As cybersecurity vulnerabilities increasingly have threatened companies' bottom lines and operational abilities, boards of directors and top executives understandably are concerned about the protection of confidential information and ensuring uninterrupted business operations. A number of federal laws, regulations, and guidelines also require top management to ensure adequate cybersecurity, both as an ongoing part of business operations and as a prerequisite for certain corporate events, such as securities offerings, obtaining foreign investments, and exporting goods.
This chapter reviews some of the legal issues that often arise in these scenarios. First, the chapter reviews the Securities and Exchange Commission's (SEC) expectations for cybersecurity of publicly traded companies, as well as the general fiduciary duty that companies have to shareholders, and how that applies to cybersecurity. The chapter then examines the cybersecurity expectations of the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments in U.S. companies. Last, the chapter reviews how export controls restrict cybersecurity research and information sharing.
The laws and regulations discussed in this chapter affect different areas of corporate governance and in some cases are not directly related. SEC regulations require companies to be transparent to investors about cybersecurity challenges and incidents. A fiduciary duty is imposed by courts when companies harm shareholders by egregiously failing to protect against cyber threats. The CFIUS regulations restrict foreign investments that raise cybersecurity concerns. The export controls could limit companies' ability to share urgent cyber-threat information. In all of these areas, the unique, real-time nature of cybersecurity intersects with the slower-paced world of government regulation of large corporations. In all of these cases, the rules are far from settled, creating great uncertainty for executives and boards of directors.
The Securities Exchange Act of 1934, a Depression-era law intended to regulate publicly traded companies, provides the Securities and Exchange Commission with great discretion. Among its comprehensive regulations for publicly traded companies is Regulation S-K, which sets forth the requirements for regular public filings that companies must make with the SEC. Such filings include the 10-Q, a quarterly financial report; the 10-K, a more comprehensive annual financial report; and 8-Ks, which are issued at any time to inform the SEC – and investors – about any material developments. The goal of Regulation S-K – and the SEC's requirement for such filings – is to increase transparency so that investors can make informed decisions.
The SEC has long required companies to make these annual filings in an effort to provide transparency to investors and potential investors. The SEC believes that by understanding a company's finances, including its key risks, investors can make more informed decisions. In a 2016 statement, SEC Chair Mary Jo White explained the rationale for the SEC's requirements for quarterly and annual filings:
The SEC's disclosure regime is central to our mission to protect investors and the integrity of our capital markets. Since 1934, our disclosure requirements have been designed to foster transparency, honesty, and confidence in the markets so that investors can make informed investment and voting decisions and companies can appropriately access the capital they need. In the modern era, Regulation S-K has become the key tool for furthering these goals and is a central repository for the Commission's rules covering the business and financial information that companies must provide in their filings, including information describing a company's business, risks that the company faces, and management's discussion and analysis of a company's financial condition and results of operations.1
In recent years, SEC officials have recognized that cybersecurity is among the risks that require greater transparency for investors. In a 2014 speech, White said that the “SEC's formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.”2 SEC Commissioner Luis A. Aguilar, who has focused on the need for better cybersecurity among U.S. companies, encouraged companies to broadly disclose cybersecurity risks that could impact not only the company, but others. “It is possible that a cyber-attack may not have a direct material adverse impact on the company itself, but that a loss of customers' personal and financial data could have devastating effects on the lives of the company's customers and many Americans,” Aguilar said. “In such cases, the right thing to do is to give these victims a heads-up so that they can protect themselves.”3
Neither the Securities Exchange Act of 1934 nor Regulation S-K explicitly requires companies to disclose cybersecurity risks in their 10-Ks or other SEC filings. However, in October 2011, the SEC's Division of Corporation Finance issued CF Disclosure Guidance: Topic No. 2, Cybersecurity, nonbinding guidance in which it strongly encouraged companies to disclose a range of cybersecurity risks. In the Guidance, the SEC noted the many potential costs and negative consequences that could arise from a cyber incident, including increased costs resulting from remediation, cybersecurity incident preparation, litigation, and reputational harm. While the SEC does acknowledge that its regulations do not explicitly require cybersecurity disclosures, it nonetheless imposes a number of disclosure requirements that obligate registrants to disclose such risks and incidents, and it states that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”4
In practice, companies typically disclose cybersecurity risks and vulnerabilities in four sections of their 10-K annual reports: (1) Risk factors; (2) Management's discussion and analysis of financial condition and results of operations (MD&A); (3) Description of business; and (4) Legal proceedings.
