Why Your Company’s Cyber Breach Isn’t Currently a Bad Thing

Article | 105 KY. L. J. ONLINE 1 | November 14, 2016

Devon Paige Cobb[1]

Introduction

“[T]here are only two types of companies: those that have been breached and those that don’t know they have.”[2] Despite the frequency of these hacks, the stigma associated with cybersecurity breaches of business and customer information is a harsh one. That stigma is imposed before the financial hits are measured, the average cost of which can be as much as $25 per exposed record.[3] Target alone reported a net $17 million in breach-related costs as well as $44 million in insurance payments.[4] While those numbers are substantial, these hacks can cost companies even more in intangibles, such as the decline in a company’s reputation,[5] loss of customer goodwill,[6] and liability flowing from either class action lawsuits by customers whose information has been breached or shareholders’ derivative actions.[7]

Cyber breaches of consumer information have plagued the private financial and healthcare sectors for years now, but only recently, in the wake of such scandals as Ashley Madison[8] and big business letdowns like Target,[9] have these leaks focused society’s attention on the public sector.[10] The Securities Exchange Commission (SEC) has been slow to regulate disclosure of cybersecurity breaches for publicly traded companies. Only in 2011 did it publish guidelines that require publicly traded companies to disclose material cyber attacks, threats of loss, and actual losses.[11] And although the SEC met again in 2014 in a roundtable discussion,[12] it still has failed to mandate a specific timeline for publicly traded companies to follow in making their breach disclosures to the public.[13]

So can a cyber breach ever be a good thing for the company? Because there have not been specific regulations from the SEC, companies are free to take their time and consider only their own interests in making breach disclosures to the public; companies may even spin the breach as immaterial to avoid disclosure completely.[14] Without explicit SEC regulation of the timeline for disclosure, companies will inevitably waver on the time they take to make disclosures, creating ambiguity in industry standards and uncertainty in the marketplace following a breach. Furthermore, market distortions — the types that the SEC is most focused on preventing[15] — are likely to result from undisclosed information from data breaches. This Note argues that the SEC should mandate a specific timeline for requiring companies to disclose a cyber breach to maintain its objective of ensuring freely disseminated information, maintaining market integrity, and protecting investors.

I. The Setting: How Investors’ Interests Are Taking a Back Seat

Consumers, companies, and investors have competing interests in regards to a data breach. Unfortunately, investors’ interests are ultimately ignored. Consumers, however, need to be notified of breaches so that they can take remedial and protective post-breach measures to safeguard their information, like cancelling their credit cards. These interests are currently being protected by the Federal Trade Commission (FTC), whose mission is to protect consumers from unfair or deceptive business practices.[16] The Third Circuit recently held that the FTC may bring a claim that a company’s allegedly inadequate data security practices constitute “unfair” business practices in violation of Section 5 of the Federal Trade Commission Act.[17] Furthermore, many states have recognized the need for adequate consumer protection by enacting consumer breach notification disclosure statutes, but consumers are afforded this protection in only three-fourths of states.[18]

Companies often perceive that keeping a hack quiet is in their best interest. This allows the company to “save face”[19] and prevent indirect costs of “business lost”[20] from wary consumers, while, in the interim, trying to discover precisely what information was hacked and why. But companies also limit disclosures to avoid “provid[ing] a roadmap for hackers as to where they are vulnerable.”[21] For these same reasons, a company might fear that making a breach public would cause potential investors to shy away from the company.[22] Add to this list of concerns the looming fear of class action lawsuits for consumers who were harmed by the breach,[23] and it is easy to see why companies’ interests are best served when they have all the time in the world (or at least as long as they want) to disclose a breach.

These concerns leave investors’ interest in being notified of a data breach ignored under current SEC regulations. Investors care about data breaches being withheld because of the impact it could have on their investment’s stock price. Announcing publicly that a database of consumer information has been hacked would intuitively cause the breached company’s stock price to decrease for a number of reasons: loss of faith in the company’s ability to safeguard sensitive materials, impending liability costs to remedy such breach, including implementing new safeguards to assure breaches become less likely to occur, and costs of future lawsuits, to name just a few. The current regulations, or lack thereof, allow companies to be guided solely by industry standards when it comes to what and when to disclose post-breach.[24]

However, announcements of a data breach need not assuredly signal impending doom for a company’s stock price.[25] A few companies have successfully navigated such announcements.[26] Target and Home Depot both faced security breaches but chose to handle the situation differently.[27] Target delayed notifying customers of the breach and its stock dropped nearly 20% while Home Depot’s prompt notification to their larger affected consumer base was viewed as reassuring to the public and did not adversely affect the company’s stock price.[28]

