Cyber disclosure and data leaks
- Five banking trade groups asked the Securities and Exchange Commission on April 10 to roll back Item 106 cyber disclosure rules, while UK Biobank disclosed a separate data security breach on April 23.
- UK Biobank said listings offering de-identified data from 500,000 participants appeared on an Alibaba-owned site, tied to three academic institutions; access was suspended and all platform access was temporarily halted.
- Connecticut’s Senate then passed SB 4 by 31-4, adding data-broker deletion rights and genetic-data protections as regulators and companies tighten cyber governance. (ctmirror.org)

Cyber disclosure rules are under new pressure just as a major biomedical database disclosed that its research data was listed for sale online. (bpi.com) (ukbiobank.ac.uk)

On April 10, the American Bankers Association, Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America, and Institute of International Bankers told the Securities and Exchange Commission to rescind or narrow Item 106 of Regulation S-K. (bpi.com) The groups said banks already report cyber incidents through multiple sector-specific regimes and argued that the Securities and Exchange Commission’s public-company rule can force disclosures that help attackers and complicate incident response. (bpi.com) (sec.gov)

The Securities and Exchange Commission adopted the rule in July 2023. It requires public companies to disclose material cyber incidents on Form 8-K within four business days after deciding the incident is material, and to describe cyber risk management and board oversight in annual reports. (sec.gov 1) (sec.gov 2)

That governance piece is the part the trade groups targeted in April 2026. Their letter focused on Item 106, which covers risk management, strategy, and governance disclosures, not just the incident-reporting clock that has drawn most public attention. (bpi.com) (sec.gov)

Then came a real-world example of why data controls, not just breach notices, are under scrutiny. On April 23, UK Biobank told participants that de-identified data made available to researchers at three academic institutions had been listed for sale on a Chinese consumer website owned by Alibaba. (ukbiobank.ac.uk)

UK Biobank said the listings were removed before any purchases were made, that no personally identifying information was exposed, and that the institutions and individuals involved had their access suspended. (ukbiobank.ac.uk) The organization also temporarily suspended all access to its Research Analysis Platform while it imposed stricter file-export limits and daily monitoring of exported files. UK Biobank says more than 22,000 researchers in over 60 countries use its data from 500,000 participants. (ukbiobank.ac.uk 1) (ukbiobank.ac.uk 2)

Connecticut lawmakers moved the same week in the opposite direction from the banking groups. On April 23, the state Senate passed SB 4 by a 31-4 vote, adding new restrictions on data brokers and protections for biological samples and genetic data. (ctmirror.org) (cga.ct.gov) The bill would require data brokers to register with the Department of Consumer Protection, create a deletion mechanism for consumers, and give direct-to-consumer genetic testing customers property rights and exclusive control over their biological samples and test results. (cga.ct.gov 1) (cga.ct.gov 2)

Taken together, the filings and the breach show the split in 2026 cyber policy: banks are asking securities regulators to pull back public disclosure mandates, while health-data custodians and state lawmakers are tightening controls on who can touch sensitive data at all. (bpi.com) (ukbiobank.ac.uk) (ctmirror.org)