The 113th Congress will bring new leadership to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs Committees — all responsible for cybersecurity issues.  President Obama is expected to release an Executive Order (based on the draft circulated in late November 2012) very soon, perhaps before the State of the Union address.  House Speaker Boehner extended an invitation to the President last week to deliver the SOTU address on February 12th.  Add to that the fact that online and mobile privacy remain priorities in the 113th Congress, and we should have a very busy session.

A look at upcoming cybersecurity and data privacy issues in the 113th Congress has been prepared by our colleagues at ML Strategies.  You can read it at ML Strategies Legislative Alert Telecommunications in the 113th Congress.

Happy New Year!   We are beginning this week with a series of top Privacy and Security issues for 2013, as we see them.   Let’s start with an issue of interest to publicly traded companies, or companies considering going public in 2013 – a reminder that cybersecurity issues are of interest to the Securities and Exchange Commission (SEC) and are a shareholder disclosure issue.   We expect to see an increased focus in this area in 2013.

By Adam Veness

THE SEC WILL REQUIRE GREATER DISCLOSURE RELATED TO DATA SECURITY RISKS AND BREACHES

The amount of personal and confidential information maintained electronically by public companies increases every day.  As a consequence of this increase, the likelihood that a given public company will suffer a data breach and that such breach will have a material adverse effect on the company’s business also increases.  In response to this ever-increasing risk, the Securities and Exchange Commission (the “SEC”) is requiring greater disclosure related to data security and this trend will likely increase in 2013.

The SEC issued guidance relating to public company disclosure of data security in the end of 2011.  Soon after the SEC issued this guidance, Facebook, Inc. (NASDAQ: FB) filed its Form S-1 Registration Statement and became one of the pioneers in data security and privacy disclosure.  Since then, public and soon-to-be public companies have followed suit and more companies are including disclosure related to data security risks and breaches.

The disclosure does not only affect companies dependent on technology as a core part of their business.  Two recent examples of this increased disclosure can be found in the risk factors of a prospectus filed by Michaels Stores, Inc. and that filed by SeaWorld Entertainment, Inc.  Specifically, Michaels Stores, Inc., a craft specialty retailer, included the following risk factor: “Failure to adequately maintain security and prevent unauthorized access to electronic and other confidential information and data breaches could materially adversely affect our financial condition and operating results.”  This type of risk factor is becoming more and more common among public company filings, both in registration statements and annual and quarterly filings.   Interestingly, Michaels was the victim of a large-scale hack attack on its POS system in 2011 and given that, and the resulting class action suits, we might have expected to see expanded disclosure.   SeaWorld, the owner/operator of SeaWorld, Busch Gardens, Sesame Place, and other theme parks, filed its registration statement just after Christmas and includes the following risk factor:

Cyber security risks and the failure to maintain the integrity of internal or guest data could result in damages to our reputation and/or subject us to costs, fines or lawsuits.

We collect and retain large volumes of internal and guest data, including credit card numbers and other personally identifiable information, for business purposes, including for transactional or target marketing and promotional purposes, and our various information technology systems enter, process, summarize and report such data. We also maintain personally identifiable information about our employees. The integrity and protection of our guest, employee and Company data is critical to our business and our guests and employees have a high expectation that we will adequately protect their personal information. The regulatory environment, as well as the requirements imposed on us by the credit card industry, governing information, security and privacy laws is increasingly demanding and continue to evolve. Maintaining compliance with applicable security and privacy regulations may increase our operating costs and/or adversely impact our ability to market our theme parks, products and services to our guests. Furthermore, a penetrated or compromised data system or the intentional, inadvertent or negligent release or disclosure of data could result in theft, loss, fraudulent or unlawful use of guest, employee or Company data which could harm our reputation or result in remedial and other costs, fines or lawsuits.

