TMCnet News

The Dallas Morning News Pamela Yip column
[June 03, 2011]

The Dallas Morning News Pamela Yip column


May 30, 2011 (The Dallas Morning News - McClatchy-Tribune Information Services via COMTEX) -- When the Securities and Exchange Commission voted last year to require companies to publicly disclose the impact of climate change on their businesses, it made clear that it wasn't taking a position on the validity of climate change.



One SEC commissioner said the agency was taking the action to improve the quality of disclosures by public companies.

Could the same rationale be applied to violations of cyber security, such as data breaches experienced by companies? Some in Congress think so.


A group of senators recently sent a letter to SEC Chairman Mary Schapiro requesting that the agency "issue guidance regarding the disclosure of information security risk, including material network breaches." The group said guidance was needed because of "inconsistencies in reporting, investor confusion and the national importance of addressing cyberspace security." The letter was signed by Sens. John Rockefeller, D-W.Va.; Robert Menendez, D-N.J.; Sheldon Whitehouse, D-R.I.; Mark Warner, D-Va.; and Richard Blumenthal, D-Conn.

Rockefeller is chairman of the Senate Committee on Commerce, Science & Transportation and is the lead sponsor of legislation to address the nation's vulnerability to cybercrime and attacks.

The committee, of which Sen. Kay Bailey Hutchison, R-Texas, is the ranking member, held a hearing last year on data security and data breach notification.

Currently, "companies do have a disclosure obligation when it comes to events such as cyber security or cyber vulnerabilities just like any other events that face a company in the normal course of business," SEC officials said.

"Companies are expected to disclose this information to the extent it would be considered material by a reasonable investor," they said.

Material information is information that would likely affect a stock's price once it becomes known to the public. Examples include a takeover or significant management changes.

When you consider the impact a serious data breach can have on a company's brand and reputation, it's clear that investors need to know when it happens.

Thirty-eight percent of nearly 250 companies surveyed by Hiscox, an international specialist insurer, failed to acknowledge the threat of a data breach in their SEC 10-K filings, the company reported in 2009.

Of the companies that did include the risk of a data breach in their filings, 26 percent failed to mention the financial impact while 49 percent failed to identify the reputational effect, said Hiscox.

Recently, Irving-based Michaels Stores Inc. said checkout terminals in 20 states were compromised Feb. 8 through May 6. Fewer than 100 customer debit cards were reported as used in fraudulent transactions, and no Texas stores were affected, the company said.

The largest U.S. arts and crafts chain also said that it doesn't know how much the debit card fraud will cost the company.

In a more serious breach, Sony Corp. said hackers breached its network and gained access to names, e-mail addresses and possibly credit card numbers of millions of its customers last month.

If a company had a data breach that led to a slew of lawsuits, it most likely would have to disclose the event in securities filings if the breach had a significant financial impact on the company, said Bill Katz, partner at Thompson & Knight in Dallas, whose specialties include antitrust, securities and other business litigation cases.

"The materiality threshold is there for these data breaches now anyway, but you may see the SEC taking a closer look at this, especially if there's a push both in the media and in Congress," he said.

SEC officials declined to say whether they're looking at requiring disclosure of data breaches.

Currently, companies have some discretion in determining what's material information, Katz said.

If the SEC were to issue specific guidance, it could address when data breaches must be disclosed and how to disclose them, he said.

Given how serious data breaches can be, the damage they can do to a company's brand and how consumers perceive it, the SEC should provide guidance. Investors should have full knowledge of such an occurrence.

To see more of The Dallas Morning News, or to subscribe to the newspaper, go to http://www.dallasnews.com. Copyright (c) 2011, The Dallas Morning News Distributed by McClatchy-Tribune Information Services. For more information about the content services offered by McClatchy-Tribune Information Services (MCT), visit www.mctinfoservices.com.

[ Back To TMCnet.com's Homepage ]