This article was written by Cheng Lim, Stephen Minns and Millie Zhong.
It was originally published in the LexisNexis Australian Media, Technology and Communications Law Bulletin.
There are more data breaches every year
Every day, we read a new story about a new data breach. It’s not just because it makes a good story for the media to report; it’s because there are more data breaches occurring. Telstra’s Cyber Security Report 2016 reports that 23.7% of Australian organisations surveyed detected a business interrupting security breach during an average month. The Asia Pacific region experienced an even higher level of security incidents with 45.5% of surveyed organisations impacted by a security incident in an average month.
It is little wonder then that the proposed Privacy Amendment (Notification of Serious Data Breaches) Bill (Proposed Privacy Amendment Bill) has received much public attention since the release of the exposure draft in December last year. This Bill, which is still in its consultation stage, requires organisations to make disclosures of “serious data breaches”. There has been significant media coverage to date of this Bill, and of the submissions made by various interested parties.
However, there has been little consideration or analysis in recent times of the existing obligations of ASX listed companies to disclose data breaches under their continuous disclosure obligations. We examine this in the context of the TalkTalk data breach in October 2015, in which the names, addresses, dates of birth, phone numbers, email addresses, account information, credit card and/or bank details of TalkTalk’s four million customers had potentially been stolen. To put this in context, TalkTalk’s initial and highest estimate of 4 million customer records disclosed was less than 5 per cent of the customer records disclosed in the Target, eBay and Home Depot cybersecurity breaches in 2013 and 2014, which reportedly affected 100 million to 145 million customers.
Cybersecurity breaches are perhaps not front of mind as triggering the continuous disclosure obligations, and indeed, up until late last year even widely publicised incidents did not appear to have any significant effect on share price. A study carried out in 2014 by NERA Economic Consulting found at the time, that cyber incidents did not appear to impact share prices significantly in the medium to long term. So perhaps this has been the basis on which one might argue that there is no immediate need for ASX listed companies to disclose cybersecurity breaches in order to comply with their continuous disclosure obligations.
However, will this continue to be the case? Following the TalkTalk data breach, the company’s shares fell by 10.7 per cent. Two weeks later, analysts halved their forecasts of the company’s full year customer growth, resulting in another 7 per cent drop in share price. This sharp drop in share price following the data breach clearly indicates the potential for cybersecurity breaches to have a material impact on share price, particularly where the cybersecurity breach has an impact on market share or customer retention.
ASX listed companies are already under continuous disclosure obligations under the Corporations Act 2001 (Cth) (Corporations Act) and the ASX Listing Rules. The Corporations Act requires corporations to disclose information that would reasonably be expected to have a material effect on the price or value of the securities of the entity, being information that would, or would be likely to, influence persons who commonly invest in securities in deciding whether to acquire or dispose of those securities. These statutory provisions have been adopted by the ASX in rule 3.1 of the Listing Rules.
As with the mandatory notification requirements under the Proposed Privacy Amendment Bill, continuous disclosure obligations are not triggered unless the relevant materiality thresholds have been met. As would be expected, while the threshold under the Proposed Privacy Amendment Bill focuses on the degree of harm a cybersecurity breach may potentially cause to the affected individual, the continuous disclosure obligations focus on the price impact of an incident on the company’s shares.
To date, very few general principles have been set out by either the courts or the ASX on what information is considered “material” in relation to the price or value of a company’s securities. The leading cases simply confirm that the test for “reasonably expected” is an objective one, made with reference to an investor commonly investing in listed securities, and that all relevant facts and circumstances must be considered in totality on a case by case basis and looking at both quantitative and qualitative measures.
Importantly, the courts have stated that it may be permissible to examine how the market subsequently behaved when the information was disclosed as a device for confirming whether or not the information was subject to the continuous disclosure requirements.
The ASX has recommended a quantitative threshold for continuous disclosure in Guidance Note 8 to the Listing Rules, suggesting that the guidance on materiality in Australian Accounting and International Financial Reporting Standards should be applied. On this basis, a variation of 10 per cent or more in expected earnings will be “material” for the purposes of continuous disclosure, whereas a variation of 5 per cent or less can be considered “immaterial”.