These types of positive consumer responses to a breach could in turn be just the kind of uptick that investors would want to know about most. Patrick Malcolm, a digital forensics and security expert commenting on the Ashley Madison leaks, noted the way the breach’s publicity could work in the company’s favor, explaining how a consumer told Malcolm that he was joining Ashley Madison “because it was more secure now.”[29] However, Malcolm explained, “there’s no evidence the company has actually changed its protocols.”[30] On the other hand, notifying the public that a company has been hacked could signal that the company has not been responsible with consumer information they pledged to keep safe.[31] Several companies have lost CEOs following breaches that uncovered corporate irresponsibility, poor business practices, disconcerting management, and the company’s inability to protect consumer data.[32] Regardless of whether the breach indicates a change in consumer confidence in the company or a reflection of poor management, the overall perception of a company post-breach can affect how investors view their investments and thus should fall within the SEC’s realm of regulations.

The SEC does play a role, albeit a mildly passive one thus far, in regulating data breaches. The SEC only began specifically addressing cyber breaches in 2011, when it published guidance on disclosure obligations. Unfortunately, these guidelines gave no timeline for making disclosures and only mandated that disclosures are required for “material” information.[33] In 2014, the SEC held a roundtable where industry leaders considered making more regulations on disclosures.[34] Political leaders, such as Senator John D. Rockefeller, in his role as Chairman of the Committee on Commerce, are even “urging” the SEC to take more extensive action, noting concerns “about inconsistencies in disclosures, investor confusion, and the fact that many corporate leaders [do] not fully recognize the relationship between their companies’ cybersecurity measures and financial success.”[35] SEC Commissioner Luis A. Aguilar gave a speech at the New York Stock Exchange urging companies to take more steps and encouraging “more public reporting of cyberattacks.”[36] But the SEC has not taken any steps since the roundtable, simply continuing to encourage companies to follow the 2011 guidance, leaving investor interests and protections back-seated when it comes to breach notification.

II. The Problem: How Companies Can Work Around the Current Regulations

The SEC’s purpose is to “protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation,”[37] resting on the foundation that “only through the steady flow of timely, comprehensive, and accurate information can people make sound investment decisions.”[38] Thus, the SEC is charged with regulating and monitoring disclosures made by publicly traded companies to ensure investors have equal access to information. This is done by not only imposing a duty on companies to disclose “material” events, but also by imposing strict timelines under which the disclosures must be made. Under the SEC’s definition, “material”[39] means any information that has a substantial likelihood of being considered important to a reasonable investor when making an investment decision.[40] Because a breach could be of concern to investors, these disclosure mandates would assumedly include notifications when a publicly traded company has been hacked.[41]

Although the materiality test dictates an objective standard, companies still have room to deem a data breach “immaterial.”[42] If a company can twist the breach as immaterial, it can completely avoid disclosure, meaning that investors would not be notified even though the breach could influence their investment decisions.[43] SEC guidance has cautioned “a cyber-attack could be material if it causes a company to significantly increase what it spends to defend its systems or when intellectual property is stolen.”[44] This allows management to usurp the SEC’s role of deciding what investors need to know. If the breach results in only “minor intrusions” of consumer data, it likely does not need to be disclosed, whereas confirmed breaches of determinable consumer information definitely need to be disclosed.[45] For everything in between these two categories, management decides if the breach is important enough to warrant disclosing it to investors under the circumstances.[46]

Because certain circumstances already require public disclosure, the SEC could address these concerns by utilizing current provisions, including rules 10b-5[47] and 14a-9,[48] which regulate fraud in connection with the purchase and sale of securities and fraud in the solicitation of proxies. Rule 10b-5 prohibits the use of any manipulative or deceptive device in the buying and selling of securities, requiring disclosure of material information or abstention from trading.[49] This includes an obligation to disclose private information when necessary under the circumstances to prevent publicly known information from being misleading by the omission.[50]

Rule 10b-5 could potentially be applicable when a company has been the victim of a cyber-attack and serve to safeguard the interest of investors, but only for instances in which securities, such as the company’s stock, are being sold or purchased.[51] Thus, this regulation does not always mandate a disclosure or require a trader to abstain from the market to ensure that the integrity of the marketplace is maintained if no securities are being exchanged. Under rule 10b-5, as long as the company itself is not buying or selling securities while withholding information regarding a data breach, no duty arises to disclose such a breach to the general public (i.e. investors).[52] Instead, the only duty the company has is to keep their insiders from trading in the market.[53]

Even though companies do not have a duty to disclose a breach under rule 10b-5, they could still be required to make these types of disclosures in their annual 10-K forms.[54] However, these reports require companies to only report “the cybersecurity risks that could affect the business or its registrants materially;”[55] they do not require the company to report actual incidents or breaches. The SEC’s 2011 guidance encouraged companies to determine if “the costs or other consequences associated with one or more incidents or the risks of potential incidents [of cyber breaches] represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition,” and report this in the Management & Discussion Analysis (MD&A) section of the company’s annual reports.[56] The decision as to whether or not to disclose is complicated by a timing issue: even if companies do disclose a breach in their annual reports, investors are only deemed to have been notified at the end of the year when those reports are filed.[57] Thus, the breach’s impact could affect investment decisions to buy, sell, or trade far sooner than when the year-end report filings roll around.

In addition to annual and quarterly reports, public companies must report “certain material corporate events” in an 8-K report to announce major happenings of which shareholders should be aware.[58] Companies are given four days to file these disclosures.[59] Although cyber breaches are not specifically listed as items to be reported on an 8-K, registrants can use section 8 of the form to “report events that are not specifically called for by Form 8-K that the registrant considers to be of importance to security holders.”[60] Guidance has been given that:

… once the facts are gathered, a special filing may be warranted. . . . If the event or incident is a significant one or if it is one that a reasonable investor would expect to hear about outside the cycle of the normal disclosure of risk, it is prudent to do a special filing.[61]

This form alone, however, does not require a cyber breach disclosure to be made, and even if companies choose to disclose under this rule, there is once again an opportunity for work-around regarding the timing of the disclosure. Although the regulations governing 8-K filings mandate a four-day deadline for certain events falling under Sections 1-6 and 9 (covering standard business occurrences), filings regarding cyber breaches, which fall under Section 8’s “other events,” are not given this same four-day deadline, or even any specific deadline.[62]

Due to the SEC’s slow response in regulating disclosure, the only real pressure companies feel is to ensure they stay at least somewhat within the shadows of others in their industry.[63] This is currently the best and only standard against which a company can be judged.[64] Choosing to file an 8-K could be in the company’s best interest, especially if that is how others in the industry are treating the incident. However, because these measures are not strict regulations, they allow companies to interpret and set their own standards. This can lead to unequal dissemination of information and inefficient markets, as investors in A corporation could be notified of a breach more quickly than investors in B corporation. Although industry standards could be used to set strict demands for companies, the current standards are so lax as to allow companies to consider their own interests over that of their investors.

Piecing together all of this information shows that avoiding breach disclosures may be easier for companies than investors would like. If the SEC set disclosure notification timelines for publicly traded companies, it would communicate to companies that data breach disclosures are not only material and required, but would also remove the uncertainty management faces in determining a breach’s materiality.

III. The Solution: Regulating the Regulators

The SEC should mandate stricter data breach notification requirements and set a rigid timeline to give companies direction when handling a data breach. Tighter regulations will encourage companies to create response plans so that they can act quickly in the face of a breach. Regulations will also incentivize companies to put in place adequate safeguards, such as technological safety measures to protect consumer data, helping prevent breaches in the first place. This, in turn, benefits investors, as a breach would be less likely to have a detrimental effect if handled well.[65] A definite timeline will also move publicly traded companies to uniform and clear guidelines, clarifying the current vague industry standards set by the companies that have already been breached. These standards could also help set guidelines for small and non-public companies in the future.

The SEC should not set a flexible rule, such as “companies should disclose data breaches timely,”[66] because this type of rule would not solve the disclosure problem. This standard is no clearer than the current ambiguous guidance and would leave companies uncertain about how such a vague standard would be interpreted. Instead, it would only facilitate the current problems caused by industry standards, which allow companies to set their own disclosure timeframes based on what they believe is the most effective response time, focusing more on their own primary interests rather than their investors’. This type of standard would also allow for workarounds, opening the door to fraudulent practices and delay tactics for each company’s specific situation, avoiding the primary objectives of the SEC — to protect investors by keeping them equally informed and ensuring that they “are provided with material information in order to make informed investment decisions”[67] and to “maintain fair, orderly, and efficient markets.”[68] While a company may have unique circumstances that require a delayed notification timeline, the investor’s interest remains consistent in needing to be timely informed of incidents affecting their investments.

The SEC’s data breach notification regulations, enacted primarily to serve investors, would also provide an ancillary benefit of protecting consumers in states that do not afford them any protection through consumer notification laws.[69] Roughly one-fourth of states do not have consumer notification laws on their books.[70] Kentucky, for example, requires only that disclosures be made “in the most expedient time possible and without unreasonable delay.”[71] This type of standard sets no more of a specific deadline than mandating no timeframe at all, but at least requires that companies must eventually disclose the breach to consumers. Even Delaware, the capital of business governance,[72] offers no more of a specific timeline than “the most expedient time possible and without unreasonable delay.”[73]

In deciding precisely how long to make the notification timeline, the SEC could look to state consumer notification laws.[74] Ohio, for example, says “in the most expedient time possible but not later than forty-five days.”[75] Florida law is even stricter, saying “as expeditiously as practicable, but no later than 30 days after.”[76] By explicitly regulating notification deadlines, the SEC would integrate consumer and investor interests in building market integrity and in devising a comprehensive system that considers the competing interests of the marketplace as a whole, as SEC Commissioner Aguilar urged back in 2014.[77]

Alternatively, because investor concerns can vary widely based on industry, the SEC could consider setting a sliding scale timeline across different industries. For example, investors could need to know right away that a financial services company like American Express has been hacked of consumer credit card information. Consumers may place greater trust in a financial company to protect their sensitive information, and profitability would likely decline as a result of class action litigation costs and loss of customer loyalty. Investors would thus need to know of a breach almost immediately to anticipate how these market effects would impact their investments. Contrast this with a company that has been breached of consumer loyalty information, like Kroger, whose “Kroger Plus Card” records customers’ shopping trends but not financial information.[78] In this case, consumers do not have high expectations for maintaining the integrity of this information nor a cause of action when these types of non-sensitive reports are hacked.[79] Because certain industries are targeted more frequently and seriously, and the consequences of a breach are more detrimental to the health of the company, the SEC could, in considering these fluctuating concerns, create a sliding scale for data breach notifications for different industries.

Conclusion

Data breaches are becoming more frequent and more expensive, and they can have detrimental consequences for companies.[80] Consumers need to know as quickly as possible that an unauthorized access of their sensitive financial information has occurred in order to take proper safeguarding measures. But because the current norms are set by the industry, management is free to allow company-related concerns, such as the potential damage to its reputation and the subsequent effect on stock price, to guide its decision on when to notify the public of a data breach. This leaves investors’ interests unaddressed. A data breach can have a multitude of investment-related consequences, such as fluctuating stock prices, an increase in the company’s liabilities from class action lawsuits or increased cyber insurance costs, or a downturn in the company’s overall health and public perception.

The current state of data breach notification regulations for publicly traded companies allows companies to benefit from not having to disclose a breach to their investors. Without a specific timeline mandating when companies must disclose a breach, companies are free to follow either their state’s notification law, assuming there is one, which even then may be just as ambiguous as the current SEC guidelines, or the industry standards set by similar companies that have responded to data breaches. And if the company is in an industry that has not had many breaches, it would be free to set its own standard. None of these standards provide uniform or efficient markets, strengthen investor security, or ensure equally disseminated information, all of which the SEC is most concerned with promoting.[81] Because the SEC’s utmost objective is that of protecting investors, the regulatory body should set a specific and strict timeline by which companies are required to abide after a data breach.
[1] J.D. Candidate 2017. The author would like to specially thank Lisa E. Underwood, Andrew K. Woods, Rutheford B. Campbell, Jr., and Gardner Bell for their help in the brainstorming process and mentoring of this Note.

[2] Elena Kvochko & Rajiv Pant, Why Data Breaches Don’t Hurt Stock Prices, Harv. Bus. Rev. (Mar. 31, 2015), https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices.

[3] Nicole Perlroth, Ashley Madison Chief Steps Down After Data Breach, N.Y. Times (Aug. 28, 2015), http://www.nytimes.com/2015/08/29/technology/ashley-madison-ceo-steps-down-after-data-hack.html?_r=0 (quoting Larry Ponemon, founder of the Ponemon Institute, whose firm found that “the cost of mega-breaches now averages $23 to $25 per exposed record, which includes the costs of lawsuits.”).

