Senator wants mandatory data breach disclosure in financial statements

Rockefeller’s provision would require the US Securities and Exchange Commission (SEC) to make explicit when a company must disclose data breaches and spell out the steps it is taking to protect its systems from data breaches, according to a report by the Associated Press.

In October, the SEC issued guidelines, not mandates, instructing companies to disclose data breaches – as well as the risks of potential breaches – in their financial statements.

The SEC said that companies should disclose a data breach and the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.”

Few companies, however, have actually followed the SEC guidelines, as demonstrated by some recent data breaches that have come to light months or years after they occurred.

For example, the recently disclosed data breach at Wyndham hotels, in which hackers broke in and stole credit card information three times over a two-year period, was not reported by the company in its filings with the SEC, according to the AP report.

In addition, Amazon did not disclose in its 2011 annual report the theft of personal data on 24 million customers at its Zappos online shoe retailer, the report noted.
