Cybersecurity Update: Are Data Breach Disclosure Requirements on Target?

by Akin Gump Strauss Hauer & Feld LLP

As discussed in Akin Gump’s annual “Top Ten Topics for Directors in 2014,” cybersecurity and data privacy are indeed among the hottest topics in the boardroom this year due to the dramatic rise in cyber attacks and data breaches. As part of a board’s risk management oversight function, directors should assess the adequacy of their company’s data security measures. Among other things, boards should have a clear understanding of the company’s cybersecurity risk profile and who has primary responsibility for cybersecurity risk oversight and should ensure the adequacy of the company’s cyber risk management practices, as well as the company’s insurance coverage for losses associated with data breaches.

This week, Akin Gump delves further into cybersecurity risk factor disclosures as public companies head into annual reporting season, and takes a look at the renewed congressional interest in federal data security and breach notification legislation.

Recent Data Breaches

On December 19, 2013, Target issued a press release disclosing that approximately 40 million credit and debit card account numbers had been hacked from its system, a number that has since risen to potentially as many as 70 million accounts. The breach is currently being investigated by the U.S. Secret Service Electronic Crimes Task Force (ECTF). On New Year’s Eve, an anonymous group or person hacked into Snapchat’s servers and publicly released the usernames and phone numbers of more than 4.6 million Snapchat users. Additionally, on January 11, 2014, retailer Neiman Marcus confirmed that hackers had breached its servers and accessed customer payment information. The ECTF is also investigating the Neiman Marcus data breach, the extent of which is not yet known. The Senate Judiciary Committee announced yesterday that it has scheduled its hearing on data breaches for February 4, 2014.

Risk Disclosure Reminder

As calendar-year public companies approach annual reporting season, issuers should consider whether or not their current risk factor disclosures, as well as their “forward-looking statements” language, are adequate in light of these high-profile cybersecurity incidents. While there are currently no comprehensive federal laws explicitly mandating disclosure in connection with data security breaches, the emerging and existing business risks have not gone unnoticed by the Securities and Exchange Commission (SEC) or the Financial Industry Regulatory Authority (FINRA). In 2011 the SEC advised companies to approach cybersecurity as they would any other part of the business: if cybersecurity is a significant factor that makes an investment in the company speculative or risky, then issuers should address it in their risk factor disclosures. Similarly, if a past incident or current risk of cybersecurity is likely to have a material effect on operations or financial statements, then such incident or risk should be included in their Management’s Discussion and Analysis of Financial Condition and Results of Operations. FINRA has reiterated to broker-dealers that cybersecurity will remain a regulatory priority with a primary focus of firm policies, procedures and controls.

The recent incidents show just how relevant cybersecurity risks are to companies in the retail space. Target had previously disclosed data security risks in its 2012 annual report. In its discussion of risk factors, Target said that “[t]he nature of our business involves the receipt and storage of personal information about our guests . . . If we experience a significant data security breach or fail to detect and appropriately respond to a significant data breach, we could be exposed to government enforcement actions and private litigation.” Furthermore, Target disclosed that malicious attacks and security breaches could cause them to incur substantial costs and they could encounter a loss of guest confidence, which could adversely affect their results of operations.

Target is apparently trying to mitigate these post-incident risks and potential damage to its reputation with consumers by staying out in front of the problem: publicly announcing the data breach, establishing a dedicated webpage for resources related to the breach, and offering free credit monitoring and identity theft protection to all Target customers. Earlier this week, Target’s CEO Gregg Steinhafel posted an open letter on Target’s official blog offering an apology to customers and setting forth a numbered list of remedial steps the company is taking post-breach. Target is also using social media to interact with its affected customers; the company’s official Facebook and Twitter feeds have focused almost exclusively on the data breach since it was first publicly announced. Whether or not Target’s risk factor disclosure is sufficient to ameliorate government action and private lawsuits and whether or not Target’s handling of the breach can preserve its brand and reputation as well as manage the potentially substantial costs associated with the incident remain to be seen.

While not as robust as Target’s risk factor disclosure, Neiman Marcus’ identified cyber attacks and breach of information security as significant risks to the company’s operations. Neiman Marcus has apologized to its customers via Twitter, but so far provided few details of the attack as they continue to investigate.

In light of these recent high-profile cyber attacks, companies may want to take a fresh look at the SEC’s 2011 Disclosure Guidance to determine if their current risk factor disclosures should be supplemented to identify risks as technology evolves and more incidents occur. Companies should also review their standard “forward-looking statements” language to determine whether it needs refreshing. Target has already revised their forward-looking statements language to address the potential impacts of the data breach as factors which could cause its actual results to differ materially, including: “(i) loss of guest confidence in the Company’s ability to protect their information because of the data breach, and the adverse impact such loss of confidence may have on sales, (ii) the outcome of our pending and ongoing investigation, including our discovery of additional information relating to the data breach and our guests’ and other stakeholders’ reactions to that additional information, and (iii) costs related to our investigation and resulting liabilities.”

