One thing to appreciate about the SEC comment letter process is that it gives real-life examples of what is often discussed only hypothetically. Take, for example, cybersecurity and the steps management should take when a data incident occurs. How quickly should a public company make its public disclosure of a data incident? What should it say? What should the process look like?
In 2018, the SEC issued helpful interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents, supplementing the Division of Corporation Finance’s 2011 guidance on disclosure obligations relating to cybersecurity risks and incidents. Our friends at corporatecounsel.net also ran a helpful blog post on February 18 on cyber response plan testing.
It is clear there is no single playbook for data incident response; the appropriate response is driven by the facts and circumstances of the situation, and one size does not fit all. It is nonetheless helpful, when preparing a response plan, to analyze a real-life example. That is why the comment exchange between the Staff and Chegg, Inc. last fall, recently made public, is particularly insightful.
Among other topics, it covers the following:
- The timing of the public disclosure.
- Disclosure controls and procedures.
- The materiality of the incident.
- Remedial actions.
As background, on September 25, 2018, Chegg, Inc. filed a Form 8-K disclosing a data breach incident that occurred on or around April 29, 2018. The disclosure, filed under Item 8.01, was as follows:
On September 19, 2018, Chegg learned that on or around April 29, 2018, an unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib. The Company understands that the information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password. The investigation into the incident, which is supported by third-party forensics, is ongoing. To date, the Company understands that no social security numbers or financial information such as users’ credit card numbers or bank account information were obtained. The Company expects to start notifying approximately 40 million active and inactive registered users and certain regulatory authorities on September 26, 2018.
Chegg takes the security of its users’ information seriously and will be initiating a password reset process for all user accounts.
Almost exactly one year later, on September 26, 2019, the Staff sent Chegg a comment letter stating that it had performed a limited review of Chegg’s Form 10-K for the year ended December 31, 2018, including its subsequent Form 10-Q and Form 8-K filings (as is customary in such 10-K reviews). The first comment in the letter was as follows:
Form 10-K for the Year Ended December 31, 2018
Note 12 – Commitments and Contingencies, page 82
We note your reference to the “Data Incident” on page 18 and in a Form 8K filed on September 25, 2018 that the Company had a data breach in April 2018 that affected 40 million users. You indicated that to date, unauthorized users have not had a material effect on your Company. Please tell us how you reached such conclusion.
Additionally, tell us how you considered disclosure of the following, hereunder, elsewhere in this filing, and in your Forms 10-Q:
- The details of such incident including your assessment of its magnitude and concomitant financial, legal or reputational consequences;
- why there was a delay between the date of the incident (April 29, 2018) and the date it was reported (September 25, 2018);
- how you considered the cybersecurity incident in your assessment of disclosure controls and procedures;
- any action you have taken to remediate the incident and mitigate the harm.
Refer to https://www.sec.gov/rules/interp/2018/33-10459.pdf
Below is Chegg’s response to this comment, with the Staff’s comments repeated for ease of reference.
Form 10-K for Fiscal Year Ended December 31, 2018
Note 12 – Commitments and Contingencies, page 82
- We note your reference to the “Data Incident” on page 18 and in a Form 8K filed on September 25, 2018 that the Company had a data breach in April 2018 that affected 40 million users. You indicated that to date, unauthorized users have not had a material effect on your Company. Please tell us how you reached such conclusion.
Response:
The Company respectfully advises the Staff that it determined that the “Data Incident” did not have a material effect on the Company through the date of the filing of the Form 10‑K with the Commission, in light of the following facts: (1) the information obtained by an unauthorized party did not include users’ social security numbers, birthdates or financial information such as credit card information or bank account information; (2) user passwords were not stored as plaintext, and the Company initiated a password reset process for all user accounts; (3) the Company did not offer any broad‑based remedial measures such as free credit monitoring for users at the Company’s expense; (4) the Company expeditiously publicly disclosed the Data Incident within one week of learning of the Data Incident; (5) the Company’s users continued to use the Chegg Services platform following public disclosure of the Data Incident, as evidenced by the increase in subscribers to Chegg Services from 1.7 million subscribers as of June 30, 2018 to 1.9 million subscribers as of December 31, 2018; (6) the Company’s Total Net Revenues and Chegg Services Revenues were $74.2 million and $61.8 million, respectively, for the quarter ended June 30, 2018, and $95.7 million and $81.7 million, respectively, for the quarter ended December 31, 2018, demonstrating that there was no decrease in Total Net Revenues or Chegg Services Revenues since the announcement of the Data Incident; (7) to date, the Company has not paid any damages related to the Data Incident; and (8) the Company had cybersecurity insurance in place prior to the occurrence of the Data Incident to mitigate any potential losses related to the Data Incident. Based on the foregoing facts, the Company concluded that the Data Incident did not have a material effect on the Company.
