How Fast to Disclose a Breach?

What rules (or regulations) say how fast a breach must be disclosed, and to whom?

SC Magazine has an article on the new SEC rule that requires a public company to disclose a material cybersecurity incident within four business days of determining that the incident is material.

SEC’s 4-day breach disclosure rule hits opposition in Congress

One of the problems the article raises is that an attacker group filed a complaint with the SEC, claiming that the company it had hacked was not disclosing the breach.

Hacker group files SEC complaint against its own victim.

The argument comes down to this: what purpose is served by requiring a company to report the status of a breach within 4 days?

Telling the public about a negative event is good transparency, but the deadline forces the company to make decisions under pressure.

Making those decisions takes time, so instead of fixing the issue or containing the breach, the team has to spend that time working out how to disclose it to the public.

Giving more information to investors is not the only effect of a disclosure, especially when the attackers are still in the mix.

What if the attackers want to know how you are responding to their breach right now? A public filing is visible to them as well. They may be anxious to get paid, and they have no interest in your attempts at recovery.

With these conflicting goals, which can also be hard to see from the outside, hopefully enough people speak up about the uncertain nature of an attack in progress so that this SEC rule at least gets a decent review before it is modified.


