Skip to main content

Risky Business: Target Discloses Data Breach and New Risk Factors in 8-K Filing… Kind Of

Written by Adam Veness

After Target Corporation’s (NYSE: TGT) net earnings dropped 46% in its fourth quarter compared to the same period last year, Target finally answered the 441 million dollar question – To 8-K, or not to 8-K?  Target filed its much anticipated Current Report on Form 8-K on February 26th, just over two months after it discovered its massive data breach.

In its 9-page filing, Target included two introductory sentences relating to disclosure of the breach under Item 8.01 – Other Events:

During the fourth quarter of 2013, we experienced a data breach in which certain payment card and other guest information was stolen through unauthorized access to our network. Throughout the Risk Factors in this report, this incident is referred to as the ‘2013 data breach’.

Target then buried three new risk factors that directly discussed the breach apparently at random within a total of 18 new risk factors that covered a variety of topics ranging from natural disasters to income taxes.  Appearing in multiple risk factors throughout the 8-K were the following:

The data breach we experienced in 2013 has resulted in government inquiries and private litigation, and if our efforts to protect the security of personal information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation and our sales and reputation could suffer.

A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.

We experienced a significant data security breach in the fourth quarter of fiscal 2013 and are not yet able to determine the full extent of its impact and the impact of government investigations and private litigation on our results of operations, which could be material.

An interesting and atypically relevant part of Target’s 8-K is the “Date of earliest event reported” on its 8-K cover page.  Although Target disclosed its fourth quarter 2013 breach under Item 8.01, Target still listed February 26, 2014 as the date of the earliest event reported, which is the date of the 8-K filing and corresponding press release disclosing Target’s financial results.  One can only imagine that this usually benign date on Target’s 8-K was deliberated over for hours by expensive securities lawyers, and that using the February earnings release date instead of the December breach date was nothing short of deliberate.  Likely one more subtle way to shift the market’s focus away from the two-month old data breach and instead bury the disclosure within a standard results of operations 8-K filing and 15 non-breach related risk factors.

To Target’s credit, its fourth quarter and fiscal year ended on February 1, 2014, and Target’s fourth quarter included the entirety of the period during and after the breach through February 1.  Keeping that in mind, Target may not have had a full picture of how the breach affected its earnings in the fourth quarter until it prepared its fourth quarter and year-end financial statements this month.  Maybe the relevant “Date of earliest event” was the date on which Target was able to fully appreciate the effects of the breach, which occurred on the day that it finalized and released its earnings on February 26.  But maybe not.

Whatever the case may be, Target’s long awaited 8-K filing is likely only a short teaser of the disclosure that should be included in Target’s upcoming Form 10-K filing.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.