BCLPSecCorpGov.com

Proceed at Your Own Risk: Steps to Protect Confidential Information and Public Disclosures

Jul 14, 2025

What happened

Public companies regularly face challenges in protecting confidential information relating to material announcements of corporate developments as well as financial results and other events.  For example, recently, the U.S. Attorney in the Eastern District of New York charged two individuals with misappropriating material non-public information through their work as employees of an SEC filing service.

According to Bloomberg, the two individuals:

  • Conspired to misappropriate confidential information about merger agreement signings.
  • Realized profits of more than $1 million upon sales following public announcement of the signings.
  • Planned to board a flight to Hong Kong when the FBI arrested them at JFK Airport.
  • Face securities fraud charges with potential sentences of 25 years.

Separately, in the past some prominent companies needed to issue corrections when draft earnings releases were released prematurely or posted without removing metadata. 

The takeaways described below may help companies avoid the misuse, leak and premature or inadvertent disclosure of corporate information. 

Takeaways

Protecting Company Confidential Information

Although the misconduct took place at a vendor, the charges serve as a reminder to public companies to review their internal practices to protect confidential information.  Best practices include:

  • Sharing material news only with those employees who have a need to know.
  • Restricting access to documents on company networks to approved employees, including by:
    • Securing sensitive documents from inclusion in searches by others in the company.
    • Establishing device and printing restrictions for sensitive documents before release.
  • Using code names in documents for significant matters.
  • Securing physical documents in locked drawers, whether at the office or at home.
  • Reminding employees of their confidentiality obligations in connection with significant transactions or developments, including:
    • Observing the practices listed above.
    • Not trading on material non-public information.
    • Avoiding discussions with anyone outside the working group or in any location where others may overhear conversations.
    • Not discussing or sharing information with spouses or other family or household members.
  • Evaluating third party agents for Edgarization or press release distribution, including with respect to their compliance policies, reputation, and employee training and confidentiality procedures.

Protecting Public Disclosures

Based on prominent missteps from the past, public companies should consider reviewing their internal controls relating to public announcements, including:

  • Scrubbing metadata – or only using clean PDF formats – before releasing documents (or sharing via cloud collaboration). On some prior occasions, failures have allowed viewers to see:
    • Tracked changes showing edits to sensitive documents.
    • Comments showing internal disagreements over wording.
    • Author names and timestamps showing the drafting timeline.
    • Hidden text.
  • Preventing premature posting, or mistaken posting of outdated versions, by:
    • Establishing clear communications with financial printers, filing and transfer agents, as well as IR and website teams and other third party vendors with access to confidential or sensitive information.
    • Evaluating drafting and review controls, including collaboration tools with audit trails, to avoid confusion over drafts or final versions.
    • Maintaining formalized levels of review by legal, finance, IR, and other relevant teams.
    • Reconciling SEC filings and press releases to ensure consistency.
  • Evaluating controls for authorized release times, protocols for transmission to wire services and documentation of approvals from stakeholders.
  • Periodically conducting testing for SEC filing and press release distribution protocols.
  • Establishing procedures for promptly retracting or correcting erroneous communications, along with Form 8-Ks where appropriate.
  • Reviewing or updating the external communications policy, including identification of parties authorized to speak to the media or analysts and related confidentiality obligations.
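
As an added illustration of the metadata items listed above (example code, not part of the original article or of any vendor's tooling), the following Python function inspects a Word .docx before release and reports tracked changes, comments, hidden text, and author and timestamp properties. The names audit_docx and build_sample are hypothetical, and the sample document is constructed in memory for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CORE_FIELDS = {  # docProps/core.xml elements that reveal who drafted and when
    "author": "{http://purl.org/dc/elements/1.1/}creator",
    "last_modified_by": "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}lastModifiedBy",
    "created": "{http://purl.org/dc/terms/}created",
}

def _count(root, *tags):
    wanted = {f"{{{W}}}{t}" for t in tags}
    return sum(1 for el in root.iter()  # <w:vanish w:val="0"/> turns hiding off: skip it
               if el.tag in wanted and el.get(f"{{{W}}}val") not in ("0", "false"))

def audit_docx(data: bytes) -> dict:
    """Return findings that should block release; an empty dict means clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        body = ET.fromstring(z.read("word/document.xml"))
        counts = {
            "tracked_changes": _count(body, "ins", "del", "moveFrom", "moveTo"),
            "hidden_text_runs": _count(body, "vanish"),
            "comments": _count(ET.fromstring(z.read("word/comments.xml")), "comment")
                        if "word/comments.xml" in z.namelist() else 0,
        }
        findings.update({k: v for k, v in counts.items() if v})
        if "docProps/core.xml" in z.namelist():
            core = ET.fromstring(z.read("docProps/core.xml"))
            for label, tag in CORE_FIELDS.items():
                el = core.find(tag)
                if el is not None and (el.text or "").strip():
                    findings[label] = el.text.strip()
    return findings

def build_sample(dirty: bool) -> bytes:
    """Constructed sample: a minimal .docx assembled in memory (not a real filing)."""
    w = f'xmlns:w="{W}"'
    marks = ('<w:ins w:id="1" w:author="A. Drafter"><w:r><w:t>up 4%</w:t></w:r></w:ins>'
             '<w:del w:id="2" w:author="A. Drafter"><w:r><w:delText>flat</w:delText></w:r></w:del>'
             '<w:r><w:rPr><w:vanish/></w:rPr><w:t>confirm with finance</w:t></w:r>') if dirty else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f'<w:document {w}><w:body><w:p>{marks}</w:p></w:body></w:document>')
        if dirty:
            z.writestr("word/comments.xml", f'<w:comments {w}><w:comment w:id="0" w:author="Reviewer"/></w:comments>')
            z.writestr("docProps/core.xml", '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>A. Drafter</dc:creator></cp:coreProperties>')
    return buf.getvalue()
```

Calling audit_docx on the bytes of a draft returns an empty dictionary only when none of these items are present. The check covers the main document body of a .docx only; hidden formatting applied through styles, headers and footers, and other file formats would need their own checks.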

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.