Forgot your password?
typodupeerror
Businesses Government Security Your Rights Online

Should Hacked Companies Disclose Their Losses? 68

Posted by samzenpus
from the what-did-you-lose? dept.
derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recent-reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities Exchange Commission. Dupont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?"
This discussion has been archived. No new comments can be posted.

Should Hacked Companies Disclose Their Losses?

Comments Filter:
  • by vikingpower (768921) <exercitussolus@g ... m minus caffeine> on Monday November 05, 2012 @03:47PM (#41885309) Homepage Journal
    You're responsible toward your shareholders. If you don't have any, at least the board & upper management should be in the know.
    • by udachny (2454394)

      Sure, but this is a matter for the company in question to decide. The question posed in this story assumes that there are only 2 possibilities (false choice), either the company is forced to release information by government or it is not forced. As always in such matters, where the question concerns whether anybody should be forced by government into anything, it completely dismisses the obvious: this is up to the company and its shareholders. The question is not whether a company should be forced to do

    • by poity (465672)

      While I lean towards this, it can also be argued that this would only further encourage rivals (or short-sellers) to employ mercenary intruders, since it lowers the bar for influencing the market (you'd need only to damage a company's reputation rather than spend time looking for useful secrets to employ/sell). It seems like one of those things where it makes tremendous sense if EVERY company in the world were bound by it, but if only SOME companies were bound by it then those which are not will find themse

    • by udachny (2454394) on Monday November 05, 2012 @04:38PM (#41885959) Journal

      Oh, and I forgot to mention something: most people shouldn't be participating in stock market at all. The fact is that participation in the stock market is encouraged by government, which debases your savings with inflation, so you feel that you must do something. Since the interest rates on government bonds is non-existent, I mean it's negative given the inflation rate, you are basically forced into the stock market.

      But this a huge problem, most people do not understand the stock market, so the government hands them over to the financial institutions, that basically lobby the government to push people into their hands.

      My point is: you should NOT invest in things that you personally do not understand or at least didn't do homework on before you jumped into them. Government encourages people to participate in this giant casino and makes it LOOK like it's safe with various regulations. You think you are safe while in reality you are being robbed and the robbery is endorsed by the government itself. You are much better off either starting your own company if you want to invest or at the minimum to go and find out whatever you can about the company you are investing in. Visit the offices, visit the plants, visit the sites, request to see the books, etc.

      If you can't spend the time and you think you can trust somebody to do it for you, I have news for you: you won't be able to choose the best options, you won't be able to choose your account manager based on past performance, because the established industry pushed for the so called 'self-regulations' (FINRA), which are really extension of government power, because you can't operate in that space unless you comply. But that system PREVENTS COMPETITION!

      It ensures that you are going to give your money to the biggest crooks, the ones that are most connected to the government, which is working together with these crooks to steal your money from you by all means possible, while pretending you are protected by gov't.

      There is no competition, no small money manager can start his own brokerage, it's made impossible with regulations and rules and then with FINRA that prevents advertising based on past performance.

      Again: most people shouldn't be in the stock market.

      (I recommend that most people buy something of value, assets that withstand inflation if they can't be sure in what they are investing. But your gov't certainly doesn't want you to do that and the tax code proves it as well).

      • And you would be wrong.

        Most people should be in the stock market to some degree. You don't need any real super advanced knowledge to do well. Invest in 25-30 companies (diversify). Pick companies that you think will do well. Let that money sit and don't touch it.

        Where people get things wrong is when they want to start micromanaging their portfolios, thinking they know better than everyone else, and they get burned. Don't ever invest in a company thinking to make a quick buck. Always buy with the inten

        • by udachny (2454394)

          Your advice is terrible. If you are investing in a generally bull market and without government inflation, that is one thing. However you missed the part of my comment where I explained about inflation (a subject that is generally not understood by pretty much all people, very few truly understand it). Inflation is destroying your investments even if you are not touching them.

