Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports:
At your Shmoocon talk you mentioned that you had difficulty finding
SEC filings related to security breaches. I was doing some research
and came across several SEC filings that discuss security breaches.
Generally, these items are going to appear in either a 10-Q or 10-K.
Typically, this will be some boilerplate warning in the risk factors
section such as:
A material security breach of our information systems or data could
harm our reputation, cause a decrease in the number of customers,
and adversely affect our financial condition or results of operations.
- Acxiom, http://sec.edgar-online.com/
- BJ’s Wholesale, http://sec.edgar-online.com/
- JetBlue: http://sec.edgar-online.com/2004/02/11/0001047469-04-004064/Section4.asp (Covers the voluntary hand-over of their customer data to a DHS contractor, as discussed in “Secondary Screening: JetBlue FOIAs” and “Testing Airline Customers.” I’d argue that voluntary handovers do not a breach make.)
- Polo Ralph Lauren: http://sec.edgar-online.com/
- TJX: http://sec.edgar-online.com/2007/03/28/0000950135-07-001906/
He’s found that this Google search against the edgar-online site
works well: ("disclosure of personal information"|"security breach") ("10-K"|"10K"|"10-Q"|"10Q") site:edgar-online.com
I haven’t had time to read all of these, but being a fan of evidence, I wanted to share data points as I learned them.