• neidu2@feddit.nl
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    11 months ago

    As much as I agree that something needs to be done to these companies, and that they deserve punishment, I think this approach would only result in leaks (even more) underreported, which makes it even worse.

    • Corkyskog@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      6
      ·
      11 months ago

      Are these leaks even being reported by companies? Every article I have seen so far has just been compiling information off the new leaked data set someone picked up off the dark web or something.

      • Kiernian@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        They weren’t, which is why the SEC updated 17 CFR Parts 229, 232, 239, 240, and 249.

        https://www.sec.gov/files/rules/final/2023/33-11216.pdf

        As of December 18th of last year, publicly traded companies are now required to disclose breaches. (soz, material cybersecurity incidents).

        Prior to that, they could …basically… just effectively sweep everything under the rug “like it never happened” minus a little handwaving and paper shuffling and nobody would find out about it until the information got sold and went public.

        I’ll have to go looking but I would be SERIOUSLY surprised if the disclosures apply to credit card companies (the MOST breached, historically) because I’m not sure what exactly qualifies someone as an asset-backed issuer, but it’s at least a really good step for the REST of things.