ITRC Breach Report Reveals Lack of Detailed Breach Reporting

Key Highlights

  • The Identity Theft Resource Center (ITRC) reports a growing silence in breach disclosures.
  • Data breach notices have become less helpful over time due to lack of actionable information.
  • Lawsuits and legal advice are leading companies to be less forthcoming with details.
  • Uniformity in data breach laws is necessary for fairness, according to ITRC President James E. Lee.

The Silent Crisis in Data Breach Disclosures

ITRC’s annual report reveals a disturbing trend: companies are increasingly failing to disclose the full details of data breaches. This isn’t just a minor inconvenience; it’s a significant shift that impacts how individuals can protect themselves and others from future attacks.

The Decline in Actionable Information

According to ITRC President James E. Lee, up until 2020, data breach notices typically contained actionable information that helped businesses and consumers understand the risk and take appropriate steps. However, since then, these notifications have become less informative.

Lawsuits and Legal Risks

The decline in disclosure quality is directly linked to legal advice from counsel. Companies are now hesitant to include detailed information about breaches for fear of creating a roadmap for lawsuits. This means that when a breach occurs, the notification often omits crucial details like what happened, how it happened, and what can be done to prevent recurrence.

Call for Uniformity in Disclosure Laws

Lee emphasizes the need for uniform data breach laws across states. Currently, different states have varying definitions of personal information, trigger points for notification, and requirements for disclosures. This inconsistency creates a patchwork in which an individual's level of protection unfairly depends on where they live.

The Consequences

The lack of detailed disclosure means that consumers are left in the dark about what happened, when it happened, and how they can protect themselves from similar attacks. It also makes it harder for other companies to learn from these incidents and implement effective security measures.

Expert Perspective on CISOs

Chief Information Security Officers (CISOs) face a tough decision: follow legal advice and withhold details, or provide full disclosure and risk handing plaintiffs a roadmap for litigation. Lee advises that the best course is to be forthcoming, even if painful, as it can prevent future attacks and protect others.

A Path Forward

To address this crisis, lawmakers must work towards uniform data breach laws at both state and federal levels. This would ensure that all entities facing a breach provide consistent, detailed information to affected individuals and the public. Until then, businesses will continue to fight an uphill battle between legal compliance and real security.

So, you might think this is new, but it’s been building for years. The lack of detail in data breach disclosures isn’t just about current events; it’s a systemic issue that needs urgent attention.