With more and more of our data moving to the cloud, network security is becoming an increasingly mainstream issue. But, for all of the media attention that material network breaches have garnered as of late, there hasn’t been much in the way of public-company disclosure. That may be about to change.
A Little Legislative Background
According to the National Conference of State Legislatures, 46 states, as well as the District of Columbia, Puerto Rico and the Virgin Islands, have legislation in place requiring that companies notify affected individuals of security breaches involving their personal data.
As proposed, the White House’s federal cybersecurity legislation would require a company that participates in interstate commerce and “uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period” to notify affected individuals following a security breach. The proposed legislation contains a safe harbor that would exempt a company from this notification requirement if, following a risk assessment, it concludes that there is no reasonable risk that the security breach has resulted or will result in harm to the affected individuals, and if it notifies the Federal Trade Commission of its risk assessment and safe harbor election.
A Request for Interpretive Guidance
Just prior to the White House’s release of its proposed cybersecurity legislation, Senator Jay Rockefeller, Chairman of the Senate Committee on Commerce, Science and Transportation, who has previously introduced his own cybersecurity legislation, penned a letter to SEC Chairman Mary Schapiro requesting that the Securities and Exchange Commission issue interpretive guidance addressing when companies need to make information security disclosures regarding:
- material information security risks and actions taken to reduce those risks; and
- material network breaches.
Disclosure Regarding Material Information Security Risks
When does a company need to make disclosures regarding material information security risks?
While there are no disclosure obligations that specifically address information security risks, disclosure may still be required under one or more of the following existing disclosure requirements:
- Risk Factors – Item 503(c) of Regulation S-K requires disclosure of the most significant factors that make an investment in a company speculative or risky. Risk factor disclosure should clearly state the risk and specify how the particular risk affects the company. The following is a sample of risk factors related to information security that have been culled from recent annual report filings:
If we experience significant service interruptions, which could require significant resources to resolve, it could result in a loss of customers or impair our ability to attract new customers, which in turn could have a material adverse effect on our business, results of operations and financial condition.
In addition, with the growth of wireless data services, enterprise data interfaces and Internet-based or Internet Protocol-enabled applications, wireless networks and devices are exposed to a greater degree to third-party data or applications over which we have less direct control. As a result, the network infrastructure and information systems on which we rely, as well as our customers’ wireless devices, may be subject to a wider array of potential security risks, including viruses and other types of computer-based attacks, which could cause lapses in our service or adversely affect the ability of our customers to access our service. Such lapses could have a material adverse effect on our business and our results of operations.
We may experience outages and disruptions of our online services if we fail to maintain adequate operational services and supporting infrastructure.
As we increase our online products and services, we expect to continue to invest in technology services, hardware and software — including data centers, network services, storage and database technologies — to support existing services and to introduce new products and services including websites, e-commerce capabilities and online communities. Creating the appropriate support for online business initiatives is expensive and complex, and could result in inefficiencies or operational failures, and increased vulnerability to cyber attacks, which could diminish the quality of our products, services, and user experience. Such failures could result in damage to our reputation and loss of current and potential users, subscribers and advertisers which could harm our business. In addition, we could be adversely impacted by outages and disruptions in the online platforms of our key business partners, who offer our products and services.
If we are unable to protect our information systems against data corruption, cyber-based attacks or network security breaches, or if we are unable to provide adequate security in the electronic transmission of sensitive data, it could have a material adverse effect on our business, financial condition and results of operations.
We are highly dependent on information technology networks and systems, including the Internet, to securely process, transmit and store electronic information. In particular, we depend on our information technology infrastructure for business-to-business and business-to-consumer electronic commerce. Security breaches of this infrastructure, including physical or electronic break-ins, computer viruses, attacks by hackers and similar breaches, can create system disruptions, shutdowns or unauthorized disclosure of confidential information. If we are unable to prevent such security or privacy breaches, our operations could be disrupted, or we may suffer loss of reputation, financial loss and other regulatory penalties because of lost or misappropriated information, including sensitive consumer data.
- Management’s Discussion and Analysis – Item 303 of Regulation S-K requires a broad range of disclosures necessary for an understanding of a company’s financial condition, changes in financial condition and results of operations.
Are there any known trends, events, demands, commitments or uncertainties related to network security that are reasonably likely to have a material effect on your liquidity, capital resources or financial condition? How might a network security breach impact your business? What are the costs associated with protecting personally identifiable information about your customers? What actions have you taken to mitigate the risks associated with a network breach? Do you have adequate network security in place? Do you carry insurance against cyber attacks? As the Commission has noted in its guidance on MD&A, disclosure of a known trend, event, demand, commitment or uncertainty is required unless a company is able to conclude either that it is not reasonably likely to come to fruition or that a material effect on the company’s liquidity, capital resources or results of operations is not reasonably likely to occur.
- Legal Proceedings – Item 103 of Regulation S-K requires disclosure of any material legal proceeding, other than ordinary routine litigation incidental to a company’s business.
Disclosures Regarding Material Network Breaches
One of the more prominent media examples of a material network breach is that of Sony Corporation, which has fallen victim to at least three different breaches in recent months: the first in late April, the second shortly thereafter in early May, and the most recent just last week. At least twenty-five lawsuits have been filed against Sony since its second network breach, one of which alleges that the company was aware of the possibility of a security breach but failed to adequately warn consumers.
Sony is a foreign private issuer, however, and not the best example for purposes of our disclosure discussion, because its reporting obligations are primarily governed by Japanese law. Some notable examples of domestic companies that have made headlines for material network breaches include:
- Lockheed Martin – which disclosed a May 21, 2011 network breach in a press release issued on May 28th and available on the company’s website. The release states, in relevant part, that “no customer, program or employee personal data” had been compromised in the attack.
- EMC Corporation – which disclosed a network breach in an open letter to customers posted on its website and in a Form 8-K, on March 17, 2011.
- Google – which disclosed a mid-December 2009 network breach in a post on its official blog and in a Form 8-K, on January 12, 2010 (there are estimates that over 200 companies were similarly targeted in the attack on Google). The most recent cyber attack concerning Gmail users did not involve a network breach but rather, as disclosed in a post on Google’s official blog on June 1, 2011, targeted users in a campaign to collect passwords through scams such as phishing.
- Nasdaq OMX Group – which, following a February 2011 Wall Street Journal report, confirmed that it had discovered a network breach in October 2010.
While both EMC and Google voluntarily disclosed their material network breaches on a Form 8-K filed in conjunction with their public response, most other companies do not make such disclosures. But should they be required to? And what would trigger such an obligation? Perhaps, along the lines of the proposed federal cybersecurity legislation, a company should be required to disclose a material network breach only to the extent it is required to notify affected consumers?
Updated: June 9, 2011
Chairman Schapiro’s response letter to Senator Jay Rockefeller was made available yesterday: