Investors and corporations alike have become increasingly concerned about the dramatic uptick in widespread data breaches.
“We’ve been hacked!”
The cry is increasingly heard in the board rooms and C-suites of even major tech-savvy corporations. The non-profit Identity Theft Resource Center recorded 5,754 data breaches between 2005 and 2015, which compromised more than 856 million records. And while the directors and executives have seen many kinds of harm flow from cybersecurity breaches – loss of trade secrets, consumer class actions, shareholder derivative litigation – thus far, securities fraud class action settlements have been relatively uncommon. That may be about to change.
As of 2016, it is beyond dispute that cybersecurity must be a significant part of any publicly traded company’s risk management strategy. Many factors have raised the profile of cybersecurity risk, such as companies centralizing operational data in enterprise management systems like those of Oracle and SAP and customers’ data becoming an asset in and of itself. These trends, along with specific legislation such as HIPAA (the Health Insurance Portability and Accountability Act of 1996), have made companies not only their clients’ and suppliers’ business partners but also the stewards of their data.
In general, though, failing in this capacity to prevent even very large breaches does not often give rise to claims under the Securities Exchange Act of 1934 (the “Exchange Act”). The reason lies in the pleading burden for plaintiffs under the federal securities laws.
To trigger Exchange Act liability, a plaintiff must demonstrate a number of elements: a material false statement or omission in connection with the purchase or sale of securities, made with scienter, on which investors relied, and the correction of which caused economic losses. Each presents plaintiffs with hurdles they must overcome.
Economic Loss & Causation
The most common – and perhaps most obvious – impediment to Exchange Act class actions is that the disclosures of even some of the worst data breaches have not been accompanied by the sharp share price declines that one might expect. Without a prompt and significant market reaction, investors will find it almost impossible to demonstrate the requisite economic harm.
This somewhat counter-intuitive phenomenon, however, is actually a function of rather mundane market forces. The economic losses that companies can be expected to suffer from data breaches have largely been perceived by the markets in terms of resolving consumer claims and the costs of improving security systems. In fact, in one recent industry survey of 750 companies by data security firm CyberArk, approximately one of five respondent companies did not include regulatory fines or legal fees when estimating the cost of a breach. Although these expenses may in the end be material, they have not been viewed as presenting either a sufficient one-time injury or the type of long-term change in profitability to depress stock values.
The risks in this area, however, are evolving. The increasing importance that client and partner relationships attach to information security is making investors ever more sensitive to a company’s ability to prevent, detect, and mitigate infiltration. For many public companies whose revenues come from one or a handful of clients, such as governments and their contractors, these prime customers are growing more demanding when it comes to the protection of their proprietary information. In the wake of a major data breach, the loss of these key relationships is exactly the type of damage to a company’s business model that can force a wholesale revaluation of share prices.
Consequently, the harm to investors may not be inflicted immediately upon the announcement of a data breach, but rather the losses may occur in connection with the later disclosure of loss of customers, weak earnings, or sharply reduced guidance. These types of company updates are what equity analysts and investors are traditionally attuned to, and when these metrics go sour, the news is commonly met with prompt negative stock reactions. If investors can link these developments and results to the earlier cybersecurity breach, this can give rise to a powerful Exchange Act claim if management was not sufficiently forthcoming about the scope and harm.
False Statements & Omissions
Of equal importance is a plaintiff’s ability to identify a false statement or actionable omission on the part of the company. Traditionally, this element has also presented a stumbling block in the context of cybersecurity failures, but here too, we see the potential for change as the understanding of what disclosures are required matures.
In 2011, the Securities and Exchange Commission issued guidance specifically addressing how existing disclosure requirements apply to cybersecurity risks, breaches, and effects. Although the SEC did not announce any new rules, the agency reaffirmed that existing reporting obligations offer the same protections for investors regarding data breach risks and events as with any other corporate development. Consequently, companies must be sure to “disclos[e] timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”
In practice, this means that an Exchange Act plaintiff needs to establish that a company had a duty to disclose some fact about a data breach and failed to do so or that some statement about a data breach was misleading. These statements will inevitably pertain to one of two categories: risk disclosures prior to a breach, and post-breach disclosures regarding the scope, severity, remediation progress, and effects.
- Cybersecurity Risks
Before any data breach occurs, a reporting company should be periodically assessing whether risks of a breach merit discussion as a risk factor, and if a risk factor disclosure is appropriate, the company must provide a meaningful discussion. This would be particularly relevant where the company’s value depends upon intellectual property susceptible to a cyber attack, such as a trade secret or proprietary software code.
Of greater concern for the evolution of Exchange Act claims based on cybersecurity risk disclosures is a company’s discussion of its key business relationships – most commonly clients but also suppliers and service partners. Public companies regularly disclose key relationships based on revenue, volume, or other operational metrics. However, such disclosures are less frequently paired with a discussion of the extent to which relationships include heightened contractual assurances that data be protected. To the extent that the relationship implicates a substantial amount of revenue or is otherwise material, a strong argument may be made in favor of an affirmative obligation to disclose such a risk.
