Privacy and Security Issues for 2013 (First of a series): The SEC Will Require Greater Disclosure Related to Data Security Risks and Breaches
Happy New Year! We are beginning this week with a series of top Privacy and Security issues for 2013, as we see them. Let’s start with an issue of interest to publicly traded companies, or companies considering going public in 2013 – a reminder that cybersecurity issues are of interest to the Securities and Exchange Commission (SEC) and are a shareholder disclosure issue. We expect to see an increased focus in this area in 2013.
The amount of personal and confidential information maintained electronically by public companies increases every day. As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company’s business also increases. In response to this ever-increasing risk, the Securities and Exchange Commission (the “SEC”) is requiring greater disclosure related to data security and this trend will likely increase in 2013.
The SEC issued guidance relating to public company disclosure of data security in the end of 2011. Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S-1 Registration Statement and became one of the pioneers in data security and privacy disclosure. Since then, public and soon-to-be public companies have followed suit and more companies are including disclosure related to data security risks and breaches.
The disclosure does not only effect companies dependent on technology as a core part of its business. Two recent examples of this increased disclosure can be found in the risk factors of a prospectus filed by Michaels Stores, Inc. and that filed by SeaWorld Entertainment, Inc. Specifically, Michaels Stores, Inc., a craft specialty retailer, included the following risk factor: “Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results.” This type of risk factor is becoming more and more common among public company filings, both in registration statements and annual and quarterly filings. Interestingly, Michaels was the victim of a large-scale hack attack on its POS system in 2011 and given that, and the resulting class action suits, we might have expected to see expanded disclosure. SeaWorld, the owner/operator of SeaWorld, Busch Gardens, Sesame Place , and other theme parks, filed its registration statement just after Christmas and includes the following risk factor:
Cyber security risks and the failure to maintain the integrity of internal or guest data could result in damages to our reputation and/or subject us to costs, fines or lawsuits.
We collect and retain large volumes of internal and guest data, including credit card numbers and other personally identifiable information, for business purposes, including for transactional or target marketing and promotional purposes, and our various information technology systems enter, process, summarize and report such data. We also maintain personally identifiable information about our employees. The integrity and protection of our guest, employee and Company data is critical to our business and our guests and employees have a high expectation that we will adequately protect their personal information. The regulatory environment, as well as the requirements imposed on us by the credit card industry, governing information, security and privacy laws is increasingly demanding and continue to evolve. Maintaining compliance with applicable security and privacy regulations may increase our operating costs and/or adversely impact our ability to market our theme parks, products and services to our guests. Furthermore, a penetrated or compromised data system or the intentional, inadvertent or negligent release or disclosure of data could result in theft, loss, fraudulent or unlawful use of guest, employee or Company data which could harm our reputation or result in remedial and other costs, fines or lawsuits.
Companies that fail to include adequate disclosure about data security risks already began receiving SEC comments for 10-Ks filed at the end of 2011. One example of this occurred in the SEC’s review of Freeport-McMoRan Copper & Gold Inc.’s (“Freeport”) 10-K for Fiscal Year Ended December 31, 2011. In the SEC’s Comment Letter, it noted that Freeport failed to include any risk factors related to cyber attacks. The SEC commented that in Freeport’s next 10-Q, it should provide “risk factor disclosure describing the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.” The SEC further referred Freeport to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Sure enough, as Freeport promised in its response letter to the SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30, 2012.
In 2013, the SEC is likely to ramp up its cybersecurity risk disclosure requirements and will require all types of public companies to include additional disclosure regarding data security risks and breaches, not just internet-based public companies like Facebook, Inc. Recommended action for 2013: If your company files reports with the SEC, you should be paying close attention to the SEC Cybersecurity Guidance and examining your own potential exposure to cybersecurity risks through a comprehensive risk assessment.
See part two of this series: Privacy and Security Issues for 2013 (Second of a series): What to Expect in the Employment Arena