Even though the Securities and Exchange Commission has warned publicly traded companies about their need to disclose data breach details and information about security risks, most haven’t complied. Now the agency is getting tougher in demanding disclosures.
The SEC first released guidelines last October detailing publicly traded companies’ obligation to report data breaches in their standard disclosure material. The agency didn’t issue a new rule but rather clarified that cyberattacks fall under the long-standing requirement that businesses report “material” developments that are significant enough that shareholders would reasonably want to know about them.
For example, the SEC said companies should report attacks if they:
- Have a material effect on the organization’s financial condition (if profits are lost, for example)
- Could result in reported financial information no longer being accurate, or
- Require the company to materially increase its security expenditures.
Those guidelines haven’t done much to increase data breach disclosures: in June, a former FBI agent reported that most of the thousands of data breaches being investigated by authorities were never reported to the SEC.
Now, it appears the SEC has increased its efforts to get companies to report breaches — at least six companies have received letters from the agency compelling them to disclose data breach details, Bloomberg reports. Companies receiving letters included:
- Amazon, whose Zappos.com division was hit by a data breach in which criminals stole the addresses and possibly credit card numbers of 24 million customers in January, and
- Google, whose networks were raided in 2010 by China-based hackers attempting to steal source code.
Both companies complied with requests to put details about the breaches in their earnings reports, Bloomberg said. American International Group, Hartford Financial Services Group, Eastman Chemical Co. and Quest Diagnostics have also gotten similar letters from the SEC, according to the news agency.
Though there have been no reports of organizations being penalized, public companies that fail to meet the data breach disclosure requirements could face SEC enforcement actions and lawsuits from shareholders.