Tag Archives: target

Healthcare Breaches: How to Respond

The news of a data breach at Premera Blue Cross, following on the heels of the recent announcements of large-scale,  healthcare breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries and insurers need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management.

Health plans and their employers, administrators, insurers and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that are required by the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act and other potentially applicable laws.

Employers or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code and a host of other laws. Whether they are subject to the additional responsibilities depends on the scope of data affected and their involvement with the affected plans,

Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security or other federal or state laws. (See, e.g., Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons for Health Plans, Providers and Business Associates.)

The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The report of these and other healthcare breaches, as well as recent reports of identity theft and other fraud affecting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use and protection of sensitive personal and other data.

Of course, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities at virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.

Everyone from the Internal Revenue Service, other federal and state government agencies and private business partners are pushing for electronic transactions and data. So, businesses are conducting more and more transactions electronically containing business and individual tax information, personal financial information, personal health information, confidential business and personal information. Meanwhile, “big data” and other business and marketing gurus also encourage businesses to use data from customers, prospects and other sources to benefit marketing and other parts of the business.

As these practices have taken hold over the past decade, data breaches, other cyber crimes and risks have also grown. Privacy, identity theft and other cyber crimes have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations, including the Fair and Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act and state identity theft, data security and data breach and other electronic privacy and security laws.

As notorious breaches occur and judgments, penalties and other costs soar, federal and state regulators are looking at the need for expanded rules and penalties. (See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities and Statistics.) Widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and state regulators to hold hearings to consider the need for added reforms, and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.

While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.

The notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between Nov. 27 and Dec. 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before. The company announced plans to invest $100 million upgrading its payment terminals to support Chip-and-PIN-enabled cards and millions of dollars more in rectification efforts. Subsequently, Target’s losses have continued to mount, and it now faces lawsuits and other enforcement actions as a result of the breach.

Beyond a general need to tighten their defenses, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible, usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply.

Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have less-realized responsibilities. As health plan data often includes payroll and other tax data, employers, there may be specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws. Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, healthcare providers and others involved with the health plan.

In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to breaches. Businesses also should check the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever-vigilant for new requirements, as well as weaknesses in their own practices.

Businesses need to build their defenses in anticipation of breaches both to withstand government and private litigation and enforcement, and the judgment of public opinion.

How Stolen Credit-Card Data Is Used

Reports of high-profile data breaches have been hard to miss over the past year. Most recently, it was a breach involving 56 million customers’ personal and credit card information at Home Depot.

This is just the latest volley in a wave of sophisticated electronic thefts including Target, Neiman Marcus, Michael’s, P.F. Chang’s and Supervalu. Much like in the other attacks, the suspected culprit in the Home Depot data breach is a type of malware called a RAM scraper that effectively steals card data while it’s briefly unencrypted at the point of sale (POS) to authorize a transaction.  Reports of this type of attack have become increasingly common in the months since the Target breach.

Whether the cause is a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, a phishing attack storing customers’ card information insecurely, the result is the same: Credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?

The Basic Process: The journey from initial credit card data theft to fraudulent use of that data to steal goods from other retailers involves multiple layers of transactions. The actual thief taking the card numbers from the victim business’ POS or database doesn’t use it him or herself.

First, a hacker – or a team of them – steals the credit card data electronically. Most of these schemes begin in Russia or other parts of Eastern Europe, and much of what you might call the “carding trade” is centered there.

Next, brokers (also referred to as “re-sellers”) buy the stolen card numbers and related information in bulk and trade them in online carding forums. A hacker may also sell the card data directly to keep more of the profits, though that’s riskier and more time-consuming than using a broker. These exchanges are found on the dark net (aka the dark web). That’s a part of the Internet you won’t find through Google, where all manner of illegal and unsavory things can take place. Online prices vary depending on:

  • The type of card,
  • Credit limit (if known),
  • How much additional data is available (CVV codes from the backs of cards and associated Zip codes make stolen cards more valuable),
  • The card owner’s geographic location (a fake card used in the vicinity of the legitimate card holder is less likely to raise suspicion), and
  • How recently the cards began appearing in the carding forums (which relates to the likelihood of card cancellation).

