If you’re wondering if businesses, who’ve been targets of cybercrime, have been properly handling the fallout, you have company: The U.S. Securities and Exchange Commission.
- Did the businesses adequately protect data?
- Were investors properly notified about the breach’s impact?
One of the companies being investigated is Target Corp.
The SEC, historically, has concentrated on giving guidance to companies regarding disclosure of data-breach risks, and the SEC has traditionally also assisted with ensuring that financial companies were well-equipped against hackers.
But the SEC doesn’t like when there seems to be incomplete disclosures of the data breaches or some kind of perceived misleading information.
For example, Target didn’t disclose its breach until the day after it was first reported—by renowned security blogger Brian Krebs.
Just how much should companies say about breaches? This is being debated among regulators, corporate attorneys and activist investors.
Nevertheless, public companies owe it to investors to inform them of material compromises that could affect the investors’ decisions to sell or buy shares. A material attack, says the SEC, includes one that makes a company greatly boost what it spends on defenses, and one in which intellectual property is stolen.
Businesses in general would rather keep silent about breaches to avoid negative fallout. At the same time, it’s not easy to come up with evidence that a business should have disclosed more about a data breach than it actually did. A stolen trade secret, even, won’t necessarily be harmful to a big company’s growth or profits. The interpretation here varies almost as much as the different kinds of cyber attacks do.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.