
Schizophrenia On SocMedia

No, the title is not meant to imply a post about the privacy implications of mobile medical apps for psychotherapy. Instead, we’re taking a look at how the government acts at cross-purposes to itself when it comes to the oh-so-slow development of rules for new technologies and markets. The last few weeks have seen a couple of remarkable announcements, one from the FTC about digital advertising disclaimers and one from the SEC about corporate financial disclosures. Both were presented by the agencies as ways to enable use of social media by corporations — but instead just make things much harder, if not totally impracticable.

Two weeks ago, the Federal Trade Commission basically said “to heck” with form factor and responsive Web design by concluding that disclaimers, caveats and related mandatory advertising disclosures cannot be put into a popup window and must be in the same “conspicuous” format — font size and all — regardless of the device or medium (the guidance is titled “.com Disclosures”). The FDA had already cracked down on trailblazing pharma firms that tried Facebook advertisements on the same grounds. Both enforcement decisions demonstrate a complete lack of familiarity with new media and an inability to flexibly apply the principles of regulatory schemes to changing circumstances.

Even if, contrary to advertiser contentions, potential “Do Not Track” mandates for Web browsing would not kill the Internet content industry, the FTC has signaled it is prepared unilaterally to dictate the size of social media ads in the guise of consumer protection. The old guidance allowed for “proximity” of disclosures — that is, disclosures that were “near, and when possible, on the same screen.” The new guidance places heightened emphasis on disclosures being clear and conspicuous to consumers across all platforms. The newly announced principle is that disclosures should be “as close as possible,” with short-form disclosures such as hyperlinks or hashtags permitted only when their meaning is understood by consumers.

Check out this remarkable assertion, for instance:

If a disclosure is necessary to prevent an advertisement from being deceptive, unfair or otherwise violative of a Commission rule, and if it is not possible to make the disclosure clear and conspicuous, then either the claim should be modified so the disclosure is not necessary or the ad should not be disseminated. Moreover, if a particular platform does not provide an opportunity to make clear and conspicuous disclosures, it should not be used to disseminate advertisements that require such disclosures.

A second and related announcement came on Tuesday from the Securities & Exchange Commission. The SEC is the federal agency which pioneered use of Facebook and other social media services in the corporate realm by providing 2008 guidance that release of corporate earnings and other “material” financial information can permissibly utilize social media. Yet now the same agency — after a fruitless investigation of Netflix CEO Reed Hastings for an innocuous Facebook post — says that companies may treat social media as legitimate outlets for communication, much like corporate Web sites or the agency’s own public filing system called Edgar, but first have to make clear which Twitter feeds or Facebook pages will serve as potential outlets for announcements.

It is difficult to reconcile these new regulatory positions with the objectives the agencies articulate. The SEC says it believes that “company disclosures should be more readily available to investors in a variety of locations and formats to facilitate investor access to that information,” but its actions only serve to make the choice of location and format more rigid, with fines a potential consequence for those pursuing flexibility. Almost any lawyer counseling public company clients today will advise that financial information that in the future could be considered material by the SEC must be constrained to an official, designated Web page. So much for tweets, Facebook and other real-time forums; they’re just too risky — even though Hastings survived unscathed. The correct approach for the vast majority of the 13,000+ public companies in the U.S. is to steer clear of social media, at least for now, because the downside is simply too great.

Coming from a government that professes to want to encourage broader use of these new media, that’s classic bi-polarism, obviously not in a happy phase.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.


When World Views Collide: Social Media And the SEC

Yesterday the U.S. Securities & Exchange Commission did something routine. It issued a so-called “Wells-notice” against a company, charging the firm preliminarily with releasing confidential financial information to a select portion of the market, instead of publicly to all investors as required by Reg FD (“fair disclosure”). What is remarkable, and potentially troubling, is that the basis for the charge was a short social media message by Netflix CEO Reed Hastings, reposted on the company’s public Facebook page.