Prices for the individual cards have come down significantly in the past few years because of the sheer amount of records available, though brokers can still do quite well from bulk sales of card data. Despite being on the dark web, many of the brokers conduct themselves like regular online businesses and will provide replacements or the equivalent of store credit if cards purchased from them don’t work.

The people who buy the card data from the brokers are called “carders.” Once the carders have the stolen card data, there are at least two distinct variations on the scam:

1) Physical, in-store purchases using fake credit cards.

2) Stolen card numbers used to charge pre-paid credit cards that are, in turn, used to purchase store-specific gift cards (which are less suspicious than general gift cards). Purchases are made online.

Variant 1 (“Mystery Shopper”): This variation starts with carders printing up the fake credit cards for use in stores. Once they have the stolen card data, the equipment needed to make the fake cards isn’t that expensive. The carder then usually works with one or more recruiters to find people to use the fake cards (though a carder may do the recruiting himself). The enticement to get people to use the fake cards will generally be in the form of email spam and ads in Craigslist or similar sites offering easy money to be a “mystery shopper” or “secret shopper” as part of a “marketing study” or some other semi-plausible justification.

Not surprisingly, the items purchased tend to have high resale value. After the physical purchases are made, the “mystery shopper” can either send items to the recruiter/carder (generally via a secure drop site like a vacant office) or directly to someone who has “purchased” an item via an auction site in response to a posting from the recruiter/carder. If sent straight to the carder, she then auctions the items directly on eBay, Craigslist or an underground forum on the dark web.

The people who actually make the purchases with the fake cards may have no clue what they’re involved in (though sometimes they’re active participants in the scheme or simply low-level criminals looking to use the cards for themselves). They are effectively the “drug mules” of the credit card scam, taking the most risk and getting paid the least.

You’ve probably seen one step retailers take to try and stop in-person card fraud. On a counterfeit credit card, the numbers on the magnetic strip and the front of the card generally don’t match — it’s too expensive to create individual fakes. Some retailers have their personnel type in the last four digits on the physical card into the register after the card is swiped. If the numbers don’t match, the card is rejected as a fake.

Variant 2 (“Re-shipping”): Rather than making physical cards, in this variation carders use the stolen card data to purchase pre-paid credit cards that are then used to buy store-specific gift cards (Amazon, Best Buy, etc.). As with the “mystery shopper” scheme, recruiters typically use ads and spam emails to entice people, though this time it’s people (especially in the U.S.) seeing “work from home” promises. Sometimes, the recruiters will employ a more personalized approach, even going so far as to start a fake “relationship” with the intended target. Then — wait, there’s more — the gift cards are used to purchase items online, and those items are shipped to the people responding to the ads, spam or “relationship” overtures. That’s where the “work from home” angle comes in.

The people initially receiving the packages directly from an online retailer are called “re-shippers.” People in the U.S. are used because U.S.-based addresses raise fewer red flags with the retailers. Like the “mystery shoppers,” the re-shippers are the drug mules here (and they are sometimes referred to as  “money mules” or “shipping mules”). And, as with the “mystery shopper” scheme, re-shippers can either send items to the recruiter/carder or directly to someone who has “purchased” the item through an auction site.

While this may sound a little convoluted, the shell game-like nature of using one card to buy another and then another makes it more difficult for stores to catch onto this scheme before the purchase has already been made and shipped out.  After that, it’s generally too late.

Data Breaches: Who Has Legal Liability?

Untold millions of people provide personal and private information on the Internet every day to pay their bills, to purchase a product, to post a picture and so on, even though data breaches have become practically a daily occurrence. The problem has focused attention on the lack of security by the companies that use the data, but consumers also need to take some responsibility.

The hacking of Target at the end of 2013 is the best-known of recent data breaches, but hackers know no bounds. Virtually every individual who uses the Internet—no matter who he is or what she does professionally—is at risk for a data breach.

For instance: In May 2014, three desktop computers were stolen from the California office of Bay Area Pain Medical Associates. About 2,780 patients were notified that their personal information was in a spreadsheet that could have been accessed by the thieves.

In March 2014, about 1,700 people in the employee wellness program for Virginia-based Dominion Resources had their personal records accessed by a hacker who gained entry to the systems of a subcontractor, Onsite Health Diagnostics. The personal information of their spouses and domestic partners was also hacked, if they had scheduled a health-screening appointment online.

