Emergent Chaos

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports:

At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches.

Generally, these items are going to appear in either a 10-Q or 10-K. Typically, this will be some boilerplate warning in the risk factors section such as:

A material security breach of our information systems or data could harm our reputation, cause a decrease in the number of customers, and adversely affect our financial condition or results of operations.

• Acxiom, http://sec.edgar-online.com/ 2003/08/11/0000733269-03-000011/Section6.asp
• BJ'S Wholesale, http://sec.edgar-online.com/ 2004/08/17/0001193125-04-142267/Section8.asp
• JetBlue: http://sec.edgar-online.com/ 2004/02/11/0001047469-04-004064/Section4.asp (Covers the voluntary hand-over of their customer data to a DHS contractor, as discussed in "Secondary Screening: JetBlue FOIAs" and "Testing Airline Customers." I'd argue that voluntary handovers do not a breach make.)
• Polo Ralph Lauren: http://sec.edgar-online.com/ 2005/11/10/0000950123-05-013479/Section12.asp
• TJX: http://sec.edgar-online.com/2007/03/28/0000950135-07-001906/ Section5.asp

He's found that this Google search against the edgar-online site works well: ("disclosure of personal information"|"security breach") ("10-K"|"10K"|"10-Q"|"10Q") site:edgar-online.com

I haven't had time to read all of these, but being a fan of evidence, I wanted to share data points as I learned them.