As Law360 explained:

Netflix Inc. and its CEO Reed Hastings could face action by the SEC over Hastings’ July post revealing that Netflix members had watched more than one billion hours that month, the online video service said in a regulatory filing Thursday. Netflix and Hastings received a Wells notice on Wednesday that said the company could face either a cease-and-desist or civil injunctive suit for fair-disclosure violations allegedly prompted by the posting on the social networking site, according to an SEC filing by Netflix.

The juxtaposition of a well-intentioned securities regulation and the disruptive impact of new technology could not be clearer. In his post, Hastings congratulated the Netflix team for a job well done in early July, noting the one billion hours of video delivered to subscribers the previous month. The message was just 43 words. In the usual social media fashion, the post was forwarded by his followers. Bloggers picked up on it. Media reports cited it.

So what’s the deal? Technically, Netflix had not filed an “8K” update with that data at the SEC nor issued a traditional press release. But the company had revealed the 1B streaming hours in its public blog well before the CEO’s Facebook post. And in 2008, the SEC became the first federal agency to recognize the growing communications functions of blogs by issuing landmark guidance saying that corporate use of blogs for release of material financial information would satisfy Reg FD.

[Image: Reed Hastings’ Facebook page]

In this context, the action against Hastings seems to make little sense. Even if the prior blog post had not disclosed the 1B figure adequately, Hastings’ post was open to more than 200,000 followers of his Facebook page, could be “subscribed” by anyone (“friends” or not) and was widely and immediately disseminated, both in social and traditional media. Had Hastings done this via a Twitter DM (direct message) or a private Facebook message to one or more individual friends, that would be completely different. But his post was public and thoroughly publicized.

That’s the precise purpose of Reg FD. But the SEC’s Wells notice illustrates that even government agencies that “get it” technically are often trapped in outmoded world views. It’s one thing for a public company CEO to post messages about financial performance on financial chat rooms and lists, under a pseudonym, to pump up trading volume artificially. It’s quite another for bureaucrats to decide that unless one uses the obsolescent technology of the past, public disclosures are inadequate. Would the SEC also suggest that a webinar, rather than telephonic conference call, is insufficient under Reg FD when announcing earnings guidance because not all investors have broadband Web access? That is hardly a sensible result.

We’ve written a lot in this blog about social media policies and how to reduce enterprise legal exposure. The irony of the Netflix case is that a company and executive who seem to have had a valid policy and followed the government’s own guidelines for use of social media have been targeted in a possible enforcement action nonetheless. That raises the spectre, which numerous commentators noted in connection with a more recent SEC alert on social media usage by investment advisors, that vague agency guidelines may lead to policy making by criminal complaint, rather than rules of general applicability. If that is the case with regard to blogs and Facebook as mechanisms for Reg FD compliant disclosures, there’s an equally great risk that these new modes of communication and interaction will be rendered impotent for corporate purposes due to the unknown scope of potential SEC exposure. That’s a bad result which everyone should hope we do not reach.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.


Cybersecurity: When Guidelines Become Rules

So much media attention was paid to the spectacular collapse of U.S. Senate deliberations on a cybersecurity bill in August — and the Obama Administration’s controversial move to fashion an Executive Order on the subject — that few if anyone focused on the biggest change affecting the data protection landscape. The Securities & Exchange Commission (SEC) guidelines on disclosure of cyber attacks by publicly traded corporations have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc., according to recent agency enforcement letters.

Last fall, the SEC completed a long process of issuing staff “guidance” on when cybersecurity risks must be disclosed in public company securities filings (annual reports, 10Qs, etc.). The sensible conclusion was that if a hack or intrusion would be “material” to an ordinary investor, corporations need to disclose the cyber risk and discuss their actions to ameliorate or prevent it. Unlike Y2K, however, these guidelines, released by the SEC’s corporate finance section, did not come with a “safe harbor” for disclosing companies. In 1999, congressional legislation created a legal safety zone for Y2K disclosures, avoiding liability under the Securities Act of 1934, that has not been replicated with respect to more general cybersecurity risks.