[4] Andria Cheng, Two Months After Damaging Data Breach, Target Stock Has its Best Day in 5 Years, Market Watch (Feb 26, 2014, 2:11 PM), http://blogs.marketwatch.com/behindthestorefront/2014/02/26/two-months-after-damaging-data-breach-target-stock-has-its-best-day-in-5-years.

[5] CF Disclosure Guidance: Topic No. 2, Cybersecurity, U.S. SEC. & Exch. Comm’n (Oct. 13, 2011) [hereinafter SEC Disclosure Guidance], https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[6] Andrew Ackerman, U.S. Chamber Warns Cyberattack Disclosures Could Hurt Corporate Profits, Wall Street J. (Oct. 29, 2014, 3:00 PM), http://www.wsj.com/articles/u-s-chamber-warns-cyberattack-discosures-could-hurt-corporate-profits-1414609209 (saying companies should disclose attacks to give customers a heads up because it’s the right thing to do in order for customers to protect themselves, even if no material adverse impact on the company itself results).

[7] Cory Bennett, SEC Weighs Cybersecurity Disclosure Rules, The Hill (Jan. 14, 2015, 6:00 AM), http://thehill.com/policy/cybersecurity/229431-sec-weighs-cybersecurity-disclosure-rules.

[8] See generally Robert Hackett, What to Know About the Ashley Madison Hack, Fortune (Aug. 26, 2015, 7:24 AM), http://fortune.com/2015/08/26/ashley-madison-hack.

[9] See generally Cheng, supra note 4.

[10] Nate Lord, The History of Data Breaches, Digital Guardian (Oct. 6, 2016), https://digitalguardian.com/blog/history-data-breaches.

[11] SEC Disclosure Guidance, supra note 5, at n. 3 (“Information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available”); See also Dave Michaels, Hacked Companies Face SEC Scrutiny Over SEC Disclosure, Bloomberg (July 7, 2014, 11:28 AM), http://www.bloomberg.com/news/articles/2014-07-02/hacked-companies-face-sec-scrutiny-over-disclosure (“In guidance issued three years ago, the SEC said a cyber-attack could be material if it causes a company to significantly increase what it spends to defend its systems or when intellectual property is stolen. . . . Materiality is very open to interpretation[.]”).

[12] See Cybersecurity Roundtable, U.S. Sec. & Exch. Comm’n (Mar. 26, 2014), http://www.sec.gov/spotlight/cybersecurity-roundtable.shtml.

[13] Id.; See SEC Disclosure Guidance, supra note 5; See also Rick M. Robinson, Stock Price May Not Tell the Whole Story About Security Breaches, Security Intelligence (Aug. 13, 2015), https://securityintelligence.com/stock-price-may-not-tell-the-whole-story-about-security-breaches (“A further complication for stockholders and their advisers is that reporting of breaches is often delayed, and existing SEC regulation leaves leeway for public companies as to when to disclose cyber incidents.”).

[14] See generally Robinson, supra note 13 (“A company may be able to time the announcement so that it is followed swiftly by corrective action.”).

[15] See What We Do, U.S. Sec. & Exch. Comm’n, https://www.sec.gov/about/whatwedo.shtml (last modified June 10, 2013) (“The mission of the U.S. Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.”).

[16] See generally, About the FTC, U.S. Fed. Trade Comm’n, https://www.ftc.gov/about-ftc (last visited Oct. 11, 2016) (describing mission as “[t]o prevent business practices that are anticompetitive or deceptive or unfair to consumers”).

[17] See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015); See also Michael S. Dicke and Catherine Kevane, Return of the Cyborg—FTC and SEC Oversight of Cybersecurity Ramps Up, Mondaq (Sept. 21, 2015), http://www.mondaq.com/unitedstates/x/428214/Securities/Return+of+the+CyborgFTC+and+SEC+Oversight+of+Cybersecurity+Ramps+Up.

[18] See Summary of U.S. State Data Breach Notification Statutes, Davis Wright Tremaine, LLP, http://www.dwt.com/statedatabreachstatutes (last visited Oct. 11, 2016).

[19] See Robinson, supra note 13 (“Public news of a data breach can generate negative publicity, but a company may be able to time the announcement so that it is followed swiftly by corrective action.”).

[20] Bill Rigby, Cost of Data Breaches Increasing to Average of $3.8 Million, Study Says, Reuters, (May 27, 2015, 6:03 AM), http://www.reuters.com/article/2015/05/27/us-cybersecurity-ibm-idUSKBN0OC0ZE20150527.

