Greater Transparency Needed When Reporting Data Breaches
Whether it was Cain vehemently denying that he’d killed Abel, or Bart Simpson saying “I didn’t do it” whenever he was caught doing another bad deed, fessing up has always been difficult for people, even though honesty is the best policy. Maybe that’s the reason why so many companies and organizations choose not to reveal significant details of data breaches when they occur, and who knows how many others hide their breach incidents altogether.
The Identity Theft Resource Center’s (ITRC) recent review of the 213 data breaches recorded during the first half of 2012 revealed that 63% of breach notifications contained no details about how a breach occurred, exactly what was stolen, or who was responsible. ITRC said that the number of data breach notifications that included no pertinent details had doubled from the same time period in 2011.
Quoted in an Information Week news story about the report, ITRC said “with few exceptions, there is minimal transparency when it comes to reporting breaches.” Consequently, “the public has no way of knowing just how minor or serious the data exposure was for any given incident.”
Karen Barney, ITRC program director and research analyst, was interviewed by Bank Info Security and said that when businesses and organizations are not forthcoming about the details of their data breaches, the customers, patients and others affected by the breach are unable to act to protect their personal information.
ITRC estimates based on reported breach incidents indicate a 9% decline in breaches across all sectors during the first half of this year, compared to the same period a year ago. “Whether this represents an actual decrease in the number of breach incidents or just a decrease in reporting is impossible to determine,” Barney said in the Bank Info Security story.
Damage to brand and company reputation, stock performance and customer loyalty are often cited as reasons why companies or organizations are not forthcoming with data breach notifications or with information pertaining to a breach. But, in all honesty, isn’t holding back information from the people most affected by a breach more of an indication of mistrust and dishonesty than coming clean with the truth?