Due Diligence and Selling/Buying a Business: Data Breach Disclosures
On February 21, 2018, the Federal Securities and Exchange Commission (“SEC”) issued new guidance on public corporation cybersecurity disclosures. The SEC focuses on publicly-held corporations, but the new cybersecurity guidelines are also relevant to small, closely-held corporations and to due diligence when you are planning to buy or sell a San Diego business. We have written about data security issues in the past. This article continues that series, since data security is becoming ever more important.
Selling/Buying San Diego Businesses: Disclose Data Breaches and Cybersecurity Risks
Cybersecurity Guidance from the SEC was first issued in 2011. The new February 2018 Guidance is an update, given that data breaches and cyberattacks are increasing every year. There were over 850 data breaches, hacks, and cyberattacks in 2017. Literally millions of Americans are impacted by the loss of their personal and financial information from data breaches. The Equifax data breach that was in the news last year involved 147.9 million customers; that is almost half of the American population and nearly two-thirds of adults living in the US.
The new Guidance from the SEC suggests that corporations must give serious attention to disclosures with respect to periodic reports, registration statements, and public reporting requirements. To be clear, the SEC has not created a specific mandatory disclosure obligation with respect to data breaches, hacks, and other cybersecurity threats. However, the new 2018 Guidance lays the foundation for the idea that cybersecurity issues might be “material” for purposes of what a company must disclose. Thus, for example, the SEC Guidance states:
“Item 503(c) of Regulation S-K and Item 3.D of Form 20-F require companies to disclose the most significant factors that make investments in the company’s securities speculative or risky. Companies should disclose the risks associated with cybersecurity and cybersecurity incidents if these risks are among such factors, including risks that arise in connection with acquisitions.”
The 2011 Guidance keyed in on the idea of properly disclosing risks with respect to cybersecurity in general. The 2018 Guidance adds a focus on what disclosure is recommended after a cybersecurity event has occurred, whether the cyberattack was foiled or whether it was successful. In other words, disclosure that a cyberattack MIGHT occur is different from disclosure that a cyberattack has occurred. Obviously, a past cyberattack mandates a different assessment of the risk of future cyberattacks and a different kind of disclosure.
Selling/Buying San Diego Businesses: Private Placement Memoranda
As noted, the SEC focuses mainly on publicly-held corporations. The cybersecurity Guidance is just as applicable to private securities issued under Regulation D exemptions (Rules 504 and 506). While the disclosure requirements under Rules 504 and 506 are much less demanding, an entity offering or selling securities must still disclose material information. Under some circumstances, a serious data breach might be one such material matter that should be disclosed. This is a function of financial risk. Recent experience has shown that data breaches can be costly to the company experiencing the data breach or hack. Target stores suffered a data breach in 2013. Since then, the cost to Target in terms of settlements, attorneys’ fees, outside experts, employee time, etc., has exceeded $200 million.
Selling/Buying San Diego Businesses: Due Diligence When Buying or Selling a Business
When buying or selling a business in San Diego, there is a long list of items that must be considered and explored during the due diligence phase. Cybersecurity is a new item that should be added to a well-drafted Business Sale/Purchase Agreement. In general, if a company allows customers to use credit cards to make purchases, then the company collects, stores, and uses personal customer data. Even a minimal amount of such data must be protected from cyberattack, hacking, and malicious, intentional internal disclosure.
Contact San Diego Corporate Law
Every San Diego business needs a skilled and experienced business attorney who knows California law and evolving trends such as the need for cybersecurity. Your business needs an attorney like Michael Leonard of San Diego Corporate Law. To schedule a consultation, contact Mr. Leonard via email or call (858) 483-9200.