Changing Data Breach Response – Investor Rights as the Stimulus for Data Protection, Breach Response and IT Asset Management

By Bob Johnson, NAID

At the height of the 2013 holiday buying season, Target department stores, the second largest retailer in the U.S., announced its payment card system had been hacked, resulting in unauthorized access to the private information of more than 110 million customers. As a direct fallout, their longtime, highly successful CEO resigned, the company took a 46 percent sales hit over the holiday, and the stock lost approximately 20 percent of its value in four weeks. And, while share value has recovered, leery customers, a tarnished reputation and formidable unsettled lawsuits pose an ongoing threat.

Target was just the beginning of what was to be a litany of hacker-related breaches over the past year, including eBay (140 million), JP Morgan Chase (76 million), Home Depot (55 million), and hundreds of lower profile incidents, all of which unarguably tarnished both ROI and goodwill, the two things investors value the most.

Approximately one month after the Target breach, Coca-Cola announced the personal information of 74,000 current and past employees was breached. The incident was made public in compliance with the data breach notification requirements, now in 49 states. These regulations legally require organizations to notify affected individuals and data protection regulators when there is substantial risk of unauthorized access to personal information. In Coca-Cola’s case, it discovered a large number of laptops were missing, allegedly stolen by the employee responsible for their final destruction.

Despite the short-term discomfort, it was extremely prudent for Coke to comply with the notification requirement. The vast majority of organizations don’t, choosing instead to avoid immediate pain in favor of putting the organization and investors at risk of much more devastating consequences in the future; a threat, by the way, that exists in perpetuity. In failing to account for missing IT assets, organizations blatantly ignore their regulatory responsibility to investigate and report potential data breaches. Should any of those missing IT assets turn up later, even years later, these firms would not only have the data breach to deal with, they would also be guilty of having ignored their data breach reporting requirements. The fallout could be devastating to the company’s immediate bottom line and its long-term viability.

Target’s troubles and, in contrast, Coke’s prudent response are two examples of an emerging reality that neither the C-suite, Wall Street nor regulators can afford to ignore any longer. Negligent data protection, information governance, and IT asset management practices are now so potentially severe that they can put revenues, reputations, stock values and long-term viability at risk. We have reached the point where malfeasance in data protection could realistically pit investors and regulators against management and the organization. Further, we are at a point where investors and regulators can legitimately contend that data security, IT security, and governance are among the risk management and business activity issues organizations are required to report to investors in annual reports and stock offerings.

Protecting Investors

Investor rights are readily acknowledged in the U.S. and around the world. In the U.S., public companies are required to disclose issues materially relevant to the company’s performance, stressing the requirement to disclose all known risk factors. The mission of the U.S. Securities and Exchange Commission (SEC) “is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.” Elsewhere, the SEC describes the nature and purpose of corporate disclosures.

“Through the Division’s review process, the staff checks to see if publicly-held companies are meeting their disclosure requirements and seeks to improve the quality of the disclosure. To meet the SEC’s requirements for disclosure, a company issuing securities or whose securities are publicly traded must make available all information, whether it is positive or negative, that might be relevant to an investor’s decision to buy, sell, or hold the security.”

Given this duty, it certainly seems appropriate that knowledge of an organization continuing to rely on an insecure operating platform, or failing to track and control IT assets, would rise to this stated threshold. These exact situations are among those that have resulted in investor losses, and all, without question, were “relevant to an investor’s decision to buy, sell, or hold the security,” as the SEC has so appropriately characterized the type of information worthy of reporting.

Of course, disclosure requirements are not limited to publicly traded companies. Private companies offering investment opportunities have the same obligation. The language referenced in state and federal laws on this matter is both similar and straightforward.

“All information which is material to enable a reasonable person to make an informed investment decision must be disclosed. A good rule of thumb is that anything which you would want to know about a company before making an investment in a similar enterprise would be deemed to be material and should be disclosed to potential investors.”

More specifically, the SEC checklist of disclosure-worthy issues includes market risk, corporate governance, a prospectus summary, and all risk factors.

In fact, data protection preparedness is arguably a more acute issue for smaller investment opportunities. Though the damage of lax IT asset and data protection can cripple a large organization, it can be fatal for a medium or small sized firm.

In any case, regardless of the size or structure of the investment, negligent practices or purposefully withholding known inadequacies in data management and protection rise to the level of a risk that any reasonable investor would want to know.

Rationalizing Data Security Failure

At this point, many readers are probably dubious that data protection and governance are disclosure-worthy, or even disclosure-capable.

They will be tempted to accept the premise that preventing such data breaches is beyond any organization’s capabilities or that it is impossible to discern or detect such related risks in advance. This reasoning is mistaken, however, and amounts to little more than a veiled excuse, providing refuge and permission to organizations that allow it to happen and continue.

For instance, there are credible reports that Target ignored advance warnings of the potential data security breach. And, it would be hard to argue that no one at Home Depot understood the firm’s reliance on Windows XP put the organization at risk. Had the C-suite operated under the assumption that risk preparedness in data security, information governance and related issues was among the items they were legally required to disclose, senior management would likely have been paying attention. Stated another way, if the C-suite knew they would be held accountable to investors and regulators for data protection, information governance and related issues, Target would have paid attention to early warnings and Home Depot would not have been running on an obsolete operating system.

Consider the situation, as described in the introduction, where organizations commonly dismiss missing IT assets. Veteran IT asset management services, hired to help large companies inventory and retire end-of-life computers, routinely discover that a significant percentage of that equipment cannot be located. Each of these computers embodies a potential breach incident with the potential to cripple the organization. This situation is eminently preventable given the proper corporate will… and IT asset tracking software.

