Tag: privacy

Protecting Trade Secrets in the Cloud

FINAL SW logo wLLP2

The business community’s growing use of cloud-based computing services provides great benefits due to cost-savings and mobile information access.  However, business leaders should understand the risks of storing valuable trade secrets in the cloud.  This article provides the business community tips on how to safeguard valuable trade secrets stored in the cloud from being freely disclosed to the public, thus putting the business at risk of losing protections that courts grant trade secrets.

As businesses’ profit margins have continued to shrink since the Great Recession, more companies have looked to reduce costs by reducing growing expenses related to their information technology departments.[1] The first line item to draw attention in the IT budget is frequently the rising costs associated with maintaining and upgrading system hardware.  Businesses often find that housing and operating multiple servers stretches IT budgets thin by increasing maintenance, labor, and operational costs.  The solution so many businesses have turned to is to move their valuable data to virtual servers, or the “cloud.”[2]  A recent survey of IT executives provides that companies will triple their IT spending on cloud-based services in 2014 over 2011.[3]  Cloud service providers have also seen demand increase as they increase their cloud capabilities.[4]

Although cloud-based servers provide businesses with substantial financial and operational benefits, businesses must recognize that there are perils to shifting data to the cloud.  One of the key concerns businesses should consider before moving data to the cloud is the risk that its valuable trade secrets will lose protection as a result of insufficient safeguards to protect against disclosure.  This article addresses that concern and provides businesses keys for seeking to protect valuable secrets in the cloud.

What is a Protectable Trade Secret

The initial step for a business to determine how to protect its trade secrets is to understand how the law characterizes a trade secret.  Information qualifies as a trade secret only if it derives independent economic value as a result of not being generally known or readily ascertainable, and be subject to reasonable efforts to maintain its secrecy.  Trade secrets are broadly defined as information, including technical or non-technical data, a formula, pattern, compilation, program, device, method, technique, drawing, process, financial data, strategies, pricing information, and lists of customers, prospective customers, and suppliers.

Businesses Need to Take Reasonable Efforts to Protect Trade Secrets in the Cloud

Trade secrets are only protectable when the owner takes reasonable efforts to prevent them from being freely disclosed to the public so that the information does not become generally known.

Information does not have to be cloaked in absolute secrecy to be a trade secret, as long as a business’s efforts to maintain secrecy or confidentiality are reasonable.  It is easy for one to imagine how a business may protect confidential documents that are stored locally.  Computer files may be password-protected with several layers of encryption software, with access limited to specified personnel.  Similarly, paper files may be stored in locked cabinets, in secured rooms, where only specified personnel are granted access.

However, those seemingly straight-forward security protocols become murky when information is stored in the cloud.  Unlike storing data on local servers, storing data in the cloud requires the owner to disclose confidential information to a third-party vendor.  In most situations, disclosing data to a third-party eliminates trade secret protections.   Therefore, businesses must take additional steps to ensure that its data remains secure.

Three Keys to Protecting Trade Secrets Stored in the Cloud

There are no fail-safe measures to protect data stored in the cloud.  The best way for a business to protect its trade secrets is to locally store and protect its most valuable data with the proper data security protocols.  A business, however, should not fear the cloud as long as it takes certain steps to ensure that it exercises reasonable efforts to protect its cloud-based data.

First, business leaders must conduct appropriate due diligence before selecting a cloud-provider.  The business should conduct necessary research to select a reputable, well-established company that has the physical and technological capabilities to store and protect data.

Conducting due diligence on a provider includes ensuring that the provider has taken necessary steps to establish appropriate physical and virtual security protocols to protect the confidentiality of your information.  Inquire how the provider establishes physical security measures, and monitoring capabilities to prevent unauthorized access to its data centers and infrastructure.  Also, learn how the provider limits its employees’ access to customer data and determine the internal controls that the provider has in place to prevent unauthorized viewing, copying, or emailing of customer information.

A business should also inquire about the provider’s virtual security protocols.  A business must generally understand how its cloud-provider’s encryption software and security management systems work to protect data.  If your business is not capable of independently evaluating whether the provider has proper security protocols, a good indicator is to ask the provider for its client list.  If the provider has clients that are typically security-conscious companies, such as financial institutions or healthcare facilities, that is a good indication that the provider has been vetted and it has proper security measures in place.  Finally, the provider should maintain sufficient data-protection insurance coverage to protect against potential data breaches or system failures.