The recent SEC enforcement steps also have taken place at the corporate finance division level, but presumably with at least the informal approval of SEC Chair Mary Schapiro. In these cases, the agency “requested” that a number of large Internet companies clarify or modify their SEC filings to disclose cyber incidents that previously had not been reported to investors. In April, the SEC asked Amazon to disclose in its next quarterly filing that hackers had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January, which Amazon did. Google likewise agreed in May to put a previously disclosed cyber attack in its formal earnings report. AIG, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also asked to improve disclosures of cyber risks, according to agency staff correspondence reported by Bloomberg News.

As one example, here is the relevant excerpt from the corporate finance staff’s May 2, 2012 letter to Google CEO Larry Page:

We note your disclosure that if your security measures are breached, or if your services are subject to attacks that degrade or deny the ability of users to access your products and services, your products and services may be perceived as not being secure, users and customers may curtail or stop using your products and services, and you may incur significant legal and financial exposure. We also note your Current Report on Form 8-K filed January 13, 2010 disclosing that you were the subject of a cyber attack. In order to provide the proper context for your risk factor disclosures, please revise your disclosure in your next quarterly report on Form 10-Q to state that in the past you have experienced attacks. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.

The difference between fall 2011 and spring 2012 is that, irrespective of the formal legal effect of staff guidance, the SEC is using its administrative processes to produce a disclosure result not specifically compelled by the agency’s rules for corporate securities filings. That in itself is not surprising, since the securities laws and implementing SEC regulations are broad enough to encompass any factor, whether financial or otherwise, that could affect stock prices. Here, the SEC staff opined in its guidance that basic SEC rules about market manipulation, insider trading and misleading shareholders (e.g., Rule 10b-5) required disclosure of cyber incidents and cybersecurity risks by any business potentially affected by hacking. And that’s obviously not confined to online retailers or Web-centric businesses.

The bigger question is how businesses can protect themselves from the embarrassment of such compelled, government-mandated cyber disclosures and the even greater potential for fines and formal enforcement actions the SEC may utilize in the IT security realm going forward. Here are a few pointers:

  • Do not assume that merely because your business is not online, cybersecurity cannot affect the company. Hundreds of “brick and mortar” retailers, for instance, have had consumer credit card records breached.
  • Treat data security just like your securities lawyers treat any other risk to the business’s future, since that is how federal regulators view cyber risks.
  • Do not assume the SEC’s focus on cybersecurity is limited to public companies, because the underlying rules cited by its corporate finance division apply just as much to private placements as they do to proxy solicitations and 10K reports.
  • When disclosing IT security risks, make sure they are balanced by something concrete and proactive to prevent, or diminish the severity of, cyber attacks. Otherwise disclosures may have the opposite effect of encouraging shareholder class action litigation.
  • Work closely with compliance counsel, IT technology experts and your insurance carriers to develop workable cybersecurity assessment and intrusion notification regimes, internally and externally. This should not only reduce legal exposure, but going forward lower the company’s costs for cyber insurance. Periodic outside reviews should provide both comfort and legal protection to CEOs or CFOs signing SEC submissions.

These SEC staff actions were balanced by the traditional caveat that “our comments or changes to disclosure in response to our comments do not foreclose the Commission from taking any action with respect to the company or the filings and the company may not assert staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.” But the chances the full SEC would prosecute a public company for following staff suggestions are remote. On the other hand, for public corporations that ignore this lesson, and fail to disclose cybersecurity risks, we suspect only pain and expense — most likely in a Commission prosecution or fine — lie in their SEC futures. So rules are really rules, even when they are not.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.


Was It All a Joke at AOL?

SEC Probing More AOL Advertising Deals [TechNews.com]. The Securities and Exchange Commission is investigating “millions of dollars of advertising deals” involving America Online that “go significantly beyond the scope of problems already disclosed” by AOL Time Warner Inc., sources familiar with the probe said yesterday. What this suggests is that even during the “bubble” years, AOL’s earnings were overstated by realizing revenue on Enron-like deals. They fooled a lot of folks into investing, particularly after the Time Warner merger. As the epitome of the “new economy,” AOL’s continuing accounting irregularities only underscore that there was not much real value to the “value propositions” these Internet-centric companies touted.