Coincidentally, TalkTalk’s initial estimate of its cybersecurity breach costs, announced three weeks following publication of its cybersecurity breach incident, led analysts to predict a downward revision of its full year earnings that would fall within this threshold. Interestingly, while the costs of cybersecurity breach events in the public eye have been high in absolute dollar amounts, they have not generally formed a significant percentage of the company’s revenue. For example, the Target incident in 2013, one of the most costly cybersecurity breaches to date, was reported to have cost the company US$252 million to remedy before insurance payouts and tax returns, and a net amount of $105 million after these were taken into account. These amounts respectively represent around 3.5 and 1.5 per cent of Target’s 2014 financial year revenue.
According to Verizon’s 2015 Data Breach Investigations Report, Target’s cybersecurity breach costs were at the upper limit of remediation costs for incidents of a similar scale. The report, based on almost 200 cyber liability insurance claims, assessed the remediation cost of cybersecurity breaches against the number of records involved. At the lower end of the scale, the cost of remedying 95 per cent of breaches involving 100 records were assessed to fall between US$18,000 and US$36,000, but potentially reaching $556,000. At the opposite end, the cost of breaches involving 100 million records were assessed to be between US$5 million and US$15.6 million for 95 per cent of incidents, with the highest potential remediation costs assessed at US$199 million. These cost assessments were reported as being independent of organisation size. A separate study by the Ponemon Institute found that the average cost of a data breach to Australian companies, including the cost of lost business and customer churn, was $A2.8 million in 2014.
Based on the above findings, a purely quantitative determination of materiality would suggest that cybersecurity breaches are much more likely to trigger continuous disclosure obligations for small to medium companies than for larger companies.
Of course, an assessment of materiality does not end with a quantitative evaluation. Depending on the information compromised, cybersecurity breaches can expose companies to regulatory action, increased regulatory supervision, statutory penalties and fines, and the risk of shareholder litigation or class actions from customers. Cybersecurity incidents may also be damaging to a company’s relationships with its customers, suppliers and employees. In extreme cases, this may lead to the termination of material contracts, including the loss of the ability to accept credit card payments.
Perhaps by far the most significant cost arising from a cybersecurity breach is the damage to the company’s reputation. If the cybersecurity breach results in a significant (deleterious) change in the public perception of a company, this may have a material effect on price, even if the financial impact of the cybersecurity breach itself is small. For example, in James Hardie v ASIC, the New South Wales Court of Appeal held that details relating to the corporate group’s restructure were subject to the continuous disclosure obligations, since this would free the group’s holding company from any remaining connection to the asbestos claims. Even accepting management’s assessment that the prospect of any liability claims coming home to the company was remote, it was found that the severing of that connection would reduce the negative sentiment in the market that was causing a blight on the company’s share value.
The TalkTalk incident in October 2015 is arguably an example of where the fact of the cybersecurity breach affected public perception to the extent that share prices were adversely impacted. While this has been an isolated occurrence thus far, there may be a number of factors that contribute to such a perception being formed. For instance, the Ponemon Institute study reported that the services and financial sectors in Australia showed higher abnormal churn rates than other industries following a cybersecurity breach. Presumably, consumer facing companies would also be more likely to suffer reputational damage from a cybersecurity breach incident than companies with predominantly commercial customers, since the former are likely to have more records of individual customers’ personal and financial information.
A qualitative assessment therefore potentially leads to the opposite conclusion to that reached through a quantitative determination. While larger organisations are better able to absorb the costs of a cybersecurity breach, they are more likely to be impacted by reputational or other qualitative factors, since the number of people directly affected and the level of public attention are both likely to be higher.
The continuous disclosure obligations require companies to provide immediate notification of price sensitive information, subject to that information being sufficiently definite and complete. However, unlike the 30 day period under the Proposed Privacy Amendment Bill, there is no definitive “safe harbour” time period in relation to the continuous disclosure obligations.
While the scope and impact of some cybersecurity breaches may be immediately obvious (e.g. the Sony breach), there are cases in which the scope and impact of the incident may be unknown even though the fact of the breach is definite. And unlike a takeover, a capital raising or a material incident affecting a company’s operations, it is possible that a cybersecurity breach may have little or no impact on share price once its scope has been determined.
