Last October, the SEC issued guidelines to companies about when they should notify their shareholders about incidents involving cyberattacks. The guidelines were--and still are--voluntary, so public companies are still free to keep cyberattack incidents out of earshot of their shareholders. I'm not sure if that's a good thing or not--reasonable people can disagree on the issue. But I feel pretty confident about one thing: companies are not revealing incidents involving cyberattacks because they feel legally or ethically compelled to do so.
Since issuing the guidelines, the SEC "nudged" Amazon.com to be more forthcoming about the cyberattack incident in which its subsidiary, Zappos.com, was targeted. In April, Amazon provided certain additional references about the attack in its annual report, but nonetheless argued that the disclosure was not required under SEC rules. (By the way, I agree with Amazon's position. Unless the incident materially impacts the business, disclosure isn't generally required under SEC rules.)
Both Verisign and LinkedIn made public announcements about cyberattacks on their systems, but it was unclear whether those announcements were motivated by the SEC's guidelines, or by the desire to maintain damage control using the press.
So what's happening here? Are companies being more forthright about cyberattacks because they have to be? Some pundits think so--check out the article in today's Bloomberg News.
But I disagree. Companies are not disclosing cyberattacks because they feel like they have to do so. If they felt legally compelled to make such disclosures, we'd be bombarded with stories about cyberattacks on a daily basis.
So which cyberattacks do we hear about? How does a company make the decision to release information about a cyberattack?
First, there's the easy answer: if the security or integrity of customer data was compromised, then companies will notify the public of the cyberattack in accordance with applicable state and federal laws. (That situation is the legal equivalent of a ground ball to first base: it's an easy out.)
But what about cases in which the attack does NOT result in customer data becoming compromised? Do we hear about those cases? Those are far more intriguing cases, and usually involve internal conversations in the impacted companies that go like this:
Company: "We've had a security breach."
Company's Attorney: "No way! Really? Wow. What happened?"
Company: "We're still looking into what happened, but we know all our data is safe. It's encrypted. Even if they saw it, they can't open it or read it."
Company's Attorney: "That's a good thing. So no one's information was compromised?"
Company: "No, whoever did this won't be able to decrypt it. But tell me, do we have to tell anyone about this?"
Company's Attorney: "Hmmm...since the data was encrypted, I don't think we need to say a word about it. But who else knows about this?"
Company: "More people than we had hoped. It's going to get leaked to people outside the company. It probably already has."
Company's Attorney: "Ok, then let's do damage control so no one gets the wrong idea about what happened. Issue a press release stating that the company was attacked, that such attacks are becoming commonplace, that such attacks are a reality in today's online world, and that the company's security precautions successfully withstood the attack. Within a few days, no one will care about the incident."
The bottom line is this: until the law requires disclosure, we shouldn't expect companies to voluntarily discuss the fact that they were targeted by hackers. If an incident does get reported (especially incidents in which no customer data was compromised), it's likely the result of a company exercising damage control, as opposed to the company feeling legally compelled to discuss the matter with its shareholders.