Additionally, tell us how you considered disclosure of the following, hereunder, elsewhere in this filing, and in your Forms 10-Q:
- The details of such incident including your assessment of its magnitude and concomitant financial, legal or reputational consequences;
Response:
The Company respectfully advises the Staff that it has reviewed CF Disclosure Guidance: Topic No. 2 on Cybersecurity and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures. Prior to filing the Form 10‑K, the Company previously provided the material details related to the incident in its Current Report on Form 8‑K dated September 25, 2018 (the “September 2018 Form 8‑K”), which included the date the unauthorized party obtained the Company’s information, the date the Company learned that Chegg information had been obtained by an unauthorized party, the total number of affected active and inactive users, the type of information that may have been obtained (and information that was not believed to have been obtained), and the Company’s intention to implement a password reset for all users. In the September 2018 Form 8‑K, the Company also stated that it did not believe that the Data Incident would have a material impact on its financial results for the full year ending December 31, 2018.
Following the issuance of the September 2018 Form 8‑K, the Company continued its forensic investigation under the direction of experienced outside counsel and with the assistance of a third‑party forensics firm. The Company evaluated the findings from the forensic investigation and determined that, other than certain updates to the Company’s “Risk Factors” in its Form 10‑K and Quarterly Reports on Form 10‑Q for the quarterly periods ended March 31, 2019 and June 30, 2019, and consistent with the response set forth above, the Company concluded that the Data Incident did not have a material effect on the Company, its financial statements, legal proceedings, reputation or customer or vendor relationships and therefore no additional disclosure was required.
- Why there was a delay between the date of the incident (April 29, 2018) and the date it was reported (September 25, 2018);
Response:
The Company respectfully advises the Staff that, as discussed in the September 2018 Form 8‑K, it did not learn of the incident until September 19, 2018, when a third party brought it to the Company’s attention. The Company immediately commenced an investigation under the direction of experienced outside counsel and promptly engaged a third‑party forensics firm to investigate the incident. As soon as the Company understood the parameters of the Data Incident, including the scope of any information obtained by the unauthorized party and potential implications, it reported the Company’s findings in the September 2018 Form 8‑K to inform investors about the incident, one week following the Company’s first awareness of the incident.
- How you considered the cybersecurity incident in your assessment of disclosure controls and procedures;
Response:
The Company respectfully advises the Staff that it has considered the Data Incident in its assessment of the Company’s disclosure controls and procedures. The Company believes that its disclosure controls and procedures established expedient review and investigation into the Data Incident under the direction of experienced outside counsel and with the assistance of a third‑party forensics firm. The Company provided an oral report of the Data Incident to its Board of Directors and its independent accounting firm and promptly provided public disclosure of the Data Incident in the September 2018 Form 8‑K within one week of the Company’s initial awareness of it. In the ordinary course, the Company reviews its disclosure controls and procedures and its internal controls over financial reporting with its Audit Committee of the Board of Directors, its outside legal counsel, and its independent accounting firm, and the Company continues to enhance and update them, including as part of its ongoing efforts to enhance its cybersecurity safeguards and measures. Through this process the Company determined no additional disclosures were necessary based on the Company’s judgment that its disclosure controls and procedures were effective, and that the Data Incident did not materially affect, nor was it reasonably likely to affect, the Company’s internal control over financial reporting.
- Any action you have taken to remediate the incident and mitigate the harm. Refer to https://www.sec.gov/rules/interp/2018/33-10459.pdf
Response:
The Company respectfully advises the Staff that it notified its users that Chegg information had been obtained by an unauthorized party and implemented a password reset for all of its users. The Company did not offer any broad‑based remedial measures such as free credit monitoring for users at the Company’s expense. As part of the Company’s ongoing activities to implement and update its cybersecurity safeguards, measures and procedures, the Company did not incur any material expenses outside of the ordinary course to warrant specific disclosure in its Management’s Discussion and Analysis and financial statements contained in the Form 10-K or its Quarterly Reports on Forms 10-Q issued since the Form 10-K.
