Happy New Year! We are beginning this week with a series of top
Privacy and Security issues for 2013, as we see them. Let's
start with an issue of interest to publicly traded companies, or
companies considering going public in 2013 – a reminder that
cybersecurity issues are of interest to the Securities and Exchange
Commission (SEC) and are a shareholder disclosure issue. We expect
to see an increased focus in this area in 2013.
THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA SECURITY RISKS AND BREACHES
The amount of personal and confidential information maintained
electronically by public companies increases every day. As a
consequence of this increase, the likelihood that a given public
company will suffer a data breach and that such breach will have a
material adverse effect on the company's business also
increases. In response to this ever-increasing risk, the Securities
and Exchange Commission (the "SEC") is requiring greater
disclosure related to data security, and this trend will likely
increase in 2013.
A recent example of this increased disclosure can be found in
the risk factors of a prospectus filed by Michaels
Stores, Inc. Specifically, Michaels Stores, Inc. included the
following risk factor: "Failure to adequately maintain
security and prevent unauthorized access to electronic and other
confidential information and data breaches could materially
adversely affect our financial condition and operating
results." This type of risk factor is becoming more and more
common among public company filings, both in registration
statements and annual and quarterly filings.
Companies that fail to include adequate disclosure about data
security risks have already begun receiving SEC comments for 10-Ks filed
at the end of 2011. One example of this occurred in the SEC's
review of Freeport-McMoRan Copper & Gold Inc.'s
("Freeport") 10-K for Fiscal Year Ended December 31,
2011. In the SEC's Comment Letter, it noted that
Freeport failed to include any risk factors related to cyber
attacks. The SEC commented that in Freeport's next 10-Q, it
should provide "risk factor disclosure describing the
cybersecurity risks that you face or tell us why you believe such
disclosure is unnecessary." The SEC further referred Freeport
to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
Sure enough, as Freeport promised in its response letter to the
SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30,
In 2013, the SEC is likely to ramp up its cybersecurity risk
disclosure requirements and will require all types of public
companies to include additional disclosure regarding data security
risks and breaches, not just internet-based public companies like
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.