Senators Demand Public Companies Disclose Data Breaches

U.S. Senators are pushing for more transparency in regards to data breaches, namely at companies such as Sony, which recently had their PS3 Network hacked and resulted in the compromising of information of more than 100 million user accounts. The senators are asking for the Security and Exchange Commission (SEC) to clarify rules dealing with how companies must disclose when they have suffered a data breach.

In a letter to the SEC from the Senate Committee on Commerce, Science, & Transportation, chaired by Senator John D. Rockefeller IV (D-W.Va.), senators voiced their concerns by stating, “It is essential that corporate leaders know their responsibility for managing and disclosing security risk,” as quoted in the Information Weekly article. Senator Rockefeller further went on to say that the SEC should “clarify corporate disclosure requirements for cyber security breaches so that the American public can learn more about when hackers make efforts to penetrate companies' computer systems.”

So, how will any new rules by the SEC affect small- and medium-size businesses? It is being said that eventually there should be legislation enacted that would require mandatory notification if any data breaches occur. There are already federal laws in place that obligate “the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share,” the Information Weekly article said.

According to the senators, a failing on this part could lead to an ineffective marketplace that devalues security and hinders investor decision-making.

Rob Rachwald, director of security for Imperva, was quoted in a blog as saying, “Legislation of this nature often starts with breach notification requirements. When this was introduced into Germany, many companies came forward out of the blue and announced breaches — which surprised many. It’s only a matter of time before breach notification becomes a federal requirement; give it two years or less.” He went on to say that companies should start getting their houses in order in regards to security. In this way, they can help avoid situations like what happened to Sony and best determine how to “move beyond basic compliance and make laws work in their favor,” the report said.

While Sony’s security breach affected more than 100 million of its customers’ user accounts, other such breaches demonstrate the importance for businesses to be diligent with their business continuity plans. Recent security disasters include:

  • TJ Maxx: Tens of millions of credit and debit cards were involved.
  • Bank of New York Mellon: A missing tape contained social security numbers and bank account information on 4.5 million customers
  • The U.S. Department of Veterans Affairs: Personal information for some 76 million veterans was breached.

For more information about the impact of the Sony security breach on businesses small and large, read the full article:

For more information about Information Week’s 10 Massive Security Breaches, visit: