The Securities and Exchange Commission’s new cybersecurity rules will come into effect on 18 December for large, publicly traded companies; smaller firms have an additional 90 days to comply. The rules, passed in July, require companies to report data breaches within four days and offer clarity on mitigating cyber risks. They also require firms to outline their cybersecurity processes and expertise. Companies, fearing a drop in share price, have expressed concern over the short reporting window.
Blue Shield of California members may have had their data exposed in a November data breach. Information included member names, dates of birth, addresses, subscriber