Should Hacked Companies Disclose Their Losses?

derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recent-reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities Exchange Commission. Dupont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?"

Of course they should.

[vikingpower]

You're responsible toward your shareholders. If you don't have any, at least the board & upper management should be in the know.

Re:Of course they should.

[udachny]

Sure, but this is a matter for the company in question to decide. The question posed in this story assumes that there are only 2 possibilities (false choice), either the company is forced to release information by government or it is not forced. As always in such matters, where the question concerns whether anybody should be forced by government into anything, it completely dismisses the obvious: this is up to the company and its shareholders. The question is not whether a company should be forced to do anything, the question is: is it a company with shareholders that want it to release information or not?

A company can be private or public, in either case no regulations should exist as to what is released to the public! It is up to the company and up to the public to do their homework and decide whether to participate in that business by buying stock in a company that releases or does not release any type of information. SEC is worse than irrelevant, it creates an ILLUSION of safety (as all government programs do), similar to TSA.

Do you think you are safer because of what TSA does?

Do you think you are safer because of what SEC does?

The reality is that no government agency can reduce your risks in life, but government can and does increase your risk of having your money stolen by giving you a false sense of security. Most often than not, your money is stolen by the government in the first place. SEC does not pay attention to obvious fraud in the market. Be it the banks or insurance or Madoff or Enron or whatever, if you think your money is safe because the government is telling you so, then you deserve everything that is coming your way.

Re:Of course they should.

[poity]

While I lean towards this, it can also be argued that this would only further encourage rivals (or short-sellers) to employ mercenary intruders, since it lowers the bar for influencing the market (you'd need only to damage a company's reputation rather than spend time looking for useful secrets to employ/sell). It seems like one of those things where it makes tremendous sense if EVERY company in the world were bound by it, but if only SOME companies were bound by it then those which are not will find themselves with an advantage.

Though when I think about it, the more important question we should probably be asking is, "is there a more efficient way to get companies to secure their networks?" I think this is probably the fastest way, and least costly to the government, so I'm for it despite misgivings.

Re:Of course they should.

[udachny]

Oh, and I forgot to mention something: most people shouldn't be participating in stock market at all. The fact is that participation in the stock market is encouraged by government, which debases your savings with inflation, so you feel that you must do something. Since the interest rates on government bonds is non-existent, I mean it's negative given the inflation rate, you are basically forced into the stock market.

But this a huge problem, most people do not understand the stock market, so the government hands them over to the financial institutions, that basically lobby the government to push people into their hands.

My point is: you should NOT invest in things that you personally do not understand or at least didn't do homework on before you jumped into them. Government encourages people to participate in this giant casino and makes it LOOK like it's safe with various regulations. You think you are safe while in reality you are being robbed and the robbery is endorsed by the government itself. You are much better off either starting your own company if you want to invest or at the minimum to go and find out whatever you can about the company you are investing in. Visit the offices, visit the plants, visit the sites, request to see the books, etc.

If you can't spend the time and you think you can trust somebody to do it for you, I have news for you: you won't be able to choose the best options, you won't be able to choose your account manager based on past performance, because the established industry pushed for the so called 'self-regulations' (FINRA), which are really extension of government power, because you can't operate in that space unless you comply. But that system PREVENTS COMPETITION!

It ensures that you are going to give your money to the biggest crooks, the ones that are most connected to the government, which is working together with these crooks to steal your money from you by all means possible, while pretending you are protected by gov't.

There is no competition, no small money manager can start his own brokerage, it's made impossible with regulations and rules and then with FINRA that prevents advertising based on past performance.

Again: most people shouldn't be in the stock market.

(I recommend that most people buy something of value, assets that withstand inflation if they can't be sure in what they are investing. But your gov't certainly doesn't want you to do that and the tax code proves it as well).

Re:Of course they should.

[KingMotley]

And you would be wrong.

