By Tash Bottum. Full text here.
Federal disclosure law requires companies to report certain types of events on a current basis. This reporting regime aims to promote transparency, enhance informed investments, and protect investors. However, the disclosure requirements are currently governed by a vague materiality standard, which fails to adequately guide companies in determining whether and when to disclose certain events. This failure decreases corporate transparency, which in turn frustrates the very purposes these laws are intended to defend. This is especially true with regard to disclosing a content data breach.
Today, content data breaches are increasingly prevalent, with cybersecurity experts opining that breaches are now an “inevitable” consequence of doing business. In today’s age of technology, companies dedicate vast resources to protecting incredible amounts of data, and the focus on cybersecurity is rapidly increasing across industries. This focus is in large part due to the risks that content data breaches pose to a company’s interests. Recent studies have found that a content data breach decreases a company’s share price, which harms its investors.
This Note uses the recent Equifax content data breach to trace these harms and concludes that this phenomenon merits regulatory attention. Consequently, this Note rejects the materiality standard and proposes a new bright-line rule to govern whether and when companies must disclose a content data breach—the Content Data Breach Disclosure Rule (the CDBD Rule). The CDBD Rule would require companies to disclose content data breaches within four days of their discovery by way of the SEC’s Form 8-K, and specifically, Item 2.06: Material Impairments. This solution would resolve current reporting confusion amongst companies and facilitate corporate transparency while protecting investors. Accordingly, the CDBD Rule preserves and promotes the original purposes of the federal disclosure regime.