The commonly used 10-K section for cybersecurity disclosures is “Risk factors.” Regulation S-K requires publicly traded companies to provide a “concise” and logically organized list of “the most significant factors that make the offering speculative or risky.”5 Regulation S-K instructs companies to explain “how the risk affects the issuer or the securities being offered,” and to “[s]et forth each risk factor under a subcaption that adequately describes the risk.”6
In the 2011 Cybersecurity Guidance, the SEC stated that in determining whether to disclose a cybersecurity risk factor, companies should consider “all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”7 The SEC requires companies to consider the probability and magnitude of future cyber incidents. The Guidance instructs companies to consider not just the theft of consumer personal information, but also the loss of confidential corporate information and interruptions in business operations.8
The SEC's Guidance stated that disclosures under the Risk Factors section of the annual report can include the characteristics of the publicly traded company's business that cause significant cybersecurity risks. For instance, if a company regularly processes customer health information, it likely should note that fact in the Risk Factors section. If a company regularly uses outside service providers to process customer information, it also should consider noting that in the Risk Factors section, according to the SEC Guidance. Companies also should consider describing data breaches and other material cybersecurity incidents. The SEC instructs companies to consider describing “relevant insurance coverage,” such as the supplemental cyber insurance discussed in Chapter 2 of this book.9
The SEC's Guidance warns companies to avoid “boilerplate” language in their cybersecurity risk factor disclosures, though it notes that companies are not legally required to provide information that would compromise their cybersecurity to hackers. “Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence,” the SEC wrote.10
The SEC's Guidance demonstrates the inherent conflict between the SEC's long-standing rule that companies should be transparent about risk factors, and the unfortunate reality in cybersecurity that information about vulnerabilities can quickly be used against companies by cybercriminals. Companies are still attempting to determine the necessary balance between the two demands, and as will be seen later in this section, companies have developed a fairly wide range of disclosure practices.
Regulation S-K also requires 10-K filings to include a section entitled “Management's discussion and analysis of financial condition and results of operations” (MD&A), in which the company discusses changes in its financial condition and the results of its operations.11 Among the results that companies must describe are “any unusual or infrequent events or transactions or any significant economic changes that materially affected the amount of reported income from continuing operations[.]”12
In its Cybersecurity Guidance, the SEC states that companies should discuss cybersecurity in this section if cyber risks or incidents “represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”13
Companies typically are much more likely to include information about such uncertainties in their discussions about risk factors, although the SEC has not explicitly stated which section should include information about cybersecurity. Often, companies that discuss cybersecurity threats in their MD&A section also have included similar information in the risk factors section.
Regulation S-K requires companies to describe the “general development” of their business over the past five years.14 In its Cybersecurity Guidance, the SEC states that companies should discuss cybersecurity here if “one or more cyber incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions[.]”15 For instance, the SEC states that if a company's soon-to-be-released product is subject to a cyber vulnerability, it should consider reporting that under “Description of business.” In practice, “Description of business” is a relatively rare 10-K section for cybersecurity disclosures, unless the company is in the technology sector and cybersecurity is an essential part of its business.
Regulation S-K requires companies to briefly describe “any material pending legal proceedings,”16 though companies are not required to report “ordinary routine litigation incidental to the business[.]”17 Regulation S-K states that companies must report legal proceedings if the total claim for damages (arising out of either a single lawsuit or multiple related lawsuits) exceeds 10 percent of the company's current assets.18 The SEC's Cybersecurity Guidance states that if a data breach compromises a significant amount of customer information, the company “should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties thereto, a description of the factual basis alleged to underlie the litigation, and the relief sought.”19
To provide a better understanding of how companies interpret the SEC's expectation for cybersecurity disclosures, below are excerpts from 10-K filings from large publicly traded companies. As you can see, companies take a wide range of approaches. Some disclose threats and potential threats in detail, while others provide general statements about threats to confidential information and business operations.
Wal-Mart, the largest company on the Fortune 500 list of publicly traded U.S. companies, provides unusually extensive disclosures about its cybersecurity vulnerabilities. In its “Risk factors” section, Wal-Mart describes the general steps that it takes to guard against various cyberattacks, the impact that disruptions of its primary and back-up computer systems would have on Wal-Mart's operations, potential disruptions to its important e-commerce business, and the costs and reputational harm of data breaches that reveal customer information.
We rely extensively on information systems to process transactions, summarize results and manage our business. Disruptions in both our primary and secondary (back-up) systems could harm our ability to conduct our operations.
