This story appeared on Network World at
http://www.networkworld.com/columnists/2011/101711-bradner.html

Breach reporting: Now companies have to do it

'Net Insider By Scott Bradner, Network World
October 17, 2011 02:16 PM ET

Consumer advocates as well as many business groups have attempted to get federal laws adopted in the United States that would mandate disclosure of security breaches in which some types of private information about identifiable people are exposed. In spite of the obvious logic of having a national standard, these efforts so far have failed.

But a recent action by the Securities and Exchange Commission may have created a disclosure requirement more sweeping than any of the legislative proponents could have wished for.

It used to be that companies suffering a security breach did not have to tell anyone about it, even the people who might be negatively affected by it. That started to change on July 1, 2003, when the California Database Breach Act went into effect. This act required disclosure of any security breaches of databases that included specific types of mostly financial information about California residents. But, as ChoicePoint found out in 2005, just telling California residents about a breach that included residents from other states was rather dumb.

Forty-six states have passed their own laws since the California law was shown to force companies to tell customers when they might be in danger because of a company mess-up. If you live in Alabama, Kentucky, New Mexico or South Dakota, you just have to trust that the companies have enough of a conscience to let you know when you are in danger.

Having 46 often contradictory state laws is far from ideal if you happen to run a business that spans state lines. Having a national set of rules would make a great deal of sense, but asking the politicians in Washington to do something that makes sense does not always produce a sensible result. Part of the problem with the political process is the impact of lobbyists, which would likely produce a set of rules far weaker than the strongest state laws -- so maybe inaction is for the best.

But the Washington bureaucracy may have just cut through the logjam.

The SEC's Division of Corporation Finance has published what it quaintly calls "guidance" about what companies should disclose about security-related risks and incidents. The document carefully said that it is not a rule or regulation, but that companies should rather carefully review this guidance and think long and hard if they decide to disregard the advice.

The guidelines go far beyond anything that one would ever expect to make it out of Congress. At best, Congress would limit the disclosure requirement, like California does, to cases where specific pieces of private information are exposed. The guidance points out that "federal security laws, in part, are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision."

The guidance goes on to make it clear that cybersecurity risks and events are covered under this umbrella and to detail the types of information that should reasonably be disclosed.

This could be a game changer. For example, under this guidance, RSA would have had to be far more forthcoming about its recent problems. We might actually be able to tell how deep the sneakers are for the customers of compromised companies, and that would be a refreshing, if occasionally troublesome, change.

Disclaimer: Not being a public company, Harvard is not subject directly to the SEC's guidance. But, given time, accounting standards seem to expand to fix that problem. In any case, the university has not expressed an opinion on the SEC's guidance, so the above is my exploring the implications.

All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com