Note: This article originally appeared on the Security Catalyst Blog.
I have personally discovered more than a hundred data breaches by schools, companies, doctors’ offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law. Here are the most common reasons:
- Failure to Detect
- Market Devaluation of Privacy
- Poor Communication
- Ignorance of Law
- Notification Difficulty
Failure to Detect
Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not keep proper logs. Thus, when a press releases reads, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and thus literally have “no evidence.”
Market Devaluation of Privacy
The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no hard proof of access exists) far outweigh any benefits.
In addition, most data breach notifications laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your credit. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you recover from financial identity theft, medical identity theft, or criminal identity theft. Merely getting a credit report does not protect against any of these risks.
Poor Communication
A cruel irony of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization with the most incentive to skew the details. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible.
I have read dozens of breach announcements, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” Keeping a victim in the dark about the details protects only the breaching entity.
Ignorance of Law
Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.
Notification Difficulty
For the most part, organizations which choose not to report breaches get away with it. But even under good circumstances, 100% victim notification is impossible. People move, phone numbers change, or addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.
I have suggested solutions to some of these problems here and with the creation of National ID Watch
Aaron Titus is the Privacy Director for the Liberty Coalition, and runs National ID Watch.