The risks posed by a data breach are enough to make any compliance officer's head spin, but an equally taxing question for companies is whether to publicly disclose the cyber-attack at all.
Such were the circumstances faced by Coca-Cola, when the Federal Bureau of Investigation informed the company in March 2009 that it had been attacked by Chinese hackers. Coca-Cola chose not to publicly disclose the breach.
The news did not come to light until this week, when Bloomberg reported that hackers had broken into Coca-Cola's computer systems and spent at least one month “pilfering sensitive files” about its attempted $2.4 billion acquisition of fruit and vegetable juice company China Huiyuan Juice Group.
The systems were first compromised by malware-infected e-mails targeted at Coca-Cola's senior executives. Once opened, the e-mails enabled the hackers to penetrate the network and steal sensitive information, according to Bloomberg.
In the same week that Coca-Cola suffered the cyber-attack, the Chinese Ministry of Commerce rejected Coca-Cola's acquisition of the Huiyuan Juice Group, although it is not entirely clear that the attack played a role in the acquisition falling through, according to Bloomberg. If successful, it would have been the largest foreign takeover of a Chinese company, Bloomberg reported.
Coca-Cola is not alone, however, in its choice not to disclose its data breach. In fact, many companies routinely conceal cyber-attacks from the public eye for fear that they will take a serious hit both from a reputational standpoint and to their stock price.
Other companies to have reportedly suffered data breaches and never disclosed them include ArcelorMittal, Apollo Group, and Verisign, to name a few.
One of the most pressing questions faced by companies that suffer a data breach is whether the choice not to disclose is in compliance with legal requirements. According to the Securities and Exchange Commission, companies must report any material losses from cyber-attacks and any information that “a reasonable investor would consider important” when deciding whether to invest. Most companies, however, say they do not consider hacks to be a material event that would require disclosure under SEC rules.
Further complicating the decision of whether to publicly report a data breach is that 46 states plus the District of Columbia have passed laws requiring companies to notify consumers whose personal information has been compromised. Yet, in many instances, companies don't always know exactly what information was compromised, who has access to it, and how that data is being used.
Look for an in-depth discussion on this topic in the Nov. 13 issue of Compliance Week.