
Congress is getting in on the act: a group of Senators wrote to the SEC Chairman, telling her that “in light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk” and recommending that the SEC mandate guidelines for full disclosure of “cyberattacks” for public companies.
Since the implementation of California’s “right to know” disclosure law (SB1386) in 2003, followed by similar laws in other states, there has been an ongoing debate about how much shareholders and the public deserve to know about breaches that may affect both them and their personally identifiable information. It seems inevitable that some level of mandated disclosure will emerge at a national level in the US. The European Union’s tighter data privacy requirements and its e-Privacy Directive (2009/136/EC) already impose disclosure requirements in certain circumstances.
All of this, of course, relies on a company’s ability to know that something untoward has happened. It’s not yet clear whether there’s any liability when a company is unaware of a break-in, since there really isn’t any case law yet, but we have to suspect that as in other areas of the law, ignorance will not be a viable defense.
So what should you do in your company? Preventing the attacks in the first place is, of course, what most people would wish for. You may also find that despite your best efforts, a problem occurs, in which case you’d like to have the best possible forensic information available, so that you can quickly assess the impact and legal ramifications of any break-in.