill insufficient for investors to discern thetrue costs and benefits of companies’ cyberse-curity practices.”

Rockefeller tied his concerns about the suf-ficiency of corporate cybersecurity disclo-sures to his general concern that the UnitedStates is not adequately protecting itself withrespect to cybersecurity. He asserted that“[i]nvestors deserve to know whether com-panies are effectively addressing their cyber-security risks,” calling this information “indis-pensable to efficient markets.” He explainedhis belief that, “as a country, we need the pri-vate sector to make significant investments incybersecurity,” and suggested that “[f]ormalguidance from the SEC on this issue will bea strong signal to the market that the com-panies need to take their cybersecurity effortsseriously.” Thus, “given the growing signifi-cance of cybersecurity on investors’ and stock-holders’ decisions, the SEC should elevate[the staff’s] guidance and issue it at theCommission level as well.”13

In her letter responding to Rockefeller,White agreed that cybersecurity disclosure“is a very important issue that is of increas-ing concern for public companies, our finan-cial markets, and the nation.” However, shedemurred on the senator’s request that theSEC elevate the existing Corporate Financestaff guidance to the Commission level, equat-ing cybersecurity risks “with other businessrisks” that should be “among the factors apublic company would consider in evaluatingits disclosure obligations.” Nevertheless, shepraised the efforts of the SEC staff in pro-mulgating the October 2011 guidance and inreviewing companies’ disclosures, highlight-ing the number and breadth of the commentsprovided to individual companies on cyber-security issues. White emphasized that theSEC staff “continues both to prioritize thisimportant matter in its review of public com-pany disclosures and to issue comments con-cerning cybersecurity.” She also explainedthat the staff “is actively engaged in dis-cussing publicly both cybersecurity mattersand the guidance to remind public companiesof the staff’s view of the importance of cyber-security disclosure” and “is using the infor-mation gathered through these efforts to eval-uate the efficacy of the guidance.” Sheconcluded by telling the senator that she has“asked the staff to provide [her] with a brief-ing of the current disclosure practices andoverall compliance with the guidance, as wellas any recommendations they have regardingfurther action in this area.”14

In the months following the exchangebetween Rockefeller and White, a series ofhigh-profile data breaches rattled the public.In December 2013, for example, TargetCorporation announced a data breach result-ing in the theft of approximately 40 millioncredit and debit card account numbers. Then,in January 2014, the Neiman Marcus Groupconfirmed that a similar theft had occurred atits stores, resulting in a spike in fraudulentcredit and debit charges on cards that had beenused at those stores. In February, Las VegasSands Corporation, the world’s largest casinocompany, revealed a cybersecurity breach thatresulted in the theft of customer and employeedata. These breaches echo previous eventslike those at T.J. Maxx in 2006, which resultedin the theft of approximately 45 million creditand debit card account numbers. Overall,according to the Identity Theft ResourceCenter, 2013 was a record year, with morethan 600 breaches reported nationwide.

In the face of these events, in March theSEC hosted a roundtable to focus on cyber-security and the challenges it raises for Am -erican companies, regulators, and law enforce-ment agencies. Participants included all fiveSEC commissioners, high-ranking officialsfrom other government agencies, and indus-try leaders from the private sector. The issueof the disclosure obligations of public com-panies generated considerable discussion.Although the panelists participating in theroundtable seemed to agree that cybersecurityis of growing importance to market partici-pants, there was little consensus on how bestto address the issue of disclosure.15

Comments from the commissioners areillustrative. In her opening remarks, Whitefocused on the materiality standard that isapplicable generally to all financial disclo-sures. In contrast, the comments of Com mis -sioner Kara Stein suggested that cybersecu-rity matters may need to be disclosed evenabsent materiality.16 Other panelists, particu-larly those from the private sector, cautionedthat the SEC should tread lightly in consider-ing whether to change reporting requirements.Roberta Karmel, a former SEC commissionerand current law professor, suggested that dis-closure may not be in the public’s interest.Heavy-handed disclosure requirements couldexacerbate risk by bringing breaches to theattention of those who may seek to exploitthem, and, as the private sector participantsargued, greater disclosure obligations couldresult in greater litigation risk without anyincreased investor protection. CommissionerLuis A. Aguilar may have summarized best:“There is no doubt that the SEC must play arole in this area. What is less clear is what thatrole should be.”17

The SEC’s interest in cybersecurity dis-closures extends both to incidents that have

Los Angeles Lawyer September 2014 15

already occurred and to the risk of futureincidents. The staff’s comment letters, forexample, have pushed companies for moreinformation about the occurrence of pastincidents and questioned how this historymight reflect on the nature and scope of therisks that companies face.

