Breach reporting: now companies have to

By: Scott Bradner

Consumer advocates as well as many business groups have attempted to get federal laws adopted in the US that would mandate disclosure of security breaches where the breach exposed some types of private information about identifiable people. In spite of the obvious logic of having a single national standard these efforts, so far, have failed to succeed. But a recent action by the Securities and Exchange Commission may have created a disclosure requirement more sweeping than any of the legislative proponents could have wished for.

It used to be that companies who suffered a security breach did not have to tall anyone about it, even the people who might be negatively affected by the breach. That started to change on July 1 2003 when the California Database Breach Act (http://www.datagovernance.com/adl_data_laws_california_security_breach_notifi.html) went into effect. This act required disclosure of any security breaches of databases that included specific types of mostly financial information about California residents. But, as ChoicePoint found out in 2005 (http://www.sobco.com/nww/2005/bradner-2005-02-28.html), just telling California residents about a breach that included residents from other states was rather dumb.

Forty six states have passed their own laws (http://www.ncsl.org/default.aspx?tabid=13489) since the California law was shown to force companies to tell their customers when the customer might be in danger because of a company mess up. If you live in Alabama, Kentucky, New Mexico, or South Dakota you just have to trust that the companies have enough of a conscience to let you know when you are in danger.

Having 46, often contradictory, state laws is far from ideal if you happen to run a business that spans state lines. So having a single national set of rules would make a great deal of sense , but asking the politicians in Washington to do something that makes sense does not always produce a sensible result. Part of the problem with the political process is the impact of lobbyists, which would likely produce a set of rules far weaker than the strongest state laws so maybe the inaction is for the best.

But the Washington bureaucracy may have just cut through the logjam. The Securities and Exchange Commission's Division of Corporation Finance has just published what it quaintly calls "guidance" (www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm) about what companies should disclose about security-related risks and incidents. The document carefully said that it is not a rule or regulation but companies should rather carefully review this guidance and think long and hard if they decide to disregard the advice.

The guidelines go far beyond anything that one would ever expect would make it out of Congress. At best, Congress would limit the disclosure requirement, like California does, to cases where specific pieces of private information are exposed. The guidance points out that "federal security laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision." The guidance goes on to make it clear that cyber security risks and events are covered under this umbrella and to detail the types of information that should reasonably be disclosed.

This could be a game changer. For example under this guidance RSA would have to be far more forthcoming about their recent problems. (http://www.networkworld.com/columnists/2011/053111-bradner.html) We might actually be able to tell how deep the sneakers are for the customers of compromised companies, and that would be a refreshing, if occasionally troublesome, change.

disclaimer: Not being a public company Harvard is not subject directly to the Securities and Exchange Commission's guidance but, given time, accounting standards seem to expand to fix that problem. In any case the university has not expressed an opinion on the SEC's guidance so the above is my exploring the implications.