In late October, I participated in a panel discussion at the Association of Corporate Counsel Conference 2011 in Denver, Colorado—the topic was Protecting Your Company from WikiLeaking. A portion of my presentation focused on ways in which corporations can develop a repeatable process to identify where sensitive data should and should not be.
I became particularly interested in partaking in the panel discussion on WikiLeaks, not only because it is a timely topic, but also because it encompasses aspects of information governance, privacy and security. WikiLeaks recently announced it was going to temporarily cease operations to raise money to finance the website. However, the issues at the heart of the WikiLeaks discussion, such as security and data breaches, continue to grow in scope and severity.
When WikiLeaks first drew media attention, the stories focused on leaks pertaining primarily to the U.S. government. There had been a few leaks posted on the site that dealt with private companies, but nothing largely significant. Then in November 2010, WikiLeaks founder Julian Assange said in an interview in Forbes Magazine that he planned to release thousands of documents on his site at the beginning of 2011, and that the information would turn an American bank “inside out.” Those plans never came to fruition because of the destruction of the files containing the “bombshell” information by a former colleague of his. Although the company involved dodged a major bullet, the incident brought the issue of the corporate information compromise to national attention.
The federal government is now also taking action on WikiLeaks-like cyber threats to corporate America. On October 13, the Division of Finance at the Securities Exchange Commission released “CF Disclosure Guidance: Topic No. 2 – Cybersecurity” representing the culmination of an effort on behalf of a group of senators led by Jay Rockefeller to establish a set of guidelines for publicly traded companies to consider when faced with data security breach disclosures.
The concern from the senators is that investors are having difficulty evaluating cybersecurity risks faced by organizations and that corporations are not making sufficient disclosures as to such information in their public filings. According to the SEC in issuing the guidelines, “We have observed an increased level of attention focused on cyberattacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption.” The guidelines lay the groundwork for future shareholder suits based on failure to disclose such attacks.
The guidelines come on the heels of a number of recent high-profile, large-scale data security breaches involving Citicorp, Sony, NBC and others – many of which have affected organizations around the world. A catalyst for the regulations is found in the perceived failure of many organizations to report such breaches in a timely manner, or to take affirmative practical steps to address and mitigate the risks of a significant breach. To address any future disclosure failures, the SEC released the guidelines ordering companies to reveal the details of their data security breaches and steps taken to mitigate such risks.
As stated in the CF Disclosure Guidance:
- “Cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts.”
- “Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.”
Consistent with other SEC forms and regulations, organizations are not being advised to report every cyber incident. To the contrary, registrants should disclose only the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” If an organization determines in its evaluation that the incident is material, they should “describe the nature of the material risks and specify how each risk affects the registrant.” Generic disclosures are not sufficient.
The SEC indicated that in evaluating the risks associated with cyber incidents and determining whether those incidents should be reported, organizations should consider:
- Prior cyber incidents and the severity and frequency of those incidents
- The probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption
- The adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware
Rather than exposing new obligations for organizations, the SEC guidance highlights what company executives already knew about their obligations to report cyber incidents but may not have fully appreciated. The true lynch pin for every organization will be the determination of materiality and making the decision on which breaches get reported and which do not.
The threat of exposure of confidential corporate information is growing, and organizations must take steps to help minimize the risk of their data becoming part of the next “mega leak.” When I consult with attorneys and information technology professionals about building a defensible, repeatable, in-house e-discovery process, one of the things that I tell them is they need to be proactive in doing so. Many of the same principles apply when it comes to protecting an organization from data or security breaches. You cannot just stick your head in the sand and hope for the best—you have to confront the threat head-on.
Cybersecurity and data breach threats will continue to proliferate for companies of all sizes around the world. Failing to protect sensitive company data will pose an even greater risk going forward, as will the legal implications for failing to disclose material cyber incidents. A proactive approach to prevention of cyber and data breach incidents represents the best case scenario for all organizations.