After a data theft, it’s important for companies to perform a proper breach notification. However, a recent study says companies fail to report key information after they’re breached.
While businesses continue to experience data breaches, detailed breach notification reports are becoming less common, according to the Identity Theft Resource Center (ITRC), which tracks publicly disclosed data breaches.
Among the 213 data breaches recorded by the ITRC in the first half of 2012, 63% of breach notification reports contained no details about:
- how the data breach occurred
- exactly what information was stolen, and
- who was responsible for the data breach
That’s double the number of breach notification reports that lacked such information in the same period a year earlier.
According to the ITRC, there is “minimal transparency” when companies report data breaches, which keeps affected customers and the general public from fully understanding what risks are faced after a breach.
For example, if data is stolen by a malicious hacker, there’s a much greater chance the information will be used for identity theft than if, say, a negligent employee misplaces a hard drive containing the same information. A breach notification should note those specifics, so the public can understand how serious the incident was, the ITRC said.
Reporting all of the facts about a data breach can also help companies learn from incidents at other organizations and improve their own security.
By excluding key details from their data breach notification reports, companies may also cause more damage to their reputations and bottom lines after security incidents. People care about the privacy of their personal information, and when it’s at risk, they want to know everything. In a recent Ponemon Institute survey, most data breach victims (58%) expressed concern that the breach notification they received hid important information and “sugar coated” the message.
To increase disclosure, the ITRC argues in favor of a national data breach notification law, which is an issue some members of Congress have been trying to tackle for several years. Right now, most states have their own rules about data breach notification, and withholding certain information could be a violation of some of those laws.