In Encinitas, a California Public Employees’ Retirement System (CalPERS) payment document containing 615 current and former employees’ personal information—including Social Security numbers—was inadvertently made public on the city’s website from May 18, 2014, to July 3, 2014, and was accessed by 16 unauthorized individuals before the data breach was discovered.

In July 2014, Orangeburg-Calhoun Technical College in South Carolina had to notify 20,000 current and former students and faculty that their personal information—including Social Security numbers—was on a laptop that was stolen on July 7, 2014, from a staffer’s office.

In Texas, from Dec. 28, 2013, until June 20, 2014, the Houstonian Hotel Club & Spa’s payment processing systems were compromised when they were infected with malware. More than 10,000 customers had their payment card data exposed.

In April 2014, Park Hill School District in Missouri learned that before leaving the district an employee downloaded 10,210 current and former staffers’ and students’ personnel and student files that contained their personal information. The former employee made the files accessible to untold numbers on the Internet.

The Department of Managed Health Care (DMHC) discovered on May 16, 2014, that Blue Shield of California inadvertently made public the names, business addresses, business telephone numbers, medical groups, practice areas and Social Security numbers of about 18,000 doctors.

The list could go on and on, but you get the message. Data breaches can occur on any computer system, anywhere and any time.

So, who is ultimately responsible for data breaches? The company holding the data, because of its system’s vulnerability? Or the user/consumer, because we are responsible, through our passwords and PINs, for the security of all data we post? (If you read the privacy policies of the sites you use, the user is responsible.)

The answer is not an easy one.

If your information was hacked through an entity’s online systems, your answer most likely would be the entity, and you might participate in a class action. at least two dozen federal class actions have been filed against Target, alleging it did not adequately protect customer privacy. A class action has been filed against P.F. Chang’s China Bistro for a security breach that involved, according to the complaint, 7 million customers’ credit and debit card payment data stolen from its restaurants’ systems between March and May 2014. (It has been reported that the breach came to light only when a batch of card data was alleged to be up for sale at Rescator, an underground store best-known for selling customer data stolen in the Target breach.)

But is it that simple, that the sole responsibility lies with the entity that was hacked?

What about us, the consumers? Do we need to be part of the answer by accepting that we willingly create those passwords and PIN numbers and that we provide our personal and private information so we can shop on eBay (which just notified 145 million of us that a cyber attack may have compromised customers’ login information and other personal and private information) or pay bills online?

Should it be our responsibility to understand that online systems, or the strips on the back of our credit and debit cards, that store the data we provide are moving targets (no pun intended) for theft?

Saying “yes” would be the first step in the right direction. Everyone, user and organizations alike, is vulnerable, so the responsibility to protect our information lies with us all.

The second step is for each of us to do whatever we can to manage our vulnerability. Such as:

  • Making sure our anti-virus software is current, to prevent scammers from installing viruses on our computers that allow hackers to steal our personal and financial information. When the popular online ticket marketplace Stub Hub suffered a data breach, the hackers did not break directly into Stub Hub’s system; instead, they stole account information directly from the customer by downloading viruses onto each customer’s personal computer, or by collecting the information from data breaches of other websites.
  • Monitoring our bank and credit card accounts every day. If you see charges or withdrawals you did not authorize, contact the bank or credit card company immediately. (The liability is still yours until you report that your information has been compromised.)
  • Make sure your homeowner’s or renter’s insurance policy covers losses because of fraud, because, even if a class action is settled, there may be strings attached to how you can collect your share. For example: Vendini, another company that offers ticketing services to theaters and event venues, settled a class action in 2014 about compromised data. The settlement requires Vendini to pay as much as $3,000 a customer for identify theft losses. But here is the catch—you have to prove that the information used to make you a victim of identity theft actually came from Vendini’s systems.

Here is the bottom line:

The landscape on cybersecurity is shifting rapidly as data breaches are spiking. Congress, regulators and state attorneys general are taking a hard look at how companies, universities and governmental agencies are protecting consumer information from unauthorized access. Hearings have been held and new laws pushed. As a result, organizations are facing critical questions about what their responsibilities are to ensure consumers’ private and personal information is secure and in compliance with old as well as new laws.