Although we have independent, redundant and physically separate primary and secondary information systems, given the number of individual transactions we have each year, it is critical that we maintain uninterrupted operation of our business-critical information systems. Our information systems, including our back-up systems, are subject to damage or interruption from power outages, computer and telecommunications failures, computer viruses, worms, other malicious computer programs, denial-of-service attacks, security breaches (through cyberattacks from cyber-attackers and sophisticated organizations), catastrophic events such as fires, tornadoes, earthquakes and hurricanes, and usage errors by our associates. If our information systems and our back-up systems are damaged, breached or cease to function properly, we may have to make a significant investment to repair or replace them, and we may suffer interruptions in our operations in the interim. Any material interruption in both our information systems and back-up systems may have a material adverse effect on our business or results of operations. In addition, we are pursuing complex initiatives to transform our information technology processes and systems, which will include, for many of our information systems, establishing common processes across our lines of business. The risk of system disruption is increased when significant system changes are undertaken, although we believe that our change management process will mitigate this risk. If we fail to integrate our information systems and processes, we may fail to realize the cost savings anticipated to be derived from these initiatives.
If the technology-based systems that give our customers the ability to shop with us online do not function effectively, our operating results, as well as our ability to grow our e-commerce business globally, could be materially adversely affected.
Many of our customers shop with us over our e-commerce websites and mobile commerce applications, including walmart.com and samsclub.com in the U.S. and our retail websites in 10 other countries, which are a part of our multi-channel sales strategy. Increasingly, customers are using computers, tablets, and smart phones to shop online and through mobile commerce applications with us and with our competitors and to do comparison shopping. We are increasingly using social media to interact with our customers and as a means to enhance their shopping experience. As a part of our multi-channel sales strategy, we offer “Walmart Pickup” and “Club Pickup” and in a growing number of locations, “Online Grocery” programs under which many products available for purchase online can be shipped to and picked up by the customer at his or her local Walmart store or Sam's Club, which provides additional customer traffic at such stores and clubs. Multi-channel retailing is a rapidly evolving part of the retail industry and of our operations in the U.S. and in a number of markets in which our Walmart International segment operates.
We must anticipate and meet our customers' changing expectations while adjusting for new developments and technology investments by our competitors through focusing on the building and delivery of a seamless shopping experience across all channels by each operating segment. Any failure on our part to provide attractive, user-friendly e-commerce platforms that offer a wide assortment of merchandise at competitive prices and with low cost and rapid delivery options and that continually meet the changing expectations of online shoppers and developments in online and mobile commerce application merchandising and related technology could place us at a competitive disadvantage, result in the loss of e-commerce and other sales, harm our reputation with customers, have a material adverse impact on the growth of our e-commerce business globally and could have a material adverse impact on our business and results of operations.
Any failure to maintain the security of the information relating to our company, customers, members, associates and vendors that we hold, whether as a result of cybersecurity attacks on our information systems or otherwise, could damage our reputation with customers, members, associates, vendors and others, could cause us to incur substantial additional costs and to become subject to litigation, and could materially adversely affect our operating results.
As do most retailers, we receive and store in our digital information systems certain personal information about our customers and members, and we receive and store personal information concerning our associates and vendors. We also utilize third-party service providers for a variety of reasons, including, without limitation, encryption and authentication technology, content delivery to customers, back-office support, and other functions. In addition, our online operations at www.walmart.com, www.samsclub.com and our websites in certain of our foreign markets depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. Each year, cyber-attackers make numerous attempts to access the information stored in our information systems. We maintain substantial security measures to protect, and to prevent unauthorized access to, such information and have security processes, protocols and standards that are applicable to our third-party service providers to protect information from our systems to which they have access under their engagements with us.
However, we or our third-party service providers may be unable to anticipate one or more of the rapidly evolving and increasingly sophisticated means by which cyber-attackers may attempt to defeat our security measures or those of our third-party service providers and breach our or our third-party service providers' information systems. During fiscal 2016, we were notified that a third-party service provider that hosts the online photo center for Walmart Canada suffered a security breach that compromised information of users of that company's site, including some Walmart Canada customers, which we believe has not had a material impact on Walmart Canada or the Company. Walmart Canada discontinued use of this third-party service provider. Sam's Club in the United States also used the same third-party service provider to host its online photo center through a different system than the one used by Walmart Canada. After the breach in Canada, Sam's Club suspended the operation of the online photo center until a security review could be completed by the third-party service provider. Once the security review was complete and new technology with enhanced security measures was implemented by the third-party service provider, along with a determination that the information of Sam's Club members was not compromised by the security breach, Sam's Club resumed the operation of the online photo center through the same third-party service provider.
