Since the dawn of cybercrime in the late 1990s, public companies have largely operated under the notion that, while they have an essential responsibility to guard their data with appropriate security measures, they have little duty to report attacks to investors and regulators. That is all about to change.
A full-fledged cyber war is now completely out of the shadows and was put on center stage during the June 8-9 summit between President Barack Obama and Chinese President Xi Jinping. While little specific progress came out of the meeting, National Security Adviser Tom Donilon said afterwards that cybercrime is the “key to the future” of the U.S.-China relationship, making it ever more clear that each cyber-incident is now part of a high-level military and diplomatic dance.
This escalating, and highly publicized, battle over cybercrime is going to force U.S. businesses to be more forthcoming about attacks, exposing them to significant new legal and regulatory threats.
While it might seem obvious that companies would consider nearly any significant cyber-attack a material event to require proper disclosure, the reality is that the legal and regulatory implications of attacks are extremely murky. In fact, organizations are faced with intensely conflicting interests. A company trying to decide what and how much to disclose, and whom to disclose it to, faces a decision much like the one facing the kid who gets his lunch money stolen from the bully: Is there more risk in telling the authorities or in remaining silent?
More here: http://www.law.com/corporatecounsel/PubArticleCC.jsp?id=1202604319421&Corporate_Cyberattacks_Come_Out_of_the_Shadows&slreturn=20130515090441