But it is also imperative that you, the consumer, understand that you cannot depend on organizations to protect the information you provide to them. Rather, you need to take matters into your own hands and pose critical questions to yourself about how you use your own information online. You need to decide what information you are willing to turn over to be able to pay bills, make purchases or register for social media online.

It is after all, your information and your life. Think about it.

The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete and is not intended to create or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.

Cybersecurity: Five Tips on Disclosure Requirements

With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe — the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next “Target” for a serious cybersecurity incident. Consequences typically include negative publicity, reputational damage that hurts customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations — and falling stock prices. In the wake of its high-profile data breach, Target’s directors and officers were hit on Jan. 29, 2014, with a shareholder derivative action alleging that “Target shares were trading above $63.50 on Dec. 18, 2013, before the news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has suffered considerable damage from breach.”1

In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well-advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that hurts the company’s stock price — or, at a minimum, may mitigate a company’s potential exposure in the event of such litigation.

The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures. Below are five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures:

SEC Disclosure Guidance

By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance,2 which advises companies to review, on a continuing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.3

While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures. 

SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure obligations in response to an April 9, 2013, letter received from Senate Commerce Chairman Jay Rockefeller.4 In his letter, Chairman Rockefeller urged the SEC to “elevate [its] guidance,” noting that “investors deserve to know whether companies are effectively addressing their cybersecurity risks.” In response, Chairwoman White emphasized that “[e]xisting disclosure requirements … impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material” and that “cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations.”5 Chairwoman White also highlighted that cybersecurity risk “is a very important issue that is of increasing concern” and stated that the SEC “continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity.”

In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.6

Although the guidance does not add cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that hurts a company’s stock price.

The Five Tips

The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments issued to approximately 55 companies over the last two years.

1. Perform a cybersecurity risk asssessment. The SEC staff states in its guidance that it expects companies to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents as well as the adequacy of preventive actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware. To facilitate adequate disclosures, companies should consider engaging in a thorough assessment concerning their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company’s business. In addition to positioning the company to provide adequate cybersecurity risk factor disclosures, the undertaking of a risk assessment is consistent with the National Institute of Standards and Technology’s recently released Preliminary Cybersecurity Framework.7 At a high level, it provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices and to identify gaps that should be addressed to progress toward a desired “target” state of cybersecurity risk management.8 Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management.

2. Consider disclosing prior — and potential — breaches. To the extent a company or one of its subsidiaries has suffered a reported or known cybersecurity event, the company should anticipate that the SEC may issue a comment letter if the event is not disclosed. The following comments are typical of what a company might expect to see: 

  • We note that [your subsidiary] announced on its website that a cyber attack occurred during which millions of user accounts were compromised. Please tell us what consideration you gave to including expanded disclosure consistent with the guidance provided by the Division of Corporation Finance's Disclosure Guidance Topic No. 2.
  • We have read several reports of various cyber attacks directed at the company. If, in fact, you have experienced cyber attacks, security breaches or other similar events in the past, please state that fact to provide the proper context for your risk-factor disclosure. 

​Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company’s risk-factor disclosure be expanded to state generally that the company has been the victim of hacking — regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form):

  • We note your response that the incident did not have a material impact on the company’s business. To place the risks described in this risk factor in appropriate context, in future filings please expand this risk factor to disclose that you have experienced cyber attacks and breaches.
  • You state that you have not experienced a material breach of cybersecurity. Your response does not appear to address whether you are experiencing any potential current business risks concerning cybersecurity. For example, despite the fact you believe you have not experienced a material breach of your cybersecurity, are you currently experiencing attacks or threats to your systems? If you have experienced attacks in the past, please expand your risk factor in the future to state that.
  • We note that your response suggests that you have, in fact, experienced third-party breaches of your computer systems that did not have a material adverse effect on the company’s operations. To place the risks described in your current risk factor in appropriate context, in future filings please expand your disclosure to state that you have experienced cyber attacks and breaches.