Cyber threats are rapidly evolving and are becoming increasingly sophisticated. As cyber threats evolve and become more difficult to detect and successfully defend against, one or more cyber threats might defeat our security measures or those of our third-party service providers in the future like the incident referenced above and obtain the personal information of customers, members, associates and vendors that we hold or to which our third-party service providers have access, and we or our third-party service providers may not discover any security breach and loss of information for a significant period of time after the security breach occurs. Moreover, associate error or malfeasance, faulty password management or other irregularities may result in a defeat of our or our third-party service providers' security measures and breach our or our third-party service providers' information systems (whether digital or otherwise).
Any breach of our security measures or those of our third-party service providers and loss of our confidential information, which could be undetected for a period of time, or any failure by us to comply with applicable privacy and information security laws and regulations could cause us to incur significant costs to protect any customers and members whose personal data was compromised and to restore customer and member confidence in us and to make changes to our information systems and administrative processes to address security issues and compliance with applicable laws and regulations.
In addition, such events could materially adversely affect our reputation with our customers, members, associates, vendors and shareholders, as well as our operations, results of operations, financial condition and liquidity, could result in the release to the public of confidential information about our operations and financial condition and performance and could result in litigation against us or the imposition of penalties, fines, fees or liabilities, which may not be covered by our insurance policies. Moreover, a security breach could require us to devote significant management resources to address the problems created by the security breach and to expend significant additional resources to upgrade further the security measures that we employ to guard such important personal information against cyberattacks and other attempts to access such information and could result in a disruption of our operations, particularly our digital retail operations.
We accept payments using a variety of methods, including cash, checks, credit and debit cards, our private label cards and gift cards, and we may offer new payment options over time, which may have information security risk implications. By accepting debit and credit cards as a retailer for payment, we are subject to the Payment Card Industry Data Security Standard (“PCI DSS”), issued by the Payment Card Industry Security Standards Council. PCI DSS contains compliance guidelines and standards with regard to our security surrounding the physical and electronic storage, processing and transmission of individual cardholder data. The payment card industry set October 1, 2015 as the date on which it will shift liability for certain transactions to retailers who are not able to accept Europay, MasterCard, Visa (EMV) chip card credit and debit transactions. While we already accept many EMV cards, if we are unable to fully implement EMV as planned, we may incur increased costs associated with the liability shift. By accepting debit cards for payment, we are also subject to compliance with the American National Standards Institute encryption standards and payment network security operating guidelines. Even though we comply with these guidelines and standards and other information security measures, we cannot be certain that the security measures we maintain to protect all of our information technology systems are able to prevent, contain or detect any cyberattacks, cyber terrorism, or security breaches from known malware or malware that may be developed in the future. To the extent that any disruption results in the loss, damage or misappropriation of information, we may be materially adversely affected by claims from customers, financial institutions, regulatory authorities, payment card networks and others. In addition, the cost of complying with stricter privacy and information security laws and standards could be significant to us.
Wal-Mart's extensive disclosures reflect, in part, the large amount of sensitive consumer data that it handles on a regular basis. Some large companies that do not deal directly with consumers tend to have more abbreviated cybersecurity disclosures. For instance, consider investment firm Berkshire Hathaway's “Risk factors” disclosure, which focuses primarily on potential harms to its operations.
We rely on information technology in virtually all aspects of our business. A significant disruption or failure of our information technology systems could result in service interruptions, safety failures, security violations, regulatory compliance failures, an inability to protect information and assets against intruders, and other operational difficulties. Attacks perpetrated against our information systems could result in loss of assets and critical information and exposes us to remediation costs and reputational damage.
Although we have taken steps intended to mitigate these risks, including business continuity planning, disaster recovery planning and business impact analysis, a significant disruption or cyber intrusion could lead to misappropriation of assets or data corruption and could adversely affect our results of operations, financial condition and liquidity. Additionally, if we are unable to acquire or implement new technology, we may suffer a competitive disadvantage, which could also have an adverse effect on our results of operations, financial condition and liquidity.
Cyber attacks could further adversely affect our ability to operate facilities, information technology and business systems, or compromise confidential customer and employee information. Political, economic, social or financial market instability or damage to or interference with our operating assets, or our customers or suppliers may result in business interruptions, lost revenue, higher commodity prices, disruption in fuel supplies, lower energy consumption, unstable markets, increased security and repair or other costs, any of which may materially adversely affect us in ways that cannot be predicted at this time. Any of these risks could materially affect our consolidated financial results. Furthermore, instability in the financial markets as a result of terrorism, sustained or significant cyber attacks, or war could also materially adversely affect our ability to raise capital.
