Not reporting a data breach – your reputation may suffer but what about your pocketbook?
Pat Clawson - July 23rd, 2012
How would you feel if a restaurant, hotel or retailer knew your information had been compromised, but you didn’t find out until fraudulent charges started appearing on your credit card? Or if a company you had invested tens of thousands of dollars in didn’t let you know that it had suffered a data breach? Not great I’d imagine, but for some reason, this seems to be all-too-common a scenario.
As cybercriminals become increasingly skillful and malware becomes harder to detect, more companies than ever are falling victim to cybercrime. While this is unfortunate, the real tragedy lies in the fact that many of these companies’ customers and investors may never even know their information was stolen. And while for some this never results in any harm, try using that as a source of comfort for the many people it does impact.
Last fall, the SEC issued cybersecurity guidance suggesting that corporations disclose when a data breach occurs. While this was a step in the right direction (increased government involvement is something I have long called for), it simply isn’t enforceable. Of course, the SEC and consumers and investors alike want corporate entities to let the public know when they’ve been hacked. But as long as they can remain in compliance with SEC regulations without doing so, why would they? It likely results in bad PR. What if people think their security was lacking or worse, nonexistent and therefore irresponsible?
Sorry. Those arguments just don’t hold up anymore. In today’s incredibly advanced cyber landscape, a company can have the most up-to-date systems in place and still be breached. With massive hacker networks and even state-sponsored malware, no one is safe. Look at Google – one of the most technically advanced (not to mention wealthiest) organizations in the world and they too experienced the loss of user information when it was targeted by China in 2010. The point is, if it can happen to Google, it can happen to anyone. But Google did the right thing and disclosed the breach in a timely manner. And I’d say Google’s reputation remained fairly well intact (It’s estimated that the company will report revenues of $8.41 billion for last quarter.)
Companies need to get over their fear of coming clean with any data breach. If anything, the fallout will be worse if they’re found out later on. One unfortunate example of this is pointed out by Richard Lardner of the Associated Press. Wyndham Hotels experienced three data breaches between 2008 and 2010 but never publicly disclosed any of them. The company is now faced with a lawsuit from the FTC, not to mention intense public scrutiny.
While I’d like to think that Wyndham’s example and the fact that every organization is susceptible to a breach this day in age would be enough to convince companies to report data loss, it won’t. We need actionable laws in place. Senator Jay Rockefeller of New York hopes to add language to the SEC’s mandate that makes clear when companies must disclose cyber breaches and spell out the steps they’re taking to protect their networks from future electronic intrusions.
It’s my hope that this language is taken into account and that the SEC takes action against companies that don’t comply by imposing fines against them. Things usually change drastically when money is on the line.