Second, a business must have contractual safeguards in place with its cloud-provider to adequately protect its intellectual property and trade secrets.  The contract should establish that the business owns the data, that it will be segregated from other data groups, and that the business may enjoy unfettered access to the data.  The contract should specify that the business can demand that the data be deleted or returned request, and detail how the provider will purge the data to ensure that it is properly deleted upon termination of the relationship.  The contract should require regular data backup and recovery tests, while restricting the provider from accessing, using or copying data for its own purpose.  Finally, the contract should establish the provider’s obligations to notify the business of a data breach or system failure.

Third, a business should also consider adding multiple layers of authentication and encryption to data containing trade secrets before transmitting it to the cloud-provider.  However, a business should consider if the additional encryption efforts could adversely affect the business’s ability to access, utilize, and port data for its normal business use.

Conclusion

There are several financial and operational benefits for a business to store data in the cloud.  However, businesses must understand that there are also risks to storing its valuable trade secrets on virtual servers.  Businesses need to take reasonable efforts to protect the confidentiality and secrecy of its most valuable data and information.

[1] Dave Rosenberg.  Reducing IT Infrastructure Costs via Outsourcing.  May 7, 2009.  news.cnet.com/8301-13846_3-10235742-62.html

[2] Thor Olavsrud.  How Cloud Computing Helps Cut Costs, Boost Profits.  March 12, 2013. www.cio.com/article/730036/How_Cloud_Computing_Helps_Cut_Costs_Boost_Profits

[3] Andrew Horne. Transformational Change in IT Will Drive 2014 Spending.  November 5, 2013.  http://blogs.wsj.com/cio/2013/11/05/transformational-change-in-it-will-drive-2014-spending/

[4] IBM Commits $1.2bn to Cloud Data Centre Expansion.  January 17, 2014. www.bbc.co.uk/news/business-25773266

Register for ARMA Live! 59th Annual Conference & Expo Oct. 26-28 San Diego, Calif.

ARMA Live! 59th Annual Conference & Expo Oct. 26-28 San Diego, Calif.

Register today!

The premier event in information governance is heading to the land of sand, sun, and surf. Join us for ARMA Live! Conference & Expo 2014 in San Diego on October 26-28 for the most comprehensive educational and networking experience in the profession. From inspiring keynotes to cutting-edge best practices and technology; your takeaways from this conference are worth far more to you and your organization than the price to attend. Visit our site often – we’ll be adding more and more details as we get them!

Five Reasons to Attend ARMA 2014

1. Find Real Solutions in Real Time
ARMA 2014 provides cutting-edge solutions to the challenges information governance professionals face today, such as developing automated, accurate retention schedules, managing mobile technologies, and outsourcing information to the cloud.

2. Establish Connections, Get Validation

  • Networking: ARMA 2014 provides a myriad of networking opportunities to make valuable connections with other information governance professionals and the companies that have the solutions you’re seeking.
  • Education: ARMA International’s education sessions and facilitators can help you validate the direction of your records management projects and avoid pitfalls along the way.
  • Expert Access: Our buzz session roundtable discussions will give you one-on-one time to speak with industry experts about the unique challenges you’re facing.

3. Learn Best Practices, Eliminate Pain Points
Are you curious about your peers’ best practices for eliminating the pain points you have in common? ARMA 2014 is your chance for serious, in-depth discussions and problem solving. Offering more than 70 sessions, access to industry-leading experts, and exposure to tomorrow’s technologies today, ARMA 2014 will give you a new perspective about your job. Get inspired, refreshed, and prepared to take back to the office an array of new ideas and approaches you can begin using immediately.

4. Get Acquainted with Emerging Technology
With more than 200 exhibitors at the ARMA 2014 Expo, the industry’s top emerging technologies will be on display. This is the year’s best opportunity to visit with vendors offering products and services you need for such responsibilities as electronic content management, document capture and destruction, digital preservation, e-discovery, e-mail management, and archiving. Exhibitors also can provide advice about the best solutions for your specific circumstances.

5. Have Access to the Industry’s Best and Brightest
ARMA 2014 is the PREMIER information governance event. You’ll be eager to take home and implement all you’ve learned from the best in the profession during ARMA 2014’s education sessions, Expo discussions, and networking opportunities.