[21] See Amy Terry Sheehan, Meeting Expectations for SEC Disclosure of Cybersecurity Risks and Incidents, Cybersecurity L. Rep., Aug. 12, 2015, at 1, http://www.davispolk.com/sites/default/files/agesser.Cybersecurity.Law_.Report.aug15.pdf.

[22] See Kvochko & Pant, supra note 2.

[23] Class action liability can flow from breach of contract liability. For example, after the Ashley Madison breach many users of the company’s service are suing for breach of contract because the company charged customers $19 to delete their actions without actually deleting the accounts. Perlroth, supra note 3.

[24] See infra, Part II; See also Ben Dipietro, The Morning Risk Report: Cybersecurity Disclosures Are Risky Business, Wall St. J.: Risk & Compliance J. (June 8, 2015, 7:25 AM), http://blogs.wsj.com/riskandcompliance/2015/06/08/the-morning-risk-report-cybersecurity-disclosures-are-risky-business-newsletter-draft (“[C]ompanies that have had breaches are in some respects setting the bar for companies that have not, as far as how to approach what to disclose. Best practices for disclosure are based on industry. . . .”).

[25] Because nearly all companies have been or are eventually breached these days, one source posits that shareholders hardly flinch at the news of data breaches anymore. See Kvochko & Pant, supra note 2 (saying that “[i]ndustry analysts have inferred that shareholders are numb to news of data breaches.”).

[26] See Sean Mason, Impact on Company Stock Following Data Breaches, InfoSec Insights (July 21, 2014), http://seanmason.com/2014/07/21/impact-on-company-stock-following-data-breaches; See also Sean Mason, Impact on Stock Following a Data Breach – Feb 2015 Edition, InfoSec Insights (Feb. 26, 2015), http://seanmason.com/2015/02/26/impact-on-stock-following-a-data-breach-feb-2015 (updating research). To see how many “incidents” versus actual breaches occur, see Verizon, 2015 Data Breach Investigations Report 3 (2015), https://www.arxan.com/wp-content/uploads/2015/05/rp_data-breach-investigation-report-2015_en_xg.pdf.

[27] Nathan Layne, In Wake of Target, Home Depot Tight with Info in Breach Response, Reuters (Sept. 8, 2014 1:28 PM), http://www.reuters.com/article/us-home-depot-dataprotection-disclosure-idUSKBN0H31UC20140908.

[28] See Catey Hill, Home Depot’s Data Breach Is Worse Than Target’s, So Where’s the Outrage? MarketWatch (Sept. 25, 2014 11:28 AM), http://www.marketwatch.com/story/yawn-who-cares-about-home-depots-data-breach-2014-09-24; Customer Data Breach Hits CVS Health Photo Site, Investopedia (July 21, 2015, 1:45 PM), http://www.investopedia.com/stock-analysis/072115/customer-data-breach-hits-cvs-health-photo-site-cvs-cost-hd-tgt-wmt.aspx (explaining that “Target is still recovering from the loss of customer trust that resulted from that breach, but much of the backlash was the result of how it had handled the affair, delaying the notification of customers that a breach had occurred. Companies seemed to have learned from that experience. Home Depot had more customers affected by a hack attack that occurred last year, but it notified consumers right away”).

[29] Paola Loriggio, Ashley Madison Hack Fails to Spur Cybersecurity Overhaul, CBC News (Dec. 25, 2015, 5:00 AM), http://www.cbc.ca/news/business/ashleymadison-hack-web-security-1.3380372 (Malcolm went on to say that “[m]aybe they’ve tightened up a few practices, but again, this is the kind of thing that receives attention only when it’s a screaming baby. After the baby’s not making any noise, everybody goes back to what they were doing.”).

[30] Id.

[31] See generally Data Breach FAQ, Target, https://corporate.target.com/about/shopping-experience/payment-card-issue-faq (last visited Sept. 27, 2016) (stating that Target is “sorry” for the breach).

[32] Perlroth, supra note 3 (reporting that Ashley Madison’s CEO stepped down from his position after the company’s hack, just as Sony Pictures Entertainment’s co-chairwoman and the CEO of Target stepped down after similar network breaches) (“Those ousters have made security a priority among executives. According to a survey . . . which tracks data breaches, only 13 percent of senior management said their concern about a data breach was extremely high before the breach at Target. That jumped to 55 percent after the incident . . . . [The founder of a company that tracks data breaches stated,] ‘[t]he board is more concerned now than it has ever been with preserving the reputation of a company after a data breach. If the C.E.O. has to leave the company as a result, that’s the cost of doing business.’”).

