Slashdot Mirror


Should Hacked Companies Disclose Their Losses?

derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recently reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin, who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities and Exchange Commission. DuPont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because of the potential losses, do hacked companies have a responsibility to report security breaches to investors?"


  1. Of course they should. by vikingpower · · Score: 5, Insightful

    You're responsible toward your shareholders. If you don't have any, at least the board & upper management should be in the know.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re:Of course they should. by udachny · · Score: 5, Interesting

      Oh, and I forgot to mention something: most people shouldn't be participating in the stock market at all. The fact is that participation in the stock market is encouraged by government, which debases your savings with inflation, so you feel that you must do something. Since the interest rates on government bonds are non-existent, I mean they're negative given the inflation rate, you are basically forced into the stock market.

      But this is a huge problem: most people do not understand the stock market, so the government hands them over to the financial institutions, which basically lobby the government to push people into their hands.

      My point is: you should NOT invest in things that you personally do not understand or at least didn't do homework on before you jumped into them. Government encourages people to participate in this giant casino and makes it LOOK like it's safe with various regulations. You think you are safe while in reality you are being robbed and the robbery is endorsed by the government itself. You are much better off either starting your own company if you want to invest or at the minimum to go and find out whatever you can about the company you are investing in. Visit the offices, visit the plants, visit the sites, request to see the books, etc.

      If you can't spend the time and you think you can trust somebody to do it for you, I have news for you: you won't be able to choose the best options, you won't be able to choose your account manager based on past performance, because the established industry pushed for the so-called 'self-regulations' (FINRA), which are really an extension of government power, because you can't operate in that space unless you comply. But that system PREVENTS COMPETITION!

      It ensures that you are going to give your money to the biggest crooks, the ones that are most connected to the government, which is working together with these crooks to steal your money from you by all means possible, while pretending you are protected by gov't.

      There is no competition, no small money manager can start his own brokerage, it's made impossible with regulations and rules and then with FINRA that prevents advertising based on past performance.

      Again: most people shouldn't be in the stock market.

      (I recommend that most people buy something of value, assets that withstand inflation, if they can't be sure of what they are investing in. But your gov't certainly doesn't want you to do that, and the tax code proves it as well.)

    2. Re:Of course they should. by KingMotley · · Score: 2

      Sure, why don't you just cherry pick your answers. How about looking at the bigger picture:
      1990 gold price: 383, dow: 2468
      2012 gold price: 1685, dow: 13289
      Gold is worth 4.40 times what it was in 1990, and the DOW is 5.38 times what it was in 1990. The numbers get even better for stocks the more years you add in. Your advice only works in time periods in which the stock market had a downturn, but looking at a realistic plan, anyone investing for a lifetime would have been better served by buying just your average performing DOW stocks than they would have been by buying gold.

      Let's try another example. Anyone buying gold in 1980 at the then-current price of $680 would have been "wiped out" (not an accurate term, but on the same scale you refer to getting "wiped out" on the stock market), and it would have taken until 2007 (27 YEARS LATER) to get back enough profits to recoup their losses (not including inflation).

      Your advice is naive and short sighted. Let's talk in 5-10 years and see whose investments have done better, and who is "wiped out". See you then.

    3. Re:Of course they should. by KingMotley · · Score: 2

      I understand inflation just fine. What I don't understand is crackpots, and while your rants are entertaining and all over the place, you lose your focus.

      My advice is sound, and works, has worked, and will continue to work in all markets, economies, and time periods (given enough time). Yours is based on crackpot theories and only works in certain time periods, with little concrete advice other than to run around crying because the sky is falling, all because of *evil* people.

      Good luck, I'm done.

  2. I dissent. by swschrad · · Score: 5, Insightful

    If the hack causes material changes in business or profitability, a public corporation is required by law to disclose what is known about the effect on continuing operations to the SEC, whose 10-K form is a public document. Especially if a "going concern" warning is required by financial regulations.

    --
    If this is supposed to be a new economy, how come they still want my old-fashioned money?
    1. Re:I dissent. by captaindomon · · Score: 5, Insightful

      Exactly. This kind of reporting is already required by the SEC if it causes or could potentially cause a reasonable material change to your books. Same as if a dinosaur ate your CEO, or your data center was wiped out by a giant mutant butterfly. We shouldn't be specifying each individual case in law, the SEC laws are so complex that there are SEC specialist lawyers all over the place already.

      --
      Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
    2. Re:I dissent. by TubeSteak · · Score: 4, Interesting

      Corporations have vastly more resources than the SEC's $1.3 billion budget.
      That budget is about 0.01% of the cash flows they're supposed to be regulating,
      which is why SEC violations almost always end in settlements for a fraction of the money involved, with no admission of guilt.

