A group of Senators, led by Senate Commerce Committee Chairman Jay Rockefeller, sent a letter Wednesday to the Securities and Exchange Commission advising the agency to construct regulations and guidelines for companies to follow when reporting data breaches and whether intellectual property or trade secrets have been stolen. Also signing the letter were Senators Robert Menendez, Sheldon Whitehouse, Mark Warner, and Richard Blumenthal.
It appears that the Committee is concerned about inconsistencies in how companies report cyber-compromises, as well as what they are doing to correct potential problems.
According to a Wall Street Journal article, the lawmakers "want the SEC, by issuing guidance, to make it more clear when attacks or data breaches rise to the material level and become subject to disclosure, rather than the current approach of relying on a company's interpretation of when an incident is material."
While an interesting concept, the SEC's increased presence in cyberspace could raise questions that will need to be resolved. As we see DoD and DHS (with Commerce and State thrown in for good measure) struggle with who will lead on cybersecurity, what does adding another agency to the mix of agencies that must be dealt with mean? How will an increased SEC presence in this space mesh with increased FTC and FCC efforts? What does any required significant reporting mechanism at the SEC mean for law enforcement investigations into cyber?
Cybersecurity has long been an issue that the private sector has prided itself on leading through self-regulation. With expected White House action coming this week, coupled with increased Congressional interest in cybersecurity and privacy, has the pendulum swung to desired government regulation on multiple fronts?