Publicly traded businesses now have yet another set of guidelines to follow regarding security risks and incidents. On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that assists registrants in assessing what disclosures should be made in the face of cyber security risks and incidents. The guidance provides an overview of disclosure obligations under current securities laws - some of which, according to the guidance, may require a disclosure of cyber security risks and incidents in financial statements.
Today the Senate Judiciary Committee approved two federal data security bills, Senator Leahy's S. 1490, the Personal Data Privacy and Security Act, and Senator Feinstein's S. 139, the Data Breach Notification Act. Of course, there have been dozens of proposed federal breach notification bills over the past several years, from both sides of the aisle. Senator Leahy's office issued this statement earlier today. While we cannot predict the fate of S. 1490 and S. 139, and we will have future occasion to comment on the bills in more detail, Tanya and I wanted to highlight a few notable provisions now.