Should Companies Report Data Breaches?

A group of major executives are arguing that companies shouldn’t be legally obligated to notify customers in the case of a data breach. A recent article in the Wall Street Journal, “A Contrarian View on Data Breaches,” highlights the argument that notifying the public of a data breach makes the breached company vulnerable to another attack. Executives across the nation are arguing that many breaches don’t actually lead to harm to consumers and can be handled quietly.

Data breaches have never been more relevant given the frequency at which they’re occurring. eBay had a massive breach in which up to 233 million people had their personal details stolen. Similarly, the Montana Department of Public Health and Human Services (DPHHS) was breached, and 1.3 million people were notified that their information had been compromised. These breaches, along with countless others this year, have been alarming the public for months now, across all industries.

While executives are on the front lines of dealing with the threat of data breaches on a daily basis, they react very differently when it comes to disclosing them to the public.

One of the executives leading the movement to keep data breaches quiet is Dawn-Marie Hutchinson, the head of information security at Urban Outfitters Inc. Rather than disclosing a breach right away, she believes that companies should seek legal counsel before reporting anything to the public or the authorities.

“Anything earlier than three months, in my opinion, would be too quick,” said Hutchinson on when to report a breach to the public.

Although the general public may not find this argument very popular, executives are being put in a difficult place given that once they go public with a breach, their jobs are at risk. James Lewis, a senior fellow at the Center for Strategic and International Studies who often advises Washington officials on cyber security, pointed out, “If you’re a CEO or a general counsel, you might make America safer to share information, but you also might be out on the street.”

However, now that 47 states require companies to notify customers of data breaches, it is increasingly difficult to keep breaches under wraps.

Even with numerous defenses in place, companies are having difficulty stopping data breaches. This stems from the fact that 76% of data breaches are caused by stolen or exploited user credentials. Now that infiltrators are using legitimate user credentials, they are difficult to stop because their activity appears to be that of a normal user.

To combat the pressures of data breaches, companies like Telecom Argentina, a major local telephone company that serves the entire city of Buenos Aires, are turning to user activity monitoring to manage their risk.  According to Telecom Argentina CISO Diego Hernan Pizolli, user activity monitoring “directly minimizes the risks associated with employee and third-party vendor activity over a full range of applications and environments.”
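The two preceding paragraphs make the point that an intruder holding valid credentials produces events that look like the account owner's, and that user activity monitoring is the counter to that. The following added example (not Proofpoint or Telecom Argentina code) shows the core idea in miniature: build a per-account baseline from historical activity, then flag current events that deviate from that baseline on several independent dimensions at once. The log format, account names, hosts, IP addresses and thresholds are all constructed for the example.

```python
"""Behavioural baselining over per-user activity logs.

Added example for this post; not the code of any product or company named
in it. The log layout (ISO timestamp, user, source IP, target host, action),
the accounts and all addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical activity used to learn each account's normal pattern.
BASELINE_LOG = """\
2014-06-02T09:12:44 jdoe 10.1.4.22 db-prod-01 SELECT
2014-06-02T10:03:10 jdoe 10.1.4.22 db-prod-01 SELECT
2014-06-03T09:30:02 jdoe 10.1.4.22 db-prod-02 SELECT
2014-06-04T14:15:51 jdoe 10.1.4.22 db-prod-01 UPDATE
2014-06-05T11:42:19 jdoe 10.1.4.22 db-prod-02 SELECT
2014-06-02T08:55:00 vendor1 203.0.113.7 app-stage-03 DEPLOY
2014-06-04T16:20:31 vendor1 203.0.113.7 app-stage-03 RESTART
"""

# Constructed current activity. The second jdoe line is the interesting one:
# a valid account, but used at 03:04 from an unseen address against a host
# the account has never touched, performing an action it has never performed.
CURRENT_LOG = """\
2014-06-09T09:05:12 jdoe 10.1.4.22 db-prod-01 SELECT
2014-06-09T03:04:58 jdoe 198.51.100.9 fileserver-07 EXPORT
2014-06-09T15:10:40 vendor1 203.0.113.7 app-stage-03 DEPLOY
"""


def parse(log):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "host": host, "action": action})
    return events


def build_baseline(events):
    """Per account: the IPs, hosts, actions and hour-of-day window seen so far."""
    baseline = defaultdict(lambda: {"ips": set(), "hosts": set(),
                                    "actions": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["ips"].add(e["ip"])
        b["hosts"].add(e["host"])
        b["actions"].add(e["action"])
        b["hours"].add(e["ts"].hour)
    return baseline


def deviations(event, baseline):
    """List the ways one event departs from its account's learned baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for account"]
    reasons = []
    if event["ip"] not in b["ips"]:
        reasons.append("new source ip")
    if event["host"] not in b["hosts"]:
        reasons.append("new host")
    if event["action"] not in b["actions"]:
        reasons.append("new action")
    # Treat the span between the earliest and latest observed hour as the
    # account's working window; anything outside it is off-hours.
    if not (min(b["hours"]) <= event["ts"].hour <= max(b["hours"])):
        reasons.append("outside usual hours")
    return reasons


def flag_events(events, baseline, min_reasons=2):
    """Return (event, reasons) pairs that deviate on at least min_reasons axes.

    Requiring more than one independent deviation keeps a single new host or
    a late night from paging anyone, while a stolen credential used from a
    new place, against a new target, doing a new thing, still stands out.
    """
    alerts = []
    for e in events:
        reasons = deviations(e, baseline)
        if len(reasons) >= min_reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for event, reasons in flag_events(parse(CURRENT_LOG), baseline):
        print(f"{event['ts'].isoformat()} {event['user']} -> {', '.join(reasons)}")
```

Run as a script, it reports only the 03:04 `jdoe` event, on all four axes; the legitimate morning `jdoe` query and the vendor's deployment match their baselines and stay quiet. A real deployment would learn the baseline over weeks rather than a week and weight the axes, but the shape of the detection is the same.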

Isaac Milshtein, the Director of Engineering IT Operations at Pelephone, a mobile phone carrier in Israel, also feels the pressure of not knowing what users are doing. “With so many privileged vendors accessing our servers, it can be difficult to keep an eye on who’s doing what,” said Milshtein.

Even though user activity monitoring would help these executives understand any breaches that occur, the debate remains over whether they should have to report them.

  • What are your thoughts on executives not wanting to report data breaches?
  • Do you believe that their argument is justified, or do you think the consumer should be entitled to immediate notification?

We look forward to reading your comments below!