Not By "Any Manner" Of Means: Securing Cyber-Crime Coverage After Zurich v. Sony

Gilbert LLP Law Firm

Much has been written about the New York Supreme Court’s landmark ruling in Zurich American Insurance Co. v. Sony Corp., Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), in which a New York trial court denied coverage to Sony Corporation for liabilities stemming from a 2011 cyber-attack on its PlayStation Network. The court held that while a wide-scale data breach represents a “publication” of private information, the PlayStation Network breach did not fall within the ambit of Sony’s commercial general liability (“CGL”) policy because the policy covered only publications by the insured itself—not by third-party hackers. The court rejected Sony’s argument that the phrase “in any manner,” which qualified the word “publication” in Sony’s policy, sufficed to broaden coverage to encompass third-party acts. Instead, the court determined that the “in any manner” language referred merely to the medium by which information was published (e.g., print, internet, etc.), not the party that did the publishing.

Most of the commentary surrounding Sony has focused on the court’s interpretation of the phrase “in any manner.” But that aspect of the court’s ruling was relatively unremarkable: other courts have similarly limited the phrase, most notably the Eleventh Circuit Court of Appeals inCreative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 444 Fed. App’x 370 (11th Cir. 2011) (holding that the issuance of a receipt to a customer containing more than the last five digits of the customer’s credit card number does not represent a publication). Lost in theSony debate is the fact that Sony may be able to prevail on appeal even if the appellate court refuses to adopt a broad reading of the “in any manner” language. Indeed, Sony can make a compelling case that the term “publication,” when read in context with the policy as a whole, is intended to encompass both first-party and third-party acts.

In focusing narrowly on the language of the advertising injury coverage grant, the Sony court overlooked a “cardinal principal” of insurance law: namely, that an insurance policy “should be read to give effect to all its provisions and to render them consistent with each other.”Mastrobuono v. Shearson Lehman Hutton, Inc., 514 U.S. 52, 63 (1995). Had the court taken a more holistic approach, it might have noticed that language in other parts of the policy evidenced the insurers’ intent to cover third-party publications. If Sony’s policy resembled the standard Insurance Services Office, Inc. (“ISO”) CGL policy, its exclusions section was surely riddled with clauses restricting coverage for certain types of injury “caused by or at the direction of the insured.” Only six of the exclusions in the ISO policy are not so qualified, including the absolute pollution exclusion and the exclusion for publications that occur prior to the policy period. It makes sense that insurers would wish to broadly exclude such categories of injury, just as it makes sense that exclusions for intentionally injurious acts would be written narrowly to apply only to the insured’s own actions. These carefully worded exclusions—when read together and in context with the policy as a whole—evidence a conscious decision by Sony’s insurers to exclude some injuries only if caused by the insured, while excluding other types of injury regardless of who, if anyone, is at fault. This, in turn, suggests that the insurers contemplated coverage for third-party acts unless such acts are expressly excluded.

Nowhere is this better illustrated that in the ISO policy’s exclusion for intellectual property infringement. This exclusion purports to broadly bar coverage for injury “arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.” However, this broad exclusion is qualified by the caveat that it “does not apply to infringement,in your ‘advertisement’, [sic] of copyright, trade dress or slogan.” Thus, the exclusion bars coverage in the first instance for all intellectual property infringements irrespective of the identity of the perpetrator, then adds back coverage for certain acts of the insured. This evidences the insurer’s understanding that unless otherwise excluded, the policy affords coverage for advertising injury regardless of who caused it.

At minimum, the fact that the ISO policy exclusions vary with respect to whether they exclude all acts or only first-party acts should be sufficient to raise an ambiguity, thus triggering “the common-law rule of contract interpretation that a court should construe ambiguous language against the interest of the party that drafted it.” Mastrobuono, 514 U.S. at 62. Even if the policy does not unambiguously afford coverage for third-party publications, it is at the very least “susceptible to more than one reasonable interpretation.” Discovision Assocs. v. Fuji Photo Film Co., Ltd., 71 A.D.3d 448, 489 (N.Y. App. Div. 2010) (internal quotation marks and citation omitted). Pointing to ambiguity in the policy as a whole would provide policyholders such as Sony with a more plausible and straightforward avenue to securing coverage for third-party publications than does narrowly parsing the phrase “in any manner.”

