
81 points impish9208 | 1 comments
hn_throwaway_99 No.41916731
It's amusing to me how the economic and cultural incentives at so many companies are to lie as much as possible when it comes to breach disclosures while pretending that you're still technically telling the truth.

I think that in all of these cases it would have been no worse for the companies in question if they just sent out a dry, "just the facts, ma'am" report of what actually happened, without any of the BS "the security of our customer data is our primary priority!" statements to begin with that always accompany these kinds of breach disclosures. E.g. something like:

On <date>, due to a vulnerability in the third-party vendor SolarWinds, which provides network security services for us, we detected the following breaches of customer data:

1. xxx

2. yyy

The steps we are currently taking, and what you should do: zzz.

----

Perhaps one good thing that can come out of this is that some sort of "standard" format for breach disclosures comes about (think the "Nutrition Facts" labels on food boxes in the US). All I do when I see companies trying to minimize breach disclosures is assume they're bullshitting anyway.

replies(3): >>41918007 #>>41918463 #>>41918586 #
JumpCrisscross No.41918463
> in all of these cases it would have been no worse for the companies in question if they just sent out a dry, "just the facts, ma'am" report of what actually happened

This assumes there is someone on staff capable of writing a no-nonsense diagnosis.

replies(1): >>41918691 #
TeMPOraL No.41918691
Sure there are. The person writing the release gets fed some internal bullet points or summaries as source material; that material is strictly less bullshit than the resulting official press release.