Fitbit, the fitness-tracking company with six wearable devices that track and collect data about things like calories burned, steps logged, “quality” of sleep and sleep patterns, heart rate, etc.) as well as web and mobile apps and premium services, has filed with the Securities and Exchange Commission for a $100 million initial public offering. We have discussed the SEC’s Cybersecurity Guidance issued in 2011 and based on that Guidance, how the SEC expects public companies (and soon-to-be public companies) to disclose specific cybersecurity risk to investors — see our discussion here. Given that, we thought we would check Fitbit’s S-1 filing to see how a company collecting gobs of health and fitness data on millions of users (nearly 21 million units sold last year) discloses cybersecurity risk.
Boilerplate, or discussion of company-specific risk? You be the judge (the entire S-1 can be obtained here):
We collect, store, process, and use personal information and other customer data, which subjects us to governmental regulation and other legal obligations related to privacy, information security, and data protection, and our actual or perceived failure to comply with such obligations could harm our business.
We collect, store, process, and use personal information and other user data, and we rely on third parties that are not directly under our control to do so as well. Our users’ health and fitness-related data and other highly personal information may include, among other information, names, addresses, phone numbers, email addresses, payment account information, height, weight, and biometric information such as heart rates, sleeping patterns, GPS-based location, and activity patterns. Due to the volume and sensitivity of the personal information and data we manage and the nature of our products, the security features of our platform and information systems are critical. If our security measures, some of which are managed by third parties, are breached or fail, unauthorized persons may be able to obtain access to sensitive user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Fitbit data were to experience a breach of systems compromising our users’ sensitive data, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data breach or other unauthorized access to our user data, we may also have obligations to notify users about the incident and we may need to provide some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the incident. A growing number of legislative and regulatory bodies have adopted consumer notification requirements in the event of unauthorized access to or acquisition of certain types of personal data. Such breach notification laws continue to evolve and may be inconsistent from one jurisdiction to another. Complying with these obligations could cause us to incur substantial costs and could increase negative publicity surrounding any incident that compromises user data. Our users may also accidentally disclose or lose control of their passwords, creating the perception that our systems are not secure against third-party access. Additionally, if third parties we work with, such as vendors or developers, violate applicable laws, agreements, or our policies, such violations may also put our users’ information at risk and could in turn have an adverse effect on our business. While we maintain insurance coverage that, subject to policy terms and conditions and a significant self-insured retention, is designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all losses or all types of claims that may arise in the continually evolving area of cyber risk.