          You have to look at your investments relative to the actual purchasing power over time, not to nominal dollar gains or losses. As

          • Sure, why don't you just cherry pick your answers. How about looking at the bigger picture:
            1990 gold price: 383, dow: 2468
            2012 gold price: 1685, dow: 13289
            gold is worth 4.40 times what it was in 1990, and the DOW is 5.38 times what it was in 1990. The numbers get even better for stocks the more years you add in. Your advice only works in time periods in which the stock market hard a down turn, but looking at a realistic plan for anyone doing investing for a lifetime would have been better served by buyin

            • by udachny (2454394)

              As I said, inflation is what you don't understand.

              1971 when Nixon defaulted on the gold US dollar, the controlled price was 19 dollars per ounce, which was the price even back in 1914. Obviously USA defaulted on the dollar because of this fixed price level, which was artificially set and didn't allow dollar to depreciate against gold to keep people from noticing inflation. By 1981 the price of gold went up to 800USD, what did DOW do? Now, once Volcker set interest rate at 21.5% the price of gold corrected

              • I understand inflation just fine. What I don't understand is crackpots, and while your rants are entertaining and all over the place, you lose your focus.

                My advice is sound, and works, has worked, and will continue to work in all markets, economies, and time periods (given enough time). Yours is based on crackpot theories and only works in certain time periods with little concrete advice other than to run around crying because the sky is falling all because of *evil people.

                Good luck, I'm done.

                • My advice is sound, and works, has worked, and will continue to work in all markets, economies, and time periods (given enough time).

                  It's worth remembering that your good advice only works in a growing economy. If we have a long, hundred year contraction (which could happen for example, if we hit peak oil or something), then the stock market will go down over that period.

                  • From my original post:

                    As with all things in life, never put all your assets in one bucket. Stocks may play a part, even a large part of your investments, but always have money in different things like bonds, commodities, and savings as well.

                    Sure, it's possible that all stocks, bonds, commodities go belly up along with all the banks and the government (that insures savings through FDIC), but at that point, all hell has broken lose, your money is most likely worthless and you're more interested in protecting yourself from zombies. But it could happen.

                    • Yeah, your advice was pretty good. It's important to remember why advice works though, and when it can go wrong. Reading back to the beginning of the depression and seeing people desperately going from one asset to another, only to find that all of them were losing, is really sad. Some settled on gold, which also didn't work out very well.
                • Your advice didn't work in any of the economies whose governments (unpredictably) collapsed or underwent severe economic turmoil: Weimar, Austria-Hungary, pre-Bolshevik Russia, ...

                  • Why not? The US could go bankrupt, default on all loans, it's currency valued as toilet paper and sure, it'd hurt, but it wouldn't wipe me out either. That's why you diversify. My savings and bonds would be gone, but my commodities would be worth more, and my stocks would do ok. Of course I have stocks in the US, the UK, China, Europe, and Asia.

                    Countries come and go, but multinational corporations march on.

            • Gold's value is only a reflection of the watering down of the dollar.

              If the value of Gold goes down -- the stock market probably thinks a Democrat is going to get in office and pay off debts, maybe raise taxes. That increases the value of the dollar and thus gold falls.

              Gold is a hedge -- and it's only a good investment if your currency is losing value. It gained the most while Bush was ruining the economy.

              Your investment advice requires "market timing" and not needing the money when times are tough -- becau

          • However you missed the part of my comment where I explained about inflation (a subject that is generally not understood by pretty much all people, very few truly understand it). Inflation is destroying your investments even if you are not touching them.

            Oh, and you understand so much better than everyone else, do you? You sound like a college student who has just learned about Dostoyevsky for the first time, and wonder why no one is talking about him! In reality the rest of already learned about him, and that's why we aren't talking about him. It is likely more people understand inflation than you realize.

            t's easy just to look at the indexes like DOW or NASDAQ and compare their relative change to gold. For example DOW [google.com] could have been around 11000 in 2001 and 13000 today, but gold was 300 in 2001 and it's over 1685 today. The loss of purchasing power is obvious (from 1/36 to 1/7.7).