Companies that have experienced high-profile data breaches are more likely to report significant cybersecurity vulnerabilities in their 10-K reports. For instance, Target, which experienced a large data breach during the 2013 holiday shopping season, was still discussing the impact of the incident in the 10-K report that it filed in March 2016. In light of the high profile of the data breach, Target acknowledged that cybersecurity could affect not only costs of litigation and remediation, but also could reduce revenues by harming the retailer's reputation. Due to the high stakes of the various lawsuits that arose from the data breach, Target discussed cybersecurity not only in its “Risk factors” section, but it also specifically discussed the ongoing cost of the legal proceedings in a note to its consolidated financial statements.
If our capital investments in technology, supply chain, new stores and remodeling existing stores do not achieve appropriate returns, our competitive position, financial condition and results of operations may be adversely affected.
Our business is becoming increasingly reliant on technology investments, and the returns on these investments can be less predictable than building new stores and remodeling existing stores. We are currently making, and will continue to make, significant technology investments to support our efforts to provide a consistent guest experience across all sales channels, implement improvements to our guest-facing technology, and evolve our supply chain and our inventory management systems, information processes, and computer systems to more efficiently run our business and remain competitive and relevant to our guests. These technology initiatives might not provide the anticipated benefits or may provide them on a delayed schedule or at a higher cost. We must monitor and choose the right investments and implement them at the right pace, which depends on our ability to accurately forecast our needs and is influenced by the amount and pace of investments by our competitors. In addition, our growth also depends, in part, on our ability to build new stores and remodel existing stores in a manner that achieves appropriate returns on our capital investment. We compete with other retailers and businesses for suitable locations for our stores. Many of our expected new store sites are smaller and non-standard footprints located in fully developed markets, which require changes to our supply chain practices and are generally more time-consuming, expensive and uncertain undertakings than expansion into undeveloped suburban and ex-urban markets. Targeting the wrong opportunities, failing to make the best investments, or making an investment commitment significantly above or below our needs could result in the loss of our competitive position and adversely impact our financial condition or results of operations.
A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
We rely extensively on our computer systems to manage and account for inventory, process guest transactions, manage and maintain the privacy of guest data, communicate with our vendors and other third parties, service REDcard accounts, summarize and analyze results, and on continued and unimpeded access to the Internet to use our computer systems. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly or reliably, we may incur substantial repair or replacement costs, experience data loss or theft and impediments to our ability to manage inventories or process guest transactions, engage in additional promotional activities to retain our guests, and encounter lost guest confidence, which could adversely affect our results of operations.
We continually make significant technology investments that will help maintain and update our existing computer systems. Implementing significant system changes increases the risk of computer system disruption. The potential problems and interruptions associated with implementing technology initiatives could disrupt or reduce our operational efficiency, and could negatively impact guest experience and guest confidence.
If our efforts to protect the security of information about our guests, team members and vendors are unsuccessful, we may face additional costly government enforcement actions and private litigation, and our sales and reputation could suffer.
An important component of our business involves the receipt and storage of information about our guests, team members, and vendors. We have programs in place to detect, contain and respond to data security incidents. However, because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may be difficult to detect for long periods of time, we may be unable to anticipate these techniques or implement adequate preventive measures. In addition, hardware, software, or applications we develop or procure from third parties may contain defects in design or manufacture or other problems that could unexpectedly compromise information security. Unauthorized parties may also attempt to gain access to our systems or facilities, or those of third parties with whom we do business, through fraud, trickery, or other forms of deceiving our team members, contractors, vendors, and temporary staff.
Until the data breach in the fourth quarter of 2013, all incidents we experienced were insignificant. The data breach we experienced in 2013 was significant and went undetected for several weeks. Both we and our vendors have experienced data security incidents subsequent to the 2013 data breach; however, to date these other incidents have not been material to our consolidated financial statements. Based on the prominence and notoriety of the 2013 data breach, even minor additional data security incidents could draw greater scrutiny. If we or our vendors experience additional significant data security breaches or fail to detect and appropriately respond to significant data security breaches, we could be exposed to additional government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their information, which could cause them to discontinue using our REDcards or loyalty programs, or stop shopping with us altogether.
As previously reported, in the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and other guest information from our network (the Data Breach), which resulted in a number of claims against us, several of which have been finally or preliminarily resolved as follows:
Actions related to the Data Breach that remain pending are: (1) one action previously filed in Canada; (2) several putative class action suits brought on behalf of shareholders; and (3) ongoing investigations by State Attorneys General and the Federal Trade Commission.
Our accrual for estimated probable losses is based on actual settlements reached to date and the expectation of negotiated settlements in the pending actions. We have not based our accrual on any determination that it is probable we would be found liable for the losses we have accrued were these claims to be litigated. While our estimates may change as new information becomes available, we do not believe any adjustments will be material.
