A number of well-known companies, including Zappos.com, Google, Quest Diagnostics, Eastman Chemical and AIG, have recently experienced actual or potential intrusions into their computer systems and related confidential data. Some of these incidents have been active criminal attacks by sophisticated hackers, while others have resulted from situations such as lost or stolen laptops. The frequency and severity of hacking incidents have been steadily increasing. In fact, virtually all companies today are subject to the risks of such incidents due to the widespread use of the Internet and information technology. The advent of a substantial mobile workforce, with workers accessing data remotely through smartphones, tablets, laptops and other devices, has also multiplied companies’ risks in this area.
As the risks have increased, the SEC has recently been increasing the pressure on public companies to disclose “hacking” and other cyberintrusion incidents in their regulatory filings. There are still no SEC rules governing such disclosure, but I believe that this has clearly become a high-priority disclosure item. I also foresaw these increased cybersecurity disclosure requirements in my prior blog post (“Get Ready for Increased Cybersecurity Disclosure Requirements”). Public companies that experience a hacking or other cyberintrusion incident should carefully review the recent actions taken by the SEC and by other public companies that have experienced these incidents.
The SEC took a major step in encouraging disclosure of hacking and other cybersecurity items with its issuance of “2011 CF Disclosure Guidance: Topic No. 2 (Cybersecurity)” (the “Release”) in October 2011. This Release only provided general guidance on disclosure of cyberincidents. The SEC has not yet developed any rules or regulations on cybersecurity or hacking incident disclosure, although we believe that such rules and regulations will be enacted at some point soon. In any case, based on recent events it appears that the Commission is strongly encouraging such disclosure despite the lack of existing rules and, in some cases, engaging in de facto rulemaking.
Companies tend to resist disclosure of hacking incidents for several reasons. The ability of hackers to penetrate a company’s cybersecurity systems and defenses is embarrassing and can damage a company’s brand and reputation. This is especially true for large e-commerce companies and technology companies. Companies also resist this disclosure because they feel that it may expose potential vulnerabilities in their information technology or cybersecurity systems and may thus encourage future hacking incidents. Such disclosure can also trigger shareholder criticism or litigation.
The recent incidents that I mention above clearly show the SEC’s desire for disclosure of such cyberincidents. In January 2012, hackers successfully breached the cybersecurity defenses of Zappos.com (a business unit of Amazon.com) and stole information regarding nearly 24 million customers. Amazon initially chose to not disclose this incident in the company’s securities filings on the basis that the Release did not require such disclosure. The SEC pushed Amazon to disclose this cyber incident, and the company eventually decided to comply. Amazon sent a response to the SEC’s comment letter on this matter that discusses the company’s decision to disclose this information even though it does not believe that the Release mandates such disclosure. In addition, Amazon’s Form 10-Q now discloses (on page 34) this situation as a risk factor.
The SEC has also pushed other companies to disclose similar cyberintrusion incidents in their public filings, and these companies have eventually agreed to do so. As I mentioned above, such companies as Google and Eastman Chemical have experienced cyberattacks and only subsequently agreed to disclose these situations in their public filings in response to the SEC’s involvement.
Companies should also take these situations as a warning in connection with their existing cybersecurity systems and defenses. The costs of an attack or a data breach are substantial and normally include both cash and noncash costs, including brand damage. In the situations that I describe above, it appears that the Zappos.com and Google attacks were the result of sophisticated hacker activity, but the Quest situation seems to have resulted solely from the loss or theft of some laptops. The consequences are no less severe in any of these cases, but the Quest situation shows how a bad situation can result from fairly simple circumstances without sophisticated hacker resources.
All public companies should prepare now. Before your company experiences a cyberattack, study the Release and the SEC’s responses to the actions of the companies that I described above to help plan your company’s potential disclosure requirements. Until the SEC publishes specific rules regarding cyberattacks and related incidents, this is the best guidance available.