Tuesday, May 17, 2011
Five Democratic senators, led by Sen. John D. Rockefeller, D-W.Va., wrote the Securities and Exchange Commission May 11, 2011, to ask the agency to clarify federal disclosure requirements concerning data thefts. The letter was written just a week after the House Subcommittee for Commerce, Manufacturing and Trade held a hearing on the recent massive Sony Corp. data breach that compromised personal information from nearly 100 million Sony customers.
Rockefeller, Chairman of the Senate Commerce, Science and Transportation Committee, addressed the clarification request to SEC Chairman Mary Schapiro. The letter was cosigned by Sen. Sheldon Whitehouse, D-R.I., Sen. Robert Menendez, D-N.J., Sen. Mark Warner, D-Va., and Sen. Richard Blumenthal, D-Conn.
"Given inconsistencies in reporting, investor confusion and the national importance of addressing cyberspace security, we request that the Securities and Exchange Commission issue guidance regarding the disclosure of information security risk, including material network breaches," the senators wrote.
The senators acknowledged cyber security risks "are not well known or understood," but they maintain cyber security "is a core responsibility shared by leaders and managers throughout all levels of a business."
A 2009 study conducted by insurance underwriter Hiscox Inc. determined 39 percent of Fortune 500 companies did not mention relevant privacy or data security break-ins. The report called this omission a "significant oversight."
The senators have additional concerns. "In addition to reporting inconsistencies, it is unclear whether corporations who do disclose their information security risk exposure are adequately assessing and mitigating these risks," they said. "In our review of recent disclosures, we found statements ranging from boilerplate descriptions of risk to details of specific attacks; we did not, however, find information on steps taken by the corporation to reduce risk exposure."
The legislators went on to say that once a publicly traded company experiences a breach, that entity may not understand its disclosure obligations to consumers, although federal law requires such disclosure. The senators called corporate data theft reporting "inconsistent and unreliable" and said the poor quality of information about data breaches creates "an inefficient marketplace that devalues security and impairs investor decision-making."
The senators asked the SEC to develop and publish guidelines that clarify public disclosure requirements for security risks and breaches. "We believe this guidance, undertaken using longstanding commission legal authority, will enhance investor and corporate awareness of information security risk, thus improving the national and economic security of our nation," the letter concluded.
Democrats are not alone in voicing cyber-security concerns. On the same day the five Democratic senators released their letter to the SEC, Rep. Clifford Stearns, R-Fla., filed HR 1841, a bill intended to add new cyber-security protections to the law.