​In addition, the SEC’s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be affected by a cybersecurity incident — even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures:

  • We note press reports that hotels and resorts are increasingly becoming a target of cyber attacks. Please provide risk -actor disclosure describing the cybersecurity risks that you face. If you have experienced any cyber attacks in the past, please state that fact in the new risk factor to provide the proper context.
  • Given that other companies in your industry have actually encountered such risks from cyber attacks, such as attempts by third parties to gain access to your systems for purposes of acquiring your confidential information or intellectual property, including personally identifiable information that may be in your possession, or to interrupt your systems or otherwise try to cause harm to your business and operations and have disclosed that such risks may be material to their business and operations, please tell us what consideration you gave to including disclosure related to cybersecurity risks or cyber incidents.
  • We note that the incidences of cyber attacks, including upon financial institution or their service providers, have increased over the past year. In future filings, please provide risk-factor disclosure describing the cybersecurity risks that you face. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks to provide the proper context for your risk-factor disclosure.

3. Be specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering and should avoid generic risk-factor disclosure. In addition, the guidance states that companies should provide disclosure tailored to their particular circumstances and avoid generic boilerplate disclosure. Companies that offer generally applicable statements may expect to receive comments such as the following:

  • You state that, “Like other companies, our information technology systems may be vulnerable to a variety of interruptions, as a result of updating our SAP platform or due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers and other security issues.” Please tell us whether any such events relating to your cybersecurity have occurred in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosure.
  • We note that you disclose that you may be vulnerable to breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events. Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosures. 

4. Remember that a vulnerability “road map” is not required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company’s cybersecurity. At the outset of its guidance, the SEC staff states that it is mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts — for example, by providing a “road map” for those who seek to infiltrate a company’s network security — and that disclosures of that nature are not required under the federal securities laws. The SEC guidance later reiterates that the federal securities laws do not require disclosure that itself would compromise a company’s cybersecurity.

5. Consider insurance. Network security alone cannot entirely address the issue of cybersecurity risk; no firewall is unbreachable, and no security system is impenetrable. Insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC’s guidance provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing cyber and data privacy-related insurance products, which can be extremely valuable.9 In the wake of a data breach such as at Target, for example, a solid cyber insurance policy may cover not only liability arising out of potential litigation, such as defense costs, settlements and judgments, but also breach-notification costs and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties. Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage as well as the amount of the company’s cyber liability insurance.

Considering these five tips may assist companies in minimalizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.

1 Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.

2The guidance defines “cybersecurity” as “body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”

3SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

4The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51

5Chairman White’s May 1, 2013 letter is available at http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White. pdf

6While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

7The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.

8Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/

9 Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at http://www.klgates.com/before-becoming-the-next-target–recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/

How Data Breaches Affect More Than Cyberliability

You’ve probably seen the recent headlines about the Target retail chain being hacked, resulting in approximately 40 million customer credit and debit card numbers being stolen by hackers. It would be easy to write another article about the importance of cyberliability insurance, but we’d like to go a step further. While it is true that a breach of this magnitude will be incredibly expensive and could strain the total limit capacity available in the cyber insurance marketplace, other insurance products that could possibly be triggered shouldn’t be ignored.

On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporate Finance published the Cybersecurity Disclosure Guidance. Among other recommendations, the guide contained the SEC’s views on the type and extent of cyberliability risks and exposures that public companies should consider disclosing to investors. The guidance was issued to help investors understand the nature of a company’s cybersecurity risks. In quarterly and annual filings with the SEC, companies disclose risk factors that can have a material impact on their operations. When investors sue a corporation for actions that have harmed the company, and in turn their investments, that is a claim typically addressed by a Directors and Officers (D&O) Liability policy. In certain instances, they also might be covered by a dedicated cyber insurance policy or a Side-A excess policy (or both), to the extent the company has purchased such products, which are separate and distinct from a D&O form.

Like other public companies, Target has sought to abide by the SEC’s cybersecurity disclosure recommendations, most recently including cyber risk as one of 17 risk factors in the MD&A section of its February 2013 10-K:

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.

State attorneys general have already initiated demands for information and protection for state residents. The Connecticut attorney general is asking for two years of credit monitoring and identity theft protection for state residents, along with more details on the breach and security protocols. Not surprisingly, there have been threats of consumer class actions against Target. It will also be interesting to see if shareholders, or more importantly the plaintiffs bar, think that the disclosure of the risk was adequate. Given the size of the breach, it would not be surprising to see any number of such suits filed against Target.

