Shostack + Friends Blog Archive


SarBox and Breaches

Earlier today Chris wrote (“Naming names isn’t always bad”):

A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability.

Bugger efficient markets! What does a breach say about your attestation to the effectiveness of your controls? Sure, breaches can happen even if you have effective controls in place. However, a breach may be the sort of material event which a public company ought to disclose, even if the plethora of personal information laws don’t require it.