Revealing a data breach to the public is uncomfortable at best. At worst, it can devastate sales. But in most states it’s a requirement, and soon it could be mandated nationwide, with time limits on how long a company has to notify consumers. From our perspective, data breach notification just makes good business sense, and with a multitude of highly publicized breaches in the last few years, this issue isn’t going away. Put your company’s policy in place now to prepare for what’s coming.
First, What’s Required
Surprisingly, companies that store health information have more leeway than other industries. HIPAA requires data breach disclosures to be made “without unreasonable delay” and no more than 60 days after a breach is discovered. Non-HIPAA entities usually face state laws requiring them to disclose data breaches to those affected, or to the public if not enough contact information exists for the affected customers.
Cyber Risk Network reports that most states don’t specify how long a company has to disclose, only that it must be done within a “reasonable” time frame or “without undue delay.” Four states allow 45 days. Most advisors say 30 – 45 days is a reasonable time window.
There are several bills floating around the Capitol to address data breaches, and the Federal Trade Commission wants in on the issue, too. It wants the authority to “seek civil penalties for all data security and breach notice violations in appropriate circumstances.”
What Really Happens
According to a survey from web security company Threat Track Security, 57 percent of malware analysts have looked into enterprise data breaches that were never disclosed to the public. And for larger companies with more than 500 workers, the rate goes up to 66 percent. No wonder so many consumers suffer identity theft. If they don’t know their information has been stolen, they can’t take proactive measures to defend themselves.
Long reporting windows might seem like a good thing at first… until you realize that social media could expose the breach before you do. If that happens, or if customers begin putting two and two together and reveal the breach first, the reputational damage to your organization could be worse than the breach itself. This threat alone should be a strong inducement for companies to disclose a breach.
But infamous statements by Target’s attorney Douglas Meal, responding to Securities and Exchange Commission (SEC) mandates on data breach disclosures, make some valid points. The Wall Street Journal covered his statements in the article, “When to Disclose A Data Breach: How About Never?”
Meal argued that most breaches don’t affect investors in the long term, suggesting the SEC shouldn’t really be involved in regulating the matter. He points out that, “If the company doesn’t have a legal obligation to disclose, it’s often not in their interest.” Meal notes that companies that decided to keep quiet about attacks from the same data breach suffered no ill consequences, while those who fessed up faced burdensome government investigations and lawsuits.
This, of course, is at total odds with consumer interests. Target has taken great pains to separate itself from Meal’s statements for this reason. But that doesn’t make him any less correct. When he said, “Companies think they are doing the right thing by disclosing but instead end up being viewed as the problem,” he made a good point. However, a national standard on data breach disclosures, whether by bill or FTC mandate, would change that. All companies would face the same consequences for nondisclosure.
There’s No Right Way
No standards exist for exactly how companies should disclose breaches. History shows us that offering tidbits of information over a span of days or weeks is the norm. Companies generally acknowledge a breach first, and then reveal its extent after some investigation. Some argue this tactic is smart because it gets consumers to pay attention: the “unknown” of the details creates an open ear when the full extent of the problem is finally revealed.
And How It Hurts!
No doubt, disclosing a data breach will be painful. Your company must be prepared to deal with lawsuits, fines, and penalties. Your cyber risk insurer might drop you because of a claim. But many policies won’t pay for the consequences of a data breach if you don’t disclose. Insurers understand that a failure to disclose creates a greater risk of lawsuits, higher fines, and larger settlements. So whether you disclose or not, a data breach hurts. How much you want to hurt is up to you. Pick your poison.
Quorum Cares about Data Security and Transparency
Quorum, by offering data recovery systems, faces these same issues. We know that keeping data secure is vitally important to the health of our enterprise clients, and we’ve always kept that information safe. But if a breach occurred, we believe notification is the only way to go. If our clients suffer, we suffer — so transparency just makes good business sense.
If your organization makes information security a priority, try Quorum’s Hybrid Cloud/Draas, onQ appliance, and archive vault for a complete backup solution that will help your business remain confidently prepared for anything that comes your way. Request a quote to learn more!
Posted on 04/22/2014 at 12:00:00 AM