      In reality, the SEC should be the size of the IRS (10x the budget) and the IRS should have 2x its current budget.
      You'd see a lot less corporate fraud if the regulators had the resources to do their job.

      --
      [Fuck Beta]
      o0t!
  3. same as meat space by Black+Parrot · · Score: 2

    If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

    --
    Sheesh, evil *and* a jerk. -- Jade
  4. Every attempted hack?? No matter how small? by Nutria · · Score: 3, Insightful

    Must they report to investors and the SEC every time a building is physically broken into?

    Of course not.

    You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:Every attempted hack?? No matter how small? by chill · · Score: 3, Informative

      If that break-in has a material effect on their financials, yes, they do.

      The impact is the bar here. If that break-in resulted in someone pilfering a vault with the firm's operating capital, then it needs to be reported on the form.

      If they stole a lamp in the front office, no.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Every attempted hack?? No matter how small? by Shoten · · Score: 2

      > Must they report to investors and the SEC every time a building is physically broken into?
      >
      > Of course not.
      >
      > You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

      Actually, it depends. Is the building in question a guard shack, where some rent-a-cop's iPhone got stolen? No. Is the building Nakatomi Plaza, and the break-in resulted in $640,000,000 worth of bearer bonds being burned, stolen and/or spread to the winds? Then yes...the company very much has a requirement to disclose. The rule isn't based around the action, but the impact. VeriSign, for example, would be required to disclose a major physical security breach at their Mountain View site which houses the root CA they operate. Why? Because the trust around that site is a material component of their intrinsic value as a corporation, and they are publicly traded. (Disregard for a moment the fact that they suck...let's just leave that aside for the time being.)

      --

      For your security, this post has been encrypted with ROT-13, twice.
  5. Depends on your POV by 3seas · · Score: 2

    The hackers will say yes and then comment on what is claimed in losses.

    The company POV is to only disclose losses verified to the tax man and other authorities, but not to the public (unless it's indirectly done as a requirement to stockholders).

  6. why not by mywibes · · Score: 2

    Unless there is a fear of further aggravating the loss, there is no reason why they shouldn't share it.

  7. So, That's a No Then? by Anonymous Coward · · Score: 4, Informative

    > If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

    Businesses don't report these things to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so; it is simply the most logical and prudent action.

    So, I guess your answer to the question "Should Hacked Companies Disclose Their Losses?" is no.

  8. Highly misleading summary by SirGarlon · · Score: 4, Informative

    > By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line

    That claim is only true in a narrow and impractical sense. Several US states have mandatory data-breach reporting laws. A company doing business in those states, generally meaning buying or selling to/from persons or companies in those states, must comply with those laws. Generally they require notifying customers whose personal data is at risk. I have received two such letters myself since my state's law went into effect.

    IANAL but really I don't think it takes a lawyer to be aware of these laws. Anyone who is informed about computer security should at least know of their existence, as should any IT manager employed in those states.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Highly misleading summary by SirGarlon · · Score: 2

      And I should add that when I say "several," I mean *forty-six*. Out of fifty.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  9. Fines by ThatsNotPudding · · Score: 2

    The SEC should start doling out stout fines for publicly-traded entities that do not release information that impacts their returns; to say massive security breaches don't hurt the books is a lie so large as to be indictable.

  10. They should but they won't. by NinjaTekNeeks · · Score: 2

    [Generalization] Companies are not ethical, they are rat bastard pieces of crap that care only about profits and money and give a fuck all about consumers.[/Generalization].

    As such, being hacked doesn't immediately mean a financial or business impact. Hackers stole 100,000 encrypted database tables, well so what? Do you disclose the worst-case scenario, in which the attackers can decrypt them, or do you just assume they won't be able to break the encryption? My bet would be that companies would go the latter route. Also, translating lost data into dollars usually looks really bad. For example:

    When prosecuting the case and determining damages, they will include the cost of reporting to each individual affected, labor, envelopes, stamps, etc. At $2-3 per person this adds up quick. That doesn't cover loss of revenue, business deals and who knows what. So on one hand you want to stick it to the people who attacked you, but not spook your investors. Tricky situation; most companies instead just sweep it under the rug.

  11. California has laws that are relevant.... by TeddyR · · Score: 2

    California actually has laws governing this if personally identifiable information or medical info is breached. Unfortunately many companies do not know about these laws or do not follow them. Also, by the nature of how the law is worded, it may effectively affect companies all over the US (anyone that does business with CA or a CA resident)...

    1798.29
    http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_29.htm

    1798.82
    http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm

    --
    Time is on my side
  12. If somebody broke into your house... by Synerg1y · · Score: 2

    Should you report it? Yes
    Do you actually have to? No

    Same concept?