• @[email protected]
    link
    fedilink
    English
    1710 months ago

    As much as I agree that something needs to be done to these companies, and that they deserve punishment, I think this approach would only result in leaks (even more) underreported, which makes it even worse.

    • @[email protected]
      link
      fedilink
      English
      610 months ago

      Are these leaks even being reported by companies? Every article I have seen so far has just been compiling information off the new leaked data set someone picked up off the dark web or something.

      • @Kiernian
        link
        English
        210 months ago

        They weren’t, which is why the SEC updated 17 CFR Parts 229, 232, 239, 240, and 249.

        https://www.sec.gov/files/rules/final/2023/33-11216.pdf

        As of December 18th of last year, publicly traded companies are now required to disclose breaches. (soz, material cybersecurity incidents).

        Prior to that, they could …basically… just effectively sweep everything under the rug “like it never happened” minus a little handwaving and paper shuffling and nobody would find out about it until the information got sold and went public.

        I’ll have to go looking but I would be SERIOUSLY surprised if the disclosures apply to credit card companies (the MOST breached, historically) because I’m not sure what exactly qualifies someone as an asset-backed issuer, but it’s at least a really good step for the REST of things.