Public companies now have to report data breaches within 4 days

Published: 2025-04-27 01:37:16

U.S. companies can no longer release quiet, belated information about data breaches.

The Securities and Exchange Commission released new rules yesterday requiring U.S. companies to report data breaches and other cybersecurity incidents within four days.

"Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC Chair Gary Gensler said in a press release. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them."


The SEC ruling goes on to say that the four-day rule can be delayed if the U.S. Attorney General decides that sharing the cybersecurity incident "would pose a substantial risk to national security or public safety." 


This decision, which passed by a 3-2 vote along party lines according to the Associated Press, doesn't come as a complete surprise. As 9to5Mac reported, in Europe, companies have to disclose data breaches within three days. And true SEC heads will remember that the new rules were originally proposed a year ago, in March 2022, when the SEC noticed an increase in cybersecurity risk as so many U.S. companies started allowing employees to work from home. Currently, U.S. companies often fail to tell customers that their company has been hacked until months after the hack — just look at the way T-Mobile and Twitter handled their recent data breaches.
