Are You Another Target for Hackers? 2014 Cybersecurity Risk Disclosure Reminder

by Akin Gump Strauss Hauer & Feld LLP
Contact

As calendar-year public companies approach annual reporting season, issuers should consider whether or not their current risk factor disclosures, as well as their “forward looking statements” language, are adequate in light of recent high-profile cybersecurity incidents. While there are currently no comprehensive federal laws explicitly mandating disclosure in connection with data security breaches (a fact that several legislators are working to change), the emerging and existing business risks have not gone unnoticed by the Securities and Exchange Commission (SEC). In 2011 the SEC advised companies to approach cybersecurity as they would any other part of the business: if cybersecurity is a significant factor that makes an investment in the company speculative or risky, then issuers should address it in their risk factor disclosures. Similarly, if a past incident or current risk of cybersecurity is likely to have a material effect on operations or financial statements, then such incident or risk should be included in their Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Recent incidents have highlighted just how relevant cybersecurity risks are to companies in the retail space. In December, Target Corporation announced that debit and credit card information for more than 40 million of its U.S. retail store customers was wrongfully accessed during the height of the holiday shopping season, a number that has since increased to as many as 110 million compromised accounts. Target had previously disclosed data security risks in its 2012 annual report. In its discussion of risk factors, Target said that “[t]he nature of our business involves the receipt and storage of personal information about our guests . . . If we experience a significant data security breach or fail to detect and appropriately respond to a significant data breach, we could be exposed to government enforcement actions and private litigation.” Furthermore, Target disclosed that malicious attacks and security breaches could cause them to incur substantial costs and they could encounter a loss of guest confidence, which could adversely affect their results of operations. Target is apparently trying to mitigate these post-incident risks and potential damage to its reputation with consumers by staying out in front of the problem: publicly announcing the data breach, establishing a dedicated webpage for resources related to the breach, and offering free credit monitoring and identity theft protection to all Target customers. Earlier today, Target’s CEO Gregg Steinhafel posted an open letter on Target’s official blog offering an apology to customers and setting forth a numbered list of remedial steps the company is taking post-breach. Target is also using social media to interact with its affected customers; the company’s official Facebook and Twitter feeds have been almost exclusively about the data breach since it was first publicly announced. Whether or not Target’s risk factor disclosure is sufficient to ameliorate government action and private lawsuits and whether or not Target’s handling of the breach can preserve its brand and reputation as well as manage the potentially substantial costs associated with the incident remain to be seen.

Another retailer, Neiman Marcus, confirmed on Friday that it was also subject to a data security breach in December. While not as robust as Target’s, Neiman Marcus’s most recent Form 10-K contained risk factor disclosure identifying cyber-attacks and breach of information security as significant risks to the company’s operations. Neiman Marcus has apologized to its customers via Twitter, but so far provided few details of the attack as they continue to investigate. The U.S. Secret Service is also investigating the Neiman Marcus information breach, the extent of which is not yet known.

In light of these recent high-profile cyber-attacks, companies may want to take a fresh look at the SEC’s 2011 Disclosure Guidance to determine if their current risk factor disclosures should be supplemented to identify risks as technology evolves and more incidents occur. Companies should also review their standard “forward looking statements” language to determine whether it could also use refreshing. In doing so, companies should consider whether or not cyber-attacks post a unique and material risk to their operations, and should discuss these risks in a way that avoids boilerplate language and statements of general risk applicable to all users of information technology. Although the disclosure should be tailored and company-specific and should provide enough information to allow investors to “appreciate the nature of the risks,” companies need not provide potential cyber attackers with a “road map” of their security flaws or vulnerabilities, according to the SEC. And as Target’s reaction to its data breach illustrates, disclosures may continue after a cyber incident, as the company continues to investigate and update affected parties and investors.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP
Contact
more
less

Akin Gump Strauss Hauer & Feld LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!