> It’s worth pointing out that the new SEC data breach disclosure rules will only go into effect in mid-December 2023. In addition, companies will be required to notify the SEC within four business days of determining that a cybersecurity incident is material to investors, which, based on MeridianLink’s statement, has yet to happen.
And there's the rub. Not so much the December bit, but the "material to investors" part. That has specific meaning, and until there are external requirements/penalties/whatever around security breaches, simple data theft may not rise to the level of materiality for the company. Since they e.g. don't really get hurt if their customers' private info is leaked.
"We'll pay for three years of identity protection services if you sign up at XYZ link" is about all that happens today, if you're lucky. Well, multiply the cost of that (in bulk rates) by the number of customers who will actually bother signing up (pretty low %), and you get a number which is, to no surprise, probably not material for most companies.
(Ransomware, e.g. physically stopping the business from functioning, probably does rise to the level of materiality, if no quick backup and recovery can be done)
Matt Levine (of Bloomberg) has an ongoing joke: "everything is securities fraud". Essentially, if anything bad happens (data breach discovered, CEO caught in sexual harassment complaint, whatever), and you didn't say in your previous quarterly filings that it was happening, then there is a case for suing you in court and claiming that was material info you didn't disclose. So far, the courts have not often been willing to say "that isn't securities fraud". Not saying it's impossible in this case, but I wouldn't count on it.
Yeah, I got it in my inbox after making that comment, and thought "well that was a pointless comment", but I suppose it does help that you linked to the Levine column. It is no doubt a sign of the times (and not a good one) that the funniest columnist is a guy who works at Bloomberg who writes about "Money Stuff".
It's different because in the case of mail and wire fraud, everything begins as fraud. A CEO having an affair isn't inherently fraud, but it becomes fraud when you don't admit to it.
> Since they e.g. don't really get hurt if their customers' private info is leaked.
They don't? They do at least a little. I know that I, at least, avoid doing business with companies that have suffered such leaks. Also, bigger picture, that such leaks happen makes me think hard about doing business with any company that stores any data about me.
> Since they e.g. don't really get hurt if their customers' private info is leaked
I don't know, that could depress future customer retention and hurt the business. Seems like it would run afoul of the Matt Levine Everything is Securities Fraud theory.
Unless the event is especially egregious that seems unlikely. Firstly, most consumers won't even know the breach happened. Secondly, you can quickly run out of places to go. Let's say I leave Target because they get hit by a ransomware attack. A year later Walmart gets hit. Do I go back to Target? Shop exclusively online? Most likely, I continue to use whatever company or service is cheapest and most convenient. All of my PII is already on the Dark Web from a hundred other breaches by now.
You're not thinking the Matt Levine way. None of that matters. What matters is whether said (undisclosed) event could be construed to have materially harmed the business, and thus form grounds for a shareholder suit.
The Theory is half tongue in cheek. But the other half is a serious representation of what happens in reality. Levine makes the case clearer than I do how the line of thinking can extend to catch-22s where disclosure and nondisclosure could both arguably be grounds for a suit.
> that could depress future customer retention and hurt the business.
But it doesn't really though, does it? People largely dgaf.
My info has been leaked by my hospital, medical insurance company, three major retailers, two social networks, etc etc. None of them appear to be impacted much, if at all. For some of them (insurance, the grocery store (!!?)), I don't have realistic choices to stop using the service anyways.
What a magnificent snarl of incentives for the SEC. The SEC wants disclosure for good reasons, but if you disclose because the hacker group is the one that reported it, that is essentially the "negotiating with terrorists" incentive structure. Ignore the report because it's the hacking group and it opens the defense for all companies to claim the report is made by the hacking group (because they can easily be deceptive about who is reporting). And so on and so on... what a mess.
"Pay up or we'll report you to the government" is a textbook example of blackmail. The Gordian knot is easy to cut here though. The SEC can refer illegal activities to the DOJ for prosecution separately from however they deal with the reporting issues.
> "Pay up or we'll report you to the government" is a textbook example of blackmail.
It's hard to feel too bad about companies who are actually doing illegal things that the government should be notified about anyway. It's like someone reporting their drug dealer to the police because they discovered their dealer was lacing their drugs with fentanyl. Sure, they're a snitch, but people are safer knowing the truth.
