SEC’s Proposed Data Breach Disclosure Rules Will Add New Pressure to Security Teams

According to the latest data breach report by IBM and the Ponemon Institute, the average cost of a data breach in 2021 reached $4.24 million, a historic high. For many companies, however, the costs can be much higher, including business disruption, reputational and brand damage, ransomware payouts, and more, with costs accruing over several years.

To ensure that public companies are transparently accounting for this risk, the SEC has proposed new disclosure rules that will reduce the time in which companies must disclose a breach to a mere four days after deeming it material. While cybersecurity incidents already activate a rapid response from most organizations, CISOs today are initially most focused on corporate data and systems impacts. Going forward, CISOs will need to have board-level conversations within a day or two of discovering the breach to determine whether the incident is material and must be disclosed.

If enacted, the rules will make cybersecurity disclosures a board-level topic. Companies will also have to report on the board of directors’ cybersecurity expertise. These changes will transform enterprise security investments into a strategic priority. That’s the good news.

The bad news is that the change will come with significantly tighter deadlines and increased consequences for noncompliance.

What’s Changing?

The new rules would require public companies to:

  • Report material cybersecurity incidents within four business days after determining that a material incident has occurred [emphasis ours]
  • Be “diligent in making a materiality determination” by “thoroughly and objectively evaluating the total mix of information available”
  • Provide regular updates about previously reported cybersecurity incidents, since their costs and risks can accrue over several years
  • Document policies and procedures to identify and manage cybersecurity risks
  • Disclose cybersecurity governance practices
  • Report on the board of directors’ cybersecurity expertise.

Other Breach Notification Requirements

Any organization that collects, stores, or processes Personally Identifiable Information (PII) about its consumers and prospects is already subject to a myriad of state, federal and industry notification requirements when a security breach occurs.

Organizations are required to notify the impacted individuals if their information has been compromised, and often other governing bodies as well.

U.S. federal laws requiring data breach notifications include:

  • The Health Insurance Portability and Accountability Act (HIPAA) protects health information, such as an individual’s medical records, and requires covered entities to notify affected individuals when that information is breached.
  • The Gramm-Leach-Bliley Act (GLBA) requires covered financial institutions to notify customers when their nonpublic personal information (NPI) is compromised by a security breach.
  • The FDIC’s recently issued Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers require banks to notify the FDIC within 36 hours of determining that they have suffered a material computer security incident that could disrupt business operations or pose a threat to the financial stability of the country.

In addition to the federal laws, all 50 states have data breach reporting laws, and each state has its own requirements for determining whether a breach has occurred and for the notices that must be sent. Thus, a company with customers in all 50 states that suffers a data breach can face 50 different sets of reporting requirements.

How Spirion Can Help

While breach notification laws are certainly not new, the deadlines are getting shorter and shorter — all while companies are challenged to keep compliant with more and more applicable regulations that continue to evolve.

To meet these obligations, organizations can’t wait for a breach to occur to plan their response to a potential cyberattack. The time to start preparing is now. The first step in protecting sensitive and personal data is finding all of it — wherever it lives.

As data proliferates, discovery becomes exponentially more difficult. Most organizations have terabytes and petabytes of data spread across servers, laptops, and other devices. Solving the problem requires a Privacy-Grade™ discovery solution with enough breadth to search all locations and depth to find any data type.

Spirion can identify sensitive data-at-risk with 98% accuracy and the lowest false positive rate in the industry and automatically classify it for sensitivity, applicable regulatory guidelines, business processes, value of the data, its risk, and more.

Once you have located all of your data, the automated application of persistent labels, tags, and visual markers helps both humans and computers determine its sensitivity and treat it consistently via automated rule Playbooks. Spirion’s contextual classification also helps you to map your data elements to applicable regulations, business processes, the value and risk associated with the data, and other details. Classification ensures that only appropriate parties can access sensitive data as it moves throughout the organization and supports information sharing with other data protection controls, such as DLP products.

With this automation in place, when a data breach occurs you can quickly identify which entities were impacted and which breach notification requirements apply. And because you have already identified the number of impacted individuals, the value of the data, and its associated risk, you can quickly assess whether the breach is material and must be reported.

Spirion’s classification is persistent, meaning it’s embedded as metadata within a file or other data asset, easily integrating with other tools to add sensitive data intelligence to the rest of your security stack. Spirion acts as a force multiplier to ensure tools like DLP platforms, CASB, IRM/DRM, encryption and other tools are optimized for the sensitivity of data.

A Future-Proof Foundation of Sensitive Data Management

Accurate sensitive data discovery, automated persistent and purposeful classification, data remediation, and programmatic sensitive data minimization are essential to maintaining compliance and keeping sensitive data secure. Spirion can deliver data protection and a proactive, data-centric, future-proof approach to security and compliance to protect what matters most – the personal data that your customers have entrusted to you and the sensitive, confidential data that your enterprise needs to keep secure.

With a foundation in place of sustainable sensitive data discovery, classification, and remediation, you will be ready to meet the challenges of today and tomorrow.

Can You Beat the Clock?: The New Regulations on Breach Notification Reporting

Learn more about the SEC’s “New Regulations on Breach Notification Reporting” in this (ISC)2 Think Tank Webinar featuring Scott Giordano, Spirion VP & General Counsel.
