SEC Preparing to Regulate Data Breach Disclosures

May 06, 2015

​Fenwick & West partner Mike Dicke, co-chair of the firm's securities enforcement group, was quoted extensively in a Daily Journal article reporting that the Securities and Exchange Commission (SEC) is re-working its disclosure rules for public companies that have experienced cybersecurity breaches. 

According to Dicke, a former associate regional director for enforcement in the SEC’s San Francisco office, the agency is likely to take enforcement actions in cybersecurity cases before it actually issues the revised rules.

"I expect we'll see an enforcement case arising out of one of the major data breaches in 2013 or 2014," Dicke said, referring to the investigations the SEC is concluding into the high-profile breaches experienced by Target, Sony Pictures and Home Depot. 

"The SEC's enforcement division has a history of stepping in when there's a void of guidance from the commission in a particularly important area like cybersecurity disclosure," he explained.

Dicke also noted that increased SEC activity in this area is likely to present public companies with a challenge: how to be timely in reporting cyber breaches while at the same time be sufficiently diligent in gathering, and then providing, the most accurate information possible. 

Although answers to the timing question will be difficult to nail down, Dicke indicated, the recommended approach to accuracy in data breach reporting will be clear-cut. 

"What is clear is that once ​you speak about something that is material, once you open your mouth, you have to speak fully and truthfully," he said.​