Full disclosure

Weighing your corporation’s obligations after an attack

Brian Krebs
3 March 2014


You’ve been hacked, your systems are back in your control – and now the real work begins. What are your legal obligations if your company is publicly traded? How do you balance the need for full disclosure with the need to survive? Be prepared for some of the toughest decisions of your career.

If your organization has been hacked, the bad news is just beginning. You may also have a legal responsibility to notify shareholders, customers and regulatory authorities, risking damage to your corporate reputation – though being caught in a cover-up could be even more costly.

Publicly traded companies in the United States, for example, must report material breaches to the US Securities and Exchange Commission. The European Union’s new data-breach-notification regulation, meanwhile, requires telecommunications and Internet service providers to report a data breach to authorities within 24 hours of its discovery; if consumers’ personal data is involved, affected individuals must be alerted “without undue delay.” Japan has steep fines for companies that fail to disclose breaches. In Latin America, Brazil is considering a data-breach-notification statute that also would require all customer data to be stored within the nation’s borders.


Becky Pinkard, director of security operations at Pearson, PLC, a London-based publishing firm, said most EU observers believe regulators are pushing toward an EU-wide data-breach-notification law. The EU also has proposed a more comprehensive framework called the Network and Information Security (NIS) directive. The NIS has established multiple groups of corporate-sponsored and private members to work toward adoption, Pinkard said.

“You are most likely to see data-breach notifications in the EU where companies fall under regulatory review and face the threat of fines for non-compliance,” Pinkard said. “In my experience in speaking with other info-security professionals, companies not under this gun are not reporting any data-breach information.”

Japan already has strict data-breach-disclosure laws with steep penalties for violators, said Hendrik Adrian, CEO of KLJTech Co. Ltd., a Tokyo-based security filter appliance maker. “Unhappy individuals or entities can report it to the government and make a case in court,” Adrian said. “This is practically a 100% win case for the reporters; and while the hacker can be punished three years maximum and fined about US$10,000, the unhappy victims can claim damages as big as they want.”

Among Latin American nations, Brazil appears to be taking the lead in establishing the groundwork for a national data-breach-notification law, said William Beer, managing director of cybersecurity at the Brazil offices of Alvarez & Marsal, a business advisory firm.

“This proposal is creating a lot of concern, not just for the data-breach-notification provisions, but also because it would require companies operating in Brazil to keep the data about Brazilian citizens only in Brazil,” Beer said. “It looks like it has a good chance of passage, but it will be interesting to see if there will be any enforcement.”


Legal repercussions aren’t the only risk to companies that hide breaches, however; public opinion can be far harsher, said Wim Remes, managing consultant at IoActive, a global security services provider with offices in Europe and the Americas. “Not a single party will forgive you for a boilerplate letter or manufactured video response,” Remes said.

Still, few breached companies report incidents when they occur, said Kevin Lawrence, senior security associate at Stach & Liu, a security consultancy based in Phoenix, Arizona (USA). “There are usually ways to logically reason why a company is not obligated to notify,” Lawrence said. “Numerous companies are compromised every day and don’t disclose simply to avoid negative public perception.”

In February 2013 a Waltham, Massachusetts (USA)-based security firm, Bit9, disclosed that its networks had been breached in a multi-stage attack designed to compromise customers that rely on Bit9’s antimalware software.

Bit9 immediately alerted law enforcement to the breach, and then hired an outside forensics team to lead the investigation. The company chose to notify customers not just because it was the right thing to do, but to protect itself down the road.

“From a legal perspective it’s important because you never know where the investigation will lead,” said Harry Sverdlove, Bit9’s chief technology officer. “If it leads to an insider or lawsuit situation, having outside investigators becomes legally important and it’s a lot harder to challenge their findings – particularly when the outside team ensures that everything is done with evidentiary rules of handling in place.”

Sverdlove advises companies not to focus on the potential risks of disclosure. “I would say that almost always the benefits of sharing intelligence, and full disclosure to the customer and the public, outweigh the negative reaction that a breach can cause,” he said.