In February we wrote about whether Facebook’s IPO would set the tone under the SEC’s then-relatively new cybersecurity disclosure guidance. In subsequent months, it has become apparent that this guidance is still not yielding the level of disclosure on cybersecurity matters that regulators want. This is especially true with respect to the disclosure of past incidents of data breach.

Two recent examples of high-profile breaches that did not show up in SEC disclosures:

  • A well-known, large online retailer said nothing in its latest annual report about an online theft of customer data that took place earlier this year. When the SEC followed up to ask why the incident had not been disclosed, the retailer asserted that disclosure was not required because the incident did not have a material impact on its business.
  • A highly popular social networking website similarly chose not to file a report with the SEC regarding a breach in June that exposed more than 6 million customer passwords.

Accordingly, new legislation currently being debated in the Senate would require the SEC to review its original guidance and decide whether it should be updated or even made compulsory (i.e., issued as a formal guideline). Such new guidance, in whatever form it takes, would likely force reporting companies to make disclosures regarding cybersecurity, and specifically regarding past incidents of data breach, that they are not making under the current guidance regime.