We recorded $39 million of pretax Data Breach-related expenses during 2015. Along with legal and other professional services, expenses included an adjustment to the accrual based on refined estimates of our probable exposure. We recorded $191 million of Data Breach-related expenses, partially offset by expected insurance proceeds of $46 million, for net expenses of $145 million during 2014. These expenses were included in our Consolidated Statements of Operations as SG&A, but were not part of segment results.
Since the Data Breach, we have incurred $291 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $201 million.
The 10-K is an annual report that requires publicly traded companies to disclose significant events of the past year and forward-looking risks. However, a data breach could have immediate consequences for a company's finances and, in some cases, viability. It is becoming increasingly common for companies to file an “8-K” form (known as a “current report”) to notify investors soon after a data breach occurs.
In its cybersecurity guidance, the SEC provided little direction as to when such updates are necessary, merely stating that companies should consider whether it is necessary to file 8-K reports “to disclose the costs and other consequences of material cyber incidents.”20 The form 8-K merely states that companies may choose to file 8-K's of “other events” that the company “deems of importance to security holders.”
In many cases, investors already are well aware of high-profile data breaches, due to the state data breach reporting requirements discussed in Chapter 1 of this book. Without any clear guidance on the topic from the SEC, companies have developed different approaches. Some do not disclose cyber incidents on separate 8-K's, either mentioning the incidents in their 10-K report or determining that the incidents are not material. Some companies file 8-K reports around the same time that they disclose incidents to state regulators and consumers. And other companies delay their notifications.
Target, for instance, publicly disclosed its large data breach on December 19, 2013. It did not immediately file an 8-K report, and began to receive substantial criticism. On January 30, 2014, lawyers published a commentary piece in which they questioned the lack of an 8-K, writing, “Target's securities lawyers may believe that the breach is not ‘important to security holders,’ or is not sufficiently material enough to the roughly $38 billion company to warrant an 8-K filing, but 70 million to 110 million affected customers is hardly immaterial, even for Target.”21 Sen. Jay Rockefeller chimed in, sending a letter to Target's chief executive, asking why the company “appears to be ignoring SEC rules that require you to disclose to the SEC and your investors the costs and business consequences of this recent data breach.”22
On February 26, 2014 – more than two months after the initial public disclosure – Target filed an 8-K in which it disclosed the breach to investors. The filing amended the risk factors section of its 10-K, and stated, in part:
The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.23
The widespread criticism of Target's failure to more promptly notify investors has caused an increasing number of companies to file 8-Ks soon after they publicly report data breaches. Although the SEC has not explicitly stated that companies must do so, there always is a risk that regulators may eventually expect such reporting, as the 8-K requirements are ambiguous. Moreover, prompt disclosure of cyber incidents to shareholders weakens potential claims in shareholder derivative lawsuits, as discussed below.
Some companies file 8-Ks about major data breaches in a much more expeditious manner. For instance, on September 2, 2014, Home Depot began investigating blog reports of a data breach on its systems. Home Depot soon discovered that hackers accessed approximately 56 million payment card numbers of its retail customers from April to September 2014.24 On September 18, 2014, Home Depot publicly announced its findings. On the same day, Home Depot filed an 8-K with the SEC, in which it stated, in part:
The investigation into a possible breach began on Tuesday morning, September 2, immediately after The Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.
Since then, the Company's IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to rapidly gather facts, resolve the problem and provide information to customers.
The Company's ongoing investigation has determined the following:
To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the Company quickly put in place other security enhancements. The hackers' method of entry has been closed off, the malware has been eliminated from the Company's systems, and the Company has rolled out enhanced encryption of payment data to all U.S. stores.
There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.
The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.25
Home Depot's filing is a model for prompt and responsible disclosure of a cybersecurity incident. Although the SEC does not have a threshold requirement for 8-K filings regarding data breaches, it is clear that the breach of more than 50 million customers' credit and debit card information will lead to significant legal liability (and Home Depot quickly faced multiple lawsuits). Home Depot's 8-K clearly describes what its investigation uncovered, and the steps that Home Depot has taken to mitigate damage. Home Depot provided enough detail to paint a useful picture of the situation for investors, but it did not “over-disclose” and provide information that hackers could use to further exploit its network and systems.
If a data breach causes significant harm to a company, shareholders may attempt to bring a suit, known as “derivative litigation,” against company officers who they allege were responsible for the harm. The lawsuits often arise under the state laws of Delaware, where many large U.S. corporations are incorporated.