Most people should be in the stock market to some degree. You don't need any real super advanced knowledge to do well. Invest in 25-30 companies (diversify). Pick companies that you think will do well. Let that money sit and don't touch it.

Where people get things wrong is when they want to start micromanaging their portfolios, thinking they know better than everyone else, and they get burned. Don't ever invest in a company thinking to make a quick buck. Always buy with the intention of keeping it there for 2-3 years at a MINIMUM, and unless something earth shattering happens, KEEP IT THERE.

As with all things in life, never put all your assets in one bucket. Stocks may play a part, even a large part of your investments, but always have money in different things like bonds, commodities, and savings as well.

Re:Of course they should.

[udachny]

Your advice is terrible. If you are investing in a generally bull market and without government inflation, that is one thing. However you missed the part of my comment where I explained about inflation (a subject that is generally not understood by pretty much all people, very few truly understand it). Inflation is destroying your investments even if you are not touching them.

You have to look at your investments relative to the actual purchasing power over time, not to nominal dollar gains or losses. As such, anybody who followed your advice and invested in the stock market this way lost money over the last few decades.

Many of those who invested in the stock market bubble of the nineties got wiped out completely. Those who remained in stocks and bonds got their purchasing power eaten by inflation.

It's easy just to look at the indexes like DOW or NASDAQ and compare their relative change to gold. For example DOW could have been around 11000 in 2001 and 13000 today, but gold was 300 in 2001 and it's over 1685 today. The loss of purchasing power is obvious (from 1/36 to 1/7.7).

Again, I think this is the best thing anybody could do: do NOT invest into things you do not understand, especially during high inflationary environment caused by growth of government. You can find somebody to do it for you, but my point was that the government also makes it very difficult to find people who do it well as opposed to following the specially concocted government formula, which WILL have you mostly in government bonds one way or another (either via actual government debt instrument or via bank or other financial stock or any other 'government approved' way to steal your money from you)/

Re:Of course they should.

Government regulation is hardly a reason to ignore potential risks, but do you honestly believe no regulation at all is better than having regulatory bodies which are subject to capture by industry?

Re:Of course they should.

No doubt. All government regulation is corruption by default.

Re:Of course they should.

[KingMotley]

Sure, why don't you just cherry pick your answers. How about looking at the bigger picture:
1990 gold price: 383, dow: 2468
2012 gold price: 1685, dow: 13289
gold is worth 4.40 times what it was in 1990, and the DOW is 5.38 times what it was in 1990. The numbers get even better for stocks the more years you add in. Your advice only works in time periods in which the stock market hard a down turn, but looking at a realistic plan for anyone doing investing for a lifetime would have been better served by buying just your average performing DOW stocks than they would have in gold.

Let's try another example. Anyone buying gold in 1980 at the then current price of $680, it would have "wiped them out" (not an accurate term, but on the same scale you refer to the getting "wiped out" on the stock market), and it would have taken until 2007 (27 YEARS LATER) to get back enough profits to recoup their losses (not including inflation).

Your advice is naive and short sighted. Let's talk in 5-10 years and see whose investments have done better, and who is "wiped out". See you then.

Re:Of course they should.

[udachny]

As I said, inflation is what you don't understand.

1971 when Nixon defaulted on the gold US dollar, the controlled price was 19 dollars per ounce, which was the price even back in 1914. Obviously USA defaulted on the dollar because of this fixed price level, which was artificially set and didn't allow dollar to depreciate against gold to keep people from noticing inflation. By 1981 the price of gold went up to 800USD, what did DOW do? Now, once Volcker set interest rate at 21.5% the price of gold corrected to about 200 USD and stayed there for a few years and started a slow rise with rising inflation.

While inflation was still low compared to 2000 and of-course to today, the stock market was still a sound enough investment strategy (though I am always against people buying things they don't understand), however it stopped being a sound investment strategy with Greenspan's put. Greenspan threw money at every problem to keep the stock market happy, eventually the interest rates were taken down to 1 and then 0. Of-course the recession that followed the implosion of the stock market bubble, which was inflated by the Fed wiped out people's investments.

