First of all, this is not a trick question! It comes from a WSF blog post written after a Securities and Exchange Commission (SEC) meeting on this very topic. Apparently there was little consensus among the business executives and officials at a cybersecurity roundtable hosted by the SEC about when companies should report data breaches.
Companies are required to report a breach that is likely to affect investor decisions. But the potential damage from an attack is open to broad interpretation, and the harm of the disclosure itself, both from publicizing internal vulnerabilities and from reputational damage, can be worse than the initial attack. Just look at Target.
The SEC commissioners participating in the discussion acknowledged that they need to learn more about cybersecurity risks. And the commissioners asked panelists whether the SEC should consider changing reporting requirements.
Many participants agreed that if a company has no legal obligation to disclose a breach, disclosing it is often not in its interest, and many welcomed clearer guidance from the SEC.
Since Target reported the theft of 40 million customer credit and debit card numbers in December, it has faced dozens of lawsuits from consumers and banks, many of which fault the timing and completeness of Target’s disclosures. Target has stated that it alerted the public within days of confirming the attack, reported additional information as it learned more, and did so because it was the right thing to do.
In other words, there is likely a lot of hacking going on that you (we) never hear about. What to do? Be vigilant and monitor your credit card statements and other financial records.