To disclose or not to disclose
In an August 12, 2014 post on Pymnts.com, Dawn-Marie Hutchinson, the information security executive at Urban Outfitters, argued against disclosing breaches. In fact, the company's policy is to notify its lawyers first so that the investigation can be conducted under attorney-client privilege.
While I sort of understand the idea of not disclosing too soon (before you have any facts, for example), I have also seen companies sit on a breach for six months or more.
I will argue that if customers find out on their own that you had a breach and decided not to tell them (setting aside whether that is even legal in many states), you will tick off far more people than if they hear about it from you in a timely and responsible fashion. Social media will go crazy once it does get out, and it always gets out. Guaranteed.
For many years, before California's SB 1386, the grandfather of all breach notification laws, companies were not required to disclose at all, and security was, of course, so much better then. Not.
So what is the argument for not disclosing, or for not disclosing early? "Customers will beat us up." Right. What's your point? If you insist, as a business, on keeping a lot of customer information and not protecting it well, then you should get beaten up. The answer is to communicate: do it at the appropriate time, take responsibility, explain what happened, and help people understand that the world is not going to end. And yes, you will likely take a short-term hit.
Security is a business (financial) decision just like everything else a company does. It has to be weighed against all the other needs those same dollars could be spent on. However, the years before SB 1386 were not more secure than the years after it. In fact, most companies are paying far more attention now than they ever have. It is a VERY hard problem: the hackers only have to be right (get in) one time, while the company has to be right (keep the hackers out) every time. I have been doing this for a long time, and it is neither easy nor simple.
Now, maybe what Ms. Hutchinson was suggesting was that your first call after learning about a possible breach should NOT be to the NY Times or the Wall Street Journal. If so, then I agree with her. Responsible disclosure means just that: responsible. You have to have some facts in hand in order to be responsible.
Does that mean one day? One week? One month? Probably one of those. It does not mean silence, however.
Mitch Tanenbaum
Update: Here is another article on the issue.