Your advice is: put money into stock market and leave it there for many many years. Well, over many many years, the government comes in with huge inflation and destroys your purchasing power but also inflates bubbles that burst and then the gov't creates even more inflation to inflate more credit bubbles. That's the actual real scenario, that's the reality we live in, it's not a free market, it's an awful mix of collectivist ideas and special interests by the most connected bankers and such. You can't have a market and a return, there are NO DIVIDENDS.

Your strategy made sense when companies at least paid dividends that definitely covered inflation. Who is paying dividends today? Who is getting over 15 to 22% return to cover inflation and make at least 6%? The reality is that the next implosion of the credit bubble created by the government and the Fed may just take down the dollar itself and it will definitely take down the bonds, but as the gov't bonds go, so will corporate bonds, especially domestic companies. If a company is not selling overseas it may just lose all of its earnings, and if it is selling overseas it may face confiscatory levels of taxation due to gov't declaring 'windfall profit taxes' based on the relative collapse of the dollar value.

Your strategy doesn't take into account the reality, which is this: government is destroying the economy and the money.

Re:Of course they should.

[KingMotley]

I understand inflation just fine. What I don't understand is crackpots, and while your rants are entertaining and all over the place, you lose your focus.

My advice is sound, and works, has worked, and will continue to work in all markets, economies, and time periods (given enough time). Yours is based on crackpot theories and only works in certain time periods with little concrete advice other than to run around crying because the sky is falling all because of *evil people.

Good luck, I'm done.

Re:Of course they should.

[phantomfive]

However you missed the part of my comment where I explained about inflation (a subject that is generally not understood by pretty much all people, very few truly understand it). Inflation is destroying your investments even if you are not touching them.

Oh, and you understand so much better than everyone else, do you? You sound like a college student who has just learned about Dostoyevsky for the first time, and wonder why no one is talking about him! In reality the rest of already learned about him, and that's why we aren't talking about him. It is likely more people understand inflation than you realize.

t's easy just to look at the indexes like DOW or NASDAQ and compare their relative change to gold. For example DOW [google.com] could have been around 11000 in 2001 and 13000 today, but gold was 300 in 2001 and it's over 1685 today. The loss of purchasing power is obvious (from 1/36 to 1/7.7).

Oh, and you are measuring inflation in terms of gold. This is wrong for many reasons, but trivially demonstrated by looking at the gold price between 1980 and 1985. Did we have deflation during that time period? No, we did not. Many things affect the price of gold, which is why we don't measure inflation based on that price.

Re:Of course they should.

[phantomfive]

My advice is sound, and works, has worked, and will continue to work in all markets, economies, and time periods (given enough time).

It's worth remembering that your good advice only works in a growing economy. If we have a long, hundred year contraction (which could happen for example, if we hit peak oil or something), then the stock market will go down over that period.

Re:Of course they should.

[DriedClexler]

Your advice didn't work in any of the economies whose governments (unpredictably) collapsed or underwent severe economic turmoil: Weimar, Austria-Hungary, pre-Bolshevik Russia, ...

Re:Of course they should.

[KingMotley]

From my original post:

As with all things in life, never put all your assets in one bucket. Stocks may play a part, even a large part of your investments, but always have money in different things like bonds, commodities, and savings as well.

Sure, it's possible that all stocks, bonds, commodities go belly up along with all the banks and the government (that insures savings through FDIC), but at that point, all hell has broken lose, your money is most likely worthless and you're more interested in protecting yourself from zombies. But it could happen.

Re:Of course they should.

[phantomfive]

Yeah, your advice was pretty good. It's important to remember why advice works though, and when it can go wrong. Reading back to the beginning of the depression and seeing people desperately going from one asset to another, only to find that all of them were losing, is really sad. Some settled on gold, which also didn't work out very well.

