Data breaches must be reported within 4 days, says SEC

There have been many cases of US companies covering up serious personal data breaches for months at a time – often only admitting to them when an outside source learns of it.

This isn’t possible in Europe, where the law requires unauthorized access to personal data to be reported to regulators within three days, and now the US is finally adopting a similar requirement – even if it’s not for your benefit …

US companies often hide data breaches

When US companies are hacked, and customer data is exposed, they often fail to admit this to customers until months later.

For example, a hacker gained access to the phone numbers and email addresses of 5.4M Twitter users through a vulnerability first reported back in January of last year. The exact timing of the attack is unclear, but Twitter patched the hole after the report, yet only revealed in August that the user details had been obtained by a hacker and offered for sale.

European privacy law requires companies to disclose data breaches within three days of discovery.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

No such requirement has been in place in the US, however.

SEC now set 4-day reporting requirement

This has now changed, with the Securities & Exchanges Commission (SEC) now requiring companies to disclose data breaches within four days.

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. 

The reason for this is to ensure that affected individuals are notifie–

We’re joking, of course: It’s to protect shareholders against their investment being put at risk by undisclosed financial liabilities.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Photo: Ahmed Zayan/Unsplash

Add 9to5Mac to your Google News feed.