As companies collect growing amounts of data about their customers and other consumers, sophisticated adversaries, recognizing the value of this information, have increased their efforts to pilfer it. For publicly traded companies, the risk of an intrusion goes beyond the cost and reputational harm that result from a major breach: the SEC has become increasingly willing to pursue enforcement actions against companies that fail to make appropriate disclosures to investors regarding cyberattacks. And through their security disclosure requirements, the SEC has set a trap for the unwary who fall prey to data thieves.
Put simply, the SEC requires public companies to accurately disclose the risks they face related to cybersecurity and handling personal information. The trap? The SEC views as inaccurate a disclosure that characterizes a security breach as a mere possibility if the company has actually suffered a material security breach.
The SEC’s guidance on security breach disclosure leaves many questions unanswered about when and to what extent companies must disclose cyberattacks. The SEC has not clearly articulated whether public companies must file supplemental disclosures when breaches of credit card data occur. As a result, companies already dealing with the fallout of a cybersecurity incident are left unsure how to fulfill their legal obligations to investors and the government.
Within its general public company reporting scheme, the SEC has issued various guidance over the past decade regarding what sorts of reporting obligations exist regarding cybersecurity risks, policies and breaches. In 2011, as exfiltration of customer data began to grow into the issue it is today, the SEC’s Division of Corporation Finance issued guidance suggesting that publicly traded companies should, in some circumstances, disclose cybersecurity risks and related incidents. The SEC then furthered its advice in 2018 when it issued interpretative guidance on public companies’ cybersecurity disclosure obligations.
At its core, the SEC has instructed “public companies [to] take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” This means that public companies must not only timely disclose material cybersecurity breaches, but they must also disclose the mere risk of a cybersecurity incident if a breach would cause a material impact to the company’s functions, operations, profitability or performance.
To date, the SEC’s guidance has largely focused on annual and quarterly reporting using Forms 10-K and 10-Q, but the SEC has remained silent regarding the use of Form 8-K to make similar disclosures. In other words, the SEC may find that a public company has made material misstatements or omissions in its annual or quarterly disclosures if a company fails to accurately and timely disclose cybersecurity incidents to investors; but the SEC has not clearly articulated if or when a Form 8-K disclosure is required in the aftermath of a cybersecurity breach.
And the SEC has put teeth behind its cybersecurity disclosure requirement. In 2019, the SEC reached a $100 million settlement with Facebook for failure to properly disclose the company’s discovery of the misuse of users’ information associated with the Cambridge Analytica scandal. When Facebook discovered that user data had been misappropriated in 2015, the company did not disclose that information until March 2018. In the intervening years, investor disclosures in Facebook’s public filings simply referred to the possibility that “users’ data may be improperly accessed, used or disclosed” without disclosing that such an incident had in fact already occurred. The SEC viewed this as a material omission, which Facebook exacerbated in statements it made to the media in the wake of the Cambridge Analytica scandal becoming public. Announced the same day as Facebook’s much larger $5 billion settlement with the FTC, the SEC’s critical—and in any other context huge fine—was somewhat lost among coverage of the FTC deal.
But the SEC has not dropped enforcement of the issue. Pearson plc, a London-based publisher of school- and university-related educational materials, just learned a similar lesson when it reached a $1 million settlement with the SEC in August 2021. As with Facebook, the SEC determined that Pearson had failed to adequately disclose its actual knowledge of a data breach, that Pearson misrepresented the preventative cybersecurity measures it had in place, and that Pearson made misleading statements to the media about the scale and scope of the intrusion. Here again, the SEC took issue with a public company disclosing the hypothetical risk of a data privacy incident without revealing that a data breach had actually occurred.
According to the SEC, “[t]he materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. . . . This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.” This, taken together with the SEC’s enforcement actions against Facebook and Pearson, indicate that companies must make accurate Form 10-K disclosures following a cybersecurity incident. In both instances, the SEC took issue with what each company did or did not say in various annual reports. Neither enforcement action stated that the target companies should have issued supplemental disclosures via Form 8-K.
Indeed, in 2018, SEC Commissioner Robert J. Jackson Jr. conducted an analysis of disclosed and reported data breaches in 2017. Of 82 significant breaches involving public companies that year, only four companies filed a Form 8-K disclosing the breach to investors. As Commissioner Jackson put it, “in 2017, companies that suffered data breaches chose not to file an 8-K more than 97% of the time.”
The question of whether to file a Form 8-K implicates a number of complicated considerations, which further compounds the uncertainty faced by leaders of public companies. At the outset, companies must make a nuanced determination regarding whether the cybersecurity breach is itself material; but this consideration and the associated disclosure obligations also trigger other competing considerations.
Many states each have separate disclosure and reporting rules with respect to cybersecurity incidents; and these disclosure obligations usually operate on time frames other than the four-business-day rule usually applicable to Form 8-K disclosures. Furthermore, the SEC maintains strict rules against insider trading on material non-public information, which could well include a significant cybersecurity breach. On top of all of this, companies facing serious cybersecurity incidents are often busy addressing the breach itself, which usually involves identifying and closing any existing vulnerability or exploits, triaging ongoing data exfiltration, notifying affected customers, and instituting costly and invasive cybersecurity audits. Indeed, if a Form 8-K disclosure is required within four business days of a triggering event, how should a public company disclose a data breach if determining the nature and scope of the breach takes more than four business days?
As the scale of cybersecurity breaches continues to grow by magnitudes, public companies face unique pressures when dealing with the consequences of a data breach. While the SEC has provided certain useful data points regarding how public companies should disclose cybersecurity incidents using annual and quarterly reporting mechanisms, the SEC has remained conspicuously silent on the issuance of Form 8-K disclosures following serious data breaches. This creates significant uncertainty for companies, which is multiplied by the other obligations these companies face when a data breach is discovered. The SEC would do well to address this significant gap in its regulatory guidance.
A data breach triggers myriad legal duties and can lead to significant and costly consequences for the affected company. At the outset, companies must identify the source of the breach and patch vulnerabilities; but affected companies must simultaneously identify legal obligations triggered by the breach, while also planning ahead of regulatory action, litigation and investigations by vendors and business partners, including banks and payment card issuers.
Both the Pearson and the Facebook enforcements identified a secondary issue that is fundamental to properly responding to a data breach: in both cases, the SEC also found that each company lacked an effective mechanism for communicating information about the data incidents to the persons responsible for making public disclosures. In other words, the SEC found additional misconduct because incident response teams and regulatory disclosure teams failed to adequately communicate. These enforcement actions should serve as a lesson to companies impacted by data breaches: while addressing the immediate consequences of a breach are paramount, leadership must ensure that all relevant internal groups remain informed regarding incident-related developments. Doing so helps ensure that other internal specialists bring their experience to bear in helping the affected company fulfill its obligations to customers, vendors and investors.
From the first moment a data breach is identified, an affected company should immediately seek legal counsel to help them guide through the pitfalls created through a cybersecurity incident, including how best to manage required disclosures. The attorneys at Brownstein Hyatt Farber Schreck have significant experience dealing with every aspect of cybersecurity breaches, including congressional investigations, actions by state attorneys general, private litigation, PCI investigations and reputational damage control. Our experienced team of legal professionals are prepared to assist when the need arises.