Re:Of course they should.

[KingMotley]

Why not? The US could go bankrupt, default on all loans, it's currency valued as toilet paper and sure, it'd hurt, but it wouldn't wipe me out either. That's why you diversify. My savings and bonds would be gone, but my commodities would be worth more, and my stocks would do ok. Of course I have stocks in the US, the UK, China, Europe, and Asia.

Countries come and go, but multinational corporations march on.

Re:Of course they should.

[Vitriol+Angst]

What you just wrote about investments should be required reading for ANYONE thinking about "investing."

It's a rigged game. I also need to mention that FINRA is now a "joint venture" -- meaning the previous government regulatory body that did a piss-poor job but managed to capture Martha Stewart for insider trading while waiting for a decade for a token arrest of Maddoff, is now OWNED by the financial institutions. How do you think that is going to work out?

Just because someone has a marble entrance, and isn't on the FBI's most wanted list, doesn't mean they aren't a crook and you should steer clear. Wall Street is a racket and there are honest people working hard for very, very dishonest people who will earnestly tell you otherwise. Do your homework. Note that there isn't a 16 year period without a "bubble pop" that almost every singe institution involved (e.g., LIBOR, Fed, Ratings agencies, international banks, etc.) have been caught abusing their positions of power for personal gain and no real punishment has ever been meted out. It's like the Mob, but without the jail time or integrity.

Re:Of course they should.

[Vitriol+Angst]

Gold's value is only a reflection of the watering down of the dollar.

If the value of Gold goes down -- the stock market probably thinks a Democrat is going to get in office and pay off debts, maybe raise taxes. That increases the value of the dollar and thus gold falls.

Gold is a hedge -- and it's only a good investment if your currency is losing value. It gained the most while Bush was ruining the economy.

Your investment advice requires "market timing" and not needing the money when times are tough -- because that's when the buying opportunities are best; just after the suckers got fleeced. YOUR 401K will rarely do much better than an index fund -- and that's if your lucky.

I dissent.

[swschrad]

if the hack causes material changes in business or profitability, a public corporation is required by law to disclose what is known about the effect on continuing operations to the SEC, which 10K form is a public document. especially if a "going concern" warning is required by financial regulations.

Re:I dissent.

[captaindomon]

Exactly. This kind of reporting is already required by the SEC if it causes or could potentially cause a reasonable material change to your books. Same as if a dinosaur ate your CEO, or your data center was wiped out by a giant mutant butterfly. We shouldn't be specifying each individual case in law, the SEC laws are so complex that there are SEC specialist lawyers all over the place already.

Re:I dissent.

[TubeSteak]

Corporations have vastly more resources than the SEC's $1.3 billion budget.
That budget is about .01% of the cash flows they're supposed to be regulating,
which is why SEC violations almost always end in settlements for a fraction of the money involved, with no admission of guilt.

In reality, the SEC should be the size of the IRS (10x the budget) and the IRS should have 2x its current budget.
You'd see a lot less corporate fraud if the regulators had the resources to do their job.

Re:I dissent.

[ryzvonusef]

Wee different. Going concern should not be the only criterion. It's an ethical issue, frankly.

For example, KFC was hacked, that would mean it should only be revealed if, say, KFC's secret recipe was stolen, and it threatened their going concern (unlikely but whatever...), but not if, say entire databases of consumer address and numbers were copied, which while hurting consumer privacy, would *not* hurt their going concern (since KFC could hush it up and go on selling chicken like normal).

I believe both cases should be revealed.

same as meat space

[Black+Parrot]

If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

Re:same as meat space

[Shoten]

If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

Actually, when it has any basis on stock value (in other words, if the breach has any material effect on a company's true worth, either via direct or indirect losses), they do have that obligation with regard to "over-the-net" attacks. Shortly after this rule went into effect by the SEC, Nortel was forced to disclose not only that they had suffered a major breach, but that the attackers had been in their systems for nearly a decade, and that Nortel even knew about it.