            Oh, and you are measuring inflation in terms of gold. This is wrong for many reasons, but trivially demonstrated by looking at the gold price between 19

      • What you just wrote about investments should be required reading for ANYONE thinking about "investing."

        It's a rigged game. I also need to mention that FINRA is now a "joint venture" -- meaning the previous government regulatory body that did a piss-poor job but managed to capture Martha Stewart for insider trading while waiting for a decade for a token arrest of Maddoff, is now OWNED by the financial institutions. How do you think that is going to work out?

        Just because someone has a marble entrance, and isn

  • I dissent. (Score:5, Insightful)

    by swschrad (312009) on Monday November 05, 2012 @03:53PM (#41885387) Homepage Journal

    if the hack causes material changes in business or profitability, a public corporation is required by law to disclose what is known about the effect on continuing operations to the SEC, which 10K form is a public document. especially if a "going concern" warning is required by financial regulations.

    • Re:I dissent. (Score:5, Insightful)

      by captaindomon (870655) on Monday November 05, 2012 @04:34PM (#41885901)
      Exactly. This kind of reporting is already required by the SEC if it causes or could potentially cause a reasonable material change to your books. Same as if a dinosaur ate your CEO, or your data center was wiped out by a giant mutant butterfly. We shouldn't be specifying each individual case in law, the SEC laws are so complex that there are SEC specialist lawyers all over the place already.
      • Re:I dissent. (Score:5, Interesting)

        by TubeSteak (669689) on Monday November 05, 2012 @10:20PM (#41889511) Journal

        Corporations have vastly more resources than the SEC's $1.3 billion budget.
        That budget is about .01% of the cash flows they're supposed to be regulating,
        which is why SEC violations almost always end in settlements for a fraction of the money involved, with no admission of guilt.

        In reality, the SEC should be the size of the IRS (10x the budget) and the IRS should have 2x its current budget.
        You'd see a lot less corporate fraud if the regulators had the resources to do their job.

    • Wee different. Going concern should not be the only criterion. It's an ethical issue, frankly.

      For example, KFC was hacked, that would mean it should only be revealed if, say, KFC's secret recipe [cracked.com] was stolen, and it threatened their going concern (unlikely but whatever...), but not if, say entire databases of consumer address and numbers were copied, which while hurting consumer privacy, would *not* hurt their going concern (since KFC could hush it up and go on selling chicken like normal).

      I believe both case

  • by Black Parrot (19622) on Monday November 05, 2012 @03:57PM (#41885437)

    If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

    • by Anonymous Coward on Monday November 05, 2012 @04:03PM (#41885509)

      If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

      Businesses don't report these tings to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so, it is simply the most logical and prudent action.

      So, I guess your answer to the question of; Should Hacked Companies Disclose Their Losses? your answer is no.

      • by dunezone (899268)
        They report these things to the police and their insurance companies in the hope of recovering from their losses.

        I thought most insurance companies require companies to disclose this information to the public if its related to financials such as banking. They alert the customers so they can be proactive at checking their statements and making sure fraudulent charges are stopped. This will also save the insurance company money because less claims will be filed by the banks.
      • If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

        Businesses don't report these tings to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so, it is simply the most logical and prudent action.

        So, I guess your answer to the question of; Should Hacked Companies Disclose Their Losses? your answer is no.

        If you happen to have your facts right (which I seriously doubt), then I will draw the same conclusion that you did.

    • by Shoten (260439)

      If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

      Actually, when it has any basis on stock value (in other words, if the breach has any material effect on a company's true worth, either via direct or indirect losses), they do have that obligation with regard to "over-the-net" attacks. Shortly after this rule went into effect by the SEC, Nortel was forced to disclose not only that they had suffered a major breach, but that the attackers had been in their systems for nearly a decade, and that Nortel even knew about it.

