In the wake of the Equifax and Securities and Exchange Commission's data breach disclosures, there has been a lot of public outcry over the assertion that it took too long to disclose these data breaches to the public. "Too long" is a relative term, to start with, as I have little doubt that some people will see anything shy of instantaneous disclosure via clairvoyant transmission as taking to too long. But as for the rest of us, it is important to consider why it often takes what appears to be too long for a company (or agency) to disclose a data breach to the public.
In my role as an attorney who has guided many companies through this data breach incident response process, I can tell you from firsthand experience that the most common reason is the company just does not know enough of the facts to justify telling people that their personal information has been compromised when it really does not know whether it has or has not been.
Data breaches do not present themselves to the company with a neat little bow and calling card that says, "Guess what? You have a data breach! On X date, Hacker X accessed your network, took PII records of the following individuals and intends to sell them on the DarkNet. Now go alert the public."
Instead, data breaches usually start as some anomalous computer event that is detected, gets someone's attention, and is then looked into to see whether the event is something more, like an incident. But even if it is an incident, that doesn't mean it's a data breach. And, just because there is an intrusion (i.e., unauthorized access) to the company's network does not mean it's a data breach. It takes time, effort, and good forensics in most cases to determine whether a data breach has actually occurred and, if so, who and what data was affected. If companies notified the public of a "data breach" every time they had an incident or intrusion in their network, it would be a steady stream of notifications and the public would simply ignore them (even more). (Read more about this in my Guide to Responding to Data Breaches: Understanding Data Breach Foundations)
Of the difficulty and subjectivity that goes into balancing these interests and making this determination, the Chairman of the SEC put it very well: "You don't want to make disclosures that are misleading." In the case of the SEC's own breach, he decided it was time to make the disclosure after the SEC had turned up all of the facts that it was going to get before completing its investigation. (SEC Chairman Feels Bipartisan Heat On Breach Disclosure – Law360)
While it's fun and cool to jump on the bandwagon of companies taking too long to disclose data breaches, we have to be honest with ourselves and ask what we really want companies to do. Are they supposed to willy-nilly alert the public of a potential compromise of their personal data every time they suspect the slightest little thing could have occurred? Is that really what we want? And, in doing so, are they to then risk providing false or misleading information to the public because they are making statements based on nothing more than fear and a hunch?
Shawn will be co-leading the Privacy & Risk Summit at InfoSec World 2018 in Orlando, Florida on March 22, 2018.