Derivative lawsuits often arise when shareholders claim that directors breached their “fiduciary duty” of care to the company by allowing serious harm to occur. Delaware courts have stated that such a breach occurs when the directors caused or “allowed a situation to develop and continue which exposed the corporation to enormous legal liability and that in doing so they violated a duty to be active monitors of corporate performance.”26 The Delaware Court of Chancery stated that among the harms that could be the basis of derivative suits are: “regulatory sanctions, criminal or civil fines, environmental disasters, accounting restatements, misconduct by officers or employees, massive business losses, and innumerable other potential calamities.”27 Typically, boards of directors will not approve a lawsuit against their own officials. In that case, plaintiffs file a derivative lawsuit, seeking permission to sue the officials on behalf of the company.
Shareholders must meet a high hurdle before being permitted to sue on behalf of the company, as courts typically presume that directors and officers make decisions that they believe, in good faith, to be in the companies' best interests.28 To defeat this presumption, known as the business judgment rule, plaintiffs must demonstrate that the board's refusal to sue was made in “bad faith” or “based on an unreasonable investigation.”29
To demonstrate that a board refused to bring a suit in bad faith, the plaintiffs must establish that the board utterly failed to meet its obligations to the corporation and shareholders. Among the scenarios that Delaware courts have concluded would constitute bad faith:
The third scenario could be the basis of a data breach-related derivative lawsuit. Shareholders claim that the directors failed to adequately monitor a company's data security, therefore causing harm to the company.31
There have been few published court opinions regarding derivative lawsuits arising from data breaches. In 2014, a New Jersey federal court (applying Delaware law) dismissed a lawsuit against Wyndham Worldwide Corporation officials arising from the data breach discussed in Chapter 1.32 The court rejected two attempts by the plaintiffs to overcome the business judgment rule. First, the plaintiffs argued that the board did not act in good faith because it was represented by the same counsel in the FTC action and the shareholder demand for a lawsuit.33 The court held that counsel's duties were not conflicting; rather, in both instances, it was responsible for acting in Wyndham's best interests.34 Second, the plaintiffs argued that the board failed to reasonably investigate the demand to bring a lawsuit. The court similarly rejected this argument, reasoning that board members had discussed the breaches at fourteen board meetings between October 2008 and August 2012, and that the board's audit committee routinely discussed the breaches, and therefore, those investigations alone “would indicate that the Board had enough information when it assessed Plaintiff's claim.”35 The Wyndham case demonstrates the difficulty of bringing a viable shareholder derivative claim even in cases in which the company likely was not providing adequate oversight of its cybersecurity.
Although shareholders have not yet been successful in data breach-related derivative lawsuits, that very well may change as data breaches increasingly put the viability of publicly traded companies at risk. While cybercrime and breaches were at one point a minor annoyance that resulted in some negative publicity, they now can put a company's future at risk, due to the sophistication of the attacks. Accordingly, companies should be aware of the very real possibility that, in the future, shareholders could succeed in a lawsuit against corporate officials due to a serious data breach.
Cybersecurity also has become a significant concern when foreign investors seek to invest money in U.S. companies. Policy makers worry that foreign control of U.S. technology companies could expose the United States to national security vulnerabilities.
All investments that would result in foreign control of a U.S. business must first be reviewed by the Committee on Foreign Investment in the United States (CFIUS). CFIUS is an interagency committee that is chaired by the Secretary of the Treasury, and also includes the Attorney General, Secretary of Homeland Security, Secretary of Commerce, Secretary of Defense, Secretary of State, Secretary of Energy, U.S. Trade Representative, and Director of the White House Office of Science and Technology Policy.
In recent years, Congress and CFIUS have been concerned that the attempts of investors in some countries – in particular, China – to acquire U.S. technology companies could undercut U.S. security. In a report to Congress for 2014, CFIUS wrote that it believes that “there may be an effort among foreign governments or companies to acquire U.S. companies involved in research, development, or production of critical technologies for which the United States is a leading producer.”36
Among the highest profile cybersecurity-related concerns in a CFIUS matter was Japan-based SoftBank's acquisition of a majority interest in Sprint Nextel Corp. Congressman Mike Rogers, then-Chairman of the House Intelligence Committee, raised concerns that SoftBank would require Sprint to use equipment from China-based Huawei Technologies in its U.S. telecommunications network, a move that could compromise the security of U.S. communications.37 In a report issued by Rogers' committee the previous year, his staff investigated national security concerns related to Huawei and ZTE, the two largest China-based telecommunications equipment makers. The report concluded that the “risks associated with Huawei's and ZTE's provision of equipment to U.S. critical infrastructure could undermine core U.S. national-security interests.”38 The House Committee urged CFIUS to block any acquisitions involving Huawei and ZTE. To obtain CFIUS approval, Sprint and SoftBank agreed that they would not use Huawei equipment, and that the U.S. government could veto any new equipment purchased by Sprint for use on its network.39 The quick response and agreement to provide the U.S. government such leeway over the company's operations demonstrated a renewed focus on cybersecurity by CFIUS, as well as a recognition by industry that CFIUS has significant leverage in such deals.
