←back to thread

I have recordings proving Coinbase knew about breach months before disclosure

(jonathanclark.com)
685 points jclarkcom | 2 comments | 16 Nov 25 20:18 UTC | HN request time: 0s | source
1. jmclnx ◴[16 Nov 25 20:43 UTC] No.45948233[source]
Isn't there a new law from the Biden era that forces a company disclose breaches to their customers and the SEC within a few weeks ?

If so and if the US had a sane administration maybe, this would be acted upon, but these days, anything goes as long as you 'donate' to the ballroom.

replies(1): >>45948271 #
2. jclarkcom ◴[16 Nov 25 20:48 UTC] No.45948271[source]
Yes, I did briefly touch on that in the article. "SEC rules require timely reporting of material cybersecurity incidents."

Looking into this more now I see SEC Rule requiring disclosure within 4 business days of determining a cybersecurity incident is "material"

There is a big list of SEC violations as a result: 1. Late Disclosure (Item 1.05) If materiality was determinable in January → 4-day rule violated Penalty: Fines, enforcement actions

2. Misleading Statements/Omissions (Rule 10b-5) Any public statements about security between Jan-May could be problematic Omitting known material risks = securities fraud

3. Inadequate Internal Controls (SOX) Failure to properly investigate and escalate user reports Inadequate breach detection systems

4. Failure to Maintain Adequate Disclosure Controls My report should have triggered disclosure review Going silent suggests broken escalation process