Familiarize Yourself with SEC Guidance On Data Breach Disclosures

Securities and Exchange Commission, SEC, Building in Washington DC. The SEC plans to step up enforcement efforts related to corporate disclosures concerning cybersecurity incidents.

Part 1 of this article can be found here.

Regulatory and Legislative Changes Impacting D&O Liability

In May, the SEC announced that Yahoo! had agreed to pay a $35 million penalty to settle claims that the company had failed to timely disclose massive data breaches in its public filings. As discussed in our previous article, Yahoo!’s $80 million settlement in its related federal securities fraud action marked the first notable payout in a data breach-related securities lawsuit. Now, Yahoo!’s settlement with the SEC marks the first time the agency has brought an enforcement action alleging that a company’s failure to timely disclose a data breach (or breaches) violated federal securities laws.

In announcing the settlement, one SEC official stated that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

Yahoo!’s SEC settlement may indicate that the SEC plans to step up enforcement efforts related to corporate disclosures concerning cybersecurity incidents, and it follows on the heels of new interpretive guidance issued by the agency on this topic. The guidance, issued by the SEC on Feb. 21, 2018, serves two primary purposes. First, the SEC stressed that companies, through their directors and officers, must “establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material [cybersecurity] events” in order to comply with their disclosure obligations under the federal securities laws. In discussing the timing and scope of disclosures, the SEC explained that its guidance “is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.” However, the SEC emphasized that companies should disclose cybersecurity risks and incidents that are material to investors, “including the concomitant financial, legal, or reputational consequences.” Furthermore, the SEC cautioned that “an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”


Second, the updated guidance explained that insiders who trade on material, nonpublic information regarding cybersecurity risks or incidents violate the general antifraud provisions of federal securities laws, as well as related insider trading rules. The SEC further explained that companies should avoid making selective disclosures under Regulation FD about material cybersecurity risks or incidents. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” With respect to cybersecurity events, the SEC commented that “[c]ompanies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents to Regulation FD enumerated persons before disclosing that same information to the public.”

As mentioned above, directors and officers should become familiar with their obligations under the SEC’s updated guidance, especially as the agency may be taking a closer look at the timing and efficacy of corporate disclosures surrounding cybersecurity incidents in the wake of the Yahoo! settlement. In addition, while this updated guidance does provide some clarification for companies as to their disclosure obligations under the federal securities laws, it may also be used by shareholder-plaintiffs to bolster inadequate-disclosure claims against directors and officers concerning cybersecurity risks or events. The guidance may also provide additional ammunition for shareholder-plaintiffs who wish to bring insider trading or selective disclosure claims against a company’s directors.

Boardrooms should also be aware of legislation introduced in November 2017 by Senate Democrats that could impact D&O liability for data breaches. The legislation, known as the Data Security and Breach Notification Act, would impose new penalties of fines and up to five years’ imprisonment on anyone convicted of “intentionally and willfully” concealing a data breach. The bill’s larger purpose, in pertinent part, is to simplify consumer notification standards for companies that are victims of a breach; it would require companies to quickly notify consumers if their information is compromised.

The legislation was reintroduced before Congress after news broke that Uber had been the target of a breach in 2016 and paid the hackers $100,000 for their silence. While the bill currently only has Democratic co-sponsors, Senators from both sides of the aisle at a hearing with current and former Yahoo! and Equifax executives last year appeared resolute that companies should be required to adopt additional protections to safeguard consumer information. With cybersecurity sure to remain a hot topic in 2018, companies should keep an eye on the Data Security and Breach Notification Act and any related legislation that could seek to introduce federal D&O penalties to remedy a perceived lack of accountability for breaches based on existing law.