Does The SEC Have A Duty To Correct Its Cybersecurity Statement?

Law firms and legal commentators have been churning out discussions of the Securities and Exchange Commission's Statement and Guidance on Public Company Cybersecurity Disclosures.  Rather than simply regurgitate the statement, I will take issue with the SEC's reminder that issuers owe a duty to update:

We remind companies that they may have a duty to correct prior disclosure that the company determines was untrue (or omitted a material fact necessary to make the disclosure not misleading) at the time it was made (for example, if the company subsequently discovers contradictory information that existed at the time of the initial disclosure), or a duty to update disclosure that becomes materially inaccurate after it is made (for example, when the original statement is still being relied on by reasonable investors).  Companies should consider whether they need to revisit or refresh previous disclosure, including during the process of investigating a cybersecurity incident.  (footnotes omitted)

The SEC locates this duty to update in Backman v. Polaroid Corp., 910 F.2d 10 (1st Cir. 1990), which it cites in a footnote.  The same footnote acknowledges that other Circuits have found no duty to update:

"But see Higginbotham v. Baxter Intern., Inc., 495 F.3d 753, 760 (7th Cir. 2007) (rejecting duty to update before next quarterly report); Gallagher v. Abbott Laboratories, 269 F.3d 806, 808-11 (7th Cir. 2001) (explaining that securities laws do not require continuous disclosure)."

Surprisingly missing from the SEC's Statement is any mention of the Private Securities Litigation Reform Act.  The PSLRA expressly disclaims any duty to update.  15 U.S.C. §§ 77z-2(d) and 78u-5(d) ("Nothing in this section shall impose upon any person a duty to update a forward-looking statement."). 

Granted, the PSLRA safe harbor applies to "forward-looking statements" as defined, and the case law involving the duty to update is at best unclear.  Nonetheless, I find the SEC's statement to be manifestly misleading.  A more forthright and accurate statement would be that the courts have reached opposite conclusions as to the existence of a duty to update and that no such duty exists with respect to forward-looking statements within the meaning of the PSLRA.

This is more than a mere cavil.  Implying a duty to update is a dangerous proposition, as it would seemingly require issuers to continuously review all prior statements, no matter how long in the tooth.