Happy New Year! We are beginning this week with a series of top
Privacy and Security issues for 2013, as we see them. Let's
start with an issue of interest to publicly traded companies, or
companies considering going public in 2013 – a reminder that
cybersecurity issues are of interest to the Securities and Exchange
Commission (SEC) and are a shareholder disclosure issue. We expect
to see an increased focus in this area in 2013.
THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA
SECURITY RISKS AND BREACHES
The amount of personal and confidential information maintained
electronically by public companies increases every day. As a
consequence of this increase, the likelihood that a given public
company will suffer a data breach and that such breach will have a
material adverse effect on the company's business also
increases. In response to this ever-increasing risk, the Securities
and Exchange Commission (the "SEC") is requiring greater
disclosure related to data security and this trend will likely
increase in 2013.
A recent example of this increased disclosure can be found in
the risk factors of a prospectus filed by Michaels
Stores, Inc. Specifically, Michaels Stores, Inc. included the
following risk factor: "Failure to adequately maintain
security and prevent unauthorized access to electronic and other
confidential information and data breaches could materially
adversely affect our financial condition and operating
results." This type of risk factor is becoming more and more
common among public company filings, both in registration
statements and annual and quarterly filings.
Companies that fail to include adequate disclosure about data
security risks already began receiving SEC comments for 10-Ks filed
at the end of 2011. One example of this occurred in the SEC's
review of Freeport-McMoRan Copper & Gold Inc.'s
("Freeport") 10-K for Fiscal Year Ended December 31,
2011. In the SEC's Comment Letter, it noted that
Freeport failed to include any risk factors related to cyber
attacks. The SEC commented that in Freeport's next 10-Q, it
should provide "risk factor disclosure describing the
cybersecurity risks that you face or tell us why you believe such
disclosure is unnecessary." The SEC further referred Freeport
to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
Sure enough, as Freeport promised in its response letter to the
SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30,
In 2013, the SEC is likely to ramp up its cybersecurity risk
disclosure requirements and will require all types of public
companies to include additional disclosure regarding data security
risks and breaches, not just internet-based public companies like
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On February 12, the National Institute of Standards and Technology (NIST) released a voluntary cybersecurity framework designed to address the heightened business and security risks that come from increased reliance on information technology and industrial control systems.*
In the wake of recent highly publicized consumer data breaches, the California Senate has passed S.B. 383, a bill that restricts the personal identification information that retailers can collect from consumers making online credit card purchases of downloadable content.
Remember that scene from Minority Report? The one where John Anderton (Tom Cruise) takes a trip to GAP, virtual billboards call out his name and bombard him with offers as he walks through the mall, retinal scanners flash left and right, an AI hologram offers up his own personal greeting – "Welcome Back to the Gap!"
One day after retailer Target confirmed hackers had penetrated its computer systems, compromising the personal information of up to 110 million people, the company offered customers free credit-monitoring services and identity-theft insurance.