In July 2016, Verizon announced it would buy Yahoo! for an unprecedented $4.83 billion. Several months later, Yahoo! disclosed two massive data breaches that affected 1.5 billion people, threatening to scuttle the agreement. Although Verizon recently finalized the acquisition, the hack forced Yahoo! to accept a $350 million reduction in purchase price.
Within the last few years, publically held companies—including Sony, Target, and most recently, Chipotle Mexican Grill—have been infiltrated by hackers bent on stealing trade secrets and personal information. The efficacy of cloud computing has spawned a digital arms race between companies who attempt to safeguard customer information and private and state actors, who wish to obtain it. Given that large-scale data breaches are becoming the norm, companies need to be aware of reporting and disclosure obligations they may face in the event of a breach. While most companies recognize their obligations under state data breach laws and HIPAA, few publically traded companies consider what, if anything, they should disclose to the U.S. Securities and Exchange Commission (SEC) in the event of a breach. In failing to do so, they risk SEC sanctions and potential liability from class action lawsuits, either of which could result in significant losses.
In 2011, the SEC distributed guidance that told publically traded companies that they should report all hacking incidents that might have a “material adverse effect on the business.”[1] However, the agency failed to explain what constitutes a material incident. Following the release of information related to Yahoo!’s data breaches, the SEC launched an investigation into whether the company’s disclosures of the breaches complied with this requirement, meaning the agency seemingly views the $350 million drop in the purchase price as a material adverse effect. While this line in the sand will not help most companies determine whether a data breach has had a material adverse effect, the SEC’s ongoing investigation into the timeliness of Yahoo!’s disclosure filing is important because it may signal a shift in agency policy toward more aggressive enforcement of this rule. Up to this point, however, the SEC has yet to use its enforcement power against a company, including Yahoo!, for failure to disclose a data breach.
The other threat to companies who fail to properly disclose a data breach in their SEC filings is civil ligation. Although there is no federal securities law that requires disclosure of an actual or attempted data breach, failure to disclose could subject a publically traded company to civil liability under the Securities Exchange Act of 1934.[2] Specifically, Rule 10b-5 regulates fraud in connection with the purchase and sale of securities, making it unlawful to “directly or indirectly . . . make any untrue statement of material fact or omit . . .[a] material fact necessary in order to make [a] statement . . . not misleading.”[3] Thus, depending upon the severity of the data breach, a company should consider supplementing its annual 10-K form, which requires a company to report cyber-security risks that could affect the business, or filing an 8-K form, which is used to inform shareholders of material corporate events.
Whether to disclose a data breach to the SEC amounts to a judgment call that must be made by a company’s leadership. However, executives are often unsure as to what—and how much—information to disclose. Disclosing too little information, or acknowledging a breach long after it occurred, can make a company appear dishonest and unreliable to investors. Alternatively, disclosing too much information can decrease a company’s market value and make it vulnerable to future hacking attempts.
Understandably, many companies are unsure as to how to best tailor internal policy to comply with SEC guidelines, and, at the same time, reduce risk of monetary loss. A good rule of thumb is to disclose any breach to the SEC that a reasonable investor would expect to know about.[4] Such an assessment requires a careful review of the facts surrounding the breach and the inferences that an investor would draw from those facts.[5] Regardless of what a company decides to share with investors and the SEC, it is essential that it has a plan to follow in the hours and days after a breach. This plan should include fixing vulnerabilities, working with forensics experts, determining legal obligations under state and federal law, alerting law enforcement, and notifying businesses and individuals who were affected by the breach.
Without clear guidance from the SEC as to when disclosure is required, this will remain an evolving area of law for the foreseeable future. Nonetheless, publically traded companies would do well to review and update their internal policies in the event of a breach; otherwise, like Yahoo!, they risk exposing themselves to considerable liability and fiscal loss.
Special thanks to Sean Klammer for his assistance with this article.
[1] Securities and Exchange Commission Division of Corporate Finance, CF Disclosure Guidance: Topic No. 2: Cybersecurity (Oct. 13, 2011).
[2]. Securities Exchange Act of 1934, 17 C.F.R. § 240 (2016).
[4] See Basic Inc. v. Levinson, 485 U.S. 224, 231-32 (1988).
[5] Id. at 236.