The change is simple, and exactly what you propose; cyber security incidents are not explicitly lumped in with other actions that would negatively affect the value of a company, and thus the true value of its stock.

Every attempted hack?? No matter how small?

[Nutria]

Must they report to investors and the SEC every time a building is physically broken into?

Of course not.

You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

Re:Every attempted hack?? No matter how small?

[JasoninKS]

Attempted hacks, no. Actual hacks, yes. Physical break-ins, yes. Your investors should know where you've had faults in security and what are you doing to make it better.

Re:Every attempted hack?? No matter how small?

[Synerg1y]

If attempted hacks were reported, we'd have hourly reports based on the nature of the internet...

Re:Every attempted hack?? No matter how small?

[nurb432]

Must they report to investors and the SEC every time a building is physically broken into?

If they call the cops, it becomes public record anyway. If they dont, then they are hiding a crime that was commited, a crime in itsself last i heard.

Re:Every attempted hack?? No matter how small?

[chill]

If that break-in has a material affect on their financials, yes, they do.

The impact is the bar here. If that break-in resulted in someone pilfering a vault with the firm's operating capital, then it needs to be reported on the form.

If they stole a lamp in the front office, no.

Re:Every attempted hack?? No matter how small?

[Shoten]

Must they report to investors and the SEC every time a building is physically broken into?

Of course not.

You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

Actually, it depends. Is the building in question a guard shack, where some rent-a-cop's iPhone got stolen? No. Is the building Nakatomi Plaza, and the break-in resulted in $640,000,000 worth of bearer bonds being burned, stolen and/or spread to the winds? Then yes...the company very much has a requirement to disclose. The rule isn't based around the action, but the impact. VeriSign, for example, would be required to disclose a major physical security breach at their Mountatin View site which houses the root CA they operate. Why? Because the trust around that site is a material component of their intrinsic value as a corporation, and they are publicly traded. (Disregard for a moment the fact that they suck...let's just leave that aside for the time being.)

Depends on your POV

[3seas]

The hackers will say yes and then comment on what is claimed in losses

The company POV is to only disclose losses verified to the tax man and other authorities, but not public (unless its indirectly done as a requirment to stock holders)

why not

[mywibes]

Unless there is a fear of further aggravating the loss,there is no reason why they shouldnt share it

So, That's a No Then?

If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

Businesses don't report these tings to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so, it is simply the most logical and prudent action.

So, I guess your answer to the question of; Should Hacked Companies Disclose Their Losses? your answer is no.

Re:So, That's a No Then?

[dunezone]

They report these things to the police and their insurance companies in the hope of recovering from their losses.

I thought most insurance companies require companies to disclose this information to the public if its related to financials such as banking. They alert the customers so they can be proactive at checking their statements and making sure fraudulent charges are stopped. This will also save the insurance company money because less claims will be filed by the banks.

Re:So, That's a No Then?

[Black+Parrot]

If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

Businesses don't report these tings to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so, it is simply the most logical and prudent action.

So, I guess your answer to the question of; Should Hacked Companies Disclose Their Losses? your answer is no.

If you happen to have your facts right (which I seriously doubt), then I will draw the same conclusion that you did.

Highly misleading summary

[SirGarlon]

By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line

That claim is only true in a narrow and impractical sense. Several US states have mandatory data-breach reporting laws. A company doing business in those states, generally meaning buying or selling to/from persons or companies in those states, must comply with those laws. Generally they require notifying customers whose personal data is at risk. I have received two such letters myself since my state's law went into effect.

IANAL but really I don't think it takes a lawyer to be aware of these laws. Anyone who is informed about computer security should at least know of their existence, as should any IT manager employed in those states.

Re:Highly misleading summary

[SirGarlon]

And I should add that when I say "several," I mean *forty-six*. Out of fifty.

Chinese hackers?

