This is the Identity Theft Resource Center’s Weekly Breach Breakdown for August 4th, 2023. I’m James Lee…and thanks to Sentilink for supporting this podcast and the ITRC.

Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we’re going to take a look at new data breach reporting rules from the US Securities and Exchange Commission and give you a peek into the hottest topic that the media keeps asking about from ITRC experts. We’re calling this episode – Rules & Rule Breakers.

Show Notes

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 4, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we look at new data breach reporting rules from the U.S. Securities & Exchange Commission (SEC). We also give you a peek into the hottest topic the media keeps asking about from ITRC experts. We’re calling this episode – Rules & Rule Breakers.

U.S. Securities & Exchange Commission Adopts New Data Breach Reporting Rules

First, let’s all jump into the Way Back Machine and discuss new rules from the SEC that were first proposed in March 2022. Back then, the Commission released draft rules that would take away the ability of public companies to delay data breach reporting while law enforcement investigated the compromise.

Instead of relying solely on state laws that vary on when a breach or cyberattack was required to be disclosed – and could be delayed by law enforcement – the SEC suggested that security or data events would need to be disclosed within four days of determining the event was material. The 2022 proposal also had requirements around Board-level expertise and knowledge in cybersecurity.

Fast forward to the here and now, and the SEC has formally adopted the new disclosure rule with a couple of changes based on public comments. However, the key provision is intact – publicly traded companies will now have just four days to disclose to shareowners – and the public – that there has been a “material” cybersecurity or data breach event.

“Material event” is the key term here. The company determines if the event is material, which is to say it will significantly impact the business’s financial and/or operational performance. Material events can include increased expenses or decreased revenue, as well as reputational damage, loss of major customers and disruption of operations.

Once that determination is made, the 96-hour data breach reporting countdown starts. There is also one way to delay disclosure. A company can petition the U.S. Attorney General for a 30-day delay if the notice risks national security or public safety.

The final rule does not include the original requirements for Board-level expertise in cybersecurity. However, it does require annual disclosure of cyber risks and what is being done to address them. The new rules will go into effect later this month and will be enforceable for material events after December 15, 2023.

Artificial Intelligence and Identity Crimes

That’s the rules part of this episode – here’s the rule breakers part. The most common question reporters ask these days is what is the impact of generative artificial intelligence (AI) on identity crimes, especially phishing and other scams. Our standard answer is that it’s early days, but there is plenty of anecdotal evidence that a wave of AI-related identity crime is coming. Security researchers have already identified two versions of generative AI designed to engineer attacks: WormGPT and FraudGPT.

Two New Malicious AI Tools Available for Identity Criminals

This week, we learned two additional malicious AI tools based on Google’s Bard AI engine are in the wild. DarkBART and DarkBERT are AI tools that have been trained by using criminal identity marketplaces. Phishing lures and other identity scams are already hard to spot sometimes. Generative AI will only make it harder to tell fact from fiction. However, the same rules still apply. Don’t click on unsolicited emails and texts and verify with the actual source any interaction you did not initiate.

Contact the ITRC

If you want to know more about how to protect your business or personal information, or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

You can also learn more about the latest data compromise trends by downloading our H1 2023 Data Breach Analysis at our website, www.idtheftcenter.org/publications.

Thanks again to Sentilink for their support of the ITRC and this podcast. Be sure to check out our sister podcast, the Fraudian Slip, for the latest in all things compromise, crime, and fraud that impact people and businesses. We will return next week with another episode of the Weekly Breach Breakdown.