In a letter to SEC Chair Mary Schapiro, five Democratic members of the Senate Committee on Commerce, Science & Transportation asked the SEC to issue interpretive guidance regarding disclosure of information security risk, including material network breaches.
The Commission, with its authority to protect investors and promote fair and efficient markets, has previously provided public companies with interpretive guidance on existing [data security] disclosure requirements. We request that the Commission develop and publish interpretive guidance clarifying existing disclosure requirements pertaining to information security risk, including material information security breaches involving intellectual property or trade secrets. In undertaking this effort, we also ask that the Commission examine how important market participants - such as credit rating agencies and securities analysts - incorporate evidence of information security risk into their assessments of companies and investment products. We believe this guidance, undertaken using longstanding Commission legal authority, will enhance investor and corporate awareness of information security risk, thus improving the national and economic security of our nation.
The letter states that though the securities laws already require disclosure of any material network breach, "leaders of publicly traded companies may not fully understand their affirmative obligation to disclose information on potentially compromised." The Committee's review of relevant disclosures indicates that material breach reporting, like information risk, is inconsistent and unreliable. The letter asks the SEC to remedy these disclosure issues. Though the SEC already has a full schedule of rulemaking mandated by the Dodd-Frank legislation, expect data security to move to that list with some prominence and urgency.
The full text of the Committee's letter is available at: http://commerce.senate.gov/public/?a=Files.Serve&File_id=4ceb6c11-b613-4e21-92c7-a8e1dd5a707e