Is there serious evidence that these hackers are Chinese or more importantly working for Chinese interest? Or is just the last determined hop or code comments? I see these statements all the time but is the evidence really solid?

Fines

[ThatsNotPudding]

The SEC should start doling out stout fines for publicly-traded entities that do not release information that impacts their returns; to say massive security breaches don't hurt the books is a lie so large as to be indictable.

They should but they won't.

[NinjaTekNeeks]

[Generalization] Companies are not ethical, they are rat bastard pieces of crap that care only about profits and money and give a fuck all about consumers.[/Generalization].

As such, being hacked doesn't immediately mean a financial or business impact. Hackers stole 100,000 encrypted database tables, well so what? Do you disclose worst case scenario if they attackers can decrypt them or do you just assume they won't be able to break the encryption. My bet would be companies would go the later route. Also translating lost data into dollars usually looks really bad. For example.

When prosecuting the case and determining damages, they will include the cost of reporting to each individual effected, labor, envelopes, stamps, etc. At a 2-3$ per person this adds up quick. That doesn't cover loss of revenue, business deals and who knows what. So on one hand you want to stick it to the people who attacked you but not spook your investors. Tricky situation, most companies instead just sweep it under the rug.

Re:They should but they won't.

[10101001+10101001]

As such, being hacked doesn't immediately mean a financial or business impact. Hackers stole 100,000 encrypted database tables, well so what? Do you disclose worst case scenario if they attackers can decrypt them or do you just assume they won't be able to break the encryption. My bet would be companies would go the later route.

Given your statement aobout companies being rat bastards, why would you believe they even *have* encrypted database tables? And if they do, what are the odds the key is stored on the same machine--ie, they only encrypted the table due to some contract specifying it but the contract failed to exclude the obvious "and the key can't be on the same machine"? But, yea, most companies are likely to try to downplay the risk.

Also translating lost data into dollars usually looks really bad.

That's a good thing if it's for the tax man--you can report an operating loss. And it's a bad thing to tell shareholders--who want the paper value of the company to go up. Never the less, if the company has an dollar loss as a result of a hack, why wouldn't they tell it? As for the hypothetical lost value from lost data? You report to shareholders the lost data and the potential lost value, both best case and worst case and an argument on how you think things will play out and why. Ie, you simply try your best to inform them because...tada..they're the owner(s) and deserve no less.

For example.

When prosecuting the case and determining damages, they will include the cost of reporting to each individual effected, labor, envelopes, stamps, etc. At a 2-3$ per person this adds up quick.

Um..is the discussion really about mailing an envelope to everyone potentially effected every time? Or is it to (a) include a report in the quarterly stockholder information you're already handing out and (b) handing a report to the SEC (and maybe the media, if appropriate) to allow them to disseminate the information to the broader community?

That doesn't cover loss of revenue, business deals and who knows what. So on one hand you want to stick it to the people who attacked you but not spook your investors. Tricky situation, most companies instead just sweep it under the rug.

And the question then becomes, and at what point is this not just fraud? If a company finds out the food they shipped out may be contaminated, they may *want* to sweep it under the rug, but to do so is most often simply illegal under various regulations. But without even the regulations, for a company to continually and knowingly to misrepresent itself just to not "spook your investors"? That's not how the world works. The only thing you can do is to try to spin the facts as best you can to adequately prepare those investors so they aren't overly spooked. But if there's a data breach and there's reason to be spooked, no amount of spin will or should help you.

In the end, as you say, it comes down to what "they should [do] but they won't". The real question is what, if anything, should be done on the societal, investor, and/or governmental end. The point that another poster raised, that most people shouldn't be investing in the stock market is quite cogent to this point. Society as a whole won't punish bad companies, generally. Government is too often too slow to act to have much effect--unless it's a long-term pattern of abuse. The only real recourse then is enough investor involvement, not simply to make a buck but to be involved enough to replace managers and CEOs who are so inclined to "sweep it under the rug". This also means working more towards making sure future data breaches are less likely to happen. But, even under such a scheme it's far from perfect, as enough big time speculators can game, manipulate, etc the stock market--and there's a long history of it in the past--which makes the idea of an investor driven stock market perhaps more of a pipe dream than a reality, anyways.

