This is the property of the Daily Journal Corporation and fully protected by copyright.

Data Privacy, Securities

Aug. 24, 2022

Critics urge SEC to scale back cyberattack reporting to lesser California requirement

One of the most controversial parts of the SEC’s rules proposal is a requirement that companies report a cybersecurity incident within four business days after a company determines that it has experienced a material cybersecurity incident.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall #298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

California is widely viewed as a leader on consumer protection and privacy, passing laws that exceed those of other states and of federal law. Indeed, former Federal Communications Commission Chairman Ajit Pai derisively referred to California as the "nanny state" and complained that California's laws created de facto national standards.

In a notable reversal, California's data breach law is now being cited as a reason to scale back proposed federal data breach reporting rules. The Securities and Exchange Commission proposed cyberattack reporting rules earlier this year that would require publicly traded companies to report material cybersecurity incidents on Form 8-K, the form that must be filed with the SEC to disclose major events that could affect share value.

The proposed rules would also require publicly traded companies to provide updated disclosures in periodic reports describing their policies and procedures for the identification and management of cybersecurity risks, and the cybersecurity expertise of management and the board of directors. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038, 87 FR 16590 (proposed March 9).

Currently there are no SEC reporting rules specific to cyberattacks. Rather, the SEC has issued general guidance that companies must report cyberattacks just as they must report other risks that could affect share value. The SEC said the proposed cyberattack disclosure rules are intended to address wide inconsistencies in companies' reports. Some companies disclosed significant details such as the estimated costs of an incident, the engagement of cybersecurity professionals, and the remedial steps taken to address the attack. Ironically (but perhaps not surprisingly), the SEC noted that companies experiencing the most high-profile cybersecurity attacks often report the "least amount of information."

Another significant concern cited by the SEC was the timeliness of cyberattack reports. SEC staff noted that some companies failed to report cyberattacks in SEC filings at all, citing for example a report that 75 percent of ransomware attacks go unreported. When companies do report, they are often not timely, reporting incidents to the SEC well after the incidents were publicly disclosed in press reports. Further, many companies have been reporting cyberattacks only once per year in their annual reports on Form 10-K.

One of the most controversial parts of the SEC's rules proposal is a requirement that companies report a cybersecurity incident within four business days after a company determines that it has experienced a material cybersecurity incident. The report must include when the cyberattack was discovered; whether it is ongoing; a brief description of the nature and scope of the attack; whether any data was stolen, altered, accessed or used for any other unauthorized purpose; the effect of the incident on the company's operations; and whether the registrant has remediated or is currently remediating the incident.

Many commenters opposed the four-business-day disclosure rule. The Information Technology Industry Council urged the SEC to revise the four-day rule, noting that such a requirement exceeds even California's data breach law. The ITI pointed out that California's law has an exception that allows delayed reporting of cyberattacks if a law enforcement agency determines that the notification will impede a criminal investigation. California Civil Code §1798.82.

The concern is that the four-day reporting requirement might actually tip off cyber criminals about vulnerabilities and cause them to race to exploit the same vulnerability in other corporate systems. While it makes sense not to aid hackers, there should be some requirement that forces disclosure in a timely manner. Without such a requirement, recent high-profile breaches suggest corporations will continue to drag their feet in disclosing to their customers and investors.

For example, T-Mobile suffered a data breach in August 2021 in which cyber criminals hacked and exfiltrated customers' sensitive personal data, including names, addresses, birth dates, driver's license numbers and Social Security numbers. The criminals had enough time to begin offering the data for sale on the dark web because T-Mobile failed to disclose the breach for months. And when it did so, it sent a perfunctory text message to customers stating that a breach had occurred, without mentioning how sensitive the stolen data was. T-Mobile ended up paying a half billion dollars to settle a class action suit. In Re: T-Mobile Customer Data Security Breach Litigation, Master Case No. 4:21-MD-03019-BCW (W.D. Mo. 2021).

Marriott waited three months to disclose a 2018 cyberattack that exposed personal data for 145 million people in the United States and a half billion customers worldwide. In 2017, hackers exploited a known flaw in Equifax's software (the Apache Struts web framework) to steal 143 million U.S. consumers' credit files. Equifax waited four months to disclose the attack. Perhaps one reason for the delay was that a patch for the flaw had been available well before the attack, but Equifax hadn't installed it.

All three publicly traded companies would have had to report much more granular information to potential investors within four business days under the proposed SEC rules. Such information would undoubtedly be reported in the press, giving consumers who aren't investors much deeper and quicker insight into cyberattacks involving their personal data. Rather than extending the period to report, the SEC should consider allowing corporations to submit a private notice disclosing a data breach while requesting additional time to make a public report if there is an ongoing law enforcement action that could be compromised.

The SEC's reporting requirements are a good step in the right direction, but they do not require corporations to disclose their data retention policies. The cyberattacks on T-Mobile, Marriott and Equifax revealed that these corporations keep customer data for years, thereby increasing the risk that a consumer's private data could be stolen and exploited, and increasing shareholders' risk of financial losses from the lawsuits that inevitably follow. The SEC continues to take comments on its proposed rules, so there is still time to address this critical component of an effective cyberattack disclosure policy.
