Breach reporting: Now companies have to do it

Consumer advocates as well as many business groups have attempted to get federal laws adopted in the United States that would mandate disclosure of security breaches in which some types of private information about identifiable people are exposed. In spite of the obvious logic of having a national standard, these efforts so far have failed.

But a recent action by the Securities and Exchange Commission may have created a disclosure requirement more sweeping than any of the legislative proponents could have wished for.


It used to be that companies suffering a security breach did not have to tell anyone about it, not even the people who might be harmed by it. That started to change on July 1, 2003, when the California Database Breach Act went into effect. This act required disclosure of any security breach of a database that held specific types of mostly financial information about California residents. But, as ChoicePoint found out in 2005, notifying only California residents about a breach that also exposed the data of residents of other states was rather dumb.

Forty-six states have since passed their own laws, once the California law showed that it could force companies to tell customers when a company mess-up might put them in danger. If you live in Alabama, Kentucky, New Mexico or South Dakota, you just have to trust that companies have enough of a conscience to let you know when you are at risk.

Having 46 often contradictory state laws is far from ideal if you happen to run a business that spans state lines. Having a national set of rules would make a great deal of sense, but asking the politicians in Washington to do something that makes sense does not always produce a sensible result. Part of the problem with the political process is the impact of lobbyists, which would likely produce a set of rules far weaker than the strongest state laws -- so maybe inaction is for the best.

But the Washington bureaucracy may have just cut through the logjam.

The SEC's Division of Corporation Finance has published what it quaintly calls "guidance" about what companies should disclose about security-related risks and incidents. The document is careful to say that it is not a rule or regulation, but companies would be wise to review it closely and think long and hard before deciding to disregard the advice.

The guidelines go far beyond anything one would ever expect to make it out of Congress. At best, Congress would limit the disclosure requirement, as California does, to cases where specific pieces of private information are exposed. The guidance instead points out that "federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision."

The guidance goes on to make it clear that cybersecurity risks and events are covered under this umbrella and to detail the types of information that should reasonably be disclosed.

This could be a game changer. For example, under this guidance, RSA would have had to be far more forthcoming about its recent breach. We might actually be able to tell how much trouble the customers of compromised companies are really in, and that would be a refreshing, if occasionally troublesome, change.

Disclaimer: Not being a public company, Harvard is not subject directly to the SEC's guidance. But, given time, accounting standards seem to expand to fix that problem. In any case, the university has not expressed an opinion on the SEC's guidance, so the above is my own exploration of the implications.


This story, "Breach reporting: Now companies have to do it" was originally published by Network World.
