May 12, 2011

Federal Breach Disclosure Requirements Coming?

From today's WSJ.

A group of U.S. lawmakers wants the Securities and Exchange Commission to push companies to disclose when they have fallen victim to cyberattacks.

Three weeks after Sony Corp. was forced to shut down its PlayStation network by hackers who stole users' information, the group, which includes Senate Commerce Committee Chairman Jay Rockefeller of West Virginia, on Wednesday sent a letter to the SEC asking it to issue guidance stating that companies must report when they have suffered a major network attack and disclose details on intellectual property or trade secrets that hackers may have stolen.

The article adds:

In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk.

A 2009 study by insurance underwriter Hiscox Inc. found that 38% of Fortune 500 companies made a "significant oversight" when they failed to mention risk of data-security breaches in their public filings.

Specifically, the lawmakers want to ensure that firms disclose when they have suffered a "material network breach," which would be a cyberattack or data theft that would affect the average investor's decision to purchase or sell a stock.

Legislation of this nature usually starts with breach notification requirements. When such a requirement was introduced in Germany, many companies came forward out of the blue and announced breaches, which surprised many observers. It is only a matter of time before breach notification becomes a federal requirement in the U.S.; give it two years or less. Smart companies will start to prepare now by:

  • Putting in place strong security programs so that they avoid having to make breach notifications in the first place.
  • Reading Professor Robert Bird's paper, Law As A Competitive Advantage. It is essential reading for anyone who wants to understand how legal requirements can mobilize an organization to move beyond basic compliance and make the law work in its favor.
  • Studying our PCI paper. This may seem like self-promotion, but it isn't: our survey identifies the characteristics of companies that achieved PCI compliance at a lower cost than their peers.