Notably, public companies in the UnitedStates are already subject to a web of statelaws mandating notice of data breachesinvolving the personal information of con-sumers. In this regard, California has been aleader in the field and is generally regarded ashaving among the most comprehensiverules.18 Under California law, public and pri-vate companies doing business in Californiaor with California residents are required togive notice when a data breach results inunauthorized access to certain unencryptedpersonal information of consumers.19 If abreach triggers a company’s disclosure oblig-ations, the business must notify any and allCalifornia residents whose personal infor-mation was acquired, or is believed to havebeen acquired, “in the most expedient timepossible and without unreasonable delay.”20

While comprehensive, California’s notificationrequirement does not take into considera-tion the consequences resulting from the man-ner and timing of notification with respect tofederally regulated securities.

The confluence of state consumer notifi-cation requirements and federal securities lit-igation is illustrated by the case of Choice -Point. A spinoff from Equifax, the companyaggregated personal data sourced from multiplepublic and private databases for sale to the gov-ernment and the private sector. In 2005, itbecame the target of a shareholder securitiesclass action alleging that the company hadmisrepresented the security of the private datait collected and sold. According to the allega-tions of the shareholder complaint, Californialaw enforcement alerted Choice Point inSeptember 2004 that criminals had gainedaccess to its databases and were using stolenpersonal information. In turn, this triggeredCalifornia’s requirement to notify consumersof the theft of their personal information.21

According to the shareholder complaint,after receiving this alert from California lawenforcement but before sending out the req-uisite consumer notices, ChoicePoint con-tinued to issue press releases and file reportswith the SEC that contained rote statementsconcerning the company’s commitment toprotecting private information. In addition, anumber of senior officers sold millions of dol-lars of stock. Then, in early February 2005,without making any other public statement orannouncement, the company began mailingthe consumer notices required by Californialaw. Within a week, the media began report-ing on the matter, and soon there was a series

16 Los Angeles Lawyer September 2014

GL Howard and Company CPAs, LLPLITIGATION SUPPORT TAX CONTROVERSY INTERNATIONAL TAX

ACCOUNTING SERVICES TAX COMPLIANCE & PLANNING

of news items and statements by the com-pany that eventually disclosed that the breachcovered by the California notices extendednationwide and had been preceded by similarbreaches in the past. The private shareholderlitigation commenced after an announcementof investigations by both the SEC and theFTC, and a drop in the company’s stock price.After the company’s motion to dismiss theshareholder litigation was denied, the caseeventually settled for $10 million.22

Securities Litigation Considerations

At the March 2014 SEC roundtable, private-sector panelists expressed concern that requir-ing increased disclosure of cybersecurity mat-ters may lead to more shareholder class actionsand derivative lawsuits. As an example,between 2005 and 2007, infamous hackerAlbert Gonzalez and his accomplices targetedmultiple companies, including TJX Companies(T.J. Maxx, Marshalls, and other retail chains)and Heartland Payment Sys tems.23 The databreaches caused by Gon zalez’s group ulti-mately resulted in the theft and sale of morethan 90 million credit and debit card accountnumbers.24 While TJX disclosed the databreach, other companies did not. As a result,according to Douglas Meal, a panelist at theSEC’s cybersecurity roundtable, TJX experi-enced “all kinds” of litigation burdens while

other companies that had been breached by thesame hacking group did not.25

However, it is a dubious proposition thatthe absence of cybersecurity disclosures willinsulate a company from shareholder litiga-tion. As the SEC’s staff guidance and ongo-ing review of cybersecurity issues make clear,the SEC considers these issues to be within thescope of existing disclosure requirements.Therefore, a public company that fails toaddress cybersecurity adequately in its fil-ings will very likely find itself to be the sub-ject of SEC scrutiny and, if a cyber incidentoccurs, the lack of disclosure itself may resultin private shareholder litigation.

This point is illustrated by the case ofWyndham Worldwide Corporation. WWCwas the target of a series of data breachesfrom April 2008 to January 2010. Thesebreaches resulted in an investigation and ahigh-profile lawsuit by the FTC, alleging thatWWC’s security practices were unfair anddeceptive.26 In 2014, a shareholder derivativelawsuit was filed, piggybacking on these alle-gations and seeking to bring breach of fidu-ciary duty claims against WWC’s board ofdirectors and several of its executives (includ-ing the general counsel).27 The shareholderalso complained that the company did not dis-close the data breaches until it announced thefiling of the FTC’s lawsuit in a Form 10-Q

with the SEC in July 2012, more than twoand-a-half years after the occurrence of thelast breach.28 That disclosure was also thesubject of a comment letter sent by the SECa week after the Form 10-Q was filed. Notingthat WWC’s filing included a discussion of therisk of future cyber incidents, and referring tothe October 2011 Corporate Finance disclo-sure guidance, the August 1, 2012, commentletter requested that, “[b]eginning with yournext Form 10-Q, please state that you haveexperienced data breach incidents in the pastin order to provide the proper context foryour risk factor disclosure.”29

