Should companies reveal all data breaches? Some execs say no
When P.F. Chang's China Bistro was hit with a security breach, the company listed the 33 locations where credit and debit card numbers might have been stolen. According to the restaurant chain, thieves may have gained the numbers, customer names, and even expiration dates, making identity theft relatively easy.
P.F. Chang's isn't alone. Recently there have also been data breaches at Target Corp., Neiman Marcus, Sally Beauty Holdings Inc. and Michaels Stores Inc. But some executives say that disclosure of such problems has gone too far.
Some top technical executives recently told the Wall Street Journal that the rush to disclose electronic attacks has gone too far. "There is this crazy hysteria," said Dawn-Marie Hutchinson, the head of information security for Urban Outfitters Inc. (URBN), to the paper.
At a Securities and Exchange Commission forum in July, Leslie Thornton, the general counsel for Washington, D.C., gas utility WGL Holdings Inc., warned against revealing too much about weaknesses. "You wouldn't necessarily disclose a nation-state actor trying to do harm in an industry that's very vulnerable," said Thornton. Both Russian and Iranian hackers have been targeting American energy companies, the Journal reported.
Beyond keeping critical details out of the public eye, the argument is also that reports of breaches can cause panic for little reason. Not all breaches result in lost data, and not all data are valuable. If criminals got hold of last week's pencil inventory, who cares? Even credit card numbers found on a compromised system may never be used, the critics claim.
But a problem with the position as portrayed is that it sounds like an uncommon stance. In reality, it is more likely business as usual. Statistics from the Government Accounting Office say that federal agencies alone reported close to 50,000 cyber incidents to the U.S. Computer Emergency Readiness Team in 2012.
According to Verizon's most recent Data Breach Investigations Report, in 2013 there were 63,437 security incidents and 1,367 confirmed data breaches worldwide. Those are only the incidents that were detected and reported. Often companies don't even realize that there has been a problem: more than 3,000 companies last year were victims of attacks and only knew it because the federal government told them.
Corporations have always been reluctant to report data breaches or other security incidents for fear of alarming customers and business partners, as well as hurting their stock prices. Even when companies suffer a data breach and are compelled by various state laws to disclose the problem to customers, 'fessing up can take a long time. For example, when someone bought a hard drive that turned out to contain the Social Security numbers of 30,000 current and former Kaiser Foundation Health Plan employees, it took the company three months to notify the people whose identities were at risk.
Clearly there will be times when an electronic incident isn't worth a public fuss. But given the track records of these industries, a continued preference for public reporting, so consumers know what is happening with what is often their data, could be a good idea.