As previously discussed on this blog (refer for example here), over the years there have been a number of different responses from the federal government to the threat of cyberattacks on U.S. companies and infrastructure, but overall the government’s track record on the issue is mixed. However, according to a January 12, 2015 Wall Street Journal article entitled “White House Aims to Harden Cyberattack Defense” (here), the White House is about to try again to address the issue, through new legislative proposals to be announced this week and in the President’s upcoming State of the Union address, and through an executive order to be introduced later this year. These initiatives arise as Department of Homeland Security data show that the number of cyber incidents reported to the agency has more than doubled in two years.
In a January 12, 2015 speech at the Federal Trade Commission, President Obama previewed a number of the initiatives he will be detailing in the State of the Union address, as discussed further below. According to the Journal, the White House’s proposals overall will focus on improving company disclosures around cyber breach events and on “improving how threats are shared between the U.S. government and companies.” The Journal article notes that “Sharing information [has] long been a thorny project given that companies are reluctant to share details of breaches and government agencies want to keep their own intelligence closely by.”
The Journal article also details statistical information from the Department of Homeland Security showing that the number of cyber incidents reported to the agency during the 2013 fiscal year (which ended September 30, 2013) more than doubled compared to the number of reports during the 2011 fiscal year. A graphic accompanying the article shows that in fiscal 2014 there were 228,700 cyber incidents reported to the agency, compared to just over 100,000 in the 2011 fiscal year. A note to the graphic comments that the statistics reflect cyber intrusions targeting government agencies, companies, organizations, and individuals in the U.S., and adds the further comment that “the actual number could be higher.”
In his January 12 speech at the Federal Trade Commission (here), President Obama announced his introduction of the Personal Data Notification & Protection Act, in order to implement nationwide, uniform consumer data breach notification rules. (Right now, there are 47 different state laws that govern data breach notifications.) As the President described the legislation in his speech, “under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.”
The President’s speech also announced the White House’s introduction of the Student Digital Privacy Act, which is meant to stop the sale of sensitive student data for non-education purposes, as well as his support for a Consumer Privacy Bill of Rights. As discussed in a January 12, 2015 CNN article (here), the President’s forthcoming State of the Union address (which he will deliver to Congress on January 20, 2015) will include greater detail on the initiatives he introduced in his speech at the FTC.
The Department of Homeland Security data, while perhaps understating the issue, confirm a sense that I think most of us have about this issue, which is that it is quickly growing worse. It is hard to tell from the publicly available information, but the White House’s disclosure-related approach to cyber security issues may be restricted to the consumer data breach notification questions. In any event, it is not a surprise that the White House has chosen to focus on disclosure-related issues. Indeed, a disclosure focus has been among the principal responses of a number of federal agencies that have already tried to grapple with the issue.
Certainly that was among the approaches that the SEC took when it issued guidance on cyber security-related issues. On October 12, 2011, the SEC issued guidance regarding the disclosure obligations of public companies relating to cyber security risks and cyber incidents. The focus of this guidance was on whether information concerning cyber security and cyber incidents rose to the level of a disclosure obligation, either as a risk factor under Regulation S-K Item 503(c) or in the MD&A section of a company’s mandatory SEC disclosure.
The focus of the SEC’s guidance was the question that companies are to ask themselves with respect to cyber security issues – that is, whether the “costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition.” If this question is answered in the affirmative, then, the agency’s guidance specifies, there are a number of specific categories of information that the company might address. The discussion of these issues might include the following:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.
As I discussed in another post (here), these disclosure issues have proven to be an area of focus for the SEC’s Division of Corporation Finance. Just the same, as discussed here, a study based on a review of actual disclosures in companies’ periodic filings shows that very few companies are actually including disclosures in their periodic reports about cyber incidents at the companies. The small number of companies including this information represents “a seemingly low number given the number of attacks that appear in the press on a regular basis.” The report notes further that none of the companies that disclosed actual attacks included the associated cost, even though the SEC’s guidance requests the dollar costs of the attacks that have occurred.
It is possible that the White House’s disclosure-related approach to these issues will be limited to the consumer data breach notification requirements, and will not extend or relate to the requirements for breach notifications to investors. However, even if the White House does not go in that direction, I think there will continue to be pressure on these issues, from the SEC as well as from investors themselves.
I also continue to believe that at some point, perhaps in the near future given the administration’s focus on cyber security issues, the SEC or another enforcement agency will seize upon developments at a particular company as a test case in order to make an example. Among the many downsides to this approach, if it were to be put into action, is that the enforcement action could look a lot like kicking a company when it is down or blaming the victim for its misfortune. In any event, it is clear that cyber security-related disclosure issues will remain a key focus in the months ahead and are likely to continue to be a source of scrutiny and challenge for companies as they seek to grapple with cyber security concerns.