On October 14th, 2011, Joseph Menn reported for the Financial Times on how US securities regulators have issued guidelines for publicly traded companies to disclose past hacking incidents and risks of future breaches. The SEC posted the directive as a staff recommendation rather than a binding rule. Nevertheless, the directive is sweeping: companies with public stock should discuss cyber risk factors in their quarterly filings and consider the potential impact of cyberattacks when preparing balance sheets and income statements. The directive also considered material costs such as lost revenue from unauthorized use of trade secrets, reputational damage, and increased security spending.
The directive further explained that a company should discuss a "material" breach with the public by disclosing "the specific attack and its known and potential costs and other consequences." Companies should also describe "what was stolen and whether it could affect future operating results, as well as any insurance provisions." As a matter of policy, cybersecurity experts have pressed for enforced disclosure of hacking for some time.
The source article can be found here.
William Snyder
Last week in our class we discussed the use of forced transparency – that is, laws requiring firms that hold personal data to disclose breaches of data security. You may recall that some states have passed laws requiring such disclosure, but that Congress has not yet been able to agree on such a law. Those laws carry criminal penalties for failing to disclose such a breach. There have also been attempts to use civil tort to impose liability for failing to disclose such breaches. In a classic example of the use of administrative law, the Securities and Exchange Commission is about to use its own authority to require such disclosures by companies that it regulates (namely, those that are publicly traded). They can do this without Congress being able to act, because regulation of publicly held companies was delegated to them by Congress. Such delegations have been upheld by the courts as long as Congress provides sufficient policy and standards to guide the administrative agency in exercising the delegated power (usually over interstate or foreign commerce) and the agency does not act in an arbitrary and capricious manner. While Congress debates a statute and the courts struggle to find a duty to disclose, the administrative agency is about to act with regulations.
William Snyder
Washington Post article on the same development: http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_story.html