What is the fundamental purpose of data breach disclosures? To help the company breached? To help other companies in a similar position? To help the customers of the breached company? To help law enforcement? At its most extreme, should it ever be about shaming a company that had poor security? Depending on the circumstances, it can be about all of the above.
Focus on the customer. That’s a common breach disclosure refrain predicated on the idea that knowing of a breach helps customers make more informed choices. But does it really do that? With so many breaches being announced every few days in the U.S. alone, what more can customers do? Does it, indeed, help them?
This forces us to look at the unsuccessful breach. Should those be announced as well? Or would that result in disclosure fatigue, where the announcements no longer promote action? And if a company has been breached, how can it ever know with any certainty what was – and what was not – touched? It’s assumed that security logs in a breach have been tampered with and that misleading clues have been planted.
CA Veracode’s Jessica Lavery shares her thoughts on how companies should look at breach disclosures – and why it is so important that they consider all of the facts in their particular case before jumping into action.