Intel’s Hack-Up: Don’t Hide Your Flaws

Intel Corp recently disclosed security flaws in its widely used microprocessors that could allow hackers to steal sensitive information from computers, phones and other devices. Software makers issued patches to protect against the vulnerabilities, but Intel is facing a class action lawsuit claiming that the patches would slow computers and essentially force consumers to buy new hardware. The company will also likely have to compensate large customers for any software or hardware fixes. However, this could be the least of Intel’s worries, according to Joshua M. Robbins, chair of Greenberg Gross LLP’s White Collar Defense and Governmental Investigations Practice Groups.

 

Although no data breaches have been reported yet, Intel’s shares dropped 3% after the company confirmed the security flaw, and it appears that Intel CEO Brian Krzanich tried to dodge this bullet, having sold off $24 million of his stock options in December before the flaw was disclosed. This raises the question: will an SEC – or even DOJ – investigation be launched?

“Intel could face hard questions about whether and why it concealed this flaw for more than six months before disclosing it to the public,” said Robbins. “Shareholders and regulators will be considering whether Intel made misleading statements about their chips within that time frame, and it certainly does bode well for the company that their CEO sold off as much stock as he was legally allowed to, right before the flaw was made public.”

 

What investigations is Intel liable to face following this incident?

One issue that will be investigated is whether executives sold shares after learning about the security flaws, which could violate rules prohibiting insiders from trading on material information that is not known to the public.

In particular, Intel CEO Brian Krzanich reportedly sold or exercised 900,000 shares and stock options, earning approximately $24 million.  The sale reportedly reduced the number of Intel shares Krzanich owns to the minimum he is required to own under Intel’s corporate rules.  The timing of the sale has attracted attention because it occurred after the discovery of the chip vulnerabilities, but before the vulnerabilities were known to the public.  While the trades took place as part of a pre-planned sale, that will not necessarily insulate Krzanich if he knew about the security flaw at the time the sale was arranged.  Given the timing and magnitude of the sale, and the attention it has received in the media, the SEC is likely to conduct at least an initial investigation.  An investigation by the Department of Justice is also possible.

The security flaws have also attracted the attention of private litigants.  Intel, and other affected chipmakers, have already been hit with multiple lawsuits.  Some of these suits are derivative actions alleging insider trading.  Others are putative class actions that allege that consumers were injured by the defective chips and that the chips cannot be patched without degrading the chips’ performance.

 

What would you say is the ideal way to deal with a cybersecurity issue such as this one?

Every situation is unique, of course, but many companies should plan in advance for a data breach or other information security issue.  In recent guidance, the SEC emphasized the need for comprehensive policies and procedures related to cybersecurity risks and incidents.  For public companies, policies and procedures should guard against insider trading and ensure timely disclosure of non-public information regarding the cybersecurity issue.  This is also a good time to review insurance policies and ensure that there is adequate coverage for data security events.  After a cybersecurity event, call counsel.  Among other things, outside counsel can retain experts and shield portions of the investigation from discovery in litigation because of the attorney-client privilege or the work-product doctrine.

 

When are companies at risk of prosecution, and what constitutes a misleading disclosure?

Securities law does not create a general duty to disclose.  Nonetheless, a company may need to disclose information about a cybersecurity incident if necessary to prevent a statement from being misleading. For example, a company may need to disclose potential costs related to a cybersecurity incident to ensure that forward-looking statements about financial performance are not misleading. 

In general, statements are only actionable if they are material. In the context of securities law, information is material when the reasonable investor would view the information as significantly altering the “total mix” of the information available. The evolving legal landscape and the complex factual and technological situations that often surround cybersecurity incidents mean that materiality can be difficult to assess. In addition, the law on materiality in the context of cybersecurity cases will likely continue to evolve with the changing technological, regulatory, and litigation landscape.

 

With cybersecurity becoming a growing issue, how do you think courts will change their viewpoint on security in 2018, including changes aimed at maintaining an orderly market?

One issue that has generated attention is what consumers must show to have standing to bring a lawsuit in federal court.  If the only harm suffered is the theft of the data, is that enough?  Courts have arrived at different conclusions, although there is debate about whether there is a true circuit split or whether the decisions turned on the facts before the respective courts.  The US Supreme Court recently denied a cert petition on this issue in CareFirst v. Attias.  This question can arise in cybersecurity contexts other than data breaches.  For example, unlike high-profile data breaches, the Intel security issue involves vulnerabilities in Intel’s physical product itself – its chips – that could be exploited by hackers.  It is unclear, however, whether hackers have already exploited this vulnerability.  It remains to be seen whether standing will be raised as a defense in any of the cases filed against Intel.   

 

Josh Robbins, the chair of the firm’s White Collar Defense and Government Investigations Department, has represented the governments of the United States and other sovereign nations, Global 500 and Fortune 500 corporations, and individuals in jury trials, appeals before federal circuit courts and the United States Supreme Court, international arbitrations, and complex government investigations.  He has been lead trial counsel in numerous high-profile cases involving hundreds of millions of dollars at issue and significant national and international public attention, including matters reported in the Wall Street Journal, the Los Angeles Times, CNBC, the Investigation Discovery channel, and Forbes.com.
