With the growing frequency of data breaches, it is difficult not only to keep track of them all but also to provide an appropriate response to consumers. Recently the U.S. Securities and Exchange Commission (SEC) issued guidance on how organizations can define a practical approach to communicating information about data breaches, material risks, and other security hazards.
The SEC’s guidance updates a 2011 release. Its intention is to remind companies of their accountability for security risk and incident reporting when compiling documents for filing with securities regulators. According to the SEC, companies must divulge the following:
The SEC also recommends disclosing other information, such as previous security incidents and a brief assessment of the likelihood of such incidents recurring. Companies should mention the actions taken to reduce cybersecurity risk and how much they cost, along with estimates of the potential cost of future incidents and of keeping protections in place.
Estimates of the cost of reputational damage might also be disclosed. Any pending or existing regulations or laws that affect an organization’s cybersecurity obligations should be noted too, and costs related to litigation, investigation, and remediation should be included.
The rationale behind the SEC’s guidance is to increase accountability and promote transparency in an age of cyber risk. With comprehensive response plans in place, particularly where sensitive data such as Social Security numbers has been compromised, the hope is that the material risks to stakeholders will be minimized.
According to “The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?”, conducted by Experian Data Breach Resolution and the Ponemon Institute, as many as 70% of company heads revealed that their businesses had suffered multiple data breaches in the last year. In the same study, 66% of the companies admitted to having taken no time to review their plan for dealing with such situations.
All 50 U.S. states have now passed security breach notification laws requiring businesses and government agencies to notify affected consumers if their personal data is compromised; Alabama and South Dakota caught up with the rest earlier in 2018 by enacting such legislation. Consumers need to know their rights under the Fair Credit Reporting Act and the data breach laws of their state. Each state’s law specifies who has to comply and what information must be divulged.
On May 25, 2018, the European Union (EU) enacted the General Data Protection Regulation (GDPR), the most sweeping change to online personal data legislation in the last 20 years. Its intention is to protect and empower the citizens of the 28 EU countries with respect to their personal data.
The regulation has a far-reaching impact on the internet, as it applies to any website that may interact with an EU citizen. It sets out how organizations must manage personal data going forward, including consent, storage, usage, and communication with consumers about why the data is requested and exactly what it is used for.
No organization wants to go through a breach, so it is important to do everything you can to prevent such incidents and to deal with them properly when they do occur.
Being proactive is a company’s best defense in this age of cyber risk. Stay on top of the latest threats, educate your employees, and seek legal help when needed to protect your organization and your customers.
Worried about a data breach from the inside? Check out this article on how your employees are compromising your data and how to prevent data breaches.
Learn more about how Yurbi helps to protect your data and provides data governance features to help ensure there is no data leakage from your business intelligence solution.