Happy New Year! We are beginning this week with a series of top Privacy and Security issues for 2013, as we see them. Let’s start with an issue of interest to publicly traded companies, or companies considering going public in 2013 – a reminder that cybersecurity issues are of interest to the Securities and Exchange Commission (SEC) and are a shareholder disclosure issue. We expect to see an increased focus in this area in 2013.
THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA SECURITY RISKS AND BREACHES
The amount of personal and confidential information maintained electronically by public companies increases every day. As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company’s business also increases. In response to this ever-increasing risk, the Securities and Exchange Commission (the “SEC”) is requiring greater disclosure related to data security, and this trend will likely increase in 2013.
The SEC issued guidance relating to public company disclosure of data security at the end of 2011. Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S-1 Registration Statement and became one of the pioneers in data security and privacy disclosure. Since then, public and soon-to-be public companies have followed suit, and more companies are including disclosure related to data security risks and breaches.
A recent example of this increased disclosure can be found in the risk factors of a prospectus filed by Michaels Stores, Inc. Specifically, Michaels Stores, Inc. included the following risk factor: “Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results.” This type of risk factor is becoming more and more common among public company filings, both in registration statements and annual and quarterly filings.
Companies that fail to include adequate disclosure about data security risks have already begun receiving SEC comments for 10-Ks filed at the end of 2011. One example of this occurred in the SEC’s review of Freeport-McMoRan Copper & Gold Inc.’s (“Freeport”) 10-K for Fiscal Year Ended December 31, 2011. In the SEC’s Comment Letter, it noted that Freeport failed to include any risk factors related to cyber attacks. The SEC commented that in Freeport’s next 10-Q, it should provide “risk factor disclosure describing the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.” The SEC further referred Freeport to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Sure enough, as Freeport promised in its response letter to the SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30, 2012.
In 2013, the SEC is likely to ramp up its cybersecurity risk disclosure requirements and will require all types of public companies to include additional disclosure regarding data security risks and breaches, not just internet-based public companies like Facebook, Inc.