17 comments

[ 5.3 ms ] story [ 49.1 ms ] thread
Now we need FTC to step up and impose this on privately held companies that hold large numbers of consumer profiles, regardless of annual revenues. Several states already codify such disclosure requirements, but the (education and) enforcement of those rules only happens if the breached data becomes public anyway. (Nowadays, what is eventually published for sale by hackers may not even be able to be connected back to all of the specific data breaches involved in producing it.)
I anticipate managers dissuading people from investigating possible breaches. If you don’t know there is a breach you don’t have to report it.
Then you need to make it illegal to know of a breach and don't report it. This might give employees incentive to report their management illegal act of hiding a potential breach by obstructing internal investigation. Or better make the consequences of failing to secure system very painful and may put the company out of business. Not that 12 month of free credit monitoring for affected users. This will encourage companies to secure the data or better to not store what is not absolutely unnecessary because it is a huge liability. But of course governments like to access these data themselves from time to time.
You can’t know unless you investigate, right? I am saying managers will see situations where it could have happened, and they can figure out if there was a breach, but then instruct people to not look for it. Or just make it not a priority. Or whatever. They don’t know for sure so they can’t say you knew and didn’t report it.
How would that go down?

"I believe that someone currently has access to our customer database"

- "It's probably nothing. Carry on with your regular work. Nothing to see here."

Luckily for consumers, the do nothing approach to this problem is more costly than disclosing.

Funny, I see developers refusing to investigate breaches because "its not their job"
Material threat to be identified within 96 hours?

How would receiving an encrypted email detailing a vulnerability of your flagship product fit with the 96 hours, given that 90 days are often needed to fix said vulnerability (s) before informing the public?

In short, wouldn't that company's vulnerability make for excellent zero-days while they are trying to repair and retest the problematic product?

my interpretation of this is that the existence/disclosure of a vulnerability is entirely distinct from a data breach event (the SEC is mainly concerned with the latter)
Ummm, ChatGPT is a vulnerability or a data breech if new stock tips can be had this way?
slow down there fellow: >Under the incoming cybersecurity disclosure requirements, first approved by the SEC in July, organizations must report cybersecurity incidents, such as data breaches, to the SEC in a specific line item on a Form 8-K report within four business days

first line. It's going to a speicif org, not russian hackers in siberia.

I agree, that better be one damn secure batphone they're using.

8-K filings are public filings. You can see them on SEC's EDGAR database
Looking forward to how these disclosures will be written when we found out about them from the SEC's PR in July. As a shameless plug, you can subscribe & use this web page to view and receive notifications when new cybersecurity incidents / data breach disclosures are made public by the SEC:

https://last10k.com/stock-screeners/cybersecurity

V.F. Corporation (VFC), an apparel company, was the first company to file a cybersecurity incident under this new rule. The period of the report shows Friday, Dec 15 so it appears they submitted it to the SEC after-hours on Friday and the SEC accepted/published it this Monday morning, Dec 18 but the company became aware of the incident on Monday, Dec 13. Their stock price is down almost 8% today.

Sources:

https://last10k.com/sec-filings/vfc/0000950123-23-011228.htm

https://www.sec.gov/Archives/edgar/data/103379/0000950123230...

https://www.reuters.com/business/retail-consumer/vans-owner-...

Doesn't this bring the US in line with the EU, Australia, and I would assume a range of other countries ?
CISOs seething. Going to be very interesting what the Solarwinds SEC case outcome is, going to set a massive precedent.