Excusing knowable and preventable data security breaches as inevitable is a justification for a lack of accountability. It creates a vicious cycle, wherein the lack of accountability allows for future breaches. The point is, this lack of accountability puts stakeholders at risk, and a requirement to disclose data security and information governance issues would not only better protect the investor (which is the reason disclosures exist), it would effectively instill the accountability necessary to prevent the breach in the first place.

No one is disputing that such attacks are relentless and ingenious, and likely to continue for the foreseeable future. But, even if nothing can stop the onslaught, there are many proven strategies for isolating the regulated data, detecting access, and heeding the warning signs before the damage is irreparable.

Dave DeWalt, CEO of FireEye, a cyber-security company serving many high-profile organizations, touched on what is reasonably acceptable when such inevitable attacks strike.

“They’re going to get in. But don’t let them access the information that’s really important. Don’t let them get back out with that information. Detect it sooner. Respond sooner. And ultimately that exposure is very small. Maybe they got away with a few credit cards. Maybe they didn’t get away with any credit cards. But they didn’t steal 56 million of them or 40 million of them.”

Investors and regulators are being misled when they accept as inevitable and unpreventable that data breaches result in catastrophic loss. The hack attempt may well be inevitable, but not the loss of data.

According to Angie Singer Keating, CEO of Reclamere, Inc., a consultancy that helps breached organizations investigate the extent of the harm done, many such incidents could have been avoided given the appropriate corporate will.

“There are few if any discussions about data protection and governance in boardrooms before a data security incident,” says Keating, “but, increasingly, that’s where the fallout lands. Of course, afterwards the issue is uppermost on everyone’s minds.”

Trending Accountability

Despite the relative merits of such disclosures, even if regulators were inclined to agree, they would likely face strong opposition from institutions and lawmakers, at least in the near term. However, there are emerging trends that are likely to soften that opposition, including calls for other non-financial disclosures, the approaching legal tsunami, and investor activism.

Calls for other non-financial disclosures: Shareholders are calling for an increasing number of non-financial disclosures from the organizations that they invest in. Sustainability, diversification, human rights, and animal rights are generally high on those lists.

In the “flat earth” economy of the new millennium, phrases and buzzwords like “information is power,” “big data,” and “information age” are tossed around with abandon, belying the fact that information is commonly thought of as the legal tender of our times. Certainly, information governance and known, or knowable, data security risks are as relevant to investor decision-making and welfare as diversification and sustainability are. An organization’s ability to govern the real currency of our age – information – is worthy of some mention on its holistic balance sheet. What investor isn’t owed an honest portrayal of that balance sheet?

The approaching legal tsunami: When a data security breach happens, scores of lawsuits result. While they’re expensive to defend, actual damages have been largely avoided up to now because the breach couldn’t be demonstrated.

Slowly, however, that failsafe is being challenged. Last year, for the first time, a Florida appellate court overturned such a ruling, leading to a $3 million settlement, based on the fact that the respondent violated an obligation to protect the personal data and that obligation was an inherent provision of the business relationship. Just a week later, a California court allowed a similar case to go to court, a case where no actual damages had been demonstrated, leading to a $4 million settlement.

More recently, offsetting an earlier victory in which the scores of separate lawsuits against it were combined into four cases, Target watched as a judge allowed three of those four cases to proceed. That was a surprise. And, Home Depot recently warned investors that future legal costs, settlements and fines stemming from its 2014 breach could have a tangible impact on the company’s performance.

Even more troubling, Target, Home Depot and a growing list of organizations are also in the cross hairs of banks seeking to recoup the costs they’ve incurred due to the breaches. In the past, banks and payment card companies refrained from such pursuits. In fact, they were thick as thieves.

Banks have always been able to determine which retailers had been breached and when those breaches caused damages to individuals. However, they refrained from naming names or assigning public blame, probably because doing so could result in loss of consumer confidence in their payment cards and, just as importantly, providing such information would give plaintiffs the evidence they needed to assign damages, thereby revoking retailers’ get-out-of-jail-free card. Apparently, that gentleman’s agreement is losing sway, and, if so, it means retailers on the wrong side of a breach can expect to face banks and payment card services, in addition to class actions that will be better armed.

In November, a Minnesota court green-lighted damaged banks’ right to sue Target. Home Depot and others are bracing for a similar fate.

Regulators also seem to be taking a new perspective that bodes ill for those on the wrong side of data loss. The FTC is currently pursuing a $10 million fine against two companies at the center of a data breach for “deceptive” business practices. Essentially, the FTC maintains the organization deceived customers by not protecting their data, taking the position that actual damages were not the issue. By treating data breaches as an unfair business practice, such events are being pursued from a completely different angle. It’s reminiscent of the Feds busting Al Capone for tax evasion instead of RICO.

Suffice it to say, the legal and regulatory trends are decidedly unfavorable to those suffering data breaches. The loopholes are closing and data loss is increasingly affecting the value, profits, reputation and viability of organizations. Investors will be harmed.

Investor activism: Given the emerging environment, investors are not likely to sit idly by. Soon, the throng of class action suits lining up after a breach will be joined by outraged investors robbed of their earnings due to negligent information governance, IT asset management and data security.

If Home Depot’s continued use of Windows XP was deemed negligent, and if the resulting loss of customer goodwill and the cost of legal fees and settlements affect the value of the stock, wouldn’t investors have suffered due to that negligence? Let’s face it, damaged activist investors have sued for a lot less. Sure, the company could just as easily have lost value due to a misguided business decision, but is that really the same thing? No, it isn’t, because investors would have been able to evaluate the management team’s pedigree, acumen and experience. When it came to data governance, investors had only assumptions and reasonable expectations.

When it happens, C-suite focus on adequate data governance will follow quickly and, in that environment, investor disclosure on these issues will be done by choice, not edict. Given the direction of things, it is only a matter of time.