Senators Demand Public Companies Disclose Data Breaches
Democrats call for SEC to require mandatory disclosures of all data breaches, and for public companies to detail their data breach mitigation strategies.
Senators are calling on the Securities and Exchange Commission to clarify the rules that public companies must follow for disclosing when they've experienced a data breach.
"It is essential that corporate leaders know their responsibility for managing and disclosing security risk," said a letter to SEC chairman Mary Schapiro from five members of the Senate Committee on Commerce, Science, & Transportation, all Democrats.
According to a statement released by Senator John D. Rockefeller IV (D-W.Va.), who chairs the committee and co-signed the letter, the SEC should "clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies' computer systems."
The letter cites a 2009 study from insurance underwriter Hiscox, which found that "38% of Fortune 500 companies made a 'significant oversight' by not mentioning privacy or data security exposures in their public filing"--meaning their mandatory, annual SEC 10-K filing.
The Hiscox study found that by industry, the worst offenders were utilities--which, by the way, also comprise a significant portion of the so-called U.S. critical infrastructure. Indeed, the study found that "46% of diversified financial companies, 50% of telecommunications firms, and an astounding 80% of utilities" didn't disclose their data security exposure, according to Risk Management. The study also found that--at least in 2009--only 7% of public companies fully encrypted their confidential data.
The senators also questioned the risk management practices of companies that do detail their security risk exposure. According to their letter, "in our review of recent disclosures, we found statements ranging from boilerplate descriptions of risk to details of specific attacks; we did not, however, find information on steps taken by the corporation to reduce risk exposure."
They also found insufficient disclosure of information regarding the theft of intellectual property or trade secrets. "Federal securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share," they wrote. Failing to detail this information, said the senators, could result in "an inefficient marketplace that devalues security and impairs investor decision-making."
In other words, investors should be able to sell their stock in a company that isn't securing its data properly, or that goes on to suffer a catastrophic data breach. First, however, investors need more information. Accordingly, might the senators' letter prefigure legislation requiring mandatory disclosure of such information?
"Legislation of this nature often starts with breach notification requirements," said Rob Rachwald, director of security for Imperva, in a blog post. "When this was introduced into Germany, many companies came forward out of the blue and announced breaches--which surprised many. It's only a matter of time before breach notification becomes a federal requirement, give it two years or less."
In the meantime, he said, companies can start by getting their security house in order, to help avoid Sony-style breaches and determine the best way to "move beyond basic compliance and make laws work in their favor."