Consider a hypothetical alternative to the TalkTalk incident. Say a breach of a company’s systems is discovered on 22 October, but the extent of the compromise is at that point unknown. By 6 November, the company ascertains that while the breach was aimed at disrupting the company’s operations, no records appear to have been compromised and the vulnerability exploited in the attack has been patched. Would the company have been required to give notification of the breach on 23 October (and face the risk of a 10 per cent fall in its share price)? Or would it be justified in holding off any announcements until the impact was ascertained two weeks later, and then determining that no notification was required since the incident would no longer have a material effect on price (thereby preserving its share value)?
An analogous situation involving the investigation of a company CEO by the Corrupt Practices Investigation Bureau (CPIB) was considered by the Singaporean High Court in Madhavan Peter v PP. In that case, a distinction was drawn between “knowledge of information” and “knowledge of whether the information is likely to have a material effect on the price or value of a company’s securities”. While the CEO had been arrested, released on bail and had his passport impounded at the relevant time, evidence was given and accepted that the investigations at that stage were too vague for their nature to be determined and an assessment to be made as to their effect on share price. On this basis, the court found that non-disclosure of the investigation was not unreasonable.
The hypothetical scenario and the Singaporean case above highlight the difficulty faced by companies when complying with their disclosure obligations in navigating between informing the market of material developments and ensuring sufficient certainty so that disclosures do not result in undue volatility. The notification regime under the Proposed Privacy Amendment Bill also seeks to strike a similar balance between immediate notification for the mitigation of harm to individuals, and the requirement of certainty to avoid ‘notification fatigue’ by giving organisations 30 days to determine if there was likely to have been a serious data breach.
It is unclear whether or not Australian courts would follow Madhavan Peter v PP. While the cases agree that an ex ante approach should be taken to assess the materiality of the information at the time it is alleged the disclosure should have occurred, where subsequent market information has been available, the courts appear to have invariably based their decisions on market reactions after the fact. For example, in James Hardie v ASIC, the court found that “although the share price was relatively stable, there was a significant increase in the volume of share trading…Given the proximity in time to the public release of the information, the inference is that the market reacted to the information.”
In light of these precedents and the recent example of TalkTalk, it may not be possible for companies to rely on the “sufficient certainty” qualification in the continuous disclosure obligations, or the 30 day grace period in the Proposed Privacy Amendment Bill, to delay notification of a cybersecurity breach to the market until they have assessed the full extent of its impact. Accordingly, as a general principle, if the impact of a cybersecurity breach is likely to be substantive, then the breach should be disclosed, even if the exact size or dimensions of the impact of the breach are not yet fully ascertained at the time.
The timing of when a cybersecurity breach is announced also has implications that extend beyond compliance. According to the Ponemon Institute study, a “rush to notify” increased the cost of a data breach by approximately 5 per cent. The very significant reduction from 100 per cent to 4 per cent of customers affected after TalkTalk had ascertained the impact of its October cybersecurity breach also invites the question of whether the impact on its share value would also have been reduced if its announcement had been made later.
On the other hand, early notification may be beneficial from a public relations perspective. A delay in notification, even by a period of days, can result in adverse customer reactions. For example, in the Carphone Warehouse incident, the company contacted potentially affected customers within three days of the incident, after it had completed preliminary investigations into the incident. Despite this relatively short period between incident and notification, angry responses were still posted by customers on Twitter, questioning the length of time taken for customer notification and accusing the company of “hiding in [its] bunker”.
With increasing digitalisation and the emergence of new technologies such as the Internet of Things, the risk of cybersecurity breaches will only increase in the future. Regulatory bodies are also increasingly introducing notification regimes, on the basis that adequacy of information will assist in mitigating the potential adverse consequences of cyber risk such as financial loss or identity theft.
The continuous disclosure obligations are another dimension of this idea of “adequacy of information” which will allow shareholders to mitigate the risk of a drop in the value of their shares. A 2015 Harvard Business Review article has commented that the reason cybersecurity breaches have had limited impact on share prices was because “shareholders have neither enough information about security incidents nor sufficient tools to measure their impact”. This is likely to change as the public, and shareholders, become better educated on cybersecurity risks.
In the post-TalkTalk environment, it may therefore be prudent for companies to err on the side of caution and disclose any cybersecurity breaches with significant customer impact, even if it is unclear whether this is strictly required under the continuous disclosure obligations. While a balance is to be struck between timely information and certainty, companies should bear in mind the considerable weight given by the courts to subsequent market behaviour and the benefit of hindsight!