California has laws that are relevant....

[TeddyR]

California actually has laws governing this if personally identifiable information or medical info is breached. Unfortunately many companies do not know about these laws or do not follow them. Also, by the nature of how the law is worded, it may effectivly affect companies all over the US (anyone that does buisness with CA or a CA resident)...

1798.29
http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_29.htm

1798.82
http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm

Not All Attacks, But Some

[guttentag]

This should be covered for public companies in the U.S. by Sarbanes-Oxley Section 404, which is the top-down risk assessment. Basically, management is required to have certain internal controls in place (IT Security is one of the named categories), and the required risk assessment is supposed to evaluate those controls. If someone has "hacked" in and stolen sensitive information, your controls have failed and the auditor's report should reflect that. At the very least, Sarbanes-Oxley would require the disclosure of attacks that could impact the company's financials at the end of the quarter, but there may be a threshhold for reporting earlier to ensure shareholders are not blindsided by something really big. I am not a lawyer or an auditor, but if I were looking for that threshold, this is where I'd expect to find it.

(How ironic that they chose 404 to be the title of a report in which an auditor is looking for missing files)

They'd just lie ...

to suit their financial requirements/incentives.

Re:They'd just lie ...

[UltraZelda64]

Exactly what I was thinking. So why bother? And who the hell cares anyway?

If somebody broke into your house...

[Synerg1y]

Should you report it? Yes
Do you actually have to? No

Same concept?

Re:If somebody broke into your house...

[JohnFen]

Should you report it? Yes

In the absence of having to make an insurance claim, why should you report it?

Re:If somebody broke into your house...

[smellotron]

In the absence of having to make an insurance claim, why should you report it?

Crime reports are a tool to schedule and provision police officers on the street. By reporting a crime you are implicitly requesting additional surveillance. If that's what you want, then you should report the crime regardless of insurance claims.

I'd say yes BUT....

It's very likely the knee-jerk overreaction that followed the announcement would end up being far more detrimental than any hack ever could have been. We'd get to a point where a novice hacker would be able to wreak economic turmoil with minimal effort through ignorance and fear. The cost outweighs the benefits imo. I'd love to see that scenario reversed, but it's not there right now.

Gonna play the: people "CAN'T HANDLE THE TRUTH" card.

it is legally required

[swschrad]

but filling out all those damn reports while they drag out the body is a horrible waste of time.

CIO/CTO Tattoos

The seven-figure suits who head up IT for these companies, and the CEO's they report too, have a vested personal interest in not having "Stupid" prominently displayed on their foreheads.

This alone is enough to satisfy Occam.

Just as much

Just as much as they have to report claims on insurance, bonds, OSHA, or other regulatory findings. If they're subject to any PCI or HIPAA complaince, they should be subject to a standardized PR report describing the incident.

Fuck the investors - what about the customers?

"do hacked companies have a responsibility to report security breaches to investors?"

No, but they do need to let their customer base know that their information was taken, and pay for identity theft for a minimum of 2 years for each customer who's data was exposed, if they're real people (not businesses).

Absolutely, YES!

[realsilly]

Beyond the whole Shareholders argument, you have a duty to protect the data that you've asked for, and in some cases demanded of your customers. This is their data that they agreed to share with your company only. The rest of this discussion should be moot, but if you insist upon another reason, if the people of this country realized how much hacking is going on they have a chance to defend themselves against identity theft, bank account theft, outright fraud against them.

With all these corporations holding this information secret they are in essence assisting criminals in stealing their customer's data.

With this said, I also believe that if more of our talented hacker type folk were aware of this shit, they might show their abilities by going after the initial hackers with a vengeance.

