From the July/August 2011 issue of Treasury & Risk magazine

Coming Clean on Breaches

As cybercrime proliferates, so do calls for more public disclosure of the scope of the damages sustained in attacks.

What do Sega, Citigroup, Sony and InfraGard have in common? All experienced data breaches earlier this summer. Some were the work of malicious or politically motivated groups, such as the attack on government contractor InfraGard by LulzSec. More often, criminals are trying to obtain information that can be used to steal money, either from the targeted company or its customers or suppliers.

In the Sony attack, hackers obtained over a million customers’ passwords, e-mail addresses, phone numbers, dates of birth and other information.

But the risks to companies go way beyond the defrauding of customers, says William Katz, a partner at the Texas law firm of Thompson & Knight.

“These data breaches raise issues of the need for public disclosure, reputational brand, and of course potential lawsuits if your customers or your vendors or suppliers end up being compromised and if they suffer financial losses,” Katz says.

In the past, corporations typically responded to data breaches by battening down the hatches, Katz says. But he argues that that’s a bad idea.

The first step should always be to contact law enforcement officials, who may want to pursue an investigation before perpetrators know the breach has been detected, Katz says.

Then there is the issue of disclosing data breaches. In May, a group of Democratic senators asked the Securities and Exchange Commission to provide guidance on when public companies should disclose such attacks.

The SEC requires public companies to disclose material losses, so if a breach could affect revenue or earnings, it must be reported, Katz notes. “If it turns out you are not disclosing things, it could create issues for you.”

Alan Charles Paul, who heads the privacy, data security and information law practice at the Washington law firm Sidley Austin, cautions that reporting current data breaches may not be enough. Paul notes that the SEC’s written response to the senators said existing SEC rules could also require companies to report vulnerabilities and potential breaches.

The takeaway, says Paul, is that companies need to do a high-level assessment of their data breach and hacking risks, such as the loss of trade secrets or reputational damage.

At the same time, Paul warns that in reporting potential risks, companies need to avoid telegraphing what hackers should go after. 

“That’s the delicate balance,” he says. “You want to provide information to the public and consumers and others who might be impacted by a breach, but you don’t want to attract more attention from potential hackers.”


For a look at the steps companies should take to guard against cyberattacks, see Unprepared for Hackers.
