Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

The SEC Is Cracking Down on Companies That Do Not Disclose Cyber Incidents

Posted in Data Security, SEC

As I wrote in a previous post, the Securities and Exchange Commission’s (SEC) Division of Corporation Finance issued a Disclosure Guidance on October 13, 2011, that states publicly traded companies may be obligated to disclose cyber incidents and the risk of cyber incidents, depending on the application of various factors.

Now, according to a recent Bloomberg article, the SEC is cracking down on publicly traded companies’ failure to comply with the Guidance. The SEC apparently sent “dozens” of letters to companies asking about their cybersecurity disclosures and pushing them to disclose. Six of the companies that the SEC instructed to disclose were AIG, Amazon.com, Eastman Chemical Co., Google, Hartford Financial Services Group, and Quest Diagnostics, Inc.

With respect to Amazon.com, its Zappos.com unit was the victim of a cyber attack that resulted in the theft of addresses and credit card numbers belonging to 24 million of its customers. In April, the SEC asked Amazon to disclose the attack, which, according to Bloomberg, Amazon now has, though not without objection. Amazon initially resisted disclosing the cyber attack because, according to Amazon, Zappos did not contribute material revenue to Amazon.

Google, too, has now agreed to disclose in an SEC filing a cyber attack that it had previously disclosed publicly in January 2010. The SEC believed that disclosure in a formal SEC filing was necessary to “provide the proper context for your risk factor disclosures.” Accordingly, Google agreed to repeat the information in its earnings report.

Hartford told the SEC that it hadn’t suffered a “material” cyber attack, but the SEC instructed it to disclose “any” attack.

AIG agreed to state in a future quarterly report that it had “from time to time, experienced threats to our data and systems, including malware and computer virus attacks, unauthorized access, systems failures and disruptions.”

The SEC’s action is significant because the Guidance is not technically a rule, yet the SEC is effectively creating one by taking the position that these companies should have disclosed their breaches. Failure to comply with an SEC letter can lead to fines amounting to hundreds of thousands of dollars; fighting the SEC in litigation could cost millions. It will be interesting to see whether, and to what extent, the SEC will continue to crack down on companies that do not disclose cyber attacks and risks of cyber incidents.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.