      The change is simple, and exactly what

  • by Nutria (679911) on Monday November 05, 2012 @04:00PM (#41885469)

    Must they report to investors and the SEC every time a building is physically broken into?

    Of course not.

    You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

    • Attempted hacks, no. Actual hacks, yes. Physical break-ins, yes. Your investors should know where you've had faults in security and what are you doing to make it better.
      • by Synerg1y (2169962)

        If attempted hacks were reported, we'd have hourly reports based on the nature of the internet...

    • by nurb432 (527695)

      Must they report to investors and the SEC every time a building is physically broken into?

      If they call the cops, it becomes public record anyway. If they dont, then they are hiding a crime that was commited, a crime in itsself last i heard.

    • by chill (34294) on Monday November 05, 2012 @05:19PM (#41886401) Journal

      If that break-in has a material affect on their financials, yes, they do.

      The impact is the bar here. If that break-in resulted in someone pilfering a vault with the firm's operating capital, then it needs to be reported on the form.

      If they stole a lamp in the front office, no.

    • by Shoten (260439)

      Must they report to investors and the SEC every time a building is physically broken into?

      Of course not.

      You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

      Actually, it depends. Is the building in question a guard shack, where some rent-a-cop's iPhone got stolen? No. Is the building Nakatomi Plaza, and the break-in resulted in $640,000,000 worth of bearer bonds being burned, stolen and/or spread to the winds? Then yes...the company very much has a requirement to disclose. The rule isn't based around the action, but the impact. VeriSign, for example, would be required to disclose a major physical security breach at their Mountatin View site which houses t

  • by 3seas (184403) on Monday November 05, 2012 @04:00PM (#41885477) Journal

    The hackers will say yes and then comment on what is claimed in losses

    The company POV is to only disclose losses verified to the tax man and other authorities, but not public (unless its indirectly done as a requirment to stock holders)

  • Unless there is a fear of further aggravating the loss,there is no reason why they shouldnt share it
  • by SirGarlon (845873) on Monday November 05, 2012 @04:04PM (#41885533)

    By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line

    That claim is only true in a narrow and impractical sense. Several US states have mandatory data-breach reporting laws [ncsl.org]. A company doing business in those states, generally meaning buying or selling to/from persons or companies in those states, must comply with those laws. Generally they require notifying customers whose personal data is at risk. I have received two such letters myself since my state's law went into effect.

    IANAL but really I don't think it takes a lawyer to be aware of these laws. Anyone who is informed about computer security should at least know of their existence, as should any IT manager employed in those states.

  • by ThatsNotPudding (1045640) on Monday November 05, 2012 @04:09PM (#41885595)
    The SEC should start doling out stout fines for publicly-traded entities that do not release information that impacts their returns; to say massive security breaches don't hurt the books is a lie so large as to be indictable.
  • by NinjaTekNeeks (817385) on Monday November 05, 2012 @04:19PM (#41885713)
    [Generalization] Companies are not ethical, they are rat bastard pieces of crap that care only about profits and money and give a fuck all about consumers.[/Generalization].

    As such, being hacked doesn't immediately mean a financial or business impact. Hackers stole 100,000 encrypted database tables, well so what? Do you disclose worst case scenario if they attackers can decrypt them or do you just assume they won't be able to break the encryption. My bet would be companies would go the later route. Also translating lost data into dollars usually looks really bad. For example.

    When prosecuting the case and determining damages, they will include the cost of reporting to each individual effected, labor, envelopes, stamps, etc. At a 2-3$ per person this adds up quick. That doesn't cover loss of revenue, business deals and who knows what. So on one hand you want to stick it to the people who attacked you but not spook your investors. Tricky situation, most companies instead just sweep it under the rug.
    • As such, being hacked doesn't immediately mean a financial or business impact. Hackers stole 100,000 encrypted database tables, well so what? Do you disclose worst case scenario if they attackers can decrypt them or do you just assume they won't be able to break the encryption. My bet would be companies would go the later route.

