This story appeared on Network World at http://www.networkworld.com/columnists/2011/101711-bradner.html
Breach reporting: Now companies have to do it
'Net Insider, by Scott Bradner, Network World
October 17, 2011 02:16 PM ET
Consumer advocates, as well as many business groups, have tried to get federal laws adopted in the United States that would mandate disclosure of security breaches in which certain types of private information about identifiable people are exposed. In spite of the obvious logic of a national standard, these efforts have so far failed.
But a recent action by the Securities and Exchange Commission may have created a disclosure requirement more sweeping than any of the legislative proponents could have wished for.
It used to be that companies suffering a security breach did not have to tell anyone about it, not even the people who might be harmed by it. That started to change on July 1, 2003, when the California Database Breach Act went into effect. This act required disclosure of any security breach of a database that included specific types of mostly financial information about California residents. But, as ChoicePoint found out in 2005, telling only California residents about a breach that also affected residents of other states was rather dumb.
Forty-six states have passed their own laws since the California law showed that companies could be forced to tell customers when a company mess-up might put them in danger. If you live in Alabama, Kentucky, New Mexico or South Dakota, you just have to trust that companies have enough of a conscience to let you know when you are in danger.
Having 46 often contradictory state laws is far from ideal if you happen to run a business that spans state lines. A national set of rules would make a great deal of sense, but asking the politicians in Washington to do something sensible does not always produce a sensible result. Part of the problem with the political process is the influence of lobbyists, which would likely produce a set of rules far weaker than the strongest state laws -- so maybe inaction is for the best.
But the Washington bureaucracy may have just cut through the logjam.
The SEC's Division of Corporation Finance has published what it quaintly calls "guidance" about what companies should disclose about security-related risks and incidents. The document carefully says that it is not a rule or regulation, but that companies should review the guidance carefully and think long and hard before deciding to disregard the advice.
The guidelines go far beyond anything one would ever expect to make it out of Congress. At best, Congress would limit the disclosure requirement, as California does, to cases where specific pieces of private information are exposed. The guidance points out that "federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision."
The guidance goes on to make it clear that cybersecurity risks and events are covered under this umbrella and to detail the types of information that should reasonably be disclosed.
This could be a game changer. Under this guidance, for example, RSA would have had to be far more forthcoming about its recent problems. We might actually be able to tell how deep the sneakers are for the customers of compromised companies, and that would be a refreshing, if occasionally troublesome, change.
All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com