- Cybersecurity Incidents and Effects
Whereas risk factors may be drafted in a considered manner, once a company has realized it is the victim of an attack, the natural confluence of a desire to reassure markets and the brief amount of time available to formulate responses means that companies with weak internal controls and questionable cultures are less likely to comply with disclosure requirements properly. The SEC’s 2011 guidance indicates that if a cyber incident “materially affect[s] a registrant’s products, services, relationships with customers or suppliers, or competitive conditions,” the incident should be disclosed.
Once a company determines that a data breach is material, this determination triggers the requirement to provide more than a simple passing mention of the occurrence itself. As the SEC has made clear, investors are entitled to more detailed discussions by management regarding the effects of the breach on the company based on a segment-by-segment analysis, and reasonably likely projected effects on revenues, costs, and litigation. These requirements, however, commonly meet countervailing pressure on managers to simultaneously minimize the gravity of the incident, present the company as in control of the situation, and downplay the future effects on the company.
Case Study: Wong v. Accretive Health, Inc., No. 12-cv-03102 (N.D. Ill.)
Accretive Health, Inc. is a hospital revenue cycle management company, contracting to provide finance services to hospitals including patient registration and insurance verification, billing, and collections. In its normal course of business, Accretive Health had access to thousands of patient medical records and other confidential data.
Despite assuring its business partners, regulators, and investors that all client data on Accretive Health’s computers was encrypted, a laptop computer with unencrypted patient data was stolen from an employee’s vehicle. Accretive Health failed to inform investors and the resulting investigation revealed nine laptop thefts in 2011 and at least 30 company laptops that lacked required encryption.
Accretive Health’s data security problems were revealed in a series of disclosures, including the loss of clients, an investigation and settlement with the Federal Trade Commission, and a suit brought by the Minnesota Attorney General that claimed Accretive Health’s lax data security was part of an array of illegal business practices.
Accretive Health reached a settlement in this action in 2013, paying $14 million to investors in addition to millions in regulatory fines. The company’s stock has lost more than 90 percent of its value, has been delisted, and currently trades in the over-the-counter market.
While major fraud cases springing from data breaches are still relatively uncommon, there is well-developed case law relating to disclosure obligations in such circumstances. A useful analogous “leak” of a different type was experienced by BP plc in the wake of that company’s Deepwater Horizon offshore oil drilling rig explosion and spill into the Gulf of Mexico in 2011. While BP had offered investors a well-developed discussion of the possible risks associated with its offshore oil-drilling business, in the days following the realization of this risk, BP abjectly failed to properly apprise the market of what the company knew (or at least believed) to be the actual nature and scope of the harm.
Despite internal BP estimates of extremely high crude oil flow rates into the Gulf from the disabled rig’s wellhead – and the concomitant high estimates of environmental damage and clean-up costs – BP continually assured the public that it believed the flow rate to be one tenth of its non-public figures. Ultimately, BP was forced to pay $175 million to settle investor class action claims, and still faces certain non-class investor claims. Just as BP was required to offer accurate information regarding the state and effects of the leak, companies that are victims of cyber attacks will be required to do the same.
Given that whether a cybersecurity breach is material to a company is such a crucial determination for the balance of the reporting requirements, much depends upon management to make an unbiased, fact-specific assessment of any such event. In its 2011 guidance, the SEC reminded companies that
Information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.
Competing assessments of materiality by managers and the investing public can be sharply polarizing, with shareholders commonly expressing concern that company brass is not being sufficiently forthcoming.
Recently, Yahoo! Inc. revealed that the company had suffered a massive data breach in 2014, affecting an estimated 500 million user accounts. While no securities fraud class action has been filed at the time of this piece, on September 26, 2016, Senator Mark Warner (D-Va), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus, sent a letter to SEC Chair Mary Jo White requesting that her agency launch an investigation into Yahoo’s complete failure to disclose the data breach, which in some instances compromised users’ unencrypted passwords and security question-response pairs.
Senator Warner pointed out that Yahoo!, in connection with its on-going negotiations to sell off its internet business, had filed a preliminary proxy statement with the SEC in which Yahoo! assured investors that “to the knowledge of [Yahoo!], there have not been any incidents of . . . Security Breaches.” The Senator’s letter went on to highlight the apparent material nature of the event, indicating that heightened regulatory scrutiny appears to be in the offing for Yahoo!, if nothing worse.
Further supporting Senator Warner’s view that the breach was material was Yahoo!’s own internal conclusion that, based on its investigation, the breach was the result of a state-sponsored attack. The fact that Yahoo! appears to have known not only that it was the target of a highly sophisticated hacking operation but also that the company had been compromised has clearly raised concerns. At least in hindsight, Yahoo! may have difficulty convincing the public that a reasonable investor would not consider such an incident important when making an investment
Because we rely on a body of judicial decision and regulatory actions to guide corporate conduct regarding disclosures generally and securities fraud risk management in particular, the emergence of new fact patterns will always engender a certain period of unsettled responses.
However, increasing familiarity with the application of the SEC’s 2011 guidance and the growing number of incidents can be expected to raise the level that investors and regulators expect public companies to operate at when dealing with cybersecurity risks, breaches, and effects. As both investors and managers internalize past lessons regarding the fall-out from these events and develop an understanding of what types of protections and responses are expected, questions that once surrounded issues of materiality, required disclosures, and valuations will become better settled.