The question of whether third-party publications are covered under the typical CGL policy is of crucial importance to policyholders seeking insurance recovery for cyber-crime injuries. Importantly, victory on this point by Sony or another hacking victim would transform Sony into a policyholder-friendly decision, because the Sony court answered the other difficult question presented in the case—whether a data breach represents a “publication”—in favor of coverage. If the appellate court is willing to look past the narrow language of the advertising injury coverage grant and focus on Sony’s policy as a whole, Sony will have a good chance of prevailing on appeal and, in doing so, will set a strong precedent in favor of cyber-crime coverage for hacking victims.

ARTICLE BY

Kami E. Quinn
Miriam Smolen
James Liddell
OF
Gilbert LLP

Forever 21 Faces Point-of-Sale Data Collection Class Action Lawsuit

Covington BUrling Law Firm

Fast fashion retailer Forever 21 Retail Inc. faces a putative class action lawsuit alleging that the retailer violated California law by requesting and recording shoppers’ credit card numbers and personal identification information at the point-of-sale.

Forever 21 shopper Tamar Estanboulian filed the lawsuit on September 7 in U.S. District Court for the Central District of California.  Estanboulian alleges that Forever 21 has a policy requiring its cashiers to request and record credit card numbers and personal identification information from customers using credit cards at the point-of-sale in Forever 21’s retail stores in violation of the Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08.  The complaint further alleges that the retailer pairs the obtained personal identification information with the shopper’s name obtained from the credit card used to make the purchase to get additional personal information.

According to the complaint, Estanboulian purchased merchandise with a credit card at a Forever 21 store in Los Angeles, CA this summer.  The cashier asked Estanboulian for her email address without informing her of the consequences of not providing the information.  Estanboulian alleges that she provided her email address because she believed that it was required to complete the transaction and receive a receipt.  She also claims that she witnessed cashiers asking other shoppers for their email addresses.  Shortly after completing her purchase and leaving the store, Estanboulian received a promotional email from Forever 21.

The proposed Class would include:  “all persons in California from whom [Forever 21] requested and recorded personal identification information in conjunction with a credit card transaction within one (1) year of the filing of this case.”

Forever 21 is not the only retailer that has been hit with a class action lawsuit for its data collection practices at the point-of-sale.  In June 2013, a putative class action was filed in U.S. District Court for the District of Massachusetts against J.Crew Group Inc. alleging that it collected zip codes from customers when they made purchases with credit cards at its Massachusetts stores.  The lawsuit also alleged that J.Crew then used that information to send unsolicited marketing and promotional materials.  The court approved a preliminary settlement in June pursuant to which J.Crew will provide $20 vouchers to eligible class members, up to $135,000 in attorneys’ fees and costs, and up to $3,000 to each of the class representatives.

ARTICLE BY

Morgan Kennedy
OF
Covington & Burling LLP

HTTPS – Should I Implement It on My Site?

Consultsweb Logo

Google announced last Wednesday, August 6, that the search engine will use https as a ranking signal. HTTPS stands forHypertext Transport Protocol Secure, which protects the data integrity and confidentiality of users visiting a site. For example, when a user enters data into a form on a site in order to subscribe to updates or purchase a product, a secure site protects that user’s personal information and ensures that the user communicates with the authorized owner of the site. For the HTTPS connection to work properly, websites require an SSL certificate, which is what enables the site to make a secure connection.

HTTPS Hypertext Transport Protocol Secure

Even though Google is making this change, it is not something that webmasters should jump into lightly. Webmasters should implement https only when they really need it and have sections in their site where they need to protect their visitors’ information.

Before making any drastic changes to the site, it is important to take into consideration that Google stated that this change will affect less than one percent of queries, carrying less weight than other signals such as high-quality content.

Cons of using https

  • Up until this recent announcement, it was recommended only using https on the sections of the site that needed to protect the confidentiality of user data, such as payment forms that collected credit card information, the site’s login section or any page that would sends/receive other private information (such as street address, phone number or health records), because using https in the whole site can overload webservers and make sites slower, which affects negatively on a site’s ranking.
  • Changing to https also means that all of the URLs in your site will change and it will be necessary to redirect all of the URLs on the site, so that they can be indexed by Google and avoid having duplicate content between https and http URLs. Redirects usually increase the load time of the site, which can be negative ranking factor and reduce the link juice coming from external sites pointing to http URLs.
  • SSL certificates cost money, and certificates signed by well-known authorities can be expensive.