In the meantime, certain banks are advising consumers that the consumer will not be held responsible for fraudulent charges on their credit cards.

If we look back at the 2007 breach at TJ Maxx (TJX), which affected more than 90 million credit cards, we could gain insight into how MasterCard and Visa might respond to the Target breach. They sued TJX and collectively recovered over $60 million. Other banks, such as Fifth Third Bancorp, Amerifirst Bank, Eagle Bank and SaugusBank, also made claims against TJX. Media reports indicate that TJX paid in excess of $250 million to resolve the myriad claims against it as a result of the 2007 breach. We would expect that number includes crisis management expenses, such the costs of forensic analyses, public relations expenses, notification expenses and other remedial costs. It also likely accounts for regulatory fines and penalties from the government, PCI fines paid to credit card companies, damages paid to both credit card companies and banks, cash and merchandise vouchers for harmed customers, and probably even credit monitoring. It would be challenging to quantify the lost revenue from jilted customers who chose to shop elsewhere following the breach, but we suspect it was meaningful.

Impact on Investors

A key question is, can investors still sue if the stock doesn’t have a precipitous drop? The answer is probably yes. Typical allegations in a securities claim allege that: 1) the management misled investors; 2) the truth came out; 3) the stock dropped as a result; and 4) the investors suffered financial loss. The damage valuation might be determined by comparing the price of the stock prior to the date the “truth” came out and the price after it had been disclosed. That’s an oversimplification of a securities claim, but still reflects the typical pattern.  For something like the Target breach, shareholders could argue that Target failed to fully disclose the potential cyber-related problems, lost business opportunities which kept the stock from rising and therefore caused the loss of future gains, mismanaged and failed to properly oversee its cybersecurity protection program, and other assorted alleged improprieties.

Other Claims

Apart from securities-related disclosure lawsuits, a company like Target also will likely be subject to consumer class actions and regulatory actions. Such lawsuits could lead to sizeable settlements, which could have an impact on the stock price and raise investor concerns. Target’s earnings similarly could be impacted by the costs of breach remediation and associated expenses. It also stands to lose significant opportunity costs, to the extent its management and staff becomes distracted by the post-breach activities. Whatever surfaces will require a lot of money spent in legal and forensic bills.

It is well-known that litigation naming a company’s directors and officers can arise from a variety of alleged misdeeds. Like other entrepreneurs, the plaintiffs are always exploring new legal theories to establish liability and recover damages in order to collect higher fees. When that happens, you can bet those defendants will quickly be looking to their D&O policy for assistance. For every cyberliability underwriter expressing relief that they aren’t insuring Target for this breach, there are likely two D&O underwriters concerned about their policy limit – assuming, of course, that Target has a sizeable D&O insurance tower in place.

Companies like Target likely employ a robust cybersecurity program to protect consumers’ personal and financial information.  But breaches aren’t limited to large multinational operations. According to cyberlaw expert Richard J. Bortnick of Christie Pabarue and Young, and publisher of the blog Cyberinquirer.com, small- and medium-sized public companies are just as much at risk, perhaps even more at risk, than companies like Target. “Every company of every size is at risk,” Bortnick said. “And if you think of it logically, small- and medium-sized companies are likely more at risk, and subject to greater residual financial harm, than the bigger firms. And in the cyber realm, that means small- and medium-sized companies that almost certainly have not invested the resources necessary for proper cybersecurity.” According to Bortnick, “regrettably, oftentimes clients call me in after a breach, not before. And on each occasion, I tell them that the cost to remediate a breach can be multiples of what it would have cost if I had been brought in before the breach and been able to work with the company to plan and implement a cost-effective, best practices cybersecurity regime. Not only does this approach discourage or even prevent hackers, it provides a company with a ‘best practices’ defense to a privacy suit and, potentially, to a shareholder lawsuit.”

As mentioned in the introduction of this advisory, the risks facing your clients following a data breach go beyond the obvious cyberliability insurance policy. How a company has prepared for a breach, what steps have been taken to prevent a breach and what plans are in place to deal with a breach are all executive-level decisions. Regardless of the size of the company, a data breach can be a significant threat to the survival of a company. Companies should buy a cyberliability policy to help respond to a data breach and a D&O policy to protect the management and board for their plans and decisions.