In a front-page, above-the-fold article on Saturday, January 18, 2014 — that is, more than a month after Target first learned from the Secret Service that the company had been the subject of a massive cyber security hack – the New York Times reported that the company was vulnerable to the cyber attack because its systems were “astonishingly open – lacking the virtual walls and motion detectors found in secure networks like many banks’.”
The Times article is merely the latest part of a massive wave of negative publicity that has surrounded the company since it first announced the cyber attack a month ago. The Times article portrays the company as still struggling desperately just to get a handle on what happened and to try to start to repair the damage.
The recent events at Target underscore the damaging impact that a cyber breach can have on a company, its customers, and its business partners. As the situation unfolds, many lessons undoubtedly will be drawn from this incident. Among many other things, the recent events at Target will provide an opportunity to consider public company disclosure practices regarding privacy, network security and cyber vulnerability.
As my good friend Lauri Floresca of Woodruff Sawyer noted in a January 13, 2014 post on her firm’s Cyber Liability Blog (here), the Target cyber breach will serve as a “significant test case” for assessing the SEC’s disclosure guidance – both with respect to Target’s disclosures prior to the incident and also with respect to its future disclosures, as its grapples with the consequences of the breach. A January 16, 2014 memo from the Akin Gump law firm entitled ‘Cybersecurity Update: Are Data Breach Disclosure Requirements on Target?” (here) raises many of these same issues.
Readers will recall that in October 2011, the SEC issued guidance on cyber liability disclosure, as discussed here. Among other things, the Guidance suggested that appropriate risk factor disclosures might include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
As Floresca points out, in its most recent SEC filing on Form 10-K, dated March 20, 2013 (here), Target identified certain cyber liability concerns among the company’s risk factors. The company’s risk factors included the following:
If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.
The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.
…….
A significant disruption in our computer systems could adversely affect our operations.
We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.
It is interesting to consider these disclosures in light of the events since the company has announced that nearly 40 million payment card records and encrypted PINs and nearly 70 million records containing customers’ information have been compromised.
As I noted above, since it first disclosed the breach, the company has been subjected to a massive barrage of negative publicity. According to the Times article, the company has had to form and populate a huge team of “hundreds of employees” to try to understand the breach and to communicate with their clientele and business partners about what has happened. The company’s already damaged reputation has taken further hits as the company has been forced to reveal further information about more comprehensive breaches beyond those initially disclosed.
Message boards and social networking sites are full of vituperative messages from angry customers upset that their private information has been lost. The company has been hit with nearly 70 class action lawsuits filed on behalf of consumers and others. The company’s CEO has issued an apology and he and other senor managers have been compelled to respond to a steady stream of media requests. The firm has also seen a revenue downturn as current and prospective customers have steered away from the company’s stores out of privacy and security concerns. The Times article quotes one sources as saying that the “total damage to banks and retailers” resulting from the Target network security breach “could exceed $18 bilion.”
Hindsight is always 20-20, but in light of the magnitude of the crisis that the cyber breach has caused the company, it seems fair to ask whether or not the company’s risk factors fully captured the magnitude of the risks that a cyber incident posed for the company. As Floresca notes in her blog post, among the questions that may be asked is whether Target’s disclosures sufficiently disclosed the “probability of cyber incidents occurring” and the “quantitative and qualitative magnitude of those risks.” To be sure, it could be argued that no one could have envisioned a breach of this magnitude. But now that the Target breach has happened, the disclosure practices that may have seemed sufficient in the past may no longer suffice.
As the Akin Gump memo stated in the memo to which I linked above, “issuers should consider whether or not their current risk factor disclosures, as well as their ‘forward-looking statements’ language, are adequate in light of these high-profile cybersecurity incidents.” In particular, the memo notes that “in light of these high-profile cyber attacks, companies may want to take a fresh look at the SEC’s 2011 Disclosure Guidance to determine if their current risk factor disclosures should be supplemented to identify risks as technology evolves and more incidents occurs,” adding that the company should discuss its risks “in a way that avoids boilerplate language and statements of general risk applicable to all users of information technology.”
Even before the latest cyber security breaches, the SEC had already made it clear that corporate disclosure of cyber-security related risks is a priority for the agency. In light of the magnitude and high-profile nature of the Target incident, it seems probable that the agency’s focus on cyber security risks will be even higher profile. How that may translate into action remains to be seen, but it does seem likely that the company will select a company to use as an example in order to communicate its concerns about cyber disclosure issues.
As noted above, Target has already been hit with a host of lawsuits related to the recent network breach. To my knowledge, so far these lawsuits do not include a directors and officers’ liability lawsuit. Whether or not Target is hit with a D&O lawsuit, the possibility of an incident like this resulting in a D&O lawsuit seems obvious, at least to me. There have of course been D&O lawsuits in the past following cyber breaches, most notably in connection with Heartland Financial’s cyber breach. As norms about cyber disclosure evolve, and as expectations in connection with cyber disclosure change, it seems probable that the likelihood of a securities lawsuit alleging misrepresentations or omissions in connection with cyber disclosure will increase.
The recent events at Target have been hugely disruptive for the company, which presents object lessons for the many other companies. The most obvious companies to whom these lessons apply are other retail businesses. However, it would be a mistake to assume that the lessons only apply to other retail businesses. There are lessons for any enterprise here. While it is true that the hackers involved in the Target breach were targeting credit card information, other hackers may have other motivations. Other hacker groups may be more interested in intellectual property (such as proprietary technology) or corporate strategy.
The lesson from the Target breach is not that companies with credit card information are vulnerable. It is that the world is a dangerous place and that skilled and motivated hackers will target vulnerable companies. While some hackers are focused on consumer credit card information, companies that do not possess this type of information cannot assume they are immune from this type of attack.
The really disturbing thing to me about this story is that Target itself was unaware of the breach and only earned about it after being told by the Secret Service. This is obviously an extreme example, but I think many companies have a false sense of security when it comes to their exposure to a cyber breach. I think may companies would do well to consider what has happened to Target and to think about what it might mean for their enterprise if it were to be subjected to a cyber breach of the same level of sophistication and pervasiveness.