May 24, 2012

Recent SEC Guidance and Upcoming Amendments to California and Illinois Statutes Affect Data Breach Disclosure Obligations

Recognizing that business entities now conduct a majority of their operations with the assistance of electronic programs and databases, and that a significant amount of business and personal information may be stored electronically in those systems, state legislatures and financial regulators are taking steps to identify the risks inherent in such computer-driven operations. Covered companies that are registered with the SEC and that collect or electronically store their clients' and employees' personal information run the risk of experiencing an unauthorized breach of that data by hacking, inadvertent dissemination, loss or theft of portable devices containing such information, or other unauthorized disclosure. If a data breach occurs, a covered company's responsibility to disseminate information about the breach may be broadened under the SEC's recent guidance.

SEC Releases Guidance Outlining Disclosure Obligations

On October 13, the Securities and Exchange Commission (SEC) released guidance[1] relating to a covered business entity's obligations to disclose cybersecurity risks and data breach incidents within SEC registrants' already-required SEC disclosures and filings. The SEC provided this guidance in an effort to instruct business entities on what situations call for disclosure of information about potential and/or actual data security breaches in public filings, and what amount of detail should be provided. 

Currently, 46 states plus the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted laws requiring companies to notify individuals within their jurisdiction if their personal information has been implicated in a data security breach incident. While each state's threshold requirements for notification vary, notification is typically required when information such as a person's Social Security number, driver's license number, or bank account number, in conjunction with other personal identifying information, has been or is "reasonably believed" to have been breached. While the new SEC guidance does not add any requirements to a company's state-by-state obligations to notify affected individuals in these situations, companies should consider the SEC's current position when considering whether similar disclosures about the breach must be included in SEC filings. 

In the event that a covered company experiences what the SEC terms a "material cyber attack," in the form of a data breach incident requiring notification, the SEC guidance indicates that the following factors associated with the breach may require disclosure in SEC-required filings:

  • Financial disclosures regarding the remediation costs incurred or expected to be incurred by the business entity. Such costs could include the costs of credit monitoring for affected individuals, costs of preparing and disseminating the data breach notifications, and costs associated with use of notification vendors.
  • Financial disclosures regarding the cost of a business entity's increased cybersecurity aimed at preventing future data breach incidents.
  • Financial disclosures regarding actual or potential loss in revenue due to reputational damage stemming from the data breach incident or actual revenue loss due to the effects of the data breach.
  • Legal disclosures regarding filed litigation stemming from the data breach, if the potential litigation would be material.

Additionally, if a business entity concludes that there is a risk of future cybersecurity/data breach incidents due to its systems not rigorously protecting data, the SEC guidance indicates that a business entity must disclose those facts if they make "investment in the company speculative or risky." 

The SEC guidance stops short of requiring registrants to modify or enhance the notifications and disclosures that are already mandated by each state's data breach statutes, in part because it is cognizant that "detailed disclosures could compromise cybersecurity efforts - for example, by providing a 'roadmap' for those who seek to infiltrate a registrant's network security."

Nevertheless, the SEC guidance makes it clear that, in addition to compliance with state data breach notification requirements, various existing SEC requirements may necessitate additional disclosure of a data breach incident or its aftereffects in a business entity's public filings. Business entities must therefore not only follow the letter of each state's notification laws, but also consider whether and how each data breach incident should be disclosed in their regular public filings.

California and Illinois Data Breach Requirements

In other data breach news, California, the first state to enact a data breach notification statute, and Illinois have both amended their data breach statutes.

California's amendments, which go into effect on January 1, 2012, incorporate many of the recent developments in other states. In data breach situations where more than 500 people are affected, for example, California's statute will require companies to "electronically submit a single sample" of the notification letter to the state's attorney general, excluding any personally identifiable information. The new law also amends the substitute notice provisions and addresses the relationship with federal requirements for companies subject to HIPAA.

The California amendments also clarify that data breach notices to affected individuals must be written in "plain language" and include the following:

  • A general description of the breach
  • The name of and contact information for the reporting entity
  • The types of personal information that were "or are reasonably believed" to have been part of the breach
  • The date or estimated date of the breach, and the length of the breach
  • Whether notification was delayed by law enforcement
  • Toll-free telephone numbers and addresses of the credit reporting agencies (CRAs), only if the breach included Social Security numbers, driver's license numbers, or California ID card numbers

Illinois has also amended its data breach notification requirements, with the amendments likewise going into effect on January 1, 2012. Illinois's amendments also mainly concern the content of a data breach notification. The state will require data breach notifications to include the toll-free numbers and addresses for the CRAs and the Federal Trade Commission, as well as a "statement that the individual can obtain information from these sources about fraud alerts and security freezes." Of note, the Illinois amendments specifically state that notifications to affected individuals shall not include the number of Illinois residents affected by the breach.

Implications

Companies regularly collect and store personal information from both their clients and their employees, creating a risk that this sensitive information could be inadvertently disclosed or accessed without authorization. In the case of a data breach, companies should not only be prepared to follow each state's requirements regarding notification and remediation of the breach and their contractual obligations to their customers, but also consider the implications of the breach upon their SEC filing requirements. These considerations should be included in a data breach incident response plan that the company follows if a breach occurs.

Copyright © 2012 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About the Author

Partner

Ron N. Dreben is a partner in Morgan Lewis's Intellectual Property Practice. Mr. Dreben focuses on integrated brand advertising, sponsored entertainment, and technology, as well as all areas of trademark, copyright, trade secret, licensing, and related intellectual property law.

202.739.5213

About the Author

Partner

W. Reece Hirsch is a partner in Morgan Lewis's FDA and Healthcare Practice. Mr. Hirsch focuses his practice on healthcare law regulatory and transactional matters. He counsels and represents hospitals, health plans and insurers, physician organizations, healthcare information technology companies, pharmaceutical and biotech companies, and other healthcare organizations on transactional and regulatory matters, including Medicare, fraud and abuse, self-referral, and privacy issues.

415-442-1422

Contributors

Partner

Kenneth M. Kliebard is a partner in Morgan Lewis's Litigation Practice and co-chair of the firm's Financial Services Litigation Group. Mr. Kliebard focuses his practice on complex commercial litigation, with a particular emphasis on class action matters and financial services litigation.

312-324-1774

About the Author

Partner

Gregory T. Parks is a partner in Morgan Lewis's Litigation Practice, with a focus on commercial, privacy and consumer matters for retailers, financial services organizations, and other businesses. Mr. Parks counsels and represents clients in a wide variety of matters, including consumer class actions, data privacy class actions, privacy and data security compliance, litigation involving retailers, disputes arising from mergers and acquisitions, contract and indemnification matters, and fraud lawsuits.

215-963-5170
