When your company gets attacked by hackers, how much do you tell the public and when? Often the answers are nothing and never, according to an attorney assisting Target Corp. with legal issues arising from its December data breach.
Business executives and officials at a cybersecurity roundtable discussion hosted Wednesday by the Securities and Exchange Commission reached little consensus on when companies should report data breaches. Companies are required to report breaches likely to affect investor decisions, but the potential damage from an attack is open to broad interpretation. And the harm of disclosure, both through publicizing internal vulnerabilities and through reputational damage, can be worse than the initial attack.
SEC commissioners at the panel acknowledged they need to learn more about cybersecurity risks. And the commissioners asked panelists whether the SEC should consider changing reporting requirements. “There is no doubt that the SEC must play a role in this area,” Commissioner Luis A. Aguilar said. “What is less clear is what that role should be.” But few of the executives and attorneys on the panels appeared to welcome broadening SEC disclosure mandates on cybersecurity. The majority of breaches wind up being immaterial to investors, said Douglas Meal, a Ropes & Gray LLP attorney on the panel, who has been working with Target in legal issues related to the retailer’s massive breach of consumer data. “If the company doesn’t have a legal obligation to disclose it’s often not in their interest,” Mr. Meal said.
When several companies, including TJX Cos., reported card theft in 2007, they “were rewarded with all kinds of government investigations and litigation burdens,” Mr. Meal said. But other companies that had suffered large breaches at the hands of the same hacker group did not make disclosures and felt few negative effects, Mr. Meal said.
Since Target reported in December the theft of data on 40 million customer credit and debit cards, it has faced dozens of lawsuits from consumers and banks. Many of them fault the timing and completeness of Target’s disclosures. In an interview after the panel discussion, Mr. Meal declined to comment on Target directly. But speaking generally, he said “if you never disclose the breach at all then you don’t have the class action suits…It’s the disclosure of the breach that creates the firestorm of litigation.” In an emailed statement, Molly Snyder, a Target spokeswoman, said: “We want to be explicitly clear that Mr. Meal’s statements do not reflect the beliefs of Target.”
Ms. Snyder said the retailer alerted the public within days of confirming the attack. As Target’s investigation uncovered that more customer data had been stolen, the company made additional disclosures, though it was not legally required to do so, Ms. Snyder said. “The decision was made to disclose because we felt it was the right thing to do and we are accountable to our guests,” Ms. Snyder said. Yesterday, Target executives testified before lawmakers that the company supports a uniform notification standard “that could provide additional protection for consumers,” Ms. Snyder said. State laws on customer notification often compel companies to disclose the theft of personal data. “But if you don’t have a legal obligation to disclose, why would you voluntarily disclose and put yourself in the crosshairs of that kind of litigation?” Mr. Meal said. “Companies think they are doing the right thing by disclosing but instead end up being viewed as the problem.”
By Joel Schectman.
- 1 Apr, 2014