In doing so, companies should consider whether or not cyber attacks post a unique and material risk to their operations and should discuss these risks in a way that avoids boilerplate language and statements of general risk applicable to all users of information technology. Although the disclosure should be tailored and company-specific and should provide enough information to allow investors to “appreciate the nature of the risks,” companies need not provide potential cyber attackers with a “road map” of their security flaws or vulnerabilities, according to the SEC. And as Target’s reaction to its data breach illustrates, disclosures may continue after a cyber incident as the company continues to investigate and update affected parties and investors.

Renewed Congressional Interest in Legislation

Meanwhile in Washington, legislators are renewing the call for new federal laws that would strengthen data security and notification requirements. Citing the Target data breach, last week Senate Judiciary Committee Chairman Patrick Leahy (D-VT) introduced the Personal Data Privacy and Security Act (S. 1897). The bill would create a national standard for data breach notification, require that companies engaging in interstate commerce keep consumer data they collect secure from outside intrusion or public release and allow the assessment of potential criminal and civil penalties. Additionally, Sen. Edward J. Markey (D-MA), a member of the Senate Commerce Committee, released a statement saying that the Target breach illustrates the need for stronger data security standards.

Sen. Tom Carper (D-DE) also announced that he plans to reintroduce similar legislation that would create a national reporting standard for data breaches that would apply to both retailers and financial institutions. Sen. Pat Toomey (R-PA) has had a similar bill, the Data Security and Breach Notification Act of 2013 (S. 1193), pending before the Senate Commerce Committee since June 2013. That bill would grant the Federal Trade Commission (FTC) new authority to establish and enforce regulations requiring companies to protect consumer data and notify consumers in the event of a breach.

Additionally, some lawmakers are calling on the FTC to investigate. In a letter to the FTC on December 22, 2013, regarding the recent Target breach, Sen. Richard Blumenthal (D-CT) wrote that “it appears Target may have failed to employ reasonable and appropriate security measures to protect personal information.” Further, state attorneys general across the country said they will examine whether Target provided enough protection for its customers.

While the introduction of new legislation amid the Target and Snapchat breaches increases the likelihood that data breach notification requirements will gain some traction on Capitol Hill this year, it remains to be seen whether broader, more comprehensive action on consumer privacy rights and data security will occur. A broader privacy bill pitched by the Obama Administration, known as the “Consumer Privacy Bill of Rights,” is also unlikely to see significant legislative action. That proposal would focus on giving consumers individual control of how their data is collected and used while requiring companies that collect consumer data to be more transparent about their use and protection of the data. The proposal would rely on a combination of increased FTC enforcement authority, along with new legislation to accomplish those goals.

So far, Congress’s focus in this area in 2014 is centered on data protection and breach notification, as opposed to other topics, such as consumer privacy rights. Indeed, the House passed a bill on January 10, 2014, that focuses on data security rules for, the federal government website where the public can sign up for health insurance coverage under the Affordable Care Act. The bill, sponsored by Rep. Joe Pitts (R-PA), would require the Obama Administration to notify federal and state exchange users within two days if their personal data has been breached. While the bill was supported by 67 House Democrats, it is being seen more as a political measure than a policy shift toward support for a uniform federal breach notification standard for private companies. The bill is not expected to be taken up in the Senate.

Whether Congress will or should act on consumer data protection and breach notification remains open for debate. Given the current patchwork of state regulations concerning breach notification, some companies may welcome a single, reasonable federal standard. Some stakeholders argue, however, that such federal standards are unnecessary given companies’ self-interest in protecting their customers’ personal information. Indeed, in response to the December breach, Target has offered all of its customers free credit monitoring and identity theft protection for one year. While some federal legislation may call for such a remedy, Target is not currently required to do so by federal law.

As the Snapchat breach has shown, data protection and breach notification issues are not isolated to retailers and financial institutions that handle sensitive consumer and financial data, but also social media companies that harvest troves of personal data.

According to a statement by the Snapchat hacker(s), the breach was made in order to raise public awareness about Snapchat’s inadequate privacy protections and force the company to fix the security flaws the hacker(s) exploited. Snapchat has apologized to its users and promised to remedy the security flaws that allowed the breach. Snapchat, whose focus is the sharing of photographs between mobile devices which are then automatically deleted after a user-specified amount of time, faced earlier scrutiny in May 2013, when the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC, alleging that Snapchat misled its customers when it claimed their photos would “disappear forever.” In practice, EPIC argued, the photos remain stored on users’ phones and could potentially be accessed by someone with specialized knowledge.

While there will always be the threat of malicious actors seeking to obtain and manipulate personal, private data collected by companies for legitimate business purposes, it will ultimately remain in the self-interest of companies to try and stay as far ahead of the hackers as possible, whether or not federal lawmakers ultimately enact comprehensive data protection laws or some form of breach notification requirements. As the old adage goes, “an ounce of prevention is worth a pound of cure.” Congress may decide to legislate greater preventative measures, and if it does, should do so in a way that gives companies the flexibility needed to respond to new threats.

Written by:

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.