On July 7, 2016, Judge Paul A. Magnuson of the United States District Court for the District of Minnesota granted Defendants’ Motions to Dismiss a shareholder class action that had been initiated following a 2013 holiday season data breach involving customers of Target Corporation (“Target,” or “the Company”). The data breach, which resulted in the release of information of approximately 70 million consumer credit and debit cards, made headlines as one of the biggest privacy hacks at the time. Initially disclosed to the public in December 2013, with an estimated 40 million credit and debit cards affected, Target subsequently revealed a little less than a month later that additional consumer data, including customers’ names, mailing addresses, phone numbers and email addresses, were also stolen, and increased its initial estimate to 110 million.
The leaders of the Securities and Exchange Commission (“SEC” or “Commission”) addressed the public on February 19-20 at the annual SEC Speaks conference in Washington, D.C. The presentations covered an array of topics, but common themes included the Commission’s ongoing effort to carry out the rulemaking agenda set forth in the Dodd-Frank Wall Street Reform and Consumer Protection Act, its increasing focus on cyber issues including its use of new technology to surveil and root out harmful practices in the modern and increasingly-complex market, and its continued focus on the conduct of gatekeepers. From a litigation and enforcement perspective, key takeaways from the conference include the following:
SEC Chair Mary Jo White began her remarks by touting the “unprecedented number of enforcement cases” brought by the Commission in 2015, which produced “an all-time high for orders directing the payment of penalties and disgorgement”—a trend that she stressed would continue in 2016. READ MORE
On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme. According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information. In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action. The SEC’s enforcement action may be a harbinger of events to come. As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.
Cloud computing may be the next shoe to drop. On the heels of Mary Jo White’s recent appointment as Chairman of the SEC and predictions that it may refocus enforcement on accounting fraud came word last week that the Commission is investigating IBM’s cloud-computing accounting. In an SEC filing, IBM defended its revenue accounting for cloud-based services, stating “[w]e are confident that the information we have provided has been consistently accurate.”
This may just be the tip of the iceberg for an industry estimated by some analysts to generate global revenues of $131 billion this year, 60% of which originate in the United States.
Cloud computing has no single definition but one basic expression would be the practice of storing and accessing information on servers accessed through the Internet. There are many cloud-computing business models, including Infrastructure as a Service (“IaaS”), in which customers access computing power, such as servers, through physical equipment owned by the provider; Platform as a Service (“PaaS”), in which customers use a provider’s computing environment—including operating systems, programming languages, and databases—to create applications remotely; and Software as a Service (“SaaS”), services that allows users to operate software remotely. Google Documents and the e-Discovery platform Relativity are just two cloud-based services that readers may be familiar with. READ MORE
Several weeks ago we asked whether directors of public companies face potential liability for not preventing cyber attacks. But what about liability for other acts of oversight? Can directors be held personally liable for money damages when they have done nothing affirmatively wrong?
Generally, the answer is no. Many states, like Delaware, allow corporate charters to include provisions that protect directors (and sometimes officers) from money damages for certain breaches of fiduciary duty. Acts that are not protected include breaches of the duty of loyalty, intentional misconduct, knowing violations of the law or receiving an improper personal benefit. But where plaintiffs seek money damages for breaches of the duty of care, exculpatory provisions in corporate charters typically provide directors a defense to the claims.
Practically speaking, these provisions protect directors against claims of negligence, and some courts have held the provisions even go so far as to protect against “reckless indifference.” The protection stops, however, when a director consciously disregards his or her duties. For example, and with reference to the earlier discussion on cyber attacks, an exculpatory provision might not shield a director from money damages where (i) a damaging cyber attack occurred, and (ii) it could be proven that the director exhibited a “sustained or systematic failure to exercise reasonable oversight” over the company’s cybersecurity, such that it evidenced the director’s conscious disregard of cybersecurity. READ MORE
In the past weeks, we’ve reported that while most companies are properly disclosing their exposure to cybersecurity threats, the increasing occurrence and severity of cyber attacks has the SEC considering even more stringent cybersecurity disclosure requirements. Now, another study reports that while 38% of Fortune 500 companies have disclosed that a potential cyber event would “adversely” impact their business, only six percent of those companies purchase cyber security insurance.
What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?
In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty. READ MORE
Hackers aren’t the only ones after company information. Earlier this week, Wills Fortune 500, a unit of Wills Group Holdings, a global insurance broker providing insurance and risk management services, made available its own report tracking the response by Fortune 500 companies to the SEC’s October 2011 guidelines for cybersecurity disclosures. The report’s key findings include that, as of April 2013, 85% of Fortune 500 companies were following the SEC guidelines and providing some level of disclosure of cyber exposures. However, close to 40% of the companies failed to provide details on the size of their exposure, stating only that the risk would have an impact on the company without further discussing the extent of the impact. As such, the report concluded that the question whether company disclosures rise to the level mandated by the SEC is debatable, given the paucity of information regarding the probability of incidents and their quantitative and qualitative magnitude.
In light of the findings of the Willis Fortune 500 report, it’s not surprising that SEC Chairman Mary Jo White had previously asked the Commission to evaluate compliance with current guidelines for cybersecurity disclosures, assemble a report on the general practice and compliance with the existing guidelines, and make recommendations for further guidance.
Following up on clues earlier this year that the SEC may increase its scrutiny of cybersecurity disclosures, SEC Chairman Mary Jo White has asked the Commission to evaluate current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary. White asked the Commission to assemble a report on general practice and compliance with existing guidelines, and to make recommendations for future guidance. White did not yet commit to changes to the current guidelines, issued in October 2011, pending issuance of the report.
Senator Jay Rockefeller, who disclosed the Chairman’s directive, has recently encouraged the SEC to provide further guidance on cybersecurity disclosures. He has already sponsored legislation in this arena, including the Cybersecurity Act of 2012, which would have pushed the private sector to share internal information within the industry and with government agencies. The proposed legislation in 2012 would have also encouraged the enactment of protective measures for computer networks. Senator Rockefeller has expressed concern about the lack of information regarding cybersecurity risks, and appears poised to push for additional disclosures. READ MORE
Cybersecurity may be the SEC’s newest area for enforcement actions. While the SEC first released Disclosure Guidance concerning cybersecurity in 2011, the recent media attention surrounding significant cybersecurity breaches at a number of U.S. companies may cause the SEC to renew interest in the issue, and may result in enforcement actions, as well as shareholder class actions and derivative lawsuits. Companies that fail to disclose cybersecurity events in their public filings may find themselves on the wrong end of an SEC investigation and enforcement action.
Companies may also see an increase in class actions where there is a significant stock drop following disclosure of a cybersecurity breach—however, to date, there is little evidence to suggest the market reacts in a negative way following disclosure of a cybersecurity breach, leaving questions about whether plaintiffs could prove materiality and causation in a securities fraud case. Finally, increased focus on cybersecurity disclosures may result in an increase in shareholder derivative actions against officers and directors, with shareholders alleging that the company breached their fiduciary duties by failing to ensure adequate security measures. READ MORE