CFIUS conducts much of its review proceedings confidentially, so there is little guidance as to exactly what cybersecurity measures U.S. companies must take in order to satisfy CFIUS. However, in November 2008, CFIUS revised its operating regulations to require applicants to include a copy of their cybersecurity plan, if any, “that will be used to protect against cyber attacks on the operation, design, and development of the U.S. business' services, networks, systems, data storage, and facilities.”40 In its commentary to the 2008 regulations, CFIUS noted that this requirement applies to all companies – not just technology businesses – and that the regulations do not require a particular form of cybersecurity plan to satisfy CFIUS.
In practice, companies are less likely to face cybersecurity-related obstacles with CFIUS if they provide a thorough description of their access and authorization procedures, cybersecurity safeguards, internal security organization, incident response plan, and other standard cybersecurity safeguards. Moreover, companies are more likely to face CFIUS-related cybersecurity scrutiny if they provide critical infrastructure (e.g., a cellular phone carrier or electric utility) or have a direct relationship to national security (e.g., a defense contractor).
Countries around the world have long participated in informal agreements to control the export of guns, military aircraft, missiles, and other weapons that can harm national security. In recent years, there has been growing concern that these controls could constrain companies' ability to implement cybersecurity protections and share information about vulnerabilities.
The United States and forty other nations participate in the Wassenaar Arrangement, under which they agree to broad categories of export controls. The Wassenaar Arrangement is not a formal treaty, and nations are not legally bound by its terms. However, the United States and other participating nations traditionally have enacted regulations to comply with the Wassenaar Arrangement, in an effort to create an international set of norms for this important national security issue.
In recent years, many participating nations have been concerned about dictatorial governments' use of surveillance technology to suppress dissenting voices. In December 2013, to address these concerns, the United Kingdom successfully led a campaign to amend the Wassenaar Arrangement to add certain types of “intrusion software” to the list of technologies that should be subject to export controls.41
The Wassenaar Arrangement's 2013 amendments broadly define “intrusion software” in this way:
“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
The Wassenaar Arrangement then adds the following types of technologies to the export control list:
The Wassenaar Arrangement notes that the export controls do not apply to technology that is “the minimum necessary for the installation, operation, maintenance (checking) or repair of those items which are not controlled or whose export has been authorized,” nor do they apply to technology that is in the public domain or for “basic scientific research.” Despite these exceptions, a number of advocacy groups worried that this definition of “intrusion software” is so broad that it could effectively prohibit the international sharing of tools that are used in cybersecurity research.42
The advocacy groups – and many large technology companies – became even more concerned in 2015, when the U.S. Department of Commerce proposed rules to implement the 2013 amendments to the Wassenaar Arrangement. The U.S. proposal would have added the following technologies to the list of U.S. export controls:
Systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.
Technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.43
Advocacy groups and technology companies united in fierce opposition to the U.S. proposal, stating that it was even more sweeping than the Wassenaar Arrangement, and would effectively prohibit technology companies from sharing legitimate information about emerging cybersecurity threats.44 Rather than collaborating in real time to fight urgent cybersecurity threats, the companies and researchers would be required to seek a license from regulators. A Microsoft attorney told a congressional committee that, due to the Wassenaar Arrangement, a cybersecurity conference in Japan was canceled.45
In light of the strong opposition to the Wassenaar Arrangement and the U.S. proposal to implement the controls on intrusion software, the Obama administration announced in February 2016 that it would attempt to renegotiate the Wassenaar Arrangement to prevent a negative impact on cybersecurity research.46 Given the widespread concern about authoritarian regimes' surveillance, it is unclear as of the publication of this book whether U.S. efforts to renegotiate the Wassenaar Arrangement will be successful.
The widespread concern over the Wassenaar Arrangement – and the strong opposition of consumer advocacy groups and technology companies – demonstrates the difficulty that governments and companies have when attempting to fight real-time cybersecurity threats while at the same time preserving national security. Perhaps more than most other national security threats, cybersecurity relies heavily on the private sector – including large corporations – to develop solutions. Such reliance requires trust, and, in some cases, a relaxation of onerous regulations that could prevent the private sector from doing its job. As seen in the heated battle over export controls, governments around the world are having a difficult time adjusting to this new view of national security in the cyber age. Moreover, companies must pay careful attention to government regulations and proposals that could undermine their legitimate and important cybersecurity activities.