The U.S. Securities and Exchange Commission is looking into whether companies properly handled and disclosed cyber attacks in the wake of a series of major data breaches.
The investigations began in recent months and are focused on whether companies adequately protected data and kept investors informed about the impact of any damages from a breach, according to people familiar with the matter, as reported by Bloomberg.
This type of investigation by the SEC is unusual because the agency hasn't previously investigated companies considered to be victims of cyber attacks. But a growing number of data breaches could be prompting closer scrutiny.
Companies typically keep details about breaches closely held to avoid potential lawsuits. One such lawsuit has been filed against P.F. Chang's, though the restaurant company has yet to release any details about the breadth and scope of its data breach. Target (NYSE:TGT) is still seeking to end lawsuits stemming from a data breach that compromised credit and personal information of more than 70 million shoppers in 2013.
While the SEC is focused on disclosure to shareholders by public companies, disclosure to consumers by affected retailers goes in lockstep with it. Target's actions in particular illustrate why the SEC might be interested. News of the breach was revealed by blogger Brian Krebs and not by Target itself. As the timeline of events unfolded, it became clear that Target failed to act on early warnings of malicious activity.