[33] SEC Disclosure Guidance, supra note 5.

[34] See Cybersecurity Roundtable, supra note 12.

[35] Craig Calle, Disclosing the SEC’s Cybersecurity Disclosure Guidance, Source Callé (Aug. 10, 2015), http://sourcecalle.com/blog/2015/8/10/disclosing-the-secs-cybersecurity-disclosure-requirements.

[36] See Michaels, supra note 11; Luis Aguilar, Commissioner, Sec. & Exch. Comm’n, Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), https://www.sec.gov/News/Speech/Detail/Speech/1370542057946.

[37] See What We Do, supra note 15.

[38] Id.

[39] “Material” is defined by the SEC in two primary cases: Basic Inc. v. Levinson, 485 U.S. 224, 231-32 (1988) and TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).

[40] SEC Disclosure Guidance, supra note 5, at n. 3 (This also includes instances where “the information would significantly alter the total mix of information made available.”).

[41] See supra Part I.

[42] Michaels, supra note 11 (statement of Thomas Sporkin, a former SEC enforcement lawyer) (“Materiality is very open to interpretation.”).

[43] See Joel Schectman, When to Disclose a Data Breach: How About Never?, Wall Street J.: Risk and Compliance Report (Mar. 27, 2014, 12:41 PM), http://blogs.wsj.com/riskandcompliance/2014/03/27/when-to-disclose-a-data-breach-how-about-never/ (describing different companies’ responses to similar hacks).

[44] Michaels, supra note 11.

[45] See Sheehan, supra note 21, at 3.

[46] Id.

[47] See Securities Exchange Act of 1934, 17 C.F.R. § 240.10b-5 (2016).

[48] See id. § 240.14a-9.

[49] 17 C.F.R. § 240.10b-5. The scope of this Note is too limited to warrant a discussion of fraud in the solicitation of proxy statements.

[50] See id.

[51] The definition of a security, as given by the Howey test, involves only “investment contracts” in which money is invested in a common enterprise with the expectation of profits derived solely from the efforts of a third-party promoter. See SEC v. W.J. Howey Co., 328 U.S. 293, 298-99 (1946).

[52] See Chiarella v. United States, 445 U.S. 222, 234 (1980); Dirks v. SEC, 463 U.S. 646, 655 (1983); United States v. O’Hagan, 521 U.S. 642, 678 (1997).

[53] 17 C.F.R. 240 §§ 240.10(b), 10b-5 (describing antifraud provisions of the federal securities laws, which apply to statements and omissions both inside and outside of Commission filings).

[54] See Fast Answers for Form 10-K, U.S. Sec. & Exchange Comm’n, https://www.sec.gov/answers/form10k.htm (last modified June 26, 2009).

[55] Dipietro, supra note 24 (emphasis added). See Kobi Kastiel, What’s New in 2015: Cybersecurity, Financial Reporting and Disclosure Challenges, Harv. L. Sch. F. on Corp. Governance and Fin. Reg. (Feb. 18, 2015), http://corpgov.law.harvard.edu/2015/02/18/whats-new-in-2015-cybersecurity-financial-reporting-and-disclosure-challenges.

[56] Kastiel, supra note 55.

[57] See generally Researching Public Companies Through EDGAR: A Guide for Investors, U.S. Sec. & Exchange Comm’n (July 18, 2007), https://www.sec.gov/investor/pubs/edgarguide.htm (describing information contained in the annual 10-K filing).

[58] Fast Answers for Form 8-K, supra note 54.

[59] Form 8-K, U.S. Sec. & Exchange Comm’n, https://www.sec.gov/about/forms/form8-k.pdf, § B(1).

[60] See Fast Answers for 8-K, supra note 54, at Item 8.01.

[61] Sheehan, supra note 21. Information given in the SEC’s disclosure guidance is “intended to assist registrants in preparing disclosure required in registration statements” but this does not limit registrants; instead, they should also consider “whether it is necessary to file reports on . . . Form 8-K to disclose the costs and other consequences of material cyber incidents.” SEC Disclosure Guidance, supra note 5, at n. 2.

[62] See Fast Answers for 8-K, supra note 54. See also Form 8-K, supra note 59, at § B(1) (“When considering current reporting on this form, particularly of other events of material importance pursuant to Item 7.01 (Regulation FD Disclosure) and Item 8.01 (Other Events), registrants should have due regard for the accuracy, completeness and currency of the information in registration statements filed under the Securities Act which incorporate by reference information in reports filed pursuant to the Exchange Act, including reports on this form.”).

