Cybersecurity has been a hot button issue for quite a while, but the U.S. Department of Justice ratcheted things up last week when it announced the indictment of five Chinese military officers for hacking into U.S. companies’ computers to steal trade secrets and other sensitive business information. U.S. prosecutors clearly believe the intrusions were serious enough to warrant an action that risked causing diplomatic tensions with China. However, as serious as these state-sponsored cyber incidents are alleged to be, the three public companies involved had not previously disclosed the breaches. These circumstances raise interesting questions about the current state of cyber security disclosure practices.
First, the background. On Monday May 19, 2014, the Department of Justice announced the indictment of five officers of Unit 61398 of the Chinese People’s Liberation Army in Shanghai. The five defendants are alleged to have hacked into six American entities to steal trade secrets that would be useful to Chinese companies. The six entities include five U.S. companies and a labor union.
In the 45-page indictment (which was filed in the Western District of Pennsylvania and which can be found here), the defendants are variously charged with thirty-one criminal counts, including conspiring to commit computer fraud; accessing a protected computer without authorization; transmitting a program, information code or command with intent to cause damage to a protected computer; aggravated identity theft; economic espionage; and trade secret theft.
In a May 19, 2014 statement released when the indictment was announced, Attorney General Eric Holder said that “the range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.” He also said that the Administration “will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of free markets.” This case, Holder said, “should serve as a wake-up call to the seriousness of the ongoing cyberthreat.”
In other words, this is very serious stuff. Serious enough, in fact, that the Administration was willing to risk damaging diplomatic relations with China by filing the indictment. And it is clear that China is not happy at all about the indictment. A Wall Street Journal May 20, 2014 article about the indictment quotes a spokesperson from the Chinese Foreign Ministry as saying that the indictment “grossly violates the basic norms governing international relations and jeopardizes China-U.S. cooperation and mutual trust.”
So here’s the situation – the U.S. government thinks the cyber attacks were serious enough to risk making an international incident out of it. But as serious as these breaches clearly were, the publicly traded companies involved chose not to disclose the incidents to their investors.
As discussed in a May 21, 2014 Bloomberg article entitled “U.S. Companies Hacked by Chinese Didn’t Tell Investors” (here), the breaches that the Attorney General described as “significant” and as “undermining the integrity of fair competition,” and that were serious enough to imperil international relations, nonetheless apparently were not sufficiently “material” for the companies involved to disclose the incidents to their shareholders. The article quotes a representative of Alcoa as saying “to our knowledge, no material information was compromised during this incident which occurred several years ago.”
As the Bloomberg article notes, there are no explicit instructions from the SEC on how cyber breaches must be disclosed. The SEC has issued cyber security disclosure guidelines, but these guidelines allow companies a great deal of judgment on what must be disclosed. As I discussed in an earlier blog post (here), since the guidelines have been in place, very few companies (less than 1% of the Fortune 1000) have disclosed that they had in fact been the subject of an actual cyber event.
As the Bloomberg article puts it, companies generally have been “slow to inform the public about cyber-attacks and the loss of customer data.” But as one commentator quoted in the article says, “the question is would an investor have cared if Chinese hackers broke into a company and were messing around the place?”
Public companies clearly are reluctant to disclose cyber security breaches and other issues. For now, there seems to be little incentive for companies to be more forthcoming. Current practices seem unlikely to change unless the SEC takes greater initiative. The Bloomberg article quotes a former SEC official as saying “What it would take is an enforcement action against someone prominent. Until then you are going to continue to see the same approach taken by companies.”
I have no way of knowing for sure what the SEC will do, but I suspect that sooner or later we will see an SEC enforcement action on cyber security disclosure issues. And whether or not the SEC takes the enforcement initiative, we are certainly going to hear more about data breach disclosure issues in the form of shareholder lawsuits. It is worth noting in that regard that both of the two recent shareholder suits involving high profile cyber breaches – the one filed in January 2014 against Target and its executives and the one filed earlier this year against Wyndham executives – contained allegations in which the shareholder plaintiffs asserted, among other things, that the companies’ disclosures about their respective breach incidents had been inadequate.
In addition to shareholder derivative litigation, we may also see securities class action litigation against reporting companies over alleged misrepresentations and omissions about data breaches, as Doug Greene predicts in an interesting May 20, 2014 post on his D&O Discourse blog (here). Among other things, Greene says that the “advent of securities class actions following cybersecurity breaches” is “inevitable.”
Time will tell whether or not cyber-related securities class action lawsuits become a significant phenomenon. One reason that we may not see a significant number of cyber breach-related securities suits is that, in general, the securities markets have not proven to be particularly sensitive to a company’s disclosure that it has been hit with a data breach. A May 23, 2014 Bloomberg article entitled “Investors Couldn’t Care Less About Data Breaches” (here), discussing a recent data breach at eBay, states that the trend among companies that have suffered cyber attacks is that “the stock market practically ignores them.” (Which, I suppose, arguably supports the conclusion of the companies that were the victims of the Chinese military hacks that the incidents were not “material.”)
It may be, as Greene suggests in his blog post, that stock price drops following the disclosure of a data breach are “inevitable.” However, in the absence of a significant stock price drop to point to, plaintiffs will have little incentive to file securities class action lawsuits. Unless and until a company’s announcement of a data breach causes the company’s share price to drop significantly, it seems likelier that the shareholder claimants will pursue derivative lawsuits, of the kind filed against Target and Wyndham.
In the meantime, there may be more to come from U.S. prosecutors on the topic of state-sponsored hacking. According to the Journal article about the Chinese military officers’ indictment, “other cases relating to China are being prepared,” and in addition “alleged hackers in Russia are likely to be targeted soon.” In other words, the U.S. government is preparing to ratchet things up even further.