- Material Security Risks: If the information item would be important to a rational investor in making investment decisions, it's considered "material" and must be disclosed.
- More Than Data Breaches: Cybersecurity incidents and risks must be reported to investors expeditiously, even if they haven't yet been targeted by cyber thieves or other perpetrators.
- Items Directly Impacting Investors: While it's not necessary to reveal details that could compromise security efforts (like technical infrastructure specifications), they must report cybersecurity incidents and risks that could inflict financial, legal, or reputational damage to investors.
Increasing Accountability and Transparency
The ideology behind the SEC's guidance is to increase accountability and promote transparency in an age of cyber risks. With comprehensive response plans in place, particularly where sensitive data like Social Security numbers have been compromised, it's hoped that the material risks to stakeholders will be minimized. According to "The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?", coordinated and orchestrated by Experian Data Breach Resolution and the Ponemon Institute, as many as 70% of company heads revealed their businesses had multiple data breaches in the last year. 66% of the companies in the same study admitted to having taken no time to review their plan for dealing with such situations. Now all 50 states in the U.S. have passed security breach notification laws requiring businesses and government to notify affected consumers if their personal data is compromised. Alabama and South Dakota caught up with the rest earlier in 2018 in enacting such legislation. Consumers need to know their rights under the Fair Credit Reporting Act and know the data breach laws of their state. Each state's laws have conditions specifying who has to comply and what information must be divulged.
General Data Protection Regulation (GDPR)
On May 25, 2018, the European Union (EU) enacted the General Data Protection Regulation (GDPR), the most sweeping change to online personal data legislation in the last 20 years. The intention behind it was to protect and empower the citizens of the 28 EU countries where their personal data was concerned. The regulation has a huge impact on the internet as it applies to any website that may interact with an EU citizen. It outlines the management of personal data by organizations moving forward, including consent, storage, usage, and communication with consumers on why the data is requested and what exactly it's used for.
- Notifications: Under GDPR, notifying consumers that their information was compromised in a data breach is mandatory and required to take place within 72 hours of awareness.
- Requesting Data Erasure: Called "the right to be forgotten" in the regulation, consumers are able to not only take back consent to use their personal data from a given organization, they can request that all of their data be completely and immediately erased.
- Portability: Consumers may request at any time that they have access to any personal information an organization has regarding them and it has to be provided in a commonly used "machine-readable" format.
- Designed for Privacy: The regulation maintains that the protection of data must be an integral part of an organization's system, not an afterthought or something added on after the fact.
- Data Protection Officers (DPO): The regulation requires that DPOs be appointed for organizations that are public authorities, or where the business's activities, on a large scale, involve the regular monitoring of data subjects and the data consists of information on criminal history, health, race, religion, or sexual orientation.
What to Do If Your Company Experiences a Data Breach
While no organization or business wants to have this experience, it's important to do everything you can to prevent such incidents and to deal with them properly when they do occur.
- Come Clean With Consumers: A data breach will have an impact on your reputation. In being upfront and honest with consumers, you will do much to protect your company's brand and instill confidence.
- Provide Protection: One way to earn back the trust of your consumers, if you can, is to offer identity protection services at your own expense. If your company is to blame for putting someone's identity at risk, it's the decent thing to do.
- Do Better: After such a breach, take steps to ensure it won't happen again and communicate that to your consumers. Do whatever it takes. Audit your security protocol and make whatever changes necessary to safeguard your company's data and that of your consumers. Internet lawyers exist for data breaches and can be invaluable in helping with both the incidents themselves and in revising your company's protocol to avoid future incidents.