The citizens of this country are being used by corporations for our personal information at every turn and they are not willing to protect this information, as such they should be fined $100.00 per day per customer information stolen until reported. So if you have 100 customers and it takes you 3 days to report a hack then your company should see an instant fine of $30,000. This would severely hurt a small company. Now make this a more realistic number for large corporations: 1,000,000 customers and 3 days, and BAM $300,000,000.00 fine would wake up some boards real fucking quick.

Lots of sides to that coin

[s.petry]

There are reasons not to make some things public, such as cost for hacking. It's kind of like we see in criminal law, as a method of reducing hacks.>/p>

Many people hack for attention/publicity. Take that away, they lose incentive to "hack" your site. Make a stink, and more will go at it to get their names in the paper.

Many don't understand that there are financial incentives to be hacking. Not always in a negative context either, consider penetration testers and how much money they can make. It can still pay to go in to a place and say "see how insecure you are? I can help".

Many simply don't know. Okay, we can give you head count for people required on Network and System teams to monitor and try to counter, but that's not the real cost. The real cost is in what actually gets leaked more often than head count. If you have no idea what was leaked, how do you determine value?

False representation?

[dutchwhizzman]

I'd say they were guilty of false representation of damages, costs and lost Intellectual Property towards their shareholders and possibly even leaking secret information about weapon systems and other military intelligence in some cases. They don't have to tell, but they'd sure would be liable for any damages occurred to their share holders and customers by not doing so. No need to change laws, just make sure they get sued hard for keeping their mouth shut and they will do it voluntarily the next time something happens.

Summary is completely wrong

The entire summary is a lie. Securities laws already require companies to report security problems that affect shareholders. Data breach laws in 49 states require problems to be reported, either to the victims or directly to the government. Federal laws require hacking of medical records or financial records to be reported. State common law imposes duties related to invasion of privacy, negligence or malpractice by a programmer, etc.

Just because there isn't a law that literally says "security breaches must be disclosed" doesn't mean they security breaches don't have to be disclosed. We have laws of GENERAL applicability so that every single scenario that could possibly happen doesn't have to be written out in advance. Sadly, this inaccurate summary is no worse than 99% of the other inflammatory Slashdot summaries related to legal issues.

For the stock holders

A corporation is owned by the stockholders no matter how small. They should have the right to be privately informed on losses and bad business practice, and failure to protect their assets. Does every corporation do that No, but the corporations that do, they increase the loyalty of their owners

Fucking parasites

No one fits the bill more correctly than the chinese. If we had any brains, we'd be killing them already.

Especially if it involves your social security #,

private medical info, dob, etc.

Yes

[lightknight]

It is a shock to shareholders, and annoys your customers, but 'tis better than the alternative.

Imagine a few hundred thousand credit card numbers being quietly stolen. Imagine waiting two years to admit to this theft. I imagine that that would be more damaging than admitting it immediately.

See, the true source of flack a company is going to receive is not that it has been hacked, but that it had such poor security measures in place to begin with. No one wants to be the captain of the ship who kept unencrypted user-names and passwords in a publicly accessible database. As such, the hit for that is unavoidable once it happens.

Remember hacker 'damage' in the 80s/90s

[Koos]

Remember the claimed 'damages' from hacker attacks in the 80s and 90s.. Like the E911 document worth over 80000 USD or the alleged 300 million dollar damage by Kevin Mitnick.

Usually those 'costs' were caused by companies trying to make the hacker pay for all the work surrounding the case and all the backlog in securing systems done as part of the clean-up operation in the aftermath of the break-ins.

I wonder if companies will overstate costs under these rules too or whether they will understate them because the numbers aren't used to make someone else pay.

How about...

the world just cuts China off from the internet as a whole until their government starts doing something...

But wait...

Healthcare has to report any breach, including those perpetrated by hackers.

TFS

By law, US companies don't have to say a word about hacker attacks

That implies there's a law that says they don't have to, not that there's no law that requires them to.