Target Aims for March to Report to SEC On Investment Consequences of Data Breach
By Rob Tricchinelli
Jan. 29 — Retailer Target will report on the investment consequences of its data breach to the Securities and Exchange Commission, but not until March, a company spokeswoman told Bloomberg BNA Jan. 29.
Target (TGT) announced in December that hackers breached its data and gained access to payment card information for approximately 40 million customers; in January it announced that hackers had accessed contact information for 70 million customers.
“Target’s next report will be the annual report on Form 10-K for the year ending February 1, 2014, which will be filed in March 2014,” a Target spokeswoman said in an email to Bloomberg BNA. “Target will fully comply with the SEC’s rules in that report, including an update to the material risks related to cybersecurity and cyber incidents, as well as a discussion of the financial impact of the data breach, to the extent known.”
The retailer’s comment comes after a Jan. 28 letter from Sen. John D. Rockefeller IV (D-W.Va.) asking why the company “has not yet reported the massive data breach [it] recently suffered to the Securities and Exchange Commission.” Rockefeller is chairman of the Senate Commerce Committee.
Target last filed a quarterly report Nov. 27, before its “confirmation of the data breach,” covering the quarter ending Nov. 2, the spokeswoman said.
While no SEC disclosure requirements apply exclusively to cybersecurity risks, other such requirements “may impose an obligation on registrants to disclose such risks and incidents,” according to an October 2011 disclosure guidancefrom the SEC’s Division of Corporate Finance.
The guidance says that in case of a “material cyber attack,” merely disclosing the risks of an attack might not be adequate. A company “may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”
Target’s 10-K filing from March 2013 mentioned that a potential data security breach could “affect how we operate our business.”
“A data breach involving the theft of personal information about tens of millions of Target customers is clearly a material cyber attack that has affected how your business operates,” Rockefeller wrote. “I am therefore puzzled why your company has not yet updated its SEC filings to reflect this event.
“Your failure thus far to provide this information to your investors does not seems consistent with the spirit or letter of the SEC’s financial disclosure rules,” he wrote.
Calls for Hearings
Banking trade groups have asked Congress to investigate the consequences of the attack on Target.
“Congress should examine the specific circumstances of this breach and the broader data security issues involved,” Frank Keating, president of the American Bankers Association, said in a Jan. 16 statement.
In a Jan. 3 letter to Congress, Credit Union National Association President Bill Cheney pressed Congress to “fully examine the chronic issue of merchant data breaches, their impact on consumers and financial institutions.”
The banking groups say that they, not merchants, typically bear the cost of reimbursing consumers when fraudulent transactions occur using data obtained from breaches.
Elsewhere, the House Commerce Subcommittee on Commerce, Manufacturing and Trade will hold a hearing in the first week of February on data breaches. The subcommittee announced that Target officials will testify but has not released further details.
A Senate subcommittee on international trade and finance will also hold a Feb. 3 hearing on safeguarding consumers’ financial data, but the witnesses do not include Target representatives.
To contact the reporter on this story: Rob Tricchinelli in Washington at email@example.com
To contact the editor responsible for this story: Phyllis Diamond at firstname.lastname@example.org
To see Rockefeller’s Jan. 28 letter to Target, visit http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=88b26fe9-f089-4f5e-9191-6e43342a456e
The SEC’s 2011 disclosure guidance can be found at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm