SEC charges another company for misleading cybersecurity disclosure

SideBar

In June, the SEC brought charges against First American Financial Corporation for failure to timely disclose a cybersecurity defect.  According to the SEC’s order in that case, in May 2019, the company was advised by a journalist that its software application for sharing document images related to title and escrow transactions had a vulnerability that exposed “over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information.” That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC.  However, as it turns out, the company’s information security personnel had already identified the vulnerability in a report of a manual test of the application about five months earlier, but failed to remediate it in accordance with the company’s policies.  They also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” There were no charges of securities fraud; the company was found only to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars. (See this PubCo post.)

SideBar

What is a hashed password?  According to Wired, it’s a password that has been

“converted into a collection of cryptographic hashes, random-looking strings of characters into which the passwords have been mathematically transformed to prevent them from being misused. This transformation is called hashing. But just what sort of hashing those passwords have undergone can mean the difference between the thieves ending up with scrambled text that takes years to decipher or successfully ‘cracking’ those hashes in days or hours to convert them back to usable passwords, ready to access your sensitive accounts. A hash is designed to act as a ‘one-way function’: A mathematical operation that’s easy to perform, but very difficult to reverse. Like other forms of encryption, it turns readable data into a scrambled cipher. But instead of allowing someone to decrypt that data with a specific key, as typical encryption functions do, hashes aren’t designed to be decrypted. Instead, when you enter your password on a website, it simply performs the same hash again and checks the results against the hash it created of your password when you chose it, verifying the password’s validity without having to store the sensitive password itself.”

SideBar

Problematic hypothetical disclosures have certainly drawn scrutiny—and claims of misleading disclosure—in the last few years, especially in the context of cybersecurity. In In re Alphabet Securities Litigation, a three-judge panel of the 9^th Circuit held that a complaint “plausibly alleged” that the defendants’ decision to omit information about certain cybersecurity defects and vulnerabilities “significantly altered the total mix of information available for decision-making by a reasonable investor” and that scienter—intent to deceive, manipulate or defraud—was adequately alleged. Alphabet’s Forms 10-Q  incorporated the risk factor disclosures from its 2017 Form 10-K and did not update to disclose various significant security vulnerabilities that had been discovered–specifically, a vulnerability in its Google+ social network that had, for three years, left private data of hundreds of thousands of users exposed to third-party developers.  Instead, the company specifically stated that there were “no material changes to our risk factors” since the previous Form 10-K.  Importantly, the Court held that the complaint contained a plausible allegation that Alphabet’s omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, it was alleged in the complaint, the “hypothetical” events had in fact already occurred.  (See this PubCo post.)

And the SEC has also brought actions on the same basis.  In 2018, the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty “to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”  In its Order in that case, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers,” referred to internally as the company’s “crown jewels.” The Order charged that the company’s “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.” In particular, the Order found that the company’s risk disclosure was presented in the hypothetical: its “risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches” that might expose the company to loss and liability “without disclosing that a massive data breach had in fact already occurred.” These risk factor disclosures “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” (See this PubCo post.) 

The SEC has also specifically warned of the dangers of “hypothetical” risk disclosure in the context of stolen data and IP.   CF Disclosure Guidance Topic No. 8, which relates to Intellectual Property and Technology Risks Associated with International Business Operations, provided guidance regarding disclosures that Corp Fin believes companies should consider with respect to intellectual property and technology risks that could arise in connection with international operations, especially in locations where protection of intellectual property may be a bit dicey. The guidance encourages each company to assess these risks and consider their potential impact on its business, financial condition and results of operations, and reputation, stock price and long-term value.  Notably, the guidance expressly states that “where a company’s technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.” (See this PubCo post.)

SideBar

The SEC’s 2018 guidance on cybersecurity disclosure addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. In determining whether disclosure regarding cybersecurity risks and incidents is necessary, “companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations.” But how is “materiality” assessed in the context of cybersecurity? The SEC noted that the Basic v. Levinson probability/magnitude test is still a relevant part of the analysis. The SEC also advised that “materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.”  In that regard, the SEC noted that compromised information “might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.” Materiality “also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.”   (For more information about the SEC guidance, see this PubCo post and this Cooley Alert.)

It’s worth noting here that prominently featured on the SEC’s Spring 2021 Reg-Flex Agenda are proposed rules regarding cybersecurity risk governance disclosure. Given the recent consternation over hacks and ransomware, it should come as no surprise that the SEC may propose rule amendments to enhance issuer disclosures regarding cybersecurity risk governance. The agenda identifies October 2021 as the target date for issuance of a proposal. (See this PubCo post.)