Happy New Year! We are beginning this week with a series of top
Privacy and Security issues for 2013, as we see them. Let's
start with an issue of interest to publicly traded companies, or
companies considering going public in 2013 – a reminder that
cybersecurity issues are of interest to the Securities and Exchange
Commission (SEC) and are a shareholder disclosure issue. We expect
to see an increased focus in this area in 2013.

THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA SECURITY RISKS AND BREACHES

The amount of personal and confidential information maintained
electronically by public companies increases every day. As a
consequence of this increase, the likelihood that a given public
company will suffer a data breach and that such breach will have a
material adverse effect on the company's business also
increases. In response to this ever-increasing risk, the Securities
and Exchange Commission (the "SEC") is requiring greater
disclosure related to data security, and this trend will likely
increase in 2013.
A recent example of this increased disclosure can be found in
the risk factors of a prospectus filed by Michaels
Stores, Inc. Specifically, Michaels Stores, Inc. included the
following risk factor: "Failure to adequately maintain
security and prevent unauthorized access to electronic and other
confidential information and data breaches could materially
adversely affect our financial condition and operating
results." This type of risk factor is becoming more and more
common among public company filings, both in registration
statements and annual and quarterly filings.
Companies that failed to include adequate disclosure about data
security risks have already begun receiving SEC comments on 10-Ks filed
at the end of 2011. One example of this occurred in the SEC's
review of Freeport-McMoRan Copper & Gold Inc.'s
("Freeport") 10-K for Fiscal Year Ended December 31,
2011. In the SEC's Comment Letter, it noted that
Freeport failed to include any risk factors related to cyber
attacks. The SEC commented that in Freeport's next 10-Q, it
should provide "risk factor disclosure describing the
cybersecurity risks that you face or tell us why you believe such
disclosure is unnecessary." The SEC further referred Freeport
to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
Sure enough, as Freeport promised in its response letter to the
SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30,
In 2013, the SEC is likely to ramp up its cybersecurity risk
disclosure requirements and will require all types of public
companies to include additional disclosure regarding data security
risks and breaches, not just internet-based public companies like
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.