SEC guidelines push for clearer data breach disclosures
Whether or not they're enough is another matter.
American companies haven't always been forthright about disclosing data breaches in a responsible way, and regulators want to encourage better behavior. The Securities and Exchange Commission has issued "interpretive guidance" that it hopes will both promote clearer disclosures and fewer ethical conflicts. The guidance asks companies to share more information about cyberattacks and other risks, and warns executives against trading securities before they've publicly shared the details of a breach -- they shouldn't dump shares knowing a hack will tank the company's stock price.
Whether or not this makes a difference is another story. Although Democrats at the SEC supported the guidance, they argued that the real solution would be tougher rules requiring better disclosures and improved security standards. The guidance may formalize SEC interpretations that haven't always been made public, but it doesn't change those laws to keep pace with modern cybercrime. It's not uncommon for companies to downplay or cover up incidents, but they won't necessarily face serious repercussions for their actions.
If nothing else, though, this is a shot across the bow. It's a reminder that companies shouldn't sit on news of a breach, jeopardizing the data of their customers for the sake of profit. If companies honor the guidelines (and that's a big "if,") you may understand the true severity of a breach and have a better chance at mitigating the damage.