      Given your statement aobout companies being rat bastards, why would you believe they even *have* encrypted database tables? And if they do, what are the odds the key is stored on th

  • by TeddyR (4176) on Monday November 05, 2012 @04:41PM (#41886005) Homepage Journal

    California actually has laws governing this if personally identifiable information or medical info is breached. Unfortunately many companies do not know about these laws or do not follow them. Also, by the nature of how the law is worded, it may effectivly affect companies all over the US (anyone that does buisness with CA or a CA resident)...

    1798.29
    http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_29.htm [ca.gov]

    1798.82
    http://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm [ca.gov]

  • This should be covered for public companies in the U.S. by Sarbanes-Oxley Section 404 [wikipedia.org], which is the top-down risk assessment. Basically, management is required to have certain internal controls [wikipedia.org] in place (IT Security is one of the named categories), and the required risk assessment is supposed to evaluate those controls. If someone has "hacked" in and stolen sensitive information, your controls have failed and the auditor's report should reflect that. At the very least, Sarbanes-Oxley would require the discl
  • by Synerg1y (2169962) on Monday November 05, 2012 @05:02PM (#41886225)

    Should you report it? Yes
    Do you actually have to? No

    Same concept?

    • but filling out all those damn reports while they drag out the body is a horrible waste of time.

    • by JohnFen (1641097)

      Should you report it? Yes

      In the absence of having to make an insurance claim, why should you report it?

      • In the absence of having to make an insurance claim, why should you report it?

        Crime reports are a tool to schedule and provision police officers on the street. By reporting a crime you are implicitly requesting additional surveillance. If that's what you want, then you should report the crime regardless of insurance claims.

  • "do hacked companies have a responsibility to report security breaches to investors?"

    No, but they do need to let their customer base know that their information was taken, and pay for identity theft for a minimum of 2 years for each customer who's data was exposed, if they're real people (not businesses).

  • Beyond the whole Shareholders argument, you have a duty to protect the data that you've asked for, and in some cases demanded of your customers. This is their data that they agreed to share with your company only. The rest of this discussion should be moot, but if you insist upon another reason, if the people of this country realized how much hacking is going on they have a chance to defend themselves against identity theft, bank account theft, outright fraud against them.

    With all these corporations holdi

  • There are reasons not to make some things public, such as cost for hacking. It's kind of like we see in criminal law, as a method of reducing hacks.>/p>

    Many people hack for attention/publicity. Take that away, they lose incentive to "hack" your site. Make a stink, and more will go at it to get their names in the paper.

    Many don't understand that there are financial incentives to be hacking. Not always in a negative context either, consider penetration testers and how much money they can make. It

  • I'd say they were guilty of false representation of damages, costs and lost Intellectual Property towards their shareholders and possibly even leaking secret information about weapon systems and other military intelligence in some cases. They don't have to tell, but they'd sure would be liable for any damages occurred to their share holders and customers by not doing so. No need to change laws, just make sure they get sued hard for keeping their mouth shut and they will do it voluntarily the next time somet
  • It is a shock to shareholders, and annoys your customers, but 'tis better than the alternative.

    Imagine a few hundred thousand credit card numbers being quietly stolen. Imagine waiting two years to admit to this theft. I imagine that that would be more damaging than admitting it immediately.

    See, the true source of flack a company is going to receive is not that it has been hacked, but that it had such poor security measures in place to begin with. No one wants to be the captain of the ship who kept unencrypt

  • Remember the claimed 'damages' from hacker attacks in the 80s and 90s.. Like the E911 document worth over 80000 USD or the alleged 300 million dollar damage by Kevin Mitnick.

    Usually those 'costs' were caused by companies trying to make the hacker pay for all the work surrounding the case and all the backlog in securing systems done as part of the clean-up operation in the aftermath of the break-ins.

    I wonder if companies will overstate costs under these rules too or whether they will understate them beca

An age is called Dark not because the light fails to shine, but because people refuse to see it. -- James Michener, "Space"

Working...