Should Hacked Companies Disclose Their Losses? 68
derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recent-reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities Exchange Commission. Dupont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?"
So, That's a No Then? (Score:4, Informative)
If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.
Businesses don't report these tings to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so, it is simply the most logical and prudent action.
So, I guess your answer to the question of; Should Hacked Companies Disclose Their Losses? your answer is no.
Highly misleading summary (Score:5, Informative)
That claim is only true in a narrow and impractical sense. Several US states have mandatory data-breach reporting laws [ncsl.org]. A company doing business in those states, generally meaning buying or selling to/from persons or companies in those states, must comply with those laws. Generally they require notifying customers whose personal data is at risk. I have received two such letters myself since my state's law went into effect.
IANAL but really I don't think it takes a lawyer to be aware of these laws. Anyone who is informed about computer security should at least know of their existence, as should any IT manager employed in those states.
Re:Every attempted hack?? No matter how small? (Score:4, Informative)
If that break-in has a material affect on their financials, yes, they do.
The impact is the bar here. If that break-in resulted in someone pilfering a vault with the firm's operating capital, then it needs to be reported on the form.
If they stole a lamp in the front office, no.