I advise against making an immediate decision to change to https because it is a recent change and apparently the effort to switch exceeds the benefit obtained in rankings. Right now it is better to stand back and observe how the change affects those sites that alter their URLs to https.

 

ARTICLE BY

Robert Padgett
OF
Consultwebs.com, Inc.

Employee Codes of Conduct: Really? Requiring Someone To Use Information “Fairly And Lawfully” Can Be Illegal?

Allen Matkins Law Firm

Companies have lots of very good reasons for adopting codes of conduct.  These reasons include:

  • Ensuring compliance with applicable exchange listing rules (e.g., NYSE Rule 303A.10 and NASDAQ Rule 5610);
  • Minimizing the risk of securities law violations (e.g., Regulation FD and Rule 10b-5);
  • Protecting company assets (trade secrets as well as reputational assets);
  • Complying with contractual obligations requiring confidentiality; and
  • Complying with customer and employee privacy laws and regulations.

Thus, I was amazed to see a recent decision by a panel of the National Labor Relations Board finding the following language in a code of conduct to be unlawful:

Keep customer and employee information secure.  Information must be used fairly, lawfully and only for the purpose for which it was obtained.

Fresh & Easy Neighborhood Market and United Food & Commercial Works Int’l Union, Cases 31-CA-077074 and 31-CA-080734 (July 31, 2014).   The NLRB found that this language violated employees’ rights under Section 7 of the National Labor Relations Act which guarantees employees “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection”.  Reversing the administrative law judge, the panel found that employees would reasonably construe the above language “to prohibit discussion and disclosure of information about other employees, such as wages and terms and conditions of employment”.  Really?  This admonition was included at page 16 of a 20 page booklet primarily dedicated to a variety of ethical matters.  In my view, it is arbitrary and capricious, if not just plain bizarre, to interpret this language as conveying any limitation on employees’ Section 7 rights.

ARTICLE BY

Keith Paul Bishop
OF
Allen Matkins Leck Gamble Mallory & Natsis LLP

Firewall on the Hill: The Cybersecurity Information Sharing Act

Morgan Lewis logo

U.S. Treasury Secretary Jack Lew is urging Congress to pass legislation to bolster the country’s cyber defenses. The proposed bill—the Cybersecurity Information Sharing Act of 2014 (CISA)—may unleash a brute-force attack in the cyber war, but opposition based on privacy and civil liberties concerns could stop the bill dead in its tracks.

The CISA would enable companies to

  • share information with one another, including an antitrust exemption for the exchange or disclosure of a “cyber threat indicator,” which is broadly defined and includes information that indicates any attribute of a cybersecurity threat;
  • share information with the federal government, including the absence of any waiver of privilege or trade-secret protection and the retained ownership of the disclosed information;
  • launch countermeasures and monitor information systems under broad sets of circumstances, potentially expanding the information to be shared; and
  • monitor and share the information under an umbrella of protection from liability relating to the permitted activities, including a good-faith defense (absent gross negligence or willful misconduct) for activities not authorized by the CISA.

The CISA includes some protections for individuals. Namely, the U.S. Attorney General would develop governing guidelines to limit the law’s effect on privacy and civil liberties. Moreover, companies would be required to remove information that is known to be personal information (and not directly related to a cybersecurity threat) before sharing a cyber threat indicator.

In sum, companies could decide to share a wealth of information with one another and with the federal government if the CISA is passed, when sharing personal information depends on the reach of any future guidelines. If an extensive information-sharing program materializes, and there is at least a perception that sensitive personal information is being shared, companies could feel pressure from customers and advocacy groups to disclose their CISA activities and policies in their privacy statements. Companies should stay informed about developments in cybersecurity legislation, but the potential fallout regarding privacy could substantially weaken or postpone any new system. For every cybersecurity legislative effort, there will be bold countermeasures.

