The Wall Street Journal has an article on how certain executives are questioning the value of notifying the general public on company data breaches. The pay-walled article notes that there are valid reasons against more transparency.
The thing is, most of these so-called reasons are self-serving – which is why 47 states have laws requiring breach notification. Plus, the article lays out certain practices that makes one wonder whether they understand how the law works.
Can’t Sue If They Don’t Know, Might Tip Off Criminals
Some of the reasons given against more transparency are semi-comical. One executive said that “‘there is this crazy hysteria,” about cyberattacks” which I’m going to assume is meant for data breaches in general and not just cyberattacks (aka, attacking online servers). It is also pointed out that “not every corporate document is a valuable trade secret; credit-card numbers may….never [be] used.”
Regarding the hysteria: just because it feels crazy doesn’t mean it’s not real. Identity theft is usually the end product of a data breach and, according to a 2013 Bureau of Justice Statistics report, 16.6 million people experienced identity theft in 2012, with financial losses totaling $24.7 billion. Put in this light, it’s crazy that more isn’t done to curtail data breaches.
But, wait, contrarians might say. Not all data breaches do result in sensitive information being stolen. Also, as already pointed out above, just because it’s stolen, it doesn’t mean it will be used. The first charge is a moot point. Data breach laws do not require that all data breaches be reported. By and large, the laws require notification if sensitive personal data is lost or stolen.
As to the second observation, the premise is so infantile that I would have to retort with a childish “so what?” How would a company that has experienced a personal information data breach know whether the stolen information will be used or not? They can’t. That’s the point; that’s why the public at large is notified of it. So they can check their bank statements or whatever it is they have to do.
Plus, the logic itself doesn’t make any sense. Let’s use the same exact parallels to argue about guns, shall we? Hey, someone stole my gun, but we all know that most guns are not used in crimes. Thus, chances are that the gun will not be used in a crime. Hence, the theft doesn’t really represent a threat – after all, it could be hanging on someone’s wall, being admired by the thief. No need to let anyone know that the gun was stolen; chances are nothing will come out of it.
Does this sound reasonable to you?
My jaw also hit the floor when I read this particular line: “If you never disclose the breach at all, then you don’t have class-action suits,” said one particular lawyer.
*Sigh*. While I don’t doubt that there are many organizations actively hiding data breaches for this exact reason, it sounds quite wrong for it to come out of the mouth of a lawyer from a respected firm. My hope is that he has either been misquoted or quoted out of context. If I may offer this observation, to show how wrong the statement happens to be: if you kill a man, give him cement shoes, dump him in the Hudson, and never disclose it at all, then you don’t get arrested.
Verbal Legal Wrangling
There was also another aspect that left me scratching my head and wondering whether people knew what they were doing (my emphases):
In hacker simulations, the company has mapped out one response for a data breach it discovers on its own and another if it’s alerted by law enforcement or a journalist. But “we actually don’t use the term breach,” because that could trigger disclosure laws, Ms. Hutchinson said.
She said she might recommend telling consumers about a hacking incident, but only after extensive analysis. Announcing “anything earlier than three months, in my opinion, would be too quick,” Ms. Hutchinson said.
I guess it depends on which laws Ms. Hutchinson is referring to, but the laws that I know (state laws) have very specific definitions of what a data breach constitutes – meaning how you decide to classify something has very little bearing. You can’t claim something is not a data breach just because you’ve decided to call it a “coconut chocolate bar” and refer to it as such in your internal memos.
Of course, we can all appreciate that the breached companies are victims, too. But I think the public’s cynicism and lawsuit-happy trigger-fingers are most probably a result of such attitudes like the above.