The U.S. Senate recently proposed a bill that would require publicly owned companies to be more forthcoming with respect to data breaches and cybersecurity vulnerabilities. For example, publicly owned companies would have to disclose, through U.S. Securities and Exchange Commission investor filings, whether any member of the company's board of directors is a cybersecurity expert.
The proposed measures are, in part, a response to successful cyber-attacks on major public companies, such as Sony and Home Depot, and to the investigation of 100 top financial firms’ cybersecurity policies. If accepted, the disclosure requirements would enable the public to better evaluate how well their private information is being secured, and thereby incentivize public companies to ensure their security policies are continuously upgraded and enhanced.
For more information about drafting vendor data security policies, please contact the author or a member of the Polsinelli Privacy & Data Security Team.