ARTICLE BY

Doneld G. Shelkey
A. Benjamin Klaber
OF:
Morgan, Lewis & Bockius LLP

Wyndham Data Breach Ruling Cleared for Potential Appeal to Third Circuit

COV_cmyk_C

 

U.S. District Court Judge Esther Salas ruled on Monday that the U.S. Court of Appeals for the Third Circuit can review her conclusion that Section 5 of the Federal Trade Commission Act provides the FTC with authority to bring actions arising from companies’ data security violations.

In April of this year, Judge Salas denied Wyndham Hotels and Resorts’ motion to dismiss a FTC lawsuit that alleges that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to provide reasonable security for its customers’ personal information. Although her order is not a final ruling and is not binding on any other judge, it received considerable attention because it was the first time that a court has weighed in on the scope of the FTC’s authority over data security and privacy matters.

Denials of motions to dismiss ordinarily are not immediately appealable, absent permission from both the district court and the court of appeals.  In her ruling on Monday, Judge Salas granted Wyndham’s motion to appeal her order to the Third Circuit.  Judge Salas reasoned that there is substantial grounds for differences of opinion on two issues: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim.

If the Third Circuit grants Wyndham’s Petition to Appeal, the appellate court will review the legal conclusions in Judge Salas’s April order.  If the Third Circuit denies the petition, the case will proceed in the district court.  Even if the Third Circuit denies this petition for review, it ultimately may hear an appeal of the outcome of summary judgment proceedings or a trial in this case.

Article By:

Jeff Kosseff
Of:
Covington & Burling LLP

Privacy, Behavioral Health and Hospital Regulations: Recent Developments in Wisconsin Law [VIDEO]

vonBriesen

In recent months, the Wisconsin legislature has passed several bills relating to health information privacy, treatment of behavioral health patients, and regulation of hospitals. Please view this webcast that will provide a summary of the legislative action and tips for complying with the new law.

http://player.vimeo.com/video/90057974

Health Law Check-Up Webcast: Recent Developments in Wisconsin Law

Article By:

Meghan C. O’Connor
Ralph V. Topinka
Of:
von Briesen & Roper, S.C.

Risky Business: Target Discloses Data Breach and New Risk Factors in 8-K Filing… Kind Of

MintzLogo2010_Black

After Target Corporation’s (NYSE: TGT) net earnings dropped 46% in its fourth quarter compared to the same period last year, Target finally answered the 441 million dollar question – To 8-K, or not to 8-K?  Target filed its much anticipated Current Report on Form 8-K on February 26th, just over two months after it discovered its massive data breach.

In its 9-page filing, Target included two introductory sentences relating to disclosure of the breach under Item 8.01 – Other Events:

During the fourth quarter of 2013, we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network. Throughout the Risk Factors in this report, this incident is referred to as the ‘2013 data breach’.

Target then buried three new risk factors that directly discussed the breach apparently at random within a total of 18 new risk factors that covered a variety of topics ranging from natural disasters to income taxes.  Appearing in multiple risk factors throughout the 8-K were the following:

  • The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.
  • A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
  • We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

An interesting and atypically relevant part of Target’s 8-K is the “Date of earliest event reported” on its 8-K cover page.  Although Target disclosed its fourth quarter 2013 breach under Item 8.01, Target still listed February 26, 2014 as the date of the earliest event reported, which is the date of the 8-K filing and corresponding press release disclosing Target’s financial results.  One can only imagine that this usually benign date on Target’s 8-K was deliberated over for hours by expensive securities lawyers, and that using the February earnings release date instead of the December breach date was nothing short of deliberate.  Likely one more subtle way to shift the market’s focus away from the two-month old data breach and instead bury the disclosure within a standard results of operations 8-K filing and 15 non-breach related risk factors.

To Target’s credit, its fourth quarter and fiscal year ended on February 1, 2014, and Target’s fourth quarter included the entirety of the period during and after the breach through February 1.  Keeping that in mind, Target may not have had a full picture of how the breach affected its earnings in the fourth quarter until it prepared its fourth quarter and year-end financial statements this month.  Maybe the relevant “Date of earliest event” was the date on which Target was able to fully appreciate the effects of the breach, which occurred on the day that it finalized and released its earnings on February 26.  But maybe not.

Whatever the case may be, Target’s long awaited 8-K filing is likely only a short teaser of the disclosure that should be included in Target’s upcoming Form 10-K filing.

Article by:

Adam M. Veness

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.