When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidelines for businesses and individuals under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.
The SEC is recommending disclosure of cyberattacks to an unprecedented degree. A new set of guidelines issued in October 2011 advises publicly traded companies to disclose details of cybersecurity breaches as part of the quarterly 10-K report. Companies should disclose any and all cyberattacks, regardless of whether they caused a loss. The SEC also encourages companies to disclose “cyberrisks,” even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must therefore weigh carefully how much, or how little, to disclose: too much disclosure could make them vulnerable to attack, while too little could make them vulnerable to lawsuits by investors.
State laws regarding cybersecurity disclosures are typically not as stringent as the SEC’s guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident’s “personal information,” such as a Social Security number, home address, driver’s license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, the owner or licensor of the data must notify each person whose personal information may have been compromised.
Forty-six states have followed California’s lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.
A new statute enacted in several states gives companies that process debit and credit cards a powerful incentive to follow state cybersecurity standards. The Payment Card Industry Data Security Standard (PCI DSS) establishes twelve broad requirements for securing cardholder data. In states that have enacted these laws, a company that complies with PCI DSS is not liable for security breaches that compromise cardholders’ personal information. These statutes do not require the scope of disclosure found in the SEC’s guidelines, but they may offer an effective way for companies and regulators to fight cyberattacks without revealing information that could actually help the hackers.
The California Internet security lawyers at the Law Offices of Salar Atrizadeh represent businesses and individuals seeking guidance through the regulatory and transactional pitfalls of the Internet, combining legal knowledge with technological skill to find pioneering solutions for our clients. To schedule a confidential consultation, contact us today online or at (310) 694-3034.