InformationWeek News, 5/13/2011, 05:03 PM

Senators Demand Public Companies Disclose Data Breaches

Democrats call for SEC to require mandatory disclosures of all data breaches, and for public companies to detail their data breach mitigation strategies.

Senators are calling on the Securities and Exchange Commission to clarify the rules that public companies must follow for disclosing when they've experienced a data breach.

"It is essential that corporate leaders know their responsibility for managing and disclosing security risk," said a letter to SEC chairman Mary Schapiro from five members of the Senate Committee on Commerce, Science, & Transportation, all Democrats.

According to a statement released by Senator John D. Rockefeller IV (D-W.Va.), who chairs the committee and co-signed the letter, the SEC should "clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies' computer systems."

The letter cites a 2009 study from insurance underwriter Hiscox, which found that "38% of Fortune 500 companies made a 'significant oversight' by not mentioning privacy or data security exposures in their public filing"--meaning their mandatory, annual SEC 10-K filing.

The Hiscox study found that by industry, the worst offenders were utilities--which, by the way, also comprise a significant portion of the so-called U.S. critical infrastructure. Indeed, the study found that "46% of diversified financial companies, 50% of telecommunications firms, and an astounding 80% of utilities" didn't disclose their data security exposure, according to Risk Management. The study also found that--at least in 2009--only 7% of public companies fully encrypted their confidential data.

The senators also questioned the risk management practices of companies that do detail their security risk exposure. According to their letter, "in our review of recent disclosures, we found statements ranging from boilerplate descriptions of risk to details of specific attacks; we did not, however, find information on steps taken by the corporation to reduce risk exposure."

They also found insufficient disclosure of information regarding the theft of intellectual property or trade secrets. "Federal securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share," they wrote. Failing to detail this information, said the senators, could result in "an inefficient marketplace that devalues security and impairs investor decision-making."

In other words, investors should be able to dump their stock in a company that isn't securing its data properly, or which goes on to suffer a catastrophic data breach. First, however, they need more information. Accordingly, might the senators' letter prefigure legislation aimed at requiring mandatory disclosure of such information?

"Legislation of this nature often starts with breach notification requirements," said Rob Rachwald, director of security for Imperva, in a blog post. "When this was introduced into Germany, many companies came forward out of the blue and announced breaches--which surprised many. It's only a matter of time before breach notification becomes a federal requirement, give it two years or less."

In the meantime, he said, companies can start by getting their security house in order, to help avoid Sony-style breaches and determine the best way to "move beyond basic compliance and make laws work in their favor."
