Happy New Year! We are beginning this week with a series of top
Privacy and Security issues for 2013, as we see them. Let's
start with an issue of interest to publicly traded companies, or
companies considering going public in 2013 – a reminder that
cybersecurity issues are of interest to the Securities and Exchange
Commission (SEC) and are a shareholder disclosure issue. We expect
to see an increased focus in this area in 2013.
THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA SECURITY RISKS AND BREACHES
The amount of personal and confidential information maintained
electronically by public companies increases every day. As a
consequence of this increase, the likelihood that a given public
company will suffer a data breach and that such breach will have a
material adverse effect on the company's business also
increases. In response to this ever-increasing risk, the Securities
and Exchange Commission (the "SEC") is requiring greater
disclosure related to data security and this trend will likely
increase in 2013.
A recent example of this increased disclosure can be found in
the risk factors of a prospectus filed by Michaels
Stores, Inc. Specifically, Michaels Stores, Inc. included the
following risk factor: "Failure to adequately maintain
security and prevent unauthorized access to electronic and other
confidential information and data breaches could materially
adversely affect our financial condition and operating
results." This type of risk factor is becoming more and more
common among public company filings, both in registration
statements and annual and quarterly filings.
Companies that fail to include adequate disclosure about data
security risks have already begun receiving SEC comments on 10-Ks filed
at the end of 2011. One example of this occurred in the SEC's
review of Freeport-McMoRan Copper & Gold Inc.'s
("Freeport") 10-K for Fiscal Year Ended December 31,
2011. In the SEC's Comment Letter, it noted that
Freeport failed to include any risk factors related to cyber
attacks. The SEC commented that in Freeport's next 10-Q, it
should provide "risk factor disclosure describing the
cybersecurity risks that you face or tell us why you believe such
disclosure is unnecessary." The SEC further referred Freeport
to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
Sure enough, as Freeport promised in its response letter to the
SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30,
In 2013, the SEC is likely to ramp up its cybersecurity risk
disclosure requirements and will require all types of public
companies to include additional disclosure regarding data security
risks and breaches, not just internet-based public companies like