…….Shareholder Proposals on Cybersecurity and Privacy: Another Country Heard From 

As the holiday season slips into the rear view mirror, another season looms large for public companies —- proxy season.  Adding to the ever-growing chorus of demands for increased transparency by public companies on cybersecurity and privacy matters, institutional shareholders have recently begun to contribute their own distinctive voices to the discussion. One powerful tool being deployed in this regard by institutional shareholders is the ability to require public companies to include certain shareholder proposals in proxy statements for shareholder meetings.   This right allows public company shareholders who jump through the procedural and substantive hoops created by Rule 14a-8 under the Securities Exchange Act of 1934, as amended, to air their concerns publicly and directly through the company’s own proxy statement, and to require that a vote be taken at the meeting on their proposals, alongside the company’s own proposals. 

Rule 14a-8(i)(7) allows public companies to exclude shareholder proposals from their proxy statements if the proposal “deals with a matter relating to the company’s ordinary business operations.” Recipients of shareholder proposals on cybersecurity and privacy matters have frequently taken the position that these proposals are properly excludable on these grounds. However, the fact that a proposal arguably relates to ordinary business matters is not the end of the analysis. The SEC has indicated that “…proposals that relate to ordinary business matters but that focus on ‘sufficiently significant social policy issues . . . would not be considered to be excludable because the proposals would transcend the day-to-day business matters.’” Shareholder proponents have locked on to the “transcendent and significant social policy” theme to make their case for inclusion of these proposals.

For example, in a letter sent to the SEC’s Division of Corporation Finance in February 2014 by shareholder proponents arguing in favor of the inclusion of a proposal to Cerner Corporation, which would have required Cerner to “…publish a report…explaining how the Board is overseeing privacy and data security risks…,” the shareholders argued:

“The Company asserts that the Proposal is excludable pursuant to Rule 14a-8(i)(7), as addressing the Company’s ordinary business – the policing of privacy and data security.  Although prior Staff decisions have allowed similar exclusions, this Proposal addresses a transcendent social policy issue. Under the Staff’s decision-making process, an issue may not be considered a significant policy issue one year, but can rise to such a status if the issue has congressional, public and media attention, and a clear nexus to the company.

Privacy and data security have become the focus of national and international discussion and debate, addressed as top-level priorities by heads of government and legislatures around the world.  They are also the focus of national and international lobbying campaigns, investigation by numerous non-governmental organizations, and an extraordinary amount of media attention.  In this instance, the issue of board oversight of privacy and data, and the catastrophic risks associated with a failure of such oversight, is a very significant social policy issue

The shareholder proponents in the Cerner matter ultimately withdrew their petition, because Cerner’s audit committee amended its charter to add references to privacy and data security as risk-related topics to be reviewed and overseen by the audit committee, and the proponents were satisfied with that action as a means of addressing their concerns.

Some shareholder proposals on cybersecurity and privacy have been voted on at shareholder meetings. For example, the American Express Company’s proxy statement for its May 2014 shareholder meeting included the following shareholder proposal:

“Resolved, shareholders request that the Company publish an annual report explaining how the Board is overseeing privacy and data security risks, providing metrics and discussion, subject to existing laws and regulation, regarding requests for customer information by U.S. and foreign governments, at reasonable cost and omitting proprietary information.”

In response to the shareholder proposal, AMEX argued in its proxy statement that it had already implemented extensive programs and policies relating to privacy and data security, and that as a result the shareholder’s proposal would not “add any additional value.” AMEX’s shareholder base was apparently persuaded by the company’s argument, as the proposal only garnered 21.3% of the vote at the meeting.

Apple was one of the first companies faced with a shareholder cybersecurity proposal in 2013 put forward by Trillium Asset Management:

Resolved, that the Board of Directors publish a report, at reasonable expense and excluding confidential or proprietary information, explaining how the Board is overseeing privacy and data security risks.

Interestingly, in its supporting statement, Trillium said:

It should be emphasized that the Proposal is not asking the Company to disclose risks, specific incidents, supplier relationships or legal compliance procedures, but rather, we believe investors need to understand more fully how the Board is overseeing the concerns described above. It is likely that, as greater scrutiny is placed on these issues by regulators and the general public, shareholder proposals in this area will only increase. Below are some steps to consider to ensure that your company is well-positioned to respond to such a proposal.

It is likely that, as greater scrutiny is placed on these issues by regulators and the general public, shareholder proposals in this area will only increase. Below are some steps to consider to ensure that your company is well-positioned to respond to such a proposal.

So, for this third day of privacy, we have three takeaways for the upcoming proxy season: 

  • Engage with your institutional shareholders to assure them that you are addressing the issue and have made it a priority. Productive dialogue can go a long way towards avoiding a public fight (and the associated expense) over whether the company is doing enough.
  • Review your Board’s committee charters to assess whether they address this issue adequately and reflect the Board’s commitment to getting it right.
  • Take, and disclose, a proactive stance on privacy and cybersecurity issues. AMEX was able to make a compelling argument that the shareholder proposal would not add to the comprehensive steps that the company had already taken (1) to ensure that its board was kept apprised of potential issues in this area, (2) to adopt privacy and data protection principles, and (3) to comply with new and evolving standards of good privacy and data protection practices. Without the company being able to point to these extensive measures, the shareholder proposal may have had a higher chance of success.