Less Data Breach Disclosure Is Wise, Attorneys Say

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

July 1 — What is a Fortune 500 company to do about informing regulators and overseers when its network has just been breached, leaking sensitive customer information, credit card numbers and employee records?

Should it file a Form 8-K with the U.S. Securities and Exchange Commission, reach out to law enforcement, alert federal and state regulators, alert valued customers or should they stay quiet until their internal team fully investigates the matter?

Less disclosure—and in any event disclosure only after what has happened becomes clear—is probably the best approach, privacy attorneys told Bloomberg BNA. Trying to hide a breach when there are clear reporting obligations will displease regulators that may come calling and undermine consumer trust in your organization.


The questions revolving around what to disclose were what executives of The Wendy's Co. asked themselves after finding that malware had been discovered on their point of sale systems. After further investigation, Wendy's opted to file an 8-K and a press release that warned the breach was “considerably” larger than originally thought.

Wendy's and other large companies subject to a cyberattack may want to rethink their approach to data breach disclosures. They should focus on internal investigations and shoring up their cybersecurity before making any material disclosures to federal regulators or the public, privacy attorneys said.

Further, companies should pay attention to mistakes other companies have made in the past after a data breach.

According to Steven L. Caponi, a corporate and cybersecurity partner at K&L Gates in Wilmington, Del., companies should seek to avoid the “drip, drip, drip” of leaked information and make “fewer and more knowledgeable disclosures to demonstrate that you have the situation under control.”

Companies don't want to end up like Target Corp. (12 PVLR 2133, 12/23/13), “the poster child” of mishandling data breach disclosures, he said.

Target quickly reported a credit card system hacking breach only to have to more than once upgrade the seriousness of the intrusion, number of customers affected, how long the intrusion went undetected and other matters. Ultimately the chief executive officer of Target was forced to resign.

When Is a Breach Material?

Some companies that have experienced a data breach have reported the intrusion to the SEC through an 8-K.

Lisa Sotto, chairman of Hunton & Williams LLP's privacy and cybersecurity practice, said that companies shouldn't furnish an 8-K when it doesn't reach the level of a “material breach.”

According to the SEC, companies must file this form under certain circumstances to announce material events that shareholders should know about. What is material, however, depends on what types and the nature of incident a company may be reporting.

For data breaches, the SEC hasn't made a definitive ruling as to whether loss of personal information in these cyberattacks fall under the materiality standard. As of now, the SEC has only released guidance that says companies may want to consider filing an 8-K “to disclose the costs and other consequences of material” breaches.

Sotto, who is also managing partner of Hunton's New York office, said that breach materiality depends on what kinds of data are stored and protected by the company. Before filing an 8-K, a company would want to consider if personally indentifiable information, health care data, financial records or consumer data was breached, she said.

“There have been very few material breaches” and companies that have filed an 8-K would have made “strategic decision” to do so, Sotto said.

Lack of 8-Ks

According to Bloomberg Law data, large consumer-based companies such as The Home Depot Inc., Target, Wendys, Anthem Inc. and JPMorgan Chase & Co. have filed 8-Ks following a data breach.

However, not every company that experiences a data breach reports it in an 8-K or even in a press release. According to a recent Identity Theft Resource Center report, there were 781 data breaches tracked in 2015 and many more that went undiscovered. The vast majority of these didn't receive 8-K treatment.

What accounts for the disparity between number of incidents and lack of 8-K filings?

According to Caponi, the lack of filings can be attributed to the relatively new territory of cyberattacks and breaches. There is “no case law, judgements, or administrative rulings” that define what is material for a data breach disclosure, he said.

But the lack of filings may be changing. As more and more companies experience data breaches, enforcement agencies will issue guidance covering data breach reporting, Caponi said.

Going forward, the “trend will be to more disclosures occurring in 8-Ks,” Caponi said. With more and more disclosures, the SEC will eventually issue more guidance and “that will morph into a rule,” he said.

Crafting the Message

Before a data breach occurs, companies should already be prepared with an incident response plan that lays out who should take the reigns of the corporate message.

Incident response plans should outline “how to roll out information to law enforcement, shareholders, affected customers and regulatory agencies,” Caponi said.

According to Tanya Forsheit, co-chairman of the Privacy & Data Security group at Frankfurt Kurnit Klein & Selz in Los Angeles, “a good incident response plan will spell out which team” is responsible for the data breach reporting. “There is going to be a product manager type who oversees the whole response and keeps the trains running on time,” she said.

The plan will include people in the company's press department, information technology department and external consultants that will help contain the breach, Forsheit said.

Sotto said that in addition to the response plan, one of the first calls a company should make is to outside counsel to “work with them to obtain an forensic investigator under privilege.” The outside counsel will be able to “understand the nature and scope of the compromise” and draw conclusions that will help when regulatory agencies come knocking, she said.

A clear and concise incident response plan may help companies make a disclosure that sheds light on the data breach without sharing too much information.

According to Caponi, the response plan will help companies be “ahead of the curve.” The plan helps paint a picture with the company as “the victim” and shows that they are handling the situation appropriately, he said.

Who to Trust?

After a data breach, companies will face a barrage of inquiries from the press, consumers, directors and most importantly federal and state regulators. The increased focus may influence how much information is shared and to whom it is shared with.

Lawyers differ on which regulators to trust and how open companies should be with their information.

Sotto said it is important to provide information to both state and federal regulators to “to help them understand what happened and frame the issue before the media does that for you.” The regulators are “imminently rational” with how they use a company's data and won't make improper disclosures, she said.

Caponi, said however, that companies should be hesitant sharing all their information with regulators. Although companies should comply with reasonable information requests from regulators, they shouldn't give over all their information wholesale, he said. Certain federal regulators, such as the “Federal Trade Commission, the SEC and the Federal Communications Commission are not viewed as a friend of businesses” he said.

Instead, companies should turn to the “Federal Bureau of Investigation and the Department of Homeland Security to help deal” with the post-data breach threats, Caponi said. Law enforcement is a “tremendous resource” and “acts as a clearinghouse for information before victims are re-victimized.”

When it comes to disclosures, “companies should make sure that it doesn't impede law enforcement investigations, or impede internal investigations,” he said. Law enforcement is trying to stop future attacks, and an improper disclosure could tip off the nefarious actors, Caponi said.

Transparency Builds Trust

There are a number of different disclosure methods, but according to Sotto, no matter who you share the information with “transparency is the right way to go.” Companies must report “ sufficient, accurate and materially complete information without spilling their guts on paper,” she said.

“Losing dollars matters, of course, but losing future dollars and lack of trust” because you either lied or withheld information from the public or regulators “hurts even more,” Sotto said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.