Risky Business: Target Discloses Data Breach and New Risk Factors in 8-K Filing… Kind Of

MintzLogo2010_Black

After Target Corporation’s (NYSE: TGT) net earnings dropped 46% in its fourth quarter compared to the same period last year, Target finally answered the 441 million dollar question – To 8-K, or not to 8-K?  Target filed its much anticipated Current Report on Form 8-K on February 26th, just over two months after it discovered its massive data breach.

In its 9-page filing, Target included two introductory sentences relating to disclosure of the breach under Item 8.01 – Other Events:

During the fourth quarter of 2013, we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network. Throughout the Risk Factors in this report, this incident is referred to as the ‘2013 data breach’.

Target then buried three new risk factors that directly discussed the breach apparently at random within a total of 18 new risk factors that covered a variety of topics ranging from natural disasters to income taxes.  Appearing in multiple risk factors throughout the 8-K were the following:

  • The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
  • A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
  • We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

An interesting and atypically relevant part of Target’s 8-K is the “Date of earliest event reported” on its 8-K cover page.  Although Target disclosed its fourth quarter 2013 breach under Item 8.01, Target still listed February 26, 2014 as the date of the earliest event reported, which is the date of the 8-K filing and corresponding press release disclosing Target’s financial results.  One can only imagine that this usually benign date on Target’s 8-K was deliberated over for hours by expensive securities lawyers, and that using the February earnings release date instead of the December breach date was nothing short of deliberate.  Likely one more subtle way to shift the market’s focus away from the two-month old data breach and instead bury the disclosure within a standard results of operations 8-K filing and 15 non-breach related risk factors.

To Target’s credit, its fourth quarter and fiscal year ended on February 1, 2014, and Target’s fourth quarter included the entirety of the period during and after the breach through February 1.  Keeping that in mind, Target may not have had a full picture of how the breach affected its earnings in the fourth quarter until it prepared its fourth quarter and year-end financial statements this month.  Maybe the relevant “Date of earliest event” was the date on which Target was able to fully appreciate the effects of the breach, which occurred on the day that it finalized and released its earnings on February 26.  But maybe not.

Whatever the case may be, Target’s long awaited 8-K filing is likely only a short teaser of the disclosure that should be included in Target’s upcoming Form 10-K filing.

Article by:

Adam M. Veness

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

To 8-K, or not to 8-K? For Target, that is indeed the question.


MintzLogo2010_Black

As anyone with a pulse and a computer, television or carrier pigeon knows, Target Corporation (NYSE: TGT) suffered a major data breach in December – the extent of which is still being uncovered – and pegs the latest number of customers that have had their personal information stolen anywhere from 70 to 110 million.  As a public company, a breach of this magnitude should be material enough to warrant a Form 8-K filing, right?  As of this post, Target doesn’t seem to think so.

Form 8-K contains mandatory disclosure requirements when certain enumerated events occur, as in the entry into a material definitive agreement (Item 1.01) or the resignation of a director (Item 5.02).  Reporting an event such as the Target data breach would likely fall under Item 8.01 of Form 8-K, which is used to report “Other Events.”  Item 8.01 permits the registrant, at its option, to disclose any events not otherwise called for by another Form 8-K Item that the registrant “deems of importance to security holders,” and is an entirely voluntary filing.

Although filing under Item 8.01 of Form 8-K is voluntary, other companies that have suffered smaller data breaches have opted to file an 8-K to disclose such breaches, including The TJX Companies, Inc.’s (NYSE: TJX) breach disclosed in an 8-K in January, 2007, and Morningstar, Inc.’s (NASDAQ: MORN) more recent breach disclosed in an 8-K in July, 2013.  Target’s securities lawyers may believe that the breach is not “important to security holders,” or  is not sufficiently material enough to the roughly $38 billion company to warrant the filing of an 8-K, but 70 to 110 million affected customers is hardly immaterial, even for Target.   In a statement released January 10, Target warned that the costs related to the breach “may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.”

Indeed, Target evidently determined when filing its Form 10-K for 2012 that the risk of a data security breach was material enough to warrant disclosure in its risk factors:

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.”

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant.  If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.” (emphasis added)

Of course, there is no time limit for filing under Item 8.01 of Form 8-K due to it being a voluntary filing, so a filing may still be forthcoming from Target.  In any event, one can only imagine that the risk factor language above will look very different in Target’s next Form 10-K filing in two months.

Article by:

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.