Revealing too much information on breaches could leave businesses vulnerable to attack.
According to Reuters, the US Securities and Exchange Commission (SEC) has convened after a series of high-profile data breaches which has sparked major public policy debates, including on how customers should be alerted, who should bear the cost of breaches and how such information should be disclosed both to government and the public.
However, companies that over share information could become targets of shareholder suits and regulatory probes. In some cases, federal law enforcement agencies like the FBI also tell companies they cannot reveal information about cyber attacks, putting public companies in a difficult position.
US lawmakers have been contemplating legislation to provide clarity about how notifications should be made, but so far Congress has not been able to pass any cyber security bills. Some have said that the SEC needs to do more, whether it is issuing more formal commission-level guidance or taking steps to ensure companies are disclosing more material incidents to investors.
Brendan Rizzo, technical director EMEA, Voltage Security, said that while companies and consumers both benefit from the increased security, with different states and different countries all having different requirements for cyber threat disclosure it is easy to see why companies and consumers alike are confused as to what laws apply in which scenarios.
“Consumers rightfully want to know when the sanctity of their sensitive information has been breached and, with more government and industry regulations arriving each year, it is easy to see why companies are now trying to find a data centric approach to protecting their customers’ data,” he said.
“Instead of building defensive barriers around silos of sensitive data, the data itself can be encrypted to protect it no matter where is goes. When the data itself is protected, a would-be thief would only be successful in stealing useless information that does not put consumers at risk, and companies then no longer have to worry about the disclosers and possible fines they would have faced before they implemented a data-centric solution.”
Tom Cross, director of security research at Lancope, said: “Data breach disclosure requirements are a complex policy issue. Companies are often disinclined to disclose information about breaches because they are concerned about the negative impact on their reputations, so some regulatory requirement may be necessary. There are cases where deliberate decisions are made to keep a breach under wraps in order to prevent the attackers from knowing that their activity is under investigation.
“On the other hand, consumers have a right to know when their data has been compromised. Investors have a need to accurately assess the risk that a computer security event could negatively impact their investments. Furthermore, the disclosure of technical information about breaches can help organisations learn from each other’s mistakes.
“It is possible to craft a thoughtful approach that insures that important information eventually surfaces without compromising investigations. However, an overly strict or inflexible requirement could have negative consequences. The devil is in the details.”