Ultimately, the question is not whether apublicly held company should provide cyber-security disclosures, but how it should do soeffectively. Heartland’s experience provides anexample of how disclosures can help defeatshareholder litigation. In 2009, a group ofinvestors sued Heartland in the District Courtof New Jersey, alleging that Heartland hadfraudulently concealed the occurrence of thedata breach and fraudulently misrepresentedthe general state of Heartland’s cybersecu-rity.30 The court, evaluating Heartland’smotion to dismiss, explained that omissionsare “only fraudulent in the presence of aduty to disclose, which usually arises onlywhen there is insider trading, a statute requir-ing disclosure, or an inaccurate, incomplete,

Los Angeles Lawyer September 2014 17

or misleading prior disclosure.”31

Further, the court explained, “[T]here is nogeneral duty on the part of issuers to discloseevery material fact to investors.”32 Findingthat Heartland had no duty to disclose thedata breach when it occurred, the court deter-mined that Heartland’s subsequent statementsregarding the general state of its security didnot amount to fraudulent concealments ormisrepresentations.33 In effect, the court rec-ognized that there is no statute expressly requir-ing the disclosure of cybersecurity incidentsand, so long as a company has not otherwisemade an inaccurate, incomplete, or misleadingdisclosure on cybersecurity matters, no legal lia-bility should attach to the failure to disclose.

As cybersecurity becomes a more criticalpart of modern business, the laws and regu-lations addressing cybersecurity will continueto evolve. Whether this will lead to specificnew disclosure standards and requirements forpublic companies in the United States, how-ever, remains an open question. In the mean-time, companies addressing these issues shouldpay careful attention to the October 2011guidance before deciding whether and how tomake disclosures. A step in the wrong direc-tion—which could be either too much or toolittle disclosure—may lead to greater litigationrisks or greater scrutiny from the SEC. �

1 KAMALA D. HARRIS, DATA BREACH REPORT 2012(2012), available at http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf.2 SEC, DIV. OF CORP. FIN., CF DISCLOSURE GUIDANCE:TOPIC NO. 2: CYBERSECURITY (2011) [hereinafterGUIDANCE], available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.3 See Letter from Sens. John D. Rockefeller IV, RobertMenendez, Sheldon Whitehouse, Mark Warner &Rich ard Blumenthal, to Mary Schapiro, Chair, SEC(May 11, 2011), available at http://www.commerce.senate.gov.4 See GUIDANCE, supra note 2.5 Standard Instructions for Filing Forms under SecuritiesAct of 1933, Securities Exchange Act of 1934 and En -er gy Policy and Conservation Act of 1975—RegulationS-K, 17 C.F.R. §229.10-.1208 (2011).6 The staff also indicated that cybersecurity issues maybe considered under Items 101 and 307 of RegulationS-K and cited several specific accounting standardsapplicable to corporate financial statements that may beimplicated by costs incurred as a result of cyber incidents.See Regulation S-K, 17 C.F.R. §§229.10-1208 (2011). 7 See GUIDANCE, supra note 2.8 See Letter from Mary Jo White, Chair, SEC, to Sen.John D. Rockefeller, IV, Chairman, Comm. on Com -merce, Sci., & Transp. (May 1, 2013), available athttp://www.commerce.senate.gov.9 See Letter from Suzanne Hayes, Assistant Dir., SEC,to James J. Malerba, Exec. Vice President, CorporateController & Chief Accounting Officer, State StreetCorp. (Apr. 9, 2012), available at http://www.sec.gov.10 See DELOITTE & TOUCHE, SEC COMMENT LETTERS—INCLUDING INDUSTRY INSIGHTS: CONSTRUCTING CLEAR

DISCLOSURES 67 (7th ed. 2013).11 See Letter from Maryse Mills-Apenteng, SpecialCounsel SEC, to Dana Gallovicova, Chief EnforcementOfficer, Zlato Inc. (June 11, 2013), available athttp://www.sec.gov.

