I learned some new (and critical) information at the ABA White Collar Conference in New Orleans last week from a co-panelist on a cybersecurity presentation – information that is important for both incident response professionals and securities lawyers.
John Carlin, Assistant Attorney General for the National Security Division of the U.S. Department of Justice, was on the panel with me and mentioned during his talk some interesting meetings he had with SEC Enforcement Director Andrew Ceresney and SEC Corporation Finance Director Keith Higgins. The subject of the meetings: That there might be legitimate reasons NOT to disclose a data breach in an SEC filing, such as national security.
Carlin wanted to assure the audience that there can indeed be a safe harbor for issuers caught in the difficult situation of experiencing a data breach where disclosure of the data breach could somehow arguably impact the national security of the United States.
But even if AAG Carlin’s guidance is rock-solid, will that stop the class action bar from filing an SEC class action lawsuit anyway? Probably not – especially given the growing number of class actions that quickly sprout up after any large or well-publicized data breach.
However, under any circumstance, when considering to whom in the government one should disclose a data breach (which should always be the first decision made after a data breach), AAG Carlin’s team is worth consulting if your client experiences a data breach and is concerned disclosure could be a national security risk. Not only does AAG Carlin seem to me to be reasonable, thoughtful and well versed on the complex dynamic of data breaches and the conflicts that the SEC disclosure regulations can create during a data breach’s aftermath, but AAG Carlin is also a good partner to have when engaging in an incident response and trying to catch the perpetrators of the unlawful infiltration.