Additionally, in the Form 10-K, Item 1A—Risk Factors—“Any significant disruption, including those related to cybersecurity or arising from cyber-attacks, to our computer systems, especially during peak periods, could result in a loss of students, college and/or brands which could harm our business, results of operations and financial condition,” the Company disclosed the limitations of its cybersecurity mitigation activities by stating “While we have implemented physical, technical and administrative safeguards designed to help protect our systems, in the event of a system interruption or a security exposure or breach, they may not be as effective as intended and we may not have adequate insurance coverage to compensate for related losses.”
The Staff followed up with one additional comment. Below is Chegg’s response to that follow-up comment, with the Staff’s comment repeated for ease of reference.
Form 10-K for Fiscal Year Ended December 31, 2018
Item 1A. Risk Factors
Risks Related to our Business and Industry
Computer malware, viruses, hacking, phishing attacks and spamming could harm our business and results of operations, page 18
We note your response to comment 1. Please discuss preventative actions that you had taken since the “Data Incident,” as well as enhancements to your cybersecurity risk management program, if any, to facilitate a prompt detection and discovery of future cybersecurity incidents.
Response:
The Company respectfully advises the Staff that in future filings, the Company will provide additional clarification to reference the Company’s preventative actions and enhancements to its cybersecurity risk management program as follows (additions underlined and moved language in italics):
Computer malware, viruses, hacking, phishing attacks and spamming could harm our business and results of operations
Computer malware, viruses, hacking, physical or electronic break-ins, spamming and similar events could lead to disruptions of our website services, our mobile applications or systems we use and interruptions and delays in our services and operations, as well as loss, misuse or theft of data. Any such events could harm our business, be expensive to remedy and damage our reputation or brand. Computer malware, viruses, computer hacking and phishing attacks against online networking platforms have become more prevalent and may occur on systems we use in the future. We believe that the incidence of hacking among students may increase our risk of being a target for such attacks. These threats are constantly evolving, making it increasingly difficult to successfully defend against them or implement adequate preventative measures.
For instance, in April 2018, an unauthorized party gained access to user data for chegg.com and certain of our family of brands such as EasyBib (the 2018 Data Incident). The information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password. To date, no social security numbers or financial information such as users’ credit card numbers or bank account information were obtained. Additionally, Thinkful, prior to our acquisition of it, discovered an unauthorized party may have gained access to certain Thinkful company credentials (the Thinkful Data Incident). If we, or companies that we acquire, experience compromises to our or our acquired companies’ security that result in website performance or availability problems, the complete shutdown of our websites, or the actual or perceived loss or unauthorized disclosure or use of confidential information, such as credit card information, users may be harmed or lose trust and confidence in us and the companies that we acquire, and decrease the use of our services or stop using our services in their entirety, and we would suffer reputational and financial harm.
As part of our regular cybersecurity efforts, including enhancements to these efforts made following our discovery of these prior events, we have implemented physical, technical and administrative safeguards designed to help protect our systems. However, these safeguards may not be as effective as intended, and may not prevent future cybersecurity breaches. Efforts to prevent hackers from entering our computer systems are expensive to implement and may limit the functionality of our services, and we may need to expend significant additional resources to further enhance our safeguards and protection against security breaches or to redress problems caused by breaches, and such efforts may not be fully effective. Additionally, our network security business disruption insurance may not be sufficient to cover significant expenses and losses related to direct attacks on our website or systems we use. Though it is difficult to determine what, if any, harm may directly result from any specific interruption or attack, any failure to maintain performance, reliability, security and availability of our products and services and technical infrastructure, or the actual or perceived loss or unauthorized disclosure or use of the data we collect and develop may lead our users to lose trust and confidence in us or otherwise harm our reputation, brand and our ability to attract students to our website or may lead them to decrease the use of our services or applications or stop using our services in their entirety. Any significant disruption to our website or computer systems we use could result in a loss of students, colleges or advertisers and, particularly if disruptions occur during the peak periods at the beginning of each academic term, could adversely affect our business and results of operations.
If you have questions about the comment exchange between the SEC and Chegg or would like further guidance on related SEC disclosures and guidance, please contact the author or any member of our Corporate & Securities Practice for more information. We are also available to discuss our experience and impressions with the various cybersecurity and data breach incident response consulting vendors, as well as help management prepare an effective tabletop exercise to test your response plan.
About Bass, Berry & Sims’ Corporate & Securities Practice
Public and private companies of all sizes across a variety of industries turn to Bass, Berry & Sims for counsel on a wide range of corporate matters, including mergers, acquisitions and dispositions; capital markets transactions; executive compensation issues; corporate governance; and shareholder activism. We serve as primary corporate and securities counsel to more than 35 public companies and have counseled on 150 deals ranging in size from $20 million to more than $15 billion over the past two years.