18 Los Angeles Lawyer September 2014

ESTABLISHED 1985 ~ EXCELLENT RATESSales Dept. 310.829.0741 x304 • 800.951.5020 • translation@alsglobal.net • alsglobal.net

TRANSLATING & INTERPRETING ALL LANGUAGESCERTIFIED PROFESSIONALS

Making the World Smaller

AMERICAN LANGUAGE SERVICES

LEGAL CORPORATETRANSCRIPTIONSEXPERT WITNESS TESTIMONYNATIONWIDE OFFICESWORLDWIDE COVERAGE

12 See Letter from Sen. John D. Rockefeller IV, Chair,Comm. on Commerce, Sci. & Transp., to Mary JoWhite, Chair, SEC (Apr. 9, 2013), available athttp://www.commerce.senate.gov.13 Letter from John D. Rockefeller IV to Mary Jo White,Chair, SEC (Apr. 9, 2013), available at http://www.privacyandsecuritymatters.com/files/2013/04/Rockefeller-SEC-letter.pdf.14 Letter from Mary Jo White, Chair, SEC, to Sen. JohnD. Rockefeller, IV, Chairman, Comm. on Commerce,Sci., & Transp. (May 1, 2013), available at http://www.commerce.senate.gov.15 Following the SEC’s roundtable in March 2014,the SEC has received several comment letters fromacademics, software companies, and other interestedparties generally expressing support for the SEC’sefforts to provide guidance to public companies. SeeComments on Cybersecurity Roundtable, available athttp://www.sec.gov/comments/4-673/4-673.shtml.16 See Susan D. Resley et al., SEC Hosts Roundtableon Cybersecurity Issues and Challenges (Mar. 31,2014), http://www.lexology.com.17 Commissioner Aguilar has also indicated that direc-tors of public company boards should more proactivelyconfront the risks of cyber-attacks, including by encour-aging boards to follow the guidelines set forth by theNational Institute of Standards and Technology regard-ing best practices for managing cybersecurity risks.See Luis A. Aguilar, Commissioner of the U.S. Securitiesand Exchange Commission, Cyber Risks and theBoardroom, Conference at the New York StockExchange (June 10, 2014).18 See CIV. CODE §§1798.80-1798.84. Effective Jan. 1,2014, Civil Code §§1798.80-1798.84 were amendedto include a “user name or email address, in combi-nation with a password or security question and answerthat would permit access to an online account” in thedefinition of electronic personal information. See CIV.CODE §§1798.82(h)(2).19 See CIV. CODE §§1798.82.20 SeeCIV. CODE §§1798.82(a). California’s Office of Pri -v acy Protection recommends that notice be providedwith in 10 business days of an organization’s determina-tion that personal information was, or is reasonably be -lieved to have been, acquired by an unauthorized person.21 See In re Choicepoint, Inc., Sec. Litig., No. 1:05-cv-00686-JTC, 2006 U.S. Dist. LEXIS 97903, at *3-7(N.D. Ga. Nov. 19, 2006).22 Stipulation of Settlement, In re Choicepoint, Inc., Sec.Litig., No. 1:05-cv-00686-JTC (N.D. Ga. Mar. 7,2008) (No. 66).23 See Kim Zetter, TJX Hacker Gets 20 Years in Prison,WIRED (Mar. 25, 2010), http://www.wired.com/2010/03/tjx-sentencing.24 See id.25 Joel Schectman, When to Disclose a Data Breach:How about Never?, WALL ST. J. (Mar. 27, 2014),http://blogs.wsj.com/riskandcompliance/2014/03/27/when-to-disclose-a-data-breach-how-about-never.26 There is considerable controversy over the FTC’sclaim of statutory authority to regulate cybersecuritymatters. However, U.S. District Judge Esther Salas’sdecision in Wyndham upheld the FTC’s authority inthat case. See FTC v. Wyndham Worldwide Corp., No.2:13-cv-01887-ES-JAD, ____ F. Supp. 2d ____, 2014WL 1349019, at *6-7 (D. N.J. Apr. 07, 2014).27 Complaint at 1-4, Palkon v. Homes, No. 2:14-cv-01234-SRC-CLW (D. N.J. May 2, 2014) (No. 12).28 See id. at 3.29 Id. at 25.30 See In re Heartland Payment Sys., Inc. Sec. Litig., No.09-1043 (D. N.J. Dec. 7, 2009).31 Id. at 10 (internal quotation marks and citationsomitted).32 Id. at 11.33 See id.

Los Angeles Lawyer September 2014 19

LEADERSHIP

LEGACYASouthwestern Law School

The Southwestern Community is proud to salute

PROFESSOR ROBERT E. LUTZselected as the 2014 Warren M. ChristopherInternational Lawyer of the Yearby the California State Bar International Law Section

SOUTHWESTERN LAW SCHOOLLos Angeles, Cal i fornia www.swlaw.edu

One of legal education’s foremost authorities on

international public and private law, Professor Lutz has held the top posts in the most in!uentialorganizations in the international law community, including Chair of the International Law Sections of the American Bar Association, Association of American Law Schools and Los Angeles County Bar Association,and was co-founder of the State Bar of California International Law Section.

OF