Companies that fail to include adequate disclosure about data security risks have already begun receiving SEC comments for 10-Ks filed at the end of 2011.  One example of this occurred in the SEC’s review of Freeport-McMoRan Copper & Gold Inc.’s (“Freeport”) 10-K for Fiscal Year Ended December 31, 2011.  In the SEC’s Comment Letter, it noted that Freeport failed to include any risk factors related to cyber attacks.  The SEC commented that in Freeport’s next 10-Q, it should provide “risk factor disclosure describing the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.”  The SEC further referred Freeport to its Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.  Sure enough, as Freeport promised in its response letter to the SEC, Freeport included this additional disclosure in its 10-Q filed for the Quarter Ended June 30, 2012.

In 2013, the SEC is likely to ramp up its cybersecurity risk disclosure requirements and will require all types of public companies to include additional disclosure regarding data security risks and breaches, not just internet-based public companies like Facebook, Inc.

Recommended action for 2013:  If your company files reports with the SEC, you should be paying close attention to the SEC Cybersecurity Guidance and examining your own potential exposure to cybersecurity risks through a comprehensive risk assessment.

With a victory in last week’s election for President Obama, there is an increased chance for an Executive Order on Cybersecurity before the end of the year.   Our colleagues at ML Strategies have published a post-election analysis of telecommunications issues, including cybersecurity and privacy and that analysis is available here – ML Strategies Legislative Alert Telecommunications in the Lame Duck and 113th Congress.

Written by Adam Veness

Senator John D. Rockefeller IV (D., W.Va.) recently sent a letter to the CEOs of all Fortune 500 companies asking the companies for more information about their cybersecurity practices.  The letter comes a month after Senate Republicans filibustered and blocked a bill that would have established voluntary computer security standards for companies running critical infrastructure systems, including the electric grid and Wall Street.

In the letter, Senator Rockefeller asks the companies to provide the Senate Commerce Committee with answers to eight questions about their cybersecurity needs, as well as their views on the Cybersecurity Act of 2012, by October 19th.

These questions are as follows:

  • Has your company adopted a set of best practices to address its own cybersecurity needs?
  • If so, how were these cybersecurity practices developed?
  • Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.
  • When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  • Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  • What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  • What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

Although the companies receiving the letter are not legally obligated to respond, the letter is further evidence that, even though Congressional action has ground to a halt, the quest for cybersecurity legislation is not going away.   According to a report in The Hill, two U.S. Senators have called on President Obama to issue an executive order, citing the need for urgent action to fill the cybersecurity void.

Companies should be proactive and implement cybersecurity safeguards and policies now so that these protections are already in place by the time any regulatory action is taken.

It’s that time of year again – and not just the kiddies are headed back to school.

We’re co-sponsoring a free cybersecurity event with a panel of experts to discuss risk management and risk transfer in the privacy/security world.   More information, including registration link, is posted here.

Watch this blog for announcement of a webinar series discussing privacy and security issues in business verticals such as retail and hospitality, not-for-profit, health care technology/business associates and insurance/financial services.

The Securities and Exchange Commission (SEC) has issued guidance to public companies with respect to disclosure relating to cybersecurity and data breach risks.    This release is from the Commission’s Division of Corporation Finance and is not a rule or regulation — but it is clear that public companies that ignore the advice in the Disclosure Guidance and fail to assess and disclose material cybersecurity risks could face regulatory and legal action.

A full discussion of the Disclosure Guidance has been prepared in a Mintz Levin Client Advisory and is here.

A key point from an information management perspective is that the plain language of the Guidance can only be interpreted as calling for particular and specific (non-generic) disclosure if the risk of cyber attack or data breach is reasonably likely to be material to a public company.   The Guidance discusses not only what is thought of in terms of privacy and data breaches, but also cyber attacks that could result in the theft of material intellectual property.  The SEC staff gave as an example: 

if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition.

A company can only make accurate disclosure of risks if a risk assessment is undertaken to determine if, and what, disclosure is required.   Directors and officers outside the traditional information technology/security management circle will need to pay greater attention to these potential disclosure issues.

