Contributed by Cynthia J. Larose and Adam M. Veness, Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The Facebook, Inc. (Facebook) initial public offering last month was probably the most anticipated IPO filing of the 21st century. In its S-1 filing with the U.S. Securities and Exchange Commission (SEC) – the first step on any company’s journey to becoming a publicly traded company – Facebook has set the bar for S-1 disclosure in the areas of cybersecurity and privacy risks. 1 Less than four months before Facebook's S-1 filing, the SEC's Division of Corporation Finance (Division) issued informal guidance regarding public companies' disclosure of cybersecurity risks and cyber incidents (Cybersecurity Guidance).2 The Cybersecurity Guidance did not create any new disclosure requirements, but rather clarified existing law in an effort to better educate the ever-growing group of companies that face cybersecurity risks and cyber incidents in their businesses. In its S-1 filing, Facebook fully adopts Cybersecurity Guidance, and provides a real-life example of how companies facing cybersecurity and privacy risks should disclose this information to investors. Indeed, Facebook takes the Cybersecurity Guidance a step further and even discloses risks that are associated indirectly with cybersecurity and privacy concerns, such as unfavorable media coverage and potential reputational damage that could result from the failure to maintain adequate cybersecurity and privacy protection. For companies trying to review and understand the Cybersecurity Guidance, much can be learned by examining Facebook's "Risk Factors" and "Business" S-1 sections.
In accordance with the Cybersecurity Guidance, Facebook's Risk Factors clearly explain to potential investors how cybersecurity risks and incidents could have an adverse effect on the company. The Cybersecurity Guidance explains that companies should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. In determining whether risk factor disclosure is required, the Division suggests that companies take into account all relevant information, including:
If risk factor disclosure is required, the Division suggests that appropriate disclosures may include:
The Division also cautions companies to avoid boilerplate and generic risk factors. Companies should ensure that they adequately describe the nature of the material risks and specify how each risk affects the company. Facebook has done just that. Rather than making mere general disclosures about cybersecurity and privacy risks for internet businesses, Facebook tailors its Risk Factors specifically to Facebook. By analyzing different aspects of Facebook's Risk Factors, other companies facing cybersecurity, cyber incidents, and privacy risks can use the Facebook S-1 as a roadmap for preparing their own risk factors.
Facebook's Risk Factors extensively discuss details about prior investigations by the Federal Trade Commission (FTC) and the Irish Data Protection Commissioner (DPC). The disclosure explains the specifics of a 20-year settlement agreement between Facebook and the FTC, which requires Facebook to establish and refine certain practices with respect to treatment of user data and privacy settings. The FTC settlement also requires bi-annual independent privacy audits. Facebook further discloses how the FTC and DPC audits have affected Facebook, and that Facebook expects to continue to be the subject of regulatory investigations and audits in the future by these and other regulators throughout the world.
— Cybersecurity Risks
Facebook directly addresses the Cybersecurity Guidance in its disclosure regarding how computer malware, viruses, hacking, phishing attacks, and spamming could harm its business. Rather than just generally disclosing how cybersecurity risks can harm an internet business, Facebook takes the extra step and discusses exactly how cybersecurity risks affect it. The disclosure goes into detail about how Facebook's prominence makes it a target for cybersecurity risks. The disclosure further discusses the indirect consequences of cybersecurity risks, including how spammers may embarrass or annoy Facebook users and make Facebook less user-friendly.
— Cybersecurity and Privacy Breaches
The unique nature of Facebook's business makes the risk of cybersecurity and privacy breaches even greater. In its Risk Factors, Facebook emphasizes how third-party platforms and websites that are integrated into Facebook increase the risk that user information may be improperly accessed or disclosed. Specifically, these third-parties may fail to adhere to adequate data security practices or fail to comply with Facebook's terms and policies. Facebook discusses the direct costs of improper access to its users' information, such as legal or regulatory action against Facebook, and the indirect costs of improper access to its users' information, such as reputational and brand damage.
Aside from discussing the direct risks associated with cybersecurity and privacy breaches, Facebook also emphasizes the secondary risks related to unfavorable media coverage and negative user reaction to cybersecurity and privacy breaches. Specifically, Facebook explains that unfavorable media coverage or publicity regarding its privacy practices, regulatory activity, or the actions of platform developers could adversely affect Facebook's reputation and have an adverse effect on the size, engagement, and loyalty of Facebook's user base.
— U.S. and Foreign Laws Relating To Privacy and Data Protection
In its Risk Factors, Facebook recognizes the evolving landscape of privacy and data protection laws in the U.S. and abroad by disclosing how these changing laws have affected and will continue to affect its business. In addition to general statements about the impact of privacy and data protection regulations, the disclosure goes further and discusses potential changes to specific regulations (i.e., the 1995 European Union Data Protection Directive). Facebook discloses that these changes could delay or impede the development of new Facebook products, and could result in increased operational costs, negative publicity, fines, and litigation.
The Cybersecurity Guidance regarding disclosures in the "Description of the Business" section focuses primarily on the disclosure of cyber incidents that materially affect the Company's products, services, relationships with customers or suppliers, and competitive conditions. In the Business section of its S-1, Facebook's discussion of specific cyber incidents is minimal and relates primarily to its settlement with the FTC resolving its investigation into various practices with respect to Facebook's treatment of user data and privacy settings (as also discussed in Facebook's Risk Factors). Presumably, the FTC investigation is the only "cyber incident" that Facebook believes materially affects the areas listed above, and thus is the only cyber incident that Facebook was required to disclose.
Follow the Roadmap – Find Your Data – Know Your Risks
By providing extensive disclosures related to cybersecurity, cyber incidents, and privacy risks, Facebook has given companies facing cybersecurity and privacy risks a roadmap on how to comply with the Cybersecurity Guidance. Although specific disclosures and disclosure language will differ from Facebook's S-1, companies should follow Facebook's lead regarding the framework, breadth, and detail of its disclosures.
The most important point that companies should take away from Facebook's S-1 disclosures is specificity. Boilerplate and generic disclosures related to cybersecurity and privacy risks are inadequate and discouraged by the SEC. To ensure full compliance with the Cybersecurity Guidance, companies should disclose risks specific to their business, while including details concerning how those risks may directly and indirectly affect the company's business. Key to a company's ability to provide adequate and fulsome disclosure in accordance with the expectations of the Cybersecurity Guidance, is a risk assessment related to data privacy and information security issues. Without that, even beginning to craft specific disclosure becomes an impossible task. If a company discloses material and specific information related to its cybersecurity and privacy risks and tailors those disclosures to its business as Facebook has done in its S-1, then it will be well on its way to providing adequate disclosure to investors and to minimizing the comments it receives from the SEC.
Cynthia J. Larose is a Member of Mintz Levin's Corporate & Securities Section, Chair of the Privacy & Security practice, and a Certified Information Privacy Professional (CIPP). Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the "corporate lifecycle," from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions. Cynthia has extensive experience in privacy, data security, and information management matters, as well as data transfers in the context of mergers and acquisitions and technology transactions. She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy "best practices" across all levels of the enterprise.
Adam M. Veness is an Associate in the Corporate & Securities Section and is based in the firm's Boston office. He was a Summer Associate at Mintz Levin in 2009. Before rejoining Mintz Levin, Adam focused on general civil litigation, construction litigation, personal injury defense, and employment matters. His professional experience also includes clerking for the United States Army JAG Corps. During law school, Adam participated in the Civil Litigation Clinic through Greater Boston Legal Services where he represented clients in Social Security disability appeals and in unemployment insurance hearings.
To view additional stories from Bloomberg Law® request a demo now