[63] See Sheehan, supra note 21.

[64] See Dipietro, supra note 24 (quoting Jay Knight, a former SEC staffer and head of his law firm’s capital markets practice group).

[65] See generally Customer Data Breach Hits CVS Health Photo Site, Investopedia (July 21, 2015, 1:45 PM), http://www.investopedia.com/stock-analysis/072115/customer-data-breach-hits-cvs-health-photo-site-cvs-cost-hd-tgt-wmt.aspx (explaining how stores like Wal-Mart, CVS, and Costco have been upfront with their customers about breaches and how this honesty prevents a meltdown in consumer trust and protects investors).

[66] Language such as this can be found in state consumer notification laws. For example, Oregon (Or. Rev. Stat. Ann. § 646A.604(1)(a) (West, LEXIS through 2016 Sess.)) and South Carolina (S.C. Code Ann. § 39-1-90(a) (LEXIS through 2016 Sess.)) provide for the most expedient time possible and without unreasonable delay. Many states, including Pennsylvania (73 Pa. Stat. and Cons. Stat. Ann. § 2303(a) (West, Westlaw through 2016 Sess.)), Mississippi (Miss. Code Ann. § 75-24-29(3) (West, Westlaw through 2016 Sess.)), and Missouri (Mo. Rev. Stat. § 407.1500(2)(1)(a) (LEXIS through 2016 Sess.)) say only “without unreasonable delay.” For more state laws, see Summary of U.S. State Data Breach Notification Statutes, supra note 18.

[67] Calle, supra note 35.

[68] What We Do, supra note 15.

[69] See Summary of U.S. State Data Breach Notification Statutes, supra note 18.

[70] See id.

[71] Ky. Rev. Stat. Ann. § 365.732 (LexisNexis, LEXIS through 2016 Sess.).

[72] See Why Incorporate in Delaware or Nevada?, BizFilings, http://www.bizfilings.com/learn/incorporate-delaware-nevada.aspx (last visited Sept. 23, 2016).

[73] Del. Code Ann. tit. 6, § 12B-102(a) (LEXIS through 80 Del. Laws ch. 399).

[74] See generally Summary of U.S. State Data Breach Notification Statutes, supra note 18 (showing a map of the United States and giving the online user the ability to click on each state and see their particular data breach notification statutes).

[75] Ohio Rev. Code Ann. § 1349.19(B)(2) (LexisNexis, LEXIS through file 123 (HB 483)).

[76] Fla. Stat. Ann. § 501.171(3)(a) (West, Westlaw through 2016 second regular sess.). Of the other states that have consumer notification laws, only these additional states have rigid timelines: Washington (Wash. Rev. Code Ann. § 19.255.010(16) (LexisNexis, LEXIS through 2016 1st Special Sess.)) and Vermont (Vt. Stat. Ann. tit. 9, § 2435(b)(1) (LEXIS through 2015 adjourned sess. (2016))) mandate that disclosure be made in the “most expedient time possible and without unreasonable delay,” no more than 45 days; Wisconsin (Wis. Stat. Ann. § 134.98(3)(a) (West, LEXIS through Acts of the 2015-2016 legislative sess.)) mandates that disclosures to consumers be made “within a reasonable time not greater than 45 days.”

[77] See Michaels, supra note 11 (urging firms to increase public reporting and weigh impact on consumers).

[78] Mike Lennon, Kroger Notifies Customers of Data Breach Stemming from Third-Party Email Vendor, Security Week (Apr. 1, 2011), http://www.securityweek.com/kroger-notifies-customers-data-breach-stemming-third-party-email-vendor; see Hayley Peterson & Ashley Lutz, Why Kroger is America’s Most Underrated Grocery Store, Business Insider (Mar. 6, 2015, 10:54 AM), http://www.businessinsider.com/why-people-love-kroger-2015-3 (“Nine out of 10 purchases at Kroger are made with the chain’s popular ‘Kroger Plus Card,’ [which makes] customers eligible for discounts, including fuel savings [and] gives Kroger unprecedented access into the behavior of its customers, and allows it to tailor promotions to individual shoppers.”).

[79] See generally Verizon, supra note 26, at 3 (noting that the top three industries targeted and affected by security incidents are public, information, and financial services).

[80] Rigby, supra note 20.

[81] See What We Do, supra note 15 (“The mission of the U.S. Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.”).