Hum, no, your example is not blackmail. It would be like the customer asking for free drugs or else he would report the dealer.
Anyway, the obvious course of action is to persecute the company and arrest the hacker. The problem here is probably that arresting the hacker is difficult.
Definitely closer to what I mean. Intelligence agencies is probably closer to the reality though.
To those mystified by my crypticness, yes, my point is that the criminals are going to not be in the US and be where the US can't simply prosecute them, and this is not just a coincidence. They are in those places for that very reason. They may even be actively supported by their local government, so don't count on extradition or anything else like that. Even nominally friendly governments that we have treaties with are perfectly capable of 100% coincidentally simply not being able to find those guys, so sorry, we feel really bad for you though, if they want to. Paper is only worth the actions it produces.
That depends. Most countries you refer to the department of state who in turn talks to law enforcement in the country where the hackers are from and that country takes care of the problem.
However most hackers seem to be from countries like Russia, or North Korea where law enforcement will tell the state department to go away. DoD probably is the only option we have (though intelligence/CIA should get involved) - is it worth war?
I think they are referring to jurisdiction to enforce any judgement against the actor, which is likely in a foreign state with no extradition agreement with the US.
> jurisdiction to enforce any judgement against the actor, which is likely in a foreign state with no extradition agreement with the US
Justice has a long memory. A common theme, when new extradition agreements are struck, usually in the context of trade or security arrangements, is how to deal with the backlog of overdue enforcement.
Yes, I don't see the issue. If I understand correctly then reporting doesn't necessarily mean you are going to be in trouble (so long as you report in time)?
The law requires disclosure so that companies can't hide material information from investors. The SEC wants all incentives lined up so that companies will choose to report. The primary way that the SEC catches them now is that the data showed up somewhere like a data breach. So ultimately, the behavior of the hacker group is the source.
This hacker group just cut out several steps in the middle. The SEC verifies it, the company gets punished, and companies are on notice that they really should report. Just like the law says.
What WOULD be a problem is if the hacker group got rewarded for reporting...
If the SEC pursues prosecutions based on reports from hackers who use the threat of SEC reports to extract payments, the SEC will be enabling and enforcing blackmail. The SEC would essentially be an accessory to the crime.
That’s not how the law would see it. Blackmailers incorporating otherwise-legal third party activity into their threat does not add legal liability for that 3rd party. Nor does it excuse any pre-existing liability for the blackmail target.
I'm not sure whether there'd be legal liability; that would probably depend on whether the third-party was aware of the scheme, and how often they 'enabled' it. I doubt that the SEC would be found to be an accessory the first time this happened (unless they'd been specifically warned), but if this happened frequently, I think they'd likely be found guilty by way of 'reckless or wanton negligence'. They might even be subjects of civil actions by victims of these blackmail schemes at a later date (if the circumstances were right).
Agree the incentives are a mess. SEC needs to change the incentives.
For example, the process for filing complaints could include a $1M fee refundable at 2X if you're right and a tax-paying citizen and/or entity.
These types of hackers exist outside of a society ruled by law, and it's unacceptable to let them leverage the tools of a civilized society if they don't live within its rules and pay taxes.
If someone has a better idea for how to fix the incentives, I'd be sincerely interested to hear it.
The SEC doesn't work for "the citizens," its mandate is in respect of investors. Especially small investors. U.S. law, broadly, prioritizes first consumers, then investors, and way, way, way below that, workers.
(They won't get it; there's an exemption "If you obtained the information by a means or in a manner that is determined by a United States court to violate applicable Federal or state criminal law", but it'd be hilarious to try.)
So you could have two hackers who each tip each other off to companies that they have independently hacked. They can just claim each other's rewards since they had nothing to do with the actual attack?
If there is any evidence that the hackers colluded with the tipper so they could both share in the reward (i.e. if the hackers get any % of what the tipper gets), then the tip would be treated as part of the hack and the tipper would not be eligible for the reward.
After having been part of various hacking cover-ups over the years, usually in some sort of triage for these sorts of things, I almost welcome the behavior vs. mega corporations or even state/local government getting away with it. Shame the fools that let it happen.
I wonder how many ransomware/hacking groups are being clandestinely paid by the sort of firms that would short the stock and benefit from such a disclosure. Or maybe these groups already plugged into the option markets and are profiting on both ends.