Apple Shareholders Demand Answers on Cyber Governance

Apple Shareholders Join Push For Cybersecurity Disclosures

Law360, New York (September 25, 2012, 8:46 PM ET) – Apple Inc . shareholders demanded Monday that the technology giant tell them more about how it handles privacy and data security threats, a new move that attorneys say puts pressure on companies to shore up their cybersecurity practices as lawmakers and regulators clamp down.

Citing a number of recent cybersecurity and privacy controversies that have drawn the attention of Congress and outside groups like the American Civil Liberties Union, clients of investment firms Trillium Asset Management LLC and Zevin Asset Management LLC unveiled a shareholder proposal pushing Apple to publish a report explaining how its board of directors is overseeing and preparing for these types of risks.

“The shareholders’ proposal is yet another example of corporate America understanding the importance of being proactive when it comes to data security and data privacy issues,” Shook Hardy & Bacon LLP data security and privacy group co-chair Al Saikali told Law360 on Tuesday. “These shareholders want to make sure that Apple is prepared to respond to growing cybersecurity threats and to protect the increasingly vast amounts of personal information that Apple collects and maintains about its customers.”

The proposal, which is intended for shareholders to consider at the company’s 2013 annual meeting, notes that the company has already suffered several high-profile data security missteps — including unauthorized access to iPhone users’ address books, the release of 1 million unique device identifiers and security concerns realted to iCloud — and that future lapses and potential resulting litigation could “place critical growth opportunities such as iCloud at risk.”

While shareholder requests specifically targeting companies’ privacy practices are rare, these demands are likely to grow in prominence in the coming years, according to experts.

“If you’re the shareholder of a large company and certain crucial assets of that company happen to be information assets, you want to make sure that the company has in place appropriate measures to make sure that that information is being protected,” Jeffer Mangels Butler & Mitchell LLP privacy, information management and data protection group co-chair Michael Gold said. “The fact that the risk has been identified and that a group of shareholders is insisting that the board take responsibility for this very important area is not surprising.”

In announcing the shareholder proposal, Michael Connor — the executive director of Open Media and Information Companies Initiative, a nonprofit organization that helped the shareholders develop their request — backed this potential trend, based on months of research his organization conducted into corporate goverance and the responsibilities of boards of directors with respect to privacy and security risks.

“We expect similar shareholder proposals on this critical issue will be filed at other firms in the coming months,” Connor said.

And as these demands increase, companies will have a tougher time ignoring their cybersecurity responsibilities, attorneys noted.

“Businesses are coming to realize that the data and information that they posses is a valuable asset. and in some cases for some companies, it’s the most valuable asset the company owns,” Gold said. “While putting this issue to the side has not been a problem for boards in the past, as time passes and appreciation for not only the positive value but also the negative value of these information assets grows, there will be more action on behalf of the boards to address this issue and make sure that they have appropriate policies in place to protect these assets.”

Adding to the pressure on companies is cybersecurity guidance issued by the U.S. Securities and Exchange Commission in October, which encouraged all public companies to disclose in their regulatory filings descriptions of the specific cybersecurity threats they face and the steps that they are taking to mitigate these risks, according to BakerHostetler privacy, security and social media team co-leader Gerald Ferguson.

“Although the shareholders’ request doesn’t specifically mention the SEC guidance, what they are asking for is essentially what the SEC asked companies to do in October of last year,” he said. “It’s reaffirming that cybersecurity is a boardroom issue that has got to be addressed at the highest level of the company.”

The SEC bolstered its nonbinding guidance in August, when reports emerged that the regulator had sent letters to Google Inc ., Amazon.com Inc ., American International Group Inc ., Hartford Financial Services Group Inc ., Eastman Chemical Co . and Quest Diagnostics Inc . pushing them to comply with this voluntary disclosure plan.

“This action by the SEC reflects its view that companies can and should be doing more in terms of cyber-disclosures,” Ferguson said.

Lawmakers have also been pushing for companies to share more, with Sen. Jay Rockefeller, D-W.Va., last week sending a letter to the CEOs of the 500 largest U.S. companies seeking their views on how to best protect the country’s critical infrastructure as part of an effort to revive stalled cybersecurity legislation.

“At the end of the day, I don’t see companies having any choice but to comply with these requests,” Ferguson said. “They can’t disregard what the SEC or lawmakers are doing, especially when the SEC backs it up with letters when it feels that its guidance hasn’t been appropriately responded to.”

Shareholders have an especially high interest in making sure that companies are monitoring potential cyberthreats, given the significant monetary and reputational harm that can result from a security lapse, attorneys noted.

“The reason why shareholders are concerned is because it’s an issue that can have a direct impact on the company’s bottom line and could do long-term damage to the competitiveness of the company if critical trade secrets and intellectual property are lost,” Ferguson said “Additionally, shareholders are also individuals in the community who could have their identities or other information stolen if there is a breach.”

In their proposal, the shareholders supplemented these concerns by citing Ponemon Institute studies that found that the average cost of a data breach was $5.5 million, and that the average loss in brand value as a result of these breaches ranged from $184 million to more than $300 million.

These losses include the cost of not only shareholder suits but also private actions brought by consumers who had their information compromised, attorneys noted.

While Apple is most likely “well ahead of the game in developing administrative and technical safeguards to protect consumers’ information,” it may be hesitant to comply with shareholders’ demands because doing so would make its disclosures publicly available for cyberattackers and competitors to view, Saikali noted.

But this potential risk may be outweighed by the mounting pressure from regulators, lawmakers, and now the newest group, shareholders, according to Ferguson.

“It might be the situation where one large lawsuit is going to get companies’ attention about the importance of disclosing this information,” he said. “My advice is, don’t wait for that lawsuit, get in line with the SEC’s guidance now.”

–Editing by Elizabeth Bowen and Sarah Golin.