The Securities and Exchange Commission (the “SEC”) requires companies to disclose the most significant factors that make investments in the company speculative or risky. Private Placement Memorandums (“PPMs”) are often used to give investors the full picture of a potential investment opportunity, especially the risks. As an increasing amount of businesses continue to fall prey to data breaches, risk factor disclosures related to data privacy and cybersecurity are becoming a necessity. The inclusion of cyber-related disclosures to the Risk Factors section of a PPM ensures that investors are aware of the company’s treatment of and attitude toward its data and technology to better assess the potential risk and cost related to the consequences of experiencing and recovering from a data breach.
So, for your next PPM, consider including adding several data privacy and cybersecurity risk factors that deal with the following:
- Impact of Breach of Personally Identifiable Information. A risk factor section of the PPM should identify the potential liability and damage to the company’s reputation that would occur upon an unauthorized breach of the personally identifiable information of the company’s employees and customers/clients.
- Technology. Despite training employees on how to use technology and hiring well-vetted IT experts, reliance on vulnerable or outdated technology and computer systems puts a company at risk of a data breach. Disruptions to a company’s information technology systems and replacement of those systems can be costly. There should therefore be a risk factor that describes the potential consequences that would result from disruptions or failure of these technologies or systems or any failure on the company’s part to implement any new technologies or systems.
- Regulatory Compliance. A company’s business practices with respect to the collection, use, sharing, or selling of certain data could give rise to liabilities, restrictions on its business, or reputational harm as a result of evolving governmental regulation, legal requirements, or industry standards relating to consumer privacy and data protection. Depending on where a company does business and what data it collects or processes, it may need to be in compliance with numerous laws and regulations such as the European Union’s General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and Virginia’s new Consumer Data Protection Act (“CDPA”) may be required.
These laws and regulations are continuously evolving and developing, with proposed legislation pending in several additional states. As a result, the scope and interpretation of the laws that may be applicable to the company are often uncertain and may be conflicting. Since it is possible that certain new obligations may be difficult to meet and any failure by the company to meet its obligations could result in legal claims or proceedings, liability, or regulatory penalties, there should be a specific risk factor to highlight these issues
- Malware, viruses, hacking, and phishing attacks. Computer malware, viruses, and computer hacking and phishing attacks have become more prevalent and may occur on the company’s systems at any time. Though it is difficult to determine what, if any, harm may directly result from any specific interruption or attack, the failure to maintain performance, reliability, security, and availability of the company’s products and technical infrastructure to the satisfaction of its clients/customers may harm the company’s reputation and ability to retain existing clients/customers and attract new clients/customers, the PPM should include a risk factor highlighting the possibility of such attacks.
- COVID-19. Since the onset of the COVID-19 pandemic, companies around the world are facing increased cybersecurity risks due to the number of employees that are working remotely in regions impacted by stay-at-home orders. The increase of employees working remotely due to the COVID-19 pandemic creates additional opportunities for cybercriminals to exploit vulnerabilities in technology systems. In addition, the company’s employees may be more susceptible to phishing and social engineering attempts due to increased stress caused by the crisis and from balancing family and work responsibilities at home. Therefore, the PPM should include a risk factor highlighting these increased risks.