Updated guidance offers suggestions on how and when public companies should disclose breaches and risks.