When to Disclose Data Breaches under Federal Securities Laws

Source: CNBC

By Steven Wittenberg


Hacking and cybercrime are on the rise.[1] From 2013 to 2015, twenty major data breaches were reported at Fortune 100 companies.[2] Publicly traded companies that have securities disclosure obligations should be aware of their duties under the federal securities laws when it comes to data breaches and hacks.[3]

In 2011, the SEC Division of Corporation Finance issued guidelines for cyber incidents.[4] The SEC stated, “[A] number of disclosure requirements may impose an obligation on registrants to disclose such [cyber] risks and incidents,” although there are no explicit requirements referring to data breaches.

While major data breaches may be material to reasonable investors of public companies, there is no duty to promptly disclose the occurrence of cyber incidents unless there have been selective disclosures, previous misstatements or circumstances making the omission of the hack misleading.[5] The federal securities laws also impose periodic disclosure duties on public companies.

[1] The Rise of the Hacker, Economist (Nov. 7, 2015), http://www.economist.com/news/business/21677638-rise-hacker.

[2] How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience, Debevoise & Plimpton (Sept. 12, 2016), http://www.debevoise.com/~/media/files/insights/publications/2016/09/20160912_how_to_disclose_a_cybersecurity_event_recent_fortune_100_experience.pdf.

[3] Hacking, data breaches and cyber incidents are used synonymously here. They are incidents that cause personal information to be improperly taken without the individuals’ consent.

[4] CF Disclosure Guidance: Topic No. 2, S.E.C., https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[5] Insider trading and fraud may also create an obligation to disclose data breaches, but are not discussed here.