In October of 2011, the Securities and Exchange Commission issued a non-mandatory guidance statement on cybersecurity and the reporting of security requirements. Despite this guidance, which was intended to clarify existing reporting requirements for publicly traded companies under Sarbanes-Oxley and other federal privacy laws and regulations, many companies are either not reporting cybersecurity breaches or are skirting the reporting requirements by making very general disclosures that appear designed to minimize or disguise the nature and severity of such breaches.
In response to this dearth of meaningful reporting, the Chairman of the Senate Commerce, Science and Transportation Committee, Sen. Jay Rockefeller, is seeking to add provisions to cybersecurity laws that would strengthen and clarify breach-reporting obligations. Among the results of these changes would be a requirement that the SEC clarify when companies must disclose cyber breaches, and a requirement that companies spell out the steps they are taking to protect their computer systems from intrusions.
In the wake of such spectacular hacks as the breach of LinkedIn's site and the repeated intrusions into Wyndham Hotels' systems (for which the FTC is actively pursuing punitive enforcement against the company), it has become increasingly clear that cyber-crime is a real risk to businesses. In response to the damage that such intrusions do to both investors and end-customers, the government is clearly placing increased pressure on companies to step up and combat this economic threat by implementing better preventative measures and by disclosing the existence of breaches after the fact, to ensure that weaknesses in companies' security are not simply swept under the proverbial rug. Increasingly, businesses must make the protection of critical infrastructure and its data storage, handling, and destruction key elements in their business planning and implementation, rather than the afterthought it often seems to be.