Skip Links

Shareholders kept in the dark on data breaches

SEC has regulations, but there is plenty of room for interpretation

By Taylor Armerding, CSO
November 09, 2012 08:30 AM ET

CSO - It happened more than three and a half years ago. So it presumably would be old news that Chinese hackers broke into soft drink behemoth Coca-Cola's computer systems and stole confidential files relating to its effort to acquire the China Huiyuan Juice Group for $2.4 billion.

15 of the worst data breaches

But it is just coming to light now, through a report earlier this week in Bloomberg Businessweek. The story said the FBI contacted Coke executives on March 15, 2009, and told them hackers had been inside their system for a month. The attempted deal for Huiyuan collapsed three days later.

The U.S. Securities and Exchange Commission (SEC) requires companies to report to its shareholders any "material losses" from attacks, plus any information, "a reasonable investor would consider important to an investment decision."

Meredith Cross, director of the SEC's division of corporation finance, told Businessweek, "We think reasonable investors could care, depending on the specific facts and circumstances."

But Coca-Cola never disclosed the breach to its investors. Most companies don't. Bloomberg reported on breaches of the British energy company BG Group, the Chesapeake Energy and others that were never disclosed to investors.

When questioned about it, most company officials or representatives either declined to comment, or declared that they were in full compliance with all applicable laws.

The response of Coca-Cola spokesman Kent Landers was typical. "We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws," he told Businessweek.

One reason for the lack of transparency may be that Coca-Cola didn't discover the breach itself. It took notification from the FBI. That is common. Security experts regularly point out that many companies don't know they have been hacked until a third party tells them.

Breach victims also frequently don't know what was taken, who took it and how it is being used. So, since it is difficult to put a value on the loss, they argue that it is not a material event, and therefore not subject to that SEC regulation.

David C. Vladeck, director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection, made that point at a recent press conference, saying that the question of when major data breaches should be reported is "difficult. We don't necessarily have the right answers."

Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security, told Businessweek, "All of the ambiguities stack the deck against disclosure."

[See related: EPA data breach highlights worrying trend]

The SEC did not respond to questions about whether its regulations need to be less ambiguous. The agency does have a page on its website with "disclosure guidelines" from its Division of Corporate Finance.

Among those guidelines are that:

  • Companies should disclose the risk of cyber incidents, "if these issues are among the most significant factors that make an investment in the company speculative or risky.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News