The Guidance may impact the traditional breach notification process as well.  Companies may now need to analyze not only whether notice to impacted individuals is necessary, but also whether shareholders should be getting a disclosure in financial statements and whether other SEC filings (such as a Form 8-K) should be made in connection with a data breach.

“In a single intrusion this March, 24,000 files were taken.”   

Chilling words yesterday from Deputy Defense Secretary William J. Lynn in a speech revealing the nation’s strategy for cyberspace.

Last night, CBS News Pentagon Correspondent David Martin got an unprecedented look inside the command center at the Pentagon and filed a report worth watching:   CBS News Report

Privacy and security has become a major focus of the Department of Commerce.  The Department’s Internet Policy Task Force has issued its second green paper, this one proposing the creation of nationally recognized voluntary codes of conduct to help strengthen cybersecurity.  Comments will be accepted on “Cybersecurity, Innovation and the Internet Economy” through August 1, 2011.

For several months now, hacks of major commercial computer systems, including those of Citigroup and the International Monetary Fund, have been front page news.   The latest green paper from Commerce discusses how to improve the Internet security practices of companies in the Internet and Information Innovation Sector (called “I3S”) other than those classified as part of “critical infrastructure.”   The I3S encompasses businesses that utilize the Internet or networking services and have a large potential economic impact, including e-commerce, social media, cloud computing, and other online providers.

As with the Department’s first green paper released last December, the Department has asked interested parties to comment on the recommendations, as well as to provide responses to specific questions it posed to help develop the recommendations.  Some of these questions include:

  • What kinds of entities should be included or excluded from the covered businesses?  How can the covered businesses’ functions and services be clearly distinguished from critical infrastructure?
  • Should covered businesses that also offer functions and services to covered critical infrastructure be treated differently than other covered businesses?
  • Are there existing codes of conduct that covered businesses can utilize that adequately address these issues?
  • What process should the Department of Commerce use to work with industry and other stakeholders to identify best practices, guidelines, and standards in the future?
  • What are the right incentives to (a) gain adoption of best practices; (b) ensure that the voluntary codes of conduct that develop from best practices are sufficiently robust; and (c) ensure that codes of conduct, once introduced, are updated promptly to address evolving threats and other changes in the security environment?
  • How can the Department of Commerce work with other federal agencies to better cooperate, coordinate, and promote adoption and development of cybersecurity standards and policy internationally?

Stakeholders should consider providing comment to the Department to help inform the process.  Green papers on copyright and the global free flow of information are expected soon.

We will post a link to the amended legislation as soon as it is released by the Committee.

The Senate Commerce Committee press release —

WASHINGTON, D.C.—Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, and Senator Olympia J. Snowe (R-ME), a senior member of the committee, issued the following statements today after the Commerce Committee favorably reported out the Rockefeller-Snowe Cybersecurity Act.

“Our future is literally being stolen from us. Cyber attacks and hackers are at work raiding property and proprietary information from U.S. companies and innovators,” said Chairman Rockefeller. “The status quo is not sustainable. We need a new model for the 21st century. We must secure America’s critical networks, innovation and competitiveness in the global market. The Rockefeller-Snowe Cybersecurity Act provides a framework for a fundamentally new approach to combating cyber attacks. Today, we took another big step in moving this enormously important legislation forward.”

“It is simply undeniable that cyber intrusions and attacks represent both a potential national security and economic catastrophe as our vital information infrastructure – nearly 90 percent of it – is owned and operated by the private sector,” said Senator Snowe. “Without adequate cooperation between the public and private sectors to protect our critical infrastructure information systems – our strategic national assets – we risk a cyber-calamity of epic proportions with devastating implications for our nation. Our initiative, which is the culmination of a year’s worth of consultation and input from across the spectrum, streamlines cybersecurity-related functions and clarifies the responsibilities of government and private sector stakeholders.”