On July 24, 2019, the Securities and Exchange Commission (the "SEC") announced charges against Facebook Inc. ("Facebook") for making misleading statements and risk factor disclosures regarding the misuse of Facebook user data in its public filings for over two years. The SEC's charges allege that, in the wake of the Cambridge Analytica breach, Facebook's disclosure related to the risk of misuse of user data as merely hypothetical was misleading when Facebook knew that a third-party developer had actually misused Facebook user data.
Without admitting or denying the SEC's allegations, Facebook agreed to pay $100 million to settle the charges and a permanent injunction from future violations of the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended (the "Exchange Act").
Public companies should take notice of this SEC action and ensure that risk factor and other disclosures and public statements are adequately reviewed and updated on a regular basis. This requires that processes to channel material information and updates to the team or teams responsible for company disclosures are in place and effective. This action should also serve as a reminder that generic, out of date or hypothetical risk factor disclosures may subject public companies to risks related to assertions of misleading disclosures by the SEC, stockholders and others.
In addition to allegations of misleading disclosure, the SEC complaint alleged that Facebook had no specific policies or procedures in place to assess the results of an investigation into misuse of user data for purposes of making accurate disclosures in Facebook's public filings. In light of the SEC's recent action, we recommend that public companies take this opportunity to review their disclosure practices and consider the following five practice points:
- Channel Information to the Right Place – Disclosure controls and procedures are intended to ensure important information flows to the appropriate collection points in a timely manner. Disclosure teams at public companies should review their existing disclosure controls and procedures with their own organizational structures in mind to ensure that those individuals responsible for the preparation of public disclosures receive prompt updates from all business units on developments across the organization. Robust disclosure controls and procedures may provide significant protection in the event a disclosure is later challenged.
- Regularly Review Disclosure Controls and Procedures – Management is required to evaluate, and the principal executive officer and principal financial officer are required to certify, the effectiveness of disclosure controls and procedures in connection with the filing of quarterly and annual reports under the Exchange Act. Disclosure teams should ensure these evaluation procedures have appropriate substance and that they are not merely "check-the-box" exercises. If quarterly periodic evaluations are primarily focused on material developments in disclosure controls or areas of weakness or concern, we recommend a more fulsome review at least annually and also upon the occurrence of significant corporate developments, such as material acquisitions or dispositions, or other macro developments, such as the pending transition from LIBOR.
- Implement Special Procedures for Significant Events – When a significant corporate action, event or process is initiated or ongoing, we recommend that public companies designate a person or team to provide regular status updates to determine if and when public disclosure is required. In the SEC's Facebook action, the significant corporate event was an investigation, but this could be any number of non-ordinary course events, such as a significant business development, customer or supply issue, liquidity event or litigation or dispute.
- Consider Risk Factor Updates Year Round – Disclosure teams should, in conjunction with outside counsel, consider appropriate updates to the company's risk factor disclosure during the preparation of each annual and quarterly report to be filed with the SEC, even if the company does not regularly restate its risk factors in its quarterly reports. Updates should be considered not only in respect of company-specific events, but also for events impacting a company's industry or sector.
- Receive the Right Input – There may be risk factors relating to certain business units or functions that should be shared outside the core disclosure team for regular review. Disclosure teams should ensure that the appropriate business unit leads this process and that outside counsel or other third-party advisers review risk factor disclosures related to their area of responsibility. For example, someone from the information technology team might appropriately be tasked with review